| Update Applicable to: | Effective Date |
| --- | --- |
| Browser Developers and Businesses Operating Websites Accessed by California Consumers to Honor Opt-Out Signals | January 1, 2027 |
What happened?
On October 8, 2025, Governor Gavin Newsom signed Assembly Bill (AB) 566, creating the California Opt Me Out Act.
AB 566 amends the California Consumer Privacy Act (CCPA) to require browser developers (e.g., Google, Microsoft) to provide consumers with a simple way to stop the sale or sharing of their personal information.
Overview:
This law simplifies privacy controls for consumers and reduces compliance risks for businesses by standardizing opt-out signals at the browser level. Enforcement by the California Privacy Protection Agency (CPPA) may include fines of up to $7,500 per violation.
Summary of Provisions
- Definitions (Section 1798.136(e)):
  - Web Browser: Software used to access and navigate websites.
  - Opt-Out Preference Signal: A technical signal that communicates a consumer’s choice to block sale or sharing of personal data.
- Universal Opt-Out (Section 1798.136(a)(1)-(2)): By January 1, 2027, any business that develops or maintains a browser must include an easy-to-find setting allowing users to send an opt-out preference signal (OOPS) to all websites they visit.
- Transparency (Section 1798.136(b)): Browser providers must clearly disclose how the opt-out signal works and its intended effect.
- Regulatory Authority (Section 1798.136(c)): The California Privacy Protection Agency (CPPA) may issue regulations to implement and enforce these requirements.
- Effective Date (Section 1798.136(f)): The law becomes operative January 1, 2027.
- Liability Shield (Section 1798.136(d)): Browsers that comply with the law are not liable if websites fail to honor the signal.
What do employers have to do?
Beginning January 1, 2027, businesses that collect or process personal data from California residents must detect and honor browser-based opt-out preference signals (OOPS). Failures to honor the signal could include:
- Ignoring the Signal Entirely
  - Not recognizing or processing the opt-out signal sent by the browser.
  - Continuing to sell or share personal information despite receiving the signal.
- Partial or Incomplete Compliance
  - Detecting the signal but failing to stop all forms of data sale or sharing.
  - Applying the opt-out only to certain data types or channels (e.g., excluding third-party ad networks).
- Technical Failures
  - Misconfigured systems that fail to route or act on the signal.
  - Inadequate integration with consent management platforms or data flow systems.
- Lack of Transparency or Misleading Disclosures
  - Not updating your privacy policy to reflect how you handle opt-out signals.
  - Failing to inform users that their opt-out preferences are being respected.
- Vendor Non-Compliance
  - Using third-party vendors who continue to process or share data despite receiving the opt-out signal.
  - Not updating contracts to require vendors to honor OOPS.
How to Comply?
To stay compliant and avoid enforcement actions from the California Privacy Protection Agency (CPPA):
1. Audit Your Data Flows
   - Identify all points where personal data is collected, processed, shared, or sold.
   - Map how data moves through your systems and third-party services.
2. Implement Signal Detection
   - Ensure your website and backend systems can detect browser-based opt-out signals (e.g., Global Privacy Control).
   - Use tools or middleware that can interpret and act on these signals.
3. Review and Update Vendor Contracts
   - Require vendors to honor opt-out signals.
   - Include compliance clauses and audit rights in contracts.
4. Update Your Privacy Policy
   - Clearly explain how you detect and respond to opt-out signals.
   - Include information about user rights and how they can verify their preferences are respected.
This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.