California enacts first-in-the-nation browser opt-out requirements
On October 8, 2025, California Governor Gavin Newsom signed AB 566, the California Opt Me Out Act. The Opt Me Out Act amends the California Consumer Privacy Act (“CCPA”) to require browsers to offer functionality that automatically communicates a consumer’s privacy preferences to websites through an opt-out preference signal. The Opt Me Out Act was sponsored by the California Privacy Protection Agency (“CPPA”) and will take effect on January 1, 2027.
Key Definitions
As an amendment to the CCPA, the Opt Me Out Act relies on several key terms from the CCPA, including personal information, sale, and share.
- “Personal Information” is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (Cal. Civ. Code § 1798.140(v)(1)). Personal Information includes, but is not limited to, identifiers such as real names, aliases, unique personal identifiers, IP addresses, email addresses, or other similar identifiers; biometric information; browsing history, search history, and information regarding a consumer’s interaction with an internet website application or advertisement; geolocation data; and sensitive personal information.
- “Sale” is defined as “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.” (Cal. Civ. Code § 1798.140(ad)(1)).
- “Share” is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.” (Cal. Civ. Code § 1798.140(ah)(1)).
Current Requirements
Currently, under the CCPA and its regulations, the obligation to honor consumer opt-out signals falls on each individual website. California regulations currently require businesses to honor opt-out preference signals, providing consumers with a method to automatically exercise their right to opt out of sales or shares. Additional regulations require businesses to honor signals such as those provided by the Global Privacy Control (“GPC”).
The California Attorney General has been active in enforcing the CCPA’s requirements, beginning with a 2022 enforcement action against Sephora for failure to disclose the sale and sharing of personal information and failure to process user requests to opt out of sale. The CPPA also has enforcement authority and has levied multimillion-dollar fines for failure to provide effective mechanisms to opt out, including most recently a $1.35 million fine against Tractor Supply Company in September 2025.
Under the Opt Me Out Act, browsers will be required to offer the functionality that sends an opt-out preference signal on the consumer’s behalf. Making these choices at the browser level will provide consumers with easier access to tools to signal their privacy preferences. Gov. Newsom vetoed a similar bill in 2024, expressing concern that the 2024 version of the bill would place requirements on mobile operating systems that were not technically feasible.
Compliance Best Practices
While California is the first state requiring browsers to provide this kind of functionality, additional state privacy laws in Connecticut, New Hampshire, Montana, Nebraska, New Jersey, Minnesota, Maryland, Delaware, Oregon, and Texas all require or will soon require businesses to recognize and honor opt-out preference signals like GPC. Some key compliance best practices include:
- It is important for businesses that sell or share consumer personal information to ensure they have the capability of recognizing these signals. States such as California and Colorado already require businesses to honor GPC signals.
- Disclosures and privacy policies should be updated to reflect these consumer rights and provide the functionalities required by law. While these rights do not apply nationwide, 19 states have passed comprehensive privacy laws as of October 2025. A comprehensive compliance program must address compliance in all 19 states.
- Businesses should regularly test the functionality of these opt-outs to ensure consumer choices are being honored. State regulators are enforcing these provisions. Additionally, organizations like the Better Business Bureau assess opt-out functionality.
If you have questions about your company’s compliance with privacy regulations, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.