Governor Gavin Newsom recently signed Assembly Bill 566, also known as the California Opt Me Out Act, into law. This legislation marks a significant shift in how consumers exercise their privacy rights online under the California Consumer Privacy Act (CCPA), and it’s one that businesses should start preparing for now.
What Does AB 566 Do?
Effective January 1, 2027, AB 566 amends the CCPA to require that web browsers include a built-in opt-out preference signal. This signal allows users to opt out of the sale or sharing of their personal data for targeted advertising – automatically and universally – without having to navigate individual site settings.
This is a major shift from the current landscape, where only a handful of browsers or browser extensions support opt-out preference signal standards like Global Privacy Control (GPC). Once AB 566 takes effect, every major browser, including Chrome, Safari, and Edge will need to offer this functionality. While the signal doesn’t need to be turned on by default, it must be available to users. When activated, it sends a clear message to every website visited: Do not sell or share my personal information.
Why Businesses Should Pay Attention
If your business is subject to the CCPA or similar state privacy laws, you’re likely already required to honor opt-out signals. But with AB 566, the volume of these signals is expected to surge. As browser support becomes universal, consumers will be able to opt out with a single click—making privacy rights easier to exercise and harder to ignore.
This will likely have a direct impact on digital marketing strategies, particularly those relying on retargeting and behavioral advertising. The new law could trigger a flood of opt-out requests that businesses must be equipped to process.
Key Considerations for Implementation
- Technical Readiness: Businesses should assess whether their current systems can automatically detect and respond to opt-out signals. If not, now is the time to invest in scalable solutions.
- Signal Standardization: While AB 566 doesn’t mandate a specific opt-out mechanism, alignment around standards like GPC could help reduce confusion and ensure consistent compliance.
- Consumer Education: The law requires browsers to inform users how the opt-out signal works. Businesses may also want to proactively educate users on what opting out means for their data and experience.
- Mobile Browsers: The law doesn’t explicitly address mobile environments, but its definition of “browser” may include mobile web browsers and embedded app browsers. Expect further guidance from regulators.
What Comes Next?
The California Privacy Protection Agency (CPPA) is authorized to issue regulations to support AB 566’s implementation. Businesses should monitor these developments closely, especially regarding how opt-out signals will be configured and whether they’ll be turned on by default.
If your organization hasn’t yet built robust systems to ingest and honor browser-based opt-out signals, the clock is ticking. With less than 15 months until AB 566 takes effect, now is the time to future-proof your privacy infrastructure.
As always, if you need help navigating this evolving regulatory landscape, we’re here to help.
