California law regulating web browsers could have national data privacy impact, experts say

Privacy changes required by a newly-enacted California law could mean web browsers will soon offer all Americans a mechanism to easily opt out of all data sharing and sales when surfing the web.

In October, California Gov. Gavin Newsom signed a law which amends the state’s trailblazing Consumer Privacy Act to mandate that web browsers create a turnkey tool for residents to opt out from data sharing once instead of having to do so each time they visit a website.

Crucially, the law applies to Californians even when they are traveling out of state or using a virtual private network, a fact which a California data privacy regulator and the legislator behind the law say likely means browsing companies will make the tool available nationally. 

Twelve states, including California, now require businesses to stop sharing data from consumers who opt out. But because most web browsers have not offered mechanisms for residents to easily exercise their rights, most do not do so. That means that once browsing companies set up a universal opt out tool, tens of millions of consumers — including those outside of California — could begin refusing to share their web browsing data.

The California law goes into effect on January 1, 2027.

Tom Kemp, the executive director of the California Privacy Protection Agency, which sponsored the legislation, said his team has been in conversation with web browsing companies about their plans for implementing the changes and there is no sign that they will seek to overturn the law. 

While the browsing companies can elect to change their browser options in California only, he said, “it may produce too much friction, at least in the United States, to have multiple versions of browsers and then ask questions about residency and look at location.”

“It makes sense [for browsers to] universally offer this capability so they don't run the risk of denying Californians their rights,” Kemp said. “If they deny Californians who are traveling or even in state and using a VPN [the ability to send a universal opt-out signal] they run the risk of an enforcement action.”

Josh Lowenthal, the California legislator who introduced the bill, said he was in “constant contact” with Apple, Google and other browser companies when crafting the law and pushing it through the state legislature.  

“There were a lot of key technical questions that had to get worked out, but where the legislation landed, it's actually quite simple for these browsers to implement — what's not simple is for them to understand who is a California resident and who is not which is why it will likely be national,” Lowenthal said. “They understood that out of the gate.”

“The language is very clear that it affects all California residents, wherever they are, and that's not something that [the browser companies] truly fought against,” he said.

Google and Apple did not respond to requests for comment regarding how they will tweak their browsers to adhere to the law. Microsoft declined to comment on changes to its browser.

While Google did not publicly oppose the law, it did reportedly lobby against the bill through a group it supports financially.

Kemp expects the law to change how companies do business.

Firms will have an incentive to opt out all consumers from data sharing regardless of where they live, Kemp said, or they will have to determine where customers reside to ensure they are not in one of the 12 states requiring them to allow consumers who do not want to share their data to exercise that right.

Consumers using major browsers have to date needed to download an extension to send a universal opt-out signal and few do, he said. Having an easy-to-trigger mechanism built into a browser will exponentially increase the number of consumers sending opt out signals, Kemp said.

“Tweny-five percent of the population of the United States lives in a state that requires this,” he said. “A tipping point has been reached that it just makes sense for any business anywhere to support the opt-out preference signal.” 

“Otherwise, they're going to have to jump through the same hoops as the browsers where for every visitor coming in they'll have to say for these residents we'll accept it, for these residents, we won't.” 

The law could have a major impact on data brokers due to how many people will opt out of data sharing once it is as simple as toggling a button to do so.

“It’s huge,” Kemp said. “This will significantly up the game.”