Almost half of the States in the U.S. have enacted some version of an online personal or consumer data privacy statute. The statutes all use a similar framework that requires data collectors and processors to provide notices, obtain consent, and comply with mandates and prohibitions. For example, all of the online data privacy statutes require companies to provide privacy notices that tell consumers what data is collected, why the data is being collected, with whom the data is shared, sold, etc.

All of the statutes also require that data collectors allow consumers to opt out of various things, such as the collection, sharing, or processing of certain data for certain online users (like children) or for certain types of data (like personally sensitive data).

One current and ongoing political fight concerns whether companies should be required to allow and honor consumers’ data choices and preferences via global privacy controls (“GPC”). GPCs are often called “universal opt-out mechanisms” and “opt-out preference signals.” GPCs can be defined as signals sent automatically by browser, computer, or device settings that identify the consumer’s global privacy preferences for a website, app, or online service.

Consumer privacy advocates have recognized that identifying privacy preferences can be a cumbersome and inconvenient process for consumers, particularly if the preferences must be given for each website one at a time. Privacy advocates understand that the more difficult and inconvenient a process is, the less likely a consumer is to take the time to identify their privacy preferences.

Consumers may take the time to identify their privacy preferences for websites that they visit often. However, most consumers browse the internet by making one-time visits and staying for only a few minutes. For these kinds of “short hop” visits, for most consumers, it is too time-consuming to track down the link, go to the privacy page, and identify privacy preferences. However, even a short visit to a website might result in unwanted data collection, storage, sharing, and sale, resulting in, for example, a deluge of targeted advertising.

One solution to this problem is GPCs. Consumers can take the time to review and signal their preferences once for their browser, extensions, add-ons, device, or computer. Thereafter, even for “short hop” visits, their preferences will be sent to the website.

Currently, about twelve online personal data privacy statutes require that data collectors recognize and obey GPCs. California has now added its “voice” to the discussion by enacting what is called Assembly Bill 3048. The California Governor is expected to sign the legislation. AB 3048 amends earlier data privacy legislation and goes a bit further than simply requiring websites and online services are required to accept and honor such GPCs. That is already the law in California.

AB 3048 is not aimed at data collectors and processors but rather at browser developers and companies that make and operate mobile devices. Starting on January 1, 2026, such companies will be required to allow consumers to send privacy preference signals, in effect creating GPCs. AB 3048 does not require any sort of factory or default setting for those preference signals, and AB 3048 does not require that the GPCs be automatically “on.” It is a good guess that the next political “fights” will include those two questions.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.