Hacker News

tzs, 10/01/2024

I've read the bill, and the Governor was right to veto it. The bill is terribly written.

The part about browsers is quite reasonable. One way to implement the required signal would be for the browser to add a header to HTTP requests that indicates the desire to opt-out.

The problem is the requirement that operating systems do a similar thing for any communications to businesses. Here's how it is phrased in the bill:

> A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system

What does it mean by "interacts through the mobile operating system"?

Say I install some app. When the user uses that app, the app opens a TCP connection to a server of some business and the user interacts with that server through the app. All that communication between the app and server does go through the operating system, namely via the app making API calls to the operating system's network services.

Does that count as the user interacting "through the mobile operating system"?

If it does, then how is the operating system supposed to send a signal? I suppose that if the app happens to be using HTTP or some other protocol that the OS happens to recognize it could try to inject some signal into that. That likely would be very error prone, but it is theoretically possible.

But what if the app is using end-to-end encryption? Then all the OS sees is encrypted data.

Maybe that part of the bill is meant to apply to situations where the user is interacting using the programs that are part of the operating system? That would be more sensible. If that's what they mean the bill should be re-written to say that.

It's not like going into detail about such things would make the bill unwieldy. The PDF of the bill is 4 pages and 1 of those is a page for signatures of various people acknowledging they received it, 1 is the legislative counsel's digest of the bill, and one is a page for the governor to sign. That leaves 1 page for the bill itself.

Here is the entire text of that page:

> The people of the State of California do enact as follows:

> SECTION 1. Section 1798.136 is added to the Civil Code, to read:

> 1798.136. (a) (1) Unless otherwise prohibited by federal law, a business shall not develop or maintain a browser that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the browser.

> (2) The setting required by paragraph (1) shall be easy for a reasonable person to locate and configure.

> (b) (1) A business shall not develop or maintain a mobile operating system that does not include a setting that enables a consumer to send an opt-out preference signal to businesses with which the consumer interacts through the mobile operating system.

> (2) This subdivision shall become operative six months after the adoption of regulations by the California Privacy Protection Agency that outline the requirements and technical specifications for an opt-out preference signal to be used by a mobile operating system.

> (c) The California Privacy Protection Agency may adopt regulations as necessary to implement and administer this section, including, but not limited to, ensuring that the setting described by subdivision (a) is easy for a reasonable person to locate and configure and updating the definitions of “browser” and “mobile operating system” to address changes in technology, data collection, obstacles to implementation, or privacy concerns.

> (d) As used in this section:

> (1) “Browser” means an interactive software application that is primarily used by consumers to access internet websites.

> (2) “Mobile operating system” means an operating system in use on a smartphone or tablet.

> (3) “Opt-out preference signal” means a signal that complies with this title and that communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information or to limit the use of the consumer’s sensitive personal information.

> (e) This section shall become operative on January 1, 2026.

> SEC. 2. The Legislature finds and declares that this act furthers the purposes and intent of the California Privacy Rights Act of 2020.
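An added illustration, not part of the comment above or of the bill: a sketch of what OS-level injection into an app's outgoing bytes would have to do, showing that it only works for complete plaintext HTTP/1.x request heads and must pass TLS or unrecognized protocols through untouched. The `Sec-GPC: 1` header (Global Privacy Control) is an assumption, since neither the comment nor the bill names a header; the function names and sample buffers are constructed.

```python
# Hypothetical sketch: the OS network layer inspects the first bytes an app
# writes to a socket and adds an opt-out header only when it is safe to do so.
OPT_OUT = b"Sec-GPC: 1"  # assumed signal; the bill specifies none
METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"PATCH", b"OPTIONS"}

def classify(buf: bytes) -> str:
    """Guess what protocol the outgoing buffer carries."""
    # TLS handshake record: content type 0x16, major version 0x03.
    # Everything after the handshake is ciphertext to the OS.
    if len(buf) >= 3 and buf[0] == 0x16 and buf[1] == 0x03:
        return "tls"
    line, sep, _ = buf.partition(b"\r\n")
    parts = line.split(b" ")
    if sep and len(parts) == 3 and parts[0] in METHODS \
            and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"):
        # The header block may be split across several writes.
        return "http1" if b"\r\n\r\n" in buf else "http1-partial"
    return "unknown"

def inject_opt_out(buf: bytes):
    """Return (bytes_to_send, outcome). Only a complete HTTP/1.x head is modified."""
    kind = classify(buf)
    if kind != "http1":
        return buf, kind  # encrypted, partial or unrecognized: pass through
    head, _, body = buf.partition(b"\r\n\r\n")
    for header in head.split(b"\r\n")[1:]:
        if header.lower().startswith(b"sec-gpc:"):
            return buf, "already-set"  # the app sent its own signal
    return head + b"\r\n" + OPT_OUT + b"\r\n\r\n" + body, "injected"

# Constructed sample buffers, one per case.
SAMPLES = {
    "plain": b"GET /feed HTTP/1.1\r\nHost: api.example.com\r\n\r\n",
    "tls": bytes([0x16, 0x03, 0x01, 0x00, 0x05]) + b"\x01\x00\x00\x01\x00",
    "partial": b"POST /sync HTTP/1.1\r\nHost: api.exa",
    "custom": b"\x00\x01\x7fapp-specific-binary",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        out, outcome = inject_opt_out(data)
        print(f"{name:8} -> {outcome:14} changed={out != data}")
```

Only the `plain` sample is modified; the other three are forwarded byte-for-byte, so no signal reaches the business in those cases.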