Google’s Silent Pushback on California’s Browser Privacy Bill: What Counsel & Security Teams Must Know
By Ramyar Daneshgar
Security Engineer | USC Viterbi School of Engineering
Disclaimer: This article is for educational purposes only and does not constitute legal advice.
Executive Summary
In 2025, the state of California advanced landmark legislation, AB 566, that would require web browsers (and later mobile OSs) to include a built-in opt-out preference signal allowing consumers to universally indicate that their personal information should not be sold or shared. Simultaneously, Google mobilised a covert lobbying campaign, via third-party organisations and email outreach to small businesses, to resist this change.
1. Background
Assembly member Josh Lowenthal introduced AB 566 on February 13, 2025, sponsored by the California Privacy Protection Agency (CPPA). The bill proposes to add Section 1798.136 to the California Civil Code, which would require any business that develops or maintains a web browser to provide a setting enabling a consumer to send an opt-out preference signal to businesses with which they interact through the browser. (Consumer Privacy Committee)
The intent: under the existing California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California consumers already have the right to opt out of the sale or sharing of their personal information. AB 566 would require browsers to natively support a “one-step” mechanism (sometimes called a “global opt-out” or “universal opt-out preference signal”) rather than requiring users to opt out individually at each website. (California Privacy Protection Agency)
According to the CPPA’s own statement, AB 566 would make California “the first state in the nation to require browser support for” such signals. (California Privacy Protection Agency)
2. Google’s Quiet Opposition
Although Google did not publicly announce opposition to AB 566, investigative reporting shows that Google sent emails to small business owners in its “Grow with Google” program, urging them to sign a petition opposing the bill and warning that the legislation “would hurt your ability to use online ads to reach customers.” (The Markup)
In these email solicitations:
- The technology giant asked recipients thousands of miles away (Rhode Island) to oppose the California bill. (CalMatters)
- The petition was issued by the Connected Commerce Council (3C), a group financially supported by Google and Amazon, yet did not openly disclose Google’s direct role. (The Markup)
- Company lobbying disclosures show that Google spent nearly $700,000 on state-level lobbying in California in 2025, with AB 566 among the bills referenced. (AP News)
These tactics illustrate how a dominant data-driven company sought to influence privacy law at the infrastructure layer (browsers) to protect its advertising and tracking model.
3. Why This Matters for Privacy & Compliance Professionals
3.1 Shift in Regulatory Focus
The AB 566 initiative and its resistance highlight a key trend: privacy regulation is moving from simply controlling what companies collect and share, to controlling how the infrastructure (devices, browsers, OSs) enables or disables data flows. In this case, browser architecture becomes a regulatory frontier.
3.2 Infrastructure as Compliance Surface
For companies building or relying on digital infrastructure (browsers, OSs, SDKs, ad-tech platforms), this means compliance cannot be limited to apps or websites. The platform layer itself may be subject to statutory obligations (requiring built-in opt-out signals).
3.3 Business Model Exposure
The opposition by Google underscores another point: business models that depend on data sharing, behavioural advertising, or third-party tracking may face regulation not only at the application layer, but at the browser/OS layer. Compliance teams need to model how major shifts in data-flow architecture affect lawful bases, contracts, third-party processors and risk.
3.4 Precedent Setting
California is often a precursor for U.S. privacy law trends. AB 566’s focus on universal opt-out signals may influence other states or federal policy. Organisations should monitor not just the letter of the law, but emerging control-signals like “OOPS” or “Global Privacy Control” (GPC). (Captain Compliance)
4. Practical Compliance Implications & Actions
- Inventory browser/OS dependencies: Identify whether your product or service relies on data collection via a browser engine, extension or OS module and whether user consent or opt-out rights may be impacted by forthcoming regulation.
- Map data-sharing flows: Understand how personal information is sold or shared across websites/platforms and whether global opt-out signals (once implemented) will constrain your architecture.
- Update user-rights disclosures: With AB 566, end users may gain simpler mechanisms to opt out of data sharing; your privacy notices, user-settings UI, and internal logs must support this.
- Vendor/partner assessment: Any third-party service that collects or shares data via browser or mobile OS channels should be reviewed for compliance with universal opt-out signals and browser-engine obligations.
- Monitor state-law amendments: AB 566 delays implementation to January 1, 2027. (Bill Texts) However, other states may adopt similar measures sooner. Compliance programmes must remain agile.
- Scenario-testing enforcement exposure: If a browser fails to provide the mandated opt-out setting, it may face statutory liability. If your software depends on such browsers, you may face downstream risk.
5. Takeaway for Counsel, Security & Compliance Teams
This case demonstrates that even infrastructure companies (browser vendors) are now implicated in privacy law beyond traditional data-controllers and processors. Dominant platforms may resist regulation that threatens their data-sharing model, but from a compliance standpoint the question is no longer if regulation will arrive at this layer, but when.
Organisations must anticipate that user-control mechanisms (global opt-out signals) will become embedded in platforms, not just individual websites. Those who treat platform architecture as beyond the scope of privacy will find themselves unprepared when regulatory enforcement shifts focus.
