How California’s New Browser Opt Out Law (AB 566) Will Change Privacy Compliance in 2027

California has once again taken the lead in shaping the future of digital privacy. Governor Gavin Newsom has signed new legislation, AB 566, also known as the California Opt Me Out Act, that will require browsers to include a built-in opt-out preference signal (OOPS), giving users the ability to automatically stop data sales and sharing directly from their browser.
This new requirement, which updates the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), goes into effect on January 1, 2027. It expands California’s privacy framework to include browser-level opt-out signals, redefining how consent and user preferences are handled online.
California’s Global Influence
Most browser companies operate out of California, but the state’s impact beyond that is substantial. If it were its own country, California’s economy would rank as the fifth largest in the world, behind only the United States, China, Germany, and Japan.
That scale means California’s privacy decisions reach far beyond its borders. Approximately one in every eight U.S. web visits originates from California. Any company with a digital presence that serves American traffic will now need to ensure compliance with this new browser opt-out requirement.
In practice, this means that millions of users will have the ability to express their privacy preferences once, at the browser level, and expect every website to honor them automatically.
What the New Law Requires
Beginning January 1, 2027, browsers serving California users will be required to include a built-in setting that lets consumers send an opt-out preference signal indicating they do not want their personal information sold or shared.
Websites that collect or process personal data from California residents will be legally obligated to detect and honor that signal.
The law also provides immunity from liability for developers and maintainers of browsers that include this functionality, meaning they are not responsible for violations committed by the businesses that receive the signal.
In practice, the obligation to comply will rest with the websites themselves.
The new requirement builds on the broader concept of a browser-based opt-out preference signal (similar in spirit to existing standards such as Global Privacy Control), but the exact technical specifications will be defined by the California Privacy Protection Agency (CPPA) through future rulemaking.
Why This Matters to Analytics, Marketing, and Privacy Teams
The implications of this change reach deep into how organizations manage their websites and data governance processes.
- New compliance responsibility
Businesses will need to ensure that their websites can accurately detect and honor valid opt-out preference signals sent from user browsers. This includes verifying that all relevant pages, tags, and cookies behave in accordance with user choices.
- The end of manual verification
Once browsers begin sending opt-out signals automatically, manual testing will no longer scale. Automated validation will become essential to confirm that user preferences are being correctly applied across digital properties.
- Greater enforcement risk
Because the law grants immunity to browser developers and maintainers, the responsibility for compliance will rest with the businesses receiving those signals. Companies that fail to honor user opt-out preferences may face enforcement action under the California Consumer Privacy Act (CCPA) as amended.
Why This Matters to ObservePoint Customers
ObservePoint helps organizations automate the testing and monitoring of their websites, including privacy compliance, cookie governance, and tag management.
This new California requirement highlights why those capabilities are increasingly critical. As browsers begin sending opt-out preference signals automatically, organizations will need to:
- Continuously verify that consent settings and cookie behaviors align with user preferences.
- Test and monitor website behavior from different geographic and regulatory contexts.
- Generate clear, auditable records demonstrating compliance with privacy requirements.
ObservePoint makes these processes scalable and repeatable. As privacy regulations evolve, automation will be key to maintaining consistent, verifiable compliance across complex digital ecosystems.
How to Prepare Today
- Audit your digital ecosystem
Identify every tag, cookie, and third-party technology running on your website.
- Test privacy behavior regularly
Simulate visits from California users and confirm that opt-out signals are being correctly detected and honored.
- Implement continuous monitoring
Treat privacy compliance as an ongoing process, not a one-time audit.
- Invest in automation and reporting
Use automated tools to ensure every browser and user scenario receives the correct privacy treatment.
The Bottom Line
California’s new browser-based opt-out requirement represents a major evolution in online privacy. It gives users more control, places new accountability on websites, and underscores the importance of automated compliance verification.
For organizations, this is both a challenge and an opportunity. By adopting strong data governance and automation practices now, companies can stay compliant, protect consumer trust, and operate confidently in a privacy-first future.
Frequently Asked Questions
What is California’s new browser opt-out law (AB 566)?
AB 566, also known as the Opt Me Out Act, is a 2025 amendment to the California Consumer Privacy Act (CCPA). It requires browsers that serve California users to include a setting that allows consumers to send an opt-out preference signal that tells websites not to sell or share their personal data.
When does the new requirement take effect?
The browser requirement in AB 566 takes effect on January 1, 2027. By that date, browsers must include the opt-out setting, and websites that collect data from California residents will need to detect and honor the signal.
What is an opt-out preference signal?
An opt-out preference signal is a browser or device setting that communicates a user’s choice to opt out of data sales or sharing. The California Privacy Protection Agency (CPPA) will define the technical standard, which is expected to function similarly to existing signals such as Global Privacy Control (GPC).
Who is responsible for compliance under AB 566?
Browser developers and maintainers are required to include the opt-out setting but are granted immunity from liability for violations committed by websites. The obligation to honor the signal and the potential penalties for noncompliance fall on the businesses that receive it. Enforcement authority rests with the California Privacy Protection Agency (CPPA), which was established under the California Privacy Rights Act (CPRA).