Witch Way to Digital Privacy? Navigating California's New Laws 🧙🏻‍♀️

October 17, 2025
Jessica Pate
Sr. Technical Product Manager

California continues to be a driving force in data privacy regulation in the US, and the recent passage of two new bills, AB 656 and AB 566, is set to reshape how companies manage user data and consent. These regulations signal a new era where privacy is not just a policy but a fundamental feature of the user experience. Understanding and being ready to adapt to these changes is critical. Let's break down what these new laws mean and how Relyance AI is already helping businesses navigate this evolving landscape.

AB 656: The Automated Right to Be Forgotten

AB 656 requires social media companies to implement simple account cancellation mechanisms that also automatically delete a user's personal data. While account cancellation is not a traditional Data Subject Request (DSR) under the CCPA, this is a clear signal that the public and regulators expect a higher standard for the “right to be forgotten”.

This is precisely where Relyance AI's Privacy Expert for DSR shines. Our DSR offering provides technical tooling to create and manage requests, not just in the traditional privacy portal or webform sense, but wherever request creation makes sense in a user's journey with your business. The automated workflows then take it from there, ensuring that when a user wants to be deleted, the process is not just initiated but fully executed across your systems. With Relyance AI’s visibility into data journeys, third parties, contracts, and AI models, you also know your data retention policies and where data shouldn’t be deleted. A true full-package solution.

Our solution is already being used by forward-thinking companies to manage this very challenge, demonstrating that it's possible to meet and even exceed these new regulatory demands with our existing product.

AB 566: The Rise of In-Browser Opt-Out

The "California Opt Me Out Act" (AB 566) is particularly impactful, as it mandates that web browsers include a built-in, configurable opt-out preference signal.

It seems like the logical and efficient approach for this new signal would be to leverage the existing Global Privacy Control (GPC). The GPC is already recognized as a valid opt-out signal under CCPA regulation, but it is not explicitly mentioned in AB 566. Most Consent Management Platforms (CMPs) integrate with and respect GPC signals, including Relyance Consent Management. There are also browsers and extensions that already respect this signal.

The regulation does not explicitly stipulate that the browser signal itself does the gatekeeping for the share or sale of data on browsed sites, only that the browser “send an opt out signal to businesses with which the consumer interacts with through the browser”. However, a browser's architecture allows it to act as a gatekeeper, deciding what data to accept, store, and send based on a set of rules. Typically, a privacy preference in a browser or extension would take on some level of gatekeeping and not just signalling.

This move by California could set a new precedent for the US. If users can set their opt-out preference once at the browser level and all gatekeeping is also handled by this signal, the need for cookie banners and preference centers on every website may diminish. If this just becomes a signal, the need for a CMP is still strong, to control the tracking technologies that drive the share or sale of data. The CMP experience is also still needed if a user were to want to override a signal for a particular business.

This also begs the question: could the responsibility for respecting user preferences then shift to the data ecosystem itself? Does the browser that owns the signal, or perhaps the third parties on the receiving end of the share or sale of data, then share responsibility if there is a breach of an opt-out signal, or does the responsibility remain with the business?

Either way, don’t make any hasty moves to rip out your cookie banner just yet. Businesses need to be the makers of their own destiny here, ensuring a safe, responsible and trustworthy digital ecosystem.

What's Next?

While the law is clear on the requirement for an in-browser signal, it leaves the specifics up to the California Privacy Protection Agency (CPPA) to define through regulation. This gives the industry a chance to influence the outcome.

We'll be keeping a close eye on what browser companies decide to do, and we anticipate a move toward universal adoption of a standardized signal like the GPC.

At Relyance AI, we are ready to support this shift with our robust Consent Management capabilities, ensuring our customers can automatically detect and honor these new signals.

This new era of in-browser privacy controls is not a burden; it is an opportunity to build a more transparent and trustworthy digital ecosystem, and we're excited to lead the charge.
