How California’s AB 3048 Could Lead to Millions of Opt-Out Requests and Help Advance Privacy Tech

A new law approved by California’s Assembly and Senate would require Google, Apple, and other tech firms to include new privacy protections into their browsers and mobile software, allowing millions of consumers to opt out of targeted ads across every website visit and mobile app.

Assembly Bill (AB) 3048 requires companies developing and maintaining web browsers and mobile operating systems (OS) to bake in an Opt Out Preference Signals (OOPS) allowing users to control their personal information across the web.

Many businesses are already required to respect consumers’ OOPS preferences. If signed by the California Governor, AB 3048 would not only bring this technology to millions more consumers—it would require the development of more powerful and more accessible privacy technology.

What is AB 3048?

AB 3048 was introduced by Assembly Member Lowenthal in February 2024.

The bill focuses on strengthening protections under the California Consumer Privacy Act (CCPA), which was passed in 2018.

The CCPA was the first of the recent tranch of “comprehensive state privacy laws” that have since passed in around 20 states, starting with Virginia, Colorado, and Connecticut—and, more recently, in states such as Kentucky, Maryland, and Rhode Island.

Among many other provisions, the CCPA gives consumers right to direct businesses not to “sell or share” their personal information, including via cookies, pixels, and other tracking technologies.

The CCPA was amended by the California Privacy Rights Act (CPRA) in 2020, which: 

• Clarified the rules on targeted advertising (known in California as “cross-contextual behavioral advertising”)
• Gave consumers new rights, including to direct businesses to “limit the use and disclosure” of their “sensitive personal information” 
• Established California Privacy Protection Agency (CPPA), a regulator responsible for enforcing the CCPA alongside the California Attorney General

AB 3048 is a further amends the CCPA’s rules on so-called “Opt-Out Preference Signals” (OOPS)—updating them to cover the newer provisions on “sensitive personal information” and expanding them to ensure more consumers can benefit from the law’s privacy protections.

OOPS under the CCPA

Since it was first passed, the CCPA has required businesses to respect OOPS (known in most other states as “Universal Opt-Out Mechanisms” or “UOOMs”). 

AB 3048 should make OOPS much more common by ensuring they are built into more browsers and mobile operating systems.

OOPS are primarily used as a way to opt out of targeted advertising. If a user’s a browser or mobile device is running an OOPS, it will send a signal to the website to request that the operator does not “track” the user or “sell” the user’s personal information.

The best-known OOPS is called Global Privacy Control (GPC).

Businesses covered by the CCPA—and the Colorado Privacy Act (CPA)—must already ensure they do not sell the personal information of users running GPC and similar OOPS. Many states outside California will soon introduce similar requirements.

AB 3048 and OOPS

A key feature of AB 3048 is to prohibit companies that develop and maintain web browsers and mobile operating systems (OS) from not including an OOPS in their product.

In other words, browser and mobile OS firms will have to provide and OOPS as part of their product.

Some browsers, like Brave and Firefox, already come with a built-in OOPS. These browsers include a setting that, when “on”, will send an opt-out request to every website by default.

Other browsers, such as Google Chrome, do not currently include a built-in OOPS—users must download an extension if they wish to protect their privacy in this way.

Google Chrome enjoys a substantial share of the browser market, meaning AB 3048 would bring OOPS to millions of consumers for the first time.

And existing users of GPC and other OOPS would benefit from new protections of their “sensitive personal information”.

How AB 3048 could influence the development of OOPS

Sensitive personal information

AB 3048 defines an OOPS as a signal that communicates the consumer’s choice to: 

• Opt out of the sale and sharing of their personal information, or
• Limit the use of their sensitive personal information

Under the CCPA, “sensitive personal information” includes social security numbers, precise geolocation, and certain types of health and bioemtric information, among types of data. 

The law’s “right to limit” enables consumers to tell a business to stop using this sensitive personal information except for certain strictly-defined purposes.

The CCPA’s OOPS requirements already require businesses to respond to both types of request via OOPS. 

However, the widely-used OOPS protocols, including GPC, are not set up to deal with sensitive personal information.

As such, the law will require tech firms to develop new, more powerful OOPS to enable consumers to control their sensitive personal information.

Mobile operating systems

AB 3048 covers both web browsers and mobile operating systems on smartphones and tablets.

Although some OOPS-type software already exists for mobile devices, and Apple products integrate several privacy controls that might qualify as OOPS, the technology is not currently well-established for mobile devices.

As such, AB 3048 could be a game-changer for mobile technology. 

For example, the law could require Google to build an OOPS into Android—the most widely-used mobile OS. 

Users would benefit from new privacy protections both when browsing the web on their mobile devices or using mobile apps, many of which sell and share extensive amounts of personal information.

How AB 3048 could impact businesses

As noted, CCPA-covered businesses must already respond to OOPS. California’s privacy regulator, the CPPA, has put out guidance in this area, and AB 3048 empowers the CPPA to develop regulations specifying how the new rules apply in practice.

OOPS are gaining traction in other states, with Colorado already requiring businesses covered by its privacy law to recognize GPC signals, and other states including Connecticut, Montana, Delaware, New Hampshire, and New Jersey planning to follow suit over the next two years.

As such, many businesses should already be processing OOPS (if you’re not yet set up to handle GPC or other OOPS, read DataGrail’s guidance on how to swiftly bring your business into compliance).

DataGrail’s research showed a 246% increase in privacy rights requests between 2021 and 2023, confirming that consumers are enthusiastic about controlling their personal information.

AB 3048 intends to empower every California consumer to exercise these rights automatically. If every mobile operating system and browser integrates an OOPS, we can expect an explosion in opt-out requests.

In a 2021 CCPA enforcement case, French cosmetics chain Sephora was penalized for failing to respect users’ GPC signals. Businesses with well-established systems processing OOPS signals will be best-placed to avoid any similar enforcement action in future—in California and beyond.

What happens next with AB 3048?

At the time of writing, AB 3048 awaits a signature from California’s Governor Gavin Newsom. Assuming Governor Newsom signs the bill, it will become law and take effect on January 1, 2026.

AB 3048 empowers California’s privacy regulator, the CPPA, to write regulations to implement the law. Among other things, these regulations will include requirements for browser and mobile OS developers to ensure their OOPS mechanisms are accessible to users.

Six months after the CPPA writes its regulations, AB 3048 will become “operative.” This could mean a large volume of consumers gain the ability to opt out of the sale or sharing of their personal information—and the use of their sensitive personal information—around July 1, 2026.

Partly depending on how the CPPA writes its regulations, AB 3048 could transform the digital advertising landscape, leading to:

• The development of new ways for consumers to control their personal information and sensitive personal information online.
• Millions of people gaining access to this new technology, enabling them to automatically opt out of targeted advertising across every website they visit and every mobile app they use.
• Businesses experiencing an influx of opt-out requests—and facing potential legal issues if they fail to comply.

Remember—processing GPC and other opt-out signals is already a legal requirement under the CCPA and other laws. Read DataGrail’s Do Not Sell or Share Opt-Out Guide to find out how to seamlessly comply with this obligation.