This bill was about Global Privacy Control (GPC) [1], which sites and mobile apps are required to respect under the California Consumer Privacy Act. The law is enforced by the Office of the California Attorney General [2]. There is a draft specification at the W3C [3].
Disclosure: I am one of the co-founders of GPC and a spec editor.
[1] https://globalprivacycontrol.org/.
[2] https://oag.ca.gov/news/press-releases/attorney-general-bont....
There's a difference between legal and moral, while building cloud.doshare.me we looked towards different analytics platform that respected privacy by default and behold there weren't many. Even mixpanel claimed to be privacy respecting but in reality it's only legally compliant to privacy, they don't even allow self hosting of their solution. This is overall a very big problem in the tech industry and will continue to be so, unless it's ensured by everyone of us, it's more of a people movement than governmental and UN enforceable situation.
Regulations are needed, but also antitrust laws that are easy and quick to enforce. Right now we waste time in years of lawsuits for a slap on the wrist. These companies are a problem just due to their size - we don’t need to examine their practices to know that their big staffing and capital makes competition impossible in many areas. We need to break them up or at least impose a giant tax for anyone making 100 billion or more in revenue.
A lot of finger pointing but it’s very light on the specifics. Newsome apparently veto’s it but it doesn’t really go into why. There’s got to be a lot more going on here.
Anyone know?
I've read the bill, and the Governor was right to veto it. The bill is terribly written.
The parts about browsers is quite reasonable. One way to implement the required signal would be for the browser to add a header to HTTP requests that indicates the desire to opt-out.
The problem is the requirement that operating systems do a similar thing for any communications to businesses. Here's how it is phrased in the bill:
> A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system
What does it mean by "interacts through the mobile operating system"?
Say I install some app. When the user uses that app the app opens a TCP connection to some a server of some business and the user interacts with that server through the app. All that communication between the app and server does go through the operating system, namely via the app making API calls to the operating system's network services.
Does that count as the user interacting "through the mobile operating system"?
If it does, then how is the operating system supposed to send a signal? I suppose that if the app happens to be using HTTP or some other protocol that the OS happens to recognize it could try to inject some signal into that. That likely would be very error prone, but it is theoretically possible.
But what if the app is using end-to-end encryption? Then all the OS sees is encrypted data.
Maybe that part of the bill is meant to apply to situations where the user is interacting using the programs that are part of the operating system? That would be more sensible. If that's what they mean the bill should be re-written to say that.
It's not like going into detail about such things would make the bill unwieldy. The PDF of the bill is 4 pages and 1 of those is a page for signatures of various people acknowledging they received it, 1 is the legislative counsel's digest of the bill, and one is a page for the governor to sign. That leaves 1 page for the bill itself.
Here is the entire text of that page:
>The people of the State of California do enact as follows:
> SECTION 1. Section 1798.136 is added to the Civil Code, to read:
> 1798.136. (a) (1) Unless otherwise prohibited by federal law, a business shall not develop or maintain a browser that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser.
> (2) The setting required by paragraph (1) shall be easy for a reasonable person to locate and configure.
> (b) (1) A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system.
> (2) This subdivision shall become operative six months after the adoption of regulations by the California Privacy Protection Agency that outline the requirements and technical specifications for an opt-out preference signal to be used by a mobile operating system.
> (c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section, including, but not limited to, ensuring that the setting described by subdivision (a) is easy for a reasonable person to locate and configure and updating the definitions of “browser” and “mobile operating system” to address changes in technology, data collection, obstacles to implementation, or privacy concerns.
> (d) As used in this section:
> (1) “Browser” means an interactive software application that is primarily used by consumers to access internet websites.
> (2) “Mobile operating system” means an operating system in use on a smartphone or tablet.
> (3) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information or to limit the use of the consumer’s sensitive personal information.
> (e) This section shall become operative on January 1, 2026.
> SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
This sounds like a variation of “do not track”, a concept invented by ad networks like Google and Facebook to give the pretense of caring about privacy.
DNT was then either ignored, or directly used as a tracking vector.
Even the advertising networks that did “respect it” stopped respecting it the moment it became popular (iirc multiple networks said they would not respect it if it was not off by default, or if users were asked ahead of time rather than it being a functionally hidden setting)
[dead]
The bill they are talking about[1] was completely worthless and deserved to be vetoed. All it did was require browsers and mobile OSes to have a "setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system".
It didn't refer to any standard about how this signal should be sent so different browsers could send completely different information.
It didn't put any requirements on businesses who receive this signal. They are free to completely ignore it just like Do-Not-Track, and most will.
Even if a company wanted to comply out of good will it doesn't define even vaguely what people are opting out of by toggling this setting which would lead to confusion as different sites would implement different things, and different browsers and OSes would describe it differently.
It was literally mandating a dummy button.
[1] https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml...