TL;DR:

  • What passed: California’s Assembly unanimously passed AB 2561 on May 14, 2026: 77 votes in favor, zero against. The bill requires every operating system and application to configure default privacy settings to the most protective option available. [1][2]
  • What it bans: Apps cannot undo a user’s privacy settings without explicit consent. No more stealth resets after updates. No more dark patterns that trick you into opting back in. [1]
  • Where it stands: Headed to the California Senate. Assigned to the Senate Rules Committee. If it passes and the governor signs it, this becomes the strongest privacy-by-default law in the United States. [2]
  • Why it matters: Every privacy law until now has been opt-out. You have to find the setting, navigate the menus, and actively protect yourself. AB 2561 flips that. Protection is the starting point. Surveillance becomes the thing you have to opt into.

What AB 2561 Would Actually Change on Your Phone

Right now, when you download Instagram, location tracking is on. Ad personalization is on. Activity sharing is on. Your data gets harvested from the moment you hit “Accept.” If you want privacy, you go digging through Settings → Privacy → Ad Preferences → Data Sharing → a toggle buried four menus deep that Meta hopes you’ll never find.

AB 2561 reverses this. Here’s what it would look like in practice:

  • Instagram: Location tracking off by default. Ad personalization off. Activity status hidden. You’d have to actively choose to share your data, not actively choose to stop.
  • Google Maps: Location history off. Web & app activity tracking off. Personalized ads off. Google would need explicit consent to turn any of these on.
  • TikTok: Personalized ads off. Data sharing with third parties off. Interest-based targeting off. The recommendation algorithm would still work, but it couldn’t feed your behavioral data to advertisers without asking first.
  • Your smart TV: ACR (automatic content recognition) off. Viewing data collection off. Ad tracking off. Samsung, LG, and Vizio currently ship TVs that watch what you watch. That stops.
  • Your phone’s OS: Both iOS and Android would need to ship with the most restrictive privacy defaults. Apple is already close. Google is not.

The Bill in Plain English

AB 2561, authored by Assembly Member Valencia, adds Chapter 22.9 to the California Business and Professions Code. It does two things [1]:

Rule 1: Every operating system and application must “configure a user’s default privacy setting to be the most privacy protective setting offered.”

Rule 2: No operating system or application can “undo a user’s affirmative configuration of a privacy setting without the user’s explicit consent.”

That second rule is just as important as the first. Right now, apps routinely reset your privacy choices after updates. You turned off tracking in March? The April update turned it back on and buried the notification in a changelog nobody reads. AB 2561 makes that illegal.

The bill defines a “privacy setting” as any user-configurable option that governs the “collection, use, sharing, disclosure, retention, or processing” of personal information. That covers basically every toggle in every privacy menu on every app. [1]

Why Opt-Out Privacy Has Failed

The entire digital economy is built on a bet: that most people won’t change their default settings. The ad tech industry knows this. That’s why every privacy control is buried, every opt-out is confusing, and every dark pattern exists.

The numbers prove the bet works. Studies consistently show that roughly 95% of users never change default settings. When Apple gave iPhone users a single clear prompt asking whether to allow app tracking in 2021, 75% said no. The opt-out rate was so devastating that Meta lost $10 billion in ad revenue in a single year.

That’s the difference between opt-out and opt-in. When you have to actively choose surveillance, almost nobody does.

AB 2561 would apply that logic to every app, every operating system, every privacy setting. Not just tracking. Everything.

What This Means for the Ad Tech Industry

If AB 2561 becomes law, the behavioral advertising industry loses its biggest advantage: inertia.

Data brokers, ad networks, and surveillance-dependent platforms have spent two decades building business models on the assumption that default settings equal consent. AB 2561 destroys that assumption. Every user starts private. Every data collection point requires an active choice.

California represents roughly 12% of the US population and an outsized share of tech revenue. When California passed the CCPA in 2018, most major tech companies applied the privacy rights nationwide rather than maintain two systems. AB 2561 would likely force the same calculation: build privacy-by-default for California or build it for everyone.

That’s why this bill matters beyond California. It’s a de facto national privacy default standard.

The Vote and What’s Next

AB 2561’s path so far:

  • February 20, 2026: Introduced by Assembly Member Valencia [2]
  • April 22, 2026: Passed the Assembly Privacy and Consumer Protection Committee: 15 ayes, 0 noes [2]
  • April 23, 2026: Amended [2]
  • May 14, 2026: Passed the full Assembly: 77 ayes, 0 noes [2]
  • Now: Assigned to Senate Rules Committee. Awaiting Senate committee assignment and hearing. [2]

A 77-0 vote is remarkable. This wasn’t a party-line fight. Every Republican and every Democrat in the California Assembly voted yes. That kind of unanimity makes the Senate path easier, but the lobbying blitz is coming. Expect the ad tech industry to pour resources into the Senate committee process.

California’s Privacy Enforcement Machine

AB 2561 doesn’t exist in a vacuum. California has been building privacy enforcement infrastructure for years:

  • The CCPA (2018) and CPRA (2020) gave Californians the right to know, delete, and opt out of data sales
  • The California Privacy Protection Agency (CPPA) was created to enforce these rights with dedicated staff and budget
  • AB 3048 (2024) required browsers and devices to support opt-out preference signals
  • The Data Broker Strike Force has been actively hunting unregistered data brokers [3]
  • A $12 million penalty against GM for selling OnStar driver data showed the state will hit companies where it hurts [4]

AB 2561 is the next logical step. California has the rights framework, the enforcement agency, and the track record. Now it wants to make privacy the default, not the exception.

What You Can Do Right Now

  • Don’t wait for the law. Go to your phone’s privacy settings right now and set everything to the most restrictive option. On iPhone: Settings → Privacy & Security. On Android: Settings → Privacy.
  • Turn off ad personalization. On iPhone: Settings → Privacy → Apple Advertising → turn off Personalized Ads. On Android: Settings → Privacy → Ads → Delete advertising ID.
  • Disable app tracking. On iPhone: Settings → Privacy → Tracking → turn off “Allow Apps to Request to Track.”
  • Check your TV. Samsung, LG, Vizio, and most smart TV brands have content recognition settings buried in their menus. Find them. Turn them off.
  • If you’re in California: Contact your state senator. AB 2561 is in the Senate now. Tell them you support privacy by default. A 77-0 Assembly vote means the momentum is there.

The Bottom Line

For 20 years, the tech industry has relied on one trick: bury the privacy setting and bet that you won’t find it. AB 2561 calls that bet.

If it passes the Senate and gets signed into law, every app on your phone would ship locked down. You’d choose what to share, not what to hide. The ad tech industry would have to ask for your data instead of taking it.

Seventy-seven California Assembly members voted yes. Zero voted no. The Senate is next.

Previously: California Launches Data Broker Strike Force | GM Hit With $12 Million California Privacy Penalty for Selling Driver Data

References

  1. California Legislature: AB-2561 Operating systems and applications: privacy settings (full bill text)
  2. California Legislature: AB-2561 bill status and vote history
  3. State of Surveillance: California Launches Data Broker Strike Force
  4. State of Surveillance: GM Hit With $12 Million California Privacy Penalty