⚠ Your ISP sold your browsing history 12 times this year. We're the only party trying to stop it. Read our platform →
EDITORIAL

California Just Made Privacy the Default. Here’s Why That’s a Bigger Deal Than It Sounds.

California Just Made Privacy the Default. Here’s Why That’s a Bigger Deal Than It Sounds.

For twenty years, “privacy” in California has meant one thing in practice: your right to opt out, buried three menus deep, on a per-site basis, forever, one company at a time. This year that finally started to change — and it’s worth stopping to notice, because Pirates spend most of our time pointing at what’s broken.

Two things happened. The state built a single button that deletes you from hundreds of data brokers at once. And the state told browser makers they now have to ship a real opt-out switch, not a suggestion.

Both bills came out of Sacramento’s normal legislative process — not a Pirate platform plank, not a libertarian dream, not a progressive wish list. Which is exactly why we’re covering them.


A Quick Word on Why We’re Praising a Bill We Didn’t Write

Pirate Parties are syncretic — a word that sounds academic but means something simple: we don’t have a home team. We’re not the left’s tech caucus or the right’s deregulation wing. We evaluate policy against a fixed set of principles (privacy, transparency, free flow of information, evidence-based lawmaking) and call it as we see it, regardless of which party or coalition produced it.

That means we’ve spent plenty of space criticizing bills sponsored by the same legislature that passed DROP and AB 566. It also means when Sacramento gets something right, we say so — loudly, and without the reflexive “but who really benefits” cynicism that a lot of political writing defaults to. Consistency to the principle is the whole point. If we only praised policy from allies and only criticized policy from opponents, we’d just be another partisan outlet wearing a pirate flag.

So: this piece is a genuine compliment. DROP and AB 566 hold up under Pirate Wheel analysis regardless of who sponsored them or what party controls the statehouse that passed them.


DROP: One Request, Hundreds of Brokers

The California Privacy Protection Agency’s Delete Request and Opt-out Platform (DROP) went live this year under the 2023 Delete Act. It does something that used to be structurally impossible: instead of hunting down every data broker that’s ever scraped, bought, or resold your information and opting out one at a time, you submit a single deletion request through the state platform, and every registered broker has to process it.

As of August 1, brokers have 45 days to process a request and 90 days to report back to the state on how they handled it. Miss it, and the CPPA has enforcement teeth.

This matters because the old system was never actually a system — it was a maze built by the people profiting from the maze. Every broker had its own opt-out form, half of them required you to create an account to delete your account, and plenty just ignored requests entirely, betting correctly that no individual has the time to chase down 400 companies they’ve never heard of. DROP inverts the default: instead of you doing the work of opting out of everyone, the burden shifts to brokers to prove they complied.


AB 566: The Browser Has to Ask For You

The second piece is AB 566, the “Opt Me Out Act,” which requires web browsers sold or distributed in California to include a built-in, one-step setting that sends an opt-out preference signal — and requires businesses to honor it. This is the difference between a right and a default. California has technically had opt-out rights on the books for years (CCPA/CPRA), but rights that require you to find them, click through a dark pattern, and repeat it per-domain aren’t rights, they’re a compliance shell game. AB 566 makes “don’t sell or share my data” a setting you flip once, in your browser, that follows you everywhere.


Why This Is a Pirate Win, Not Just a California Win

Run both through the Pirate Wheel and they score on two spokes at once:

  • Privacy (Data + Identity): Both laws move the default state from “your data is fair game unless you fight for each exception” to “your data is protected unless you affirmatively opt in.” That’s the correct direction of the burden of proof — Pirates have always argued surveillance and data harvesting should require justification, not the other way around.
  • Quality Legislation: These are rare laws that actually pass all four tests. Necessity — data broker harm is well-documented, not hypothetical. Effectiveness — a platform-level delete-once mechanism and a browser-level signal both solve the structural problem (per-site friction) instead of just adding another disclosure nobody reads. Proportionality — nobody’s rights are curtailed to make this work; brokers just lose the ability to profit from friction. Rights basis — this is squarely about individual data sovereignty, not a moral panic dressed up as policy.

Compare that to the usual privacy “protections” we cover here — age verification mandates, chat-control style scanning, ID-gated internet access — which all expand surveillance in the name of protecting people. DROP and AB 566 do the opposite: they reduce the number of parties who get to hold your data by default. That’s the tell for whether a privacy law is real or theater.


Where It’s Still Incomplete

Two gaps worth flagging so this doesn’t read as a victory lap:

  • DROP only covers registered data brokers. Anyone operating outside California’s broker registry, or overseas, isn’t touched. Enforcement depends on the CPPA actually chasing non-compliant brokers, and the agency’s fine track record is still being built.
  • AB 566 governs browsers, not apps, not IoT devices, not the ad-tech stacks running inside apps that never touch a browser opt-out signal at all. It closes one major door, not the whole house.

Neither of these gaps is a reason to dismiss the wins — they’re a reason to keep pushing on the next bill.


What You Can Do

  1. Use DROP now if you’re a California resident — one request clears you from the state’s registered broker list. Start here.
  2. Check your browser for the Global Privacy Control / opt-out signal setting once AB 566 rolls out fully, and make sure it’s on.
  3. Watch CPPA enforcement — the real test of DROP isn’t the launch, it’s whether brokers who ignore deletion requests actually get fined. We’ll keep tracking it.
  4. Talk to your crew — most people still don’t know DROP exists. Share this. The tool is only as good as its adoption.

The default should always be that your data belongs to you. This year, for once, the law agrees.

We keep us safe.