Lindsey Tonsager, Libbie Canter, Jayne Ponder, Jenna Zhang, Ariel Dukes, and Bryan Ramirez of Covington and Burling write:
Recently, California Governor Gavin Newsom signed into law several privacy and related proposals, including new laws governing browser opt-out preference signals, social media account deletion, data brokers, reproductive and health services, age signals for app stores, social media “black box warning” labels for minors, and companion chatbots. This blog summarizes the statutes’ key takeaways.
- Opt-Out Preference Signals: The California Opt Me Out Act (AB 566) will require businesses that develop or maintain browsers to include functionality configurable by a consumer that enables the browser to send an opt-out preference signal. Additionally, a business that develops or maintains a browser must make clear to a consumer in public disclosures how the opt-out preference signal works and the intended effect of the opt-out preference signal. The law states that a business that maintains or develops a browser that includes the opt-out preference signal shall not be liable for a violation of the title by a business that receives the opt-out preference signal. AB 566 will take effect January 1, 2027, and provides the California Privacy Protection Agency (“CPPA”) rulemaking authority.
- Social Media Account Deletion: AB 656 will require social media platforms that generate more than $100M per year in gross revenues to provide a “clear and conspicuous” button to complete an account deletion request. “Social media platform” is defined by reference to Section 22675 of the California code as a “public or semipublic internet-based service or application that has users in California” and where (1) a “substantial function” of the service or application is to connect users to interact socially with each other and (2) allows users to construct a public or semipublic profile, populate a list of users with whom the individual shares a social connection, and create or post content viewable by other users. If verification is needed for the account deletion request, it must be provided in a cost-effective and easy-to-use manner through a preestablished two-factor authentication, email, text, telephone, or message means.
Read more at Inside Privacy.