California Opt Me Out Act Signed into Law

By Cameron Cantrell

On October 8, 2025, California’s Governor Newsom signed AB 566—the California Opt Me Out Act—into law. The California Opt Me Out Act, using the same definitions as the CCPA, requires any business that develops or maintains an internet browser to build in an opt-out preference signal (“OOPS”) functionality. The law takes effect on January 1, 2027.

CCPA Currently Requires Businesses to Recognize OOPS for Opt-Out Rights

California has not previously required browsers to send OOPS, but since January 2025, it has required businesses to recognize and honor certain OOPS, including the Global Privacy Control (“GPC”), as indicating a valid exercise of consumers’ rights to opt out of sale and sharing of personal information and to limit use of sensitive personal information.

CCPA regulations lay out the technical specifications for OOPS that businesses must recognize, as well as related requirements such as how businesses must prioritize choices via OOPS over business-specific settings and notify consumers of OOPS recognition.

The enactment of the California Opt Me Out Act comes on the heels of a joint enforcement sweep by California’s Privacy Protection Agency (“CPPA”) and Attorneys General of California, Colorado, and Connecticut investigating potential failure of numerous businesses to honor OOPS and universal opt-out mechanisms through recognition of GPC signals set by consumers.

Requirements Under the California Opt Me Out Act

The law does not require internet browser businesses to have OOPS functionality on by default. Instead, the law only requires that their browsers allow consumers to send OOPS to businesses the consumer interacts with through that browser. Such businesses must also make clear to a consumer how the opt-out preference signal works and the intended effect of the opt-out preference signal.

Compliance Limited to Businesses Developing or Maintaining Browsers

The Opt Me Out Act only applies to CCPA “businesses” that develop or maintain an internet browser, and it did not amend the thresholds for what constitutes a CCPA “business.” If your organization develops or maintains internet browsers but is not a CCPA “business,” or if your organization is a CCPA “business” but does not develop or maintain internet browsers, then the Opt Me Out Act will not apply.

Impact on Other Businesses

If your organization is not directly in-scope, but you are a website owner or advertiser, you should note that the Opt Me Out Act may require you to recognize OOPS from a larger number of internet browser companies. While many are aware of the top internet browsers, there are hundreds of browsers that may fall under the CCPA thresholds for its definition of a “business.” The law’s disclosure requirements instructing consumers how to turn on OOPS, combined with more browsers implementing OOPS, may also result in a larger number of consumers enabling OOPS.

The Opt Me Out Act also prevents businesses from shifting any CCPA OOPS liability to these internet browser providers. Each business remains responsible for complying with its existing OOPS obligations.

Further CPPA Regulations, and Impact on Other States’ OOPS Requirements, Are Likely

CPPA is authorized to adopt implementing regulations under the Opt Me Out Act, and historically CPPA has implemented regulations under such grants of authority for the other privacy laws it is charged with enforcing. With only the data broker deletion mechanism rulemaking underway and now near final, it’s likely CPPA will have bandwidth to execute regulations for how businesses developing or maintaining internet browsers must integrate OOPS functionalities.

Browser requirements may also be the start of a trend of similar laws across the 20+ states with comprehensive privacy laws. The same day that the Opt Me Out Act was signed into law, CPPA announced that the Consortium of Privacy Regulators was joined by Minnesota and New Hampshire, bringing their ranks to ten member-states. With almost all of these 20+ states mandating at least some level of OOPS recognition, other Consortium members may follow suit and attempt to pass similar browser-directed laws in the next legislative session.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on global privacy, data security, and AI law. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law.

Cameron Cantrell is an Associate at Hintze Law PLLC, counseling companies on global data protection issues, including health (consumer, biotech, genetics), business (CCPA, GDPR), and areas of ongoing federal regulation (HIPAA, GLBA, the DOJ Cross-Border Data Transfers Rule, human subject research).