A version of the following public comment was submitted to members of the California General Assembly on March 26, 2026.
We share the sponsor’s goal of empowering users to control and delete their data, and we acknowledge that there is a strong market incentive for services to interoperate across platforms. However, Assembly Bill 2169 (AB 2169), in its current form, would require interoperability even if it puts users’ privacy and security at risk.
When user data is transferred to a third party, the originating platform can no longer protect it. AB 2169 would force companies to hand over user data regardless of the receiving party’s security practices. This would significantly undermine a company’s ability to safeguard user data. The bill does not restrict what a business can do with data it obtains through the interoperability interface. It requires only that businesses take “reasonable steps to meet platform integrity standards,” without specifying what those standards are or limiting how the data can be used.
The bill also applies to AI model operators and “contextual data,” which includes prompts, chat histories, uploaded files, preferences, and metadata. AB 2169 goes further than comparable bills by also sweeping in AI-generated inferences and derivative data, not just user-provided inputs. This information is often far more sensitive than typical social media exports and is more likely to contain third-party information. Opening third-party-accessible interoperability interfaces for this kind of data creates new opportunities for breaches and misuse.
The bill excludes data that other users have designated as private from interoperability transfers. But it still requires transmitting data about the user’s connections with other people, including those people’s reactions, comments, and shares on the user’s posts. Unlike comparable legislation, AB 2169 also does not allow platforms to set reasonable limits on the frequency or volume of interoperability requests, or to charge fees for access. Without any mechanism to limit this access, there is no check on abusive or excessive requests, which could be used for data scraping that overwhelms platform infrastructure.
We encourage this committee to rely on California’s existing portability framework rather than imposing an interoperability mandate. Civil Code § 1798.100(d) already ensures consumers can access and transmit their data to another entity. Requiring platforms to open their infrastructure to third parties goes further and shifts the risk onto users who have no relationship with those third parties and no ability to opt out.