WeVote

Bill

Bill

AB 2561

Operating systems and applications: privacy settings.

2025-2026 Regular Session Introduced by Avelino Valencia

AB 2561 would require OSes and apps to default to the most privacy-protective settings and prohibit changing those settings without explicit user consent.

In Senate. Read first time. To Com. on RLS. for assignment.
0
WeVote Research Nonpartisan
Bill Summary · AB 2561

Summary of AB 2561 (2025-2026) — California

Overview

  • Proposed law: AB 2561, introduced by Assembly Member Valencia on February 20, 2026.
  • Jurisdiction: California
  • Subject: Privacy settings in operating systems and applications
  • Status (as of last update): Amended and read second time; ordered returned to second reading (April 23, 2026). Co-sponsor: Avelino Valencia.

Purpose and Intent

The bill aims to strengthen consumer privacy control by ensuring that both operating systems and applications default to the most privacy-protective settings and by restricting the ability of software to override a user’s explicit privacy configurations without consent.

Key goals:
- Ensure user privacy protections are prioritized at the default level.
- Prevent unilateral changes to a user’s privacy settings by software, preserving user autonomy and consent.

Key Provisions

  1. New Chapter Created
    AB 2561 would add Chapter 22.9 to Division 8 of the Business and Professions Code, titled “Operating System and Application Privacy Settings.”

  2. Definitions

    • Application: Any software program (including mobile or desktop apps) that collects, processes, or stores personal information in the state and provides privacy settings.
    • Consent: As defined in Civil Code § 1798.145 (i.e., the consumer’s agreement to the processing of personal data).
    • Personal Information: As defined in Civil Code § 1798.145.
    • Privacy Setting: Any user-configurable option within an application’s privacy-related menu that governs the collection, use, sharing, disclosure, retention, or processing of personal information.
  3. Default Privacy Setting Requirement (Section 22683(a))

    • An operating system or an application must configure a user’s default privacy setting to the most privacy-protective option available (i.e., the highest level of privacy protection offered by the OS or app).
  4. Protection Against Undue Changes (Section 22683(b))

    • An operating system or an application shall not change or undo a user’s affirmative configuration of a privacy setting without the user’s explicit consent.

Who is Affected

  • Software developers and publishers of operating systems and applications that collect or process personal information in California.
  • End users (California residents) whose privacy settings would be set by default to the most privacy-protective option and who would require explicit consent for any changes to their configured privacy preferences.

Procedural and Timeline Aspects

  • Legislative path: The bill has been amended and moved through committee with a favorable vote (Amend, and do pass as amended) and is scheduled for further consideration as of the latest update.
  • Effective date: The text provided does not specify a precise effective date or phase-in period. If enacted, further detail would typically be provided in the bill’s final version or the enacted code language, including any delays before compliance is required.

Practical Impact

  • Businesses would need to implement mechanisms to:
    • Detect and apply the most privacy-protective default setting across OS and app privacy menus.
    • Prevent automatic or inadvertent changes to user-configured privacy settings without obtaining explicit user consent.
  • Users would gain stronger protection from default configurations that surveil or share data without clear consent.
  • The measure aligns with broader California privacy frameworks in the California Consumer Privacy Act (CCPA/CPRA) by emphasizing user control and consent in the realm of personal information processing.

Notable Considerations

  • The bill relies on definitions aligned with existing Civil Code provisions for personal information and consent.
  • It does not establish an explicit monetary penalty in the provided text; no appropriation is indicated.
  • Pending final amendments and the enacted text will clarify any exceptions, enforcement mechanisms, and regulatory oversight.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.