How the California Opt Me Out Act (AB 566) Will Impact the AdTech Ecosystem

Governor Newsom has signed into law AB 566, also known as the California Opt Me Out Act. This law significantly alters the landscape of how consumers will communicate their privacy preferences under the California Consumer Privacy Act (CCPA), and while the law primarily places new obligations on browser developers, it will have a profound practical impact on businesses that operate internet websites and rely on cookies, pixels and similar technologies as part of their marketing strategy.

Put simply, the law mandates that browsers must include functionality allowing consumers to configure an “opt-out preference signal”. The CCPA already obligates website operators to recognize opt-out signals, but prior to this law, browser developers were not previously legally obligated to build this functionality into their browsers. Therefore, businesses need to continue to take the compliance steps to recognize opt-out signals and be prepared for a significant uptick in those requests as opt out signals become available on all browsers.

What Website Operators Need to Know

1. Standardized and Pervasive Opt-Out Signals: The central function of the new browser requirement is to enable the browser to send an opt-out preference signal to businesses with which the consumer interacts through the browser and to make sure this functionality is available on all browsers. This means that by January 1, 2027, the likelihood of receiving an automated, standardized opt-out signal will increase dramatically.
2. The Signal’s Required Effect: The "opt-out preference signal" is specifically defined as a signal that complies with the CCPA and communicates the consumer’s choice to opt out of the sale and sharing of the consumer’s personal information. Since the CCPA grants consumers the right to direct a business that sells or shares personal information not to do so, receiving businesses must be prepared to automatically recognize and honor these signals by stopping the sale or sharing of that consumer's personal information. Note that under the CCPA, “share” is defined as the disclosure of personal information for cross-contextual (e.g., targeted) advertising. 
3. Reinforced Compliance Requirement: The purpose of the Opt Me Out Act is to further the intent of the CCPA. The California Privacy Protection Agency (CPPA), which has been laser-focused on cookie compliance is explicitly authorized to adopt regulations as necessary to implement and administer the law. This regulatory authority confirms that the CPPA will oversee how browser developers integrate the signal, and how businesses receive and process the newly mandatory browser signals.
4. Safe Harbor for Browser Developers: The law includes an important provision: a business that develops or maintains a compliant browser shall not be liable for a violation of the CCPA by a separate business that receives the opt-out preference signal. This immunity provision underscores that the burden of honoring the signal remains squarely on the website operator.

Next Steps for Website Operators 

While the technical burden of generating the signal falls on browsers, the legal compliance burden of recognizing and processing it falls on website operators.  Most websites use adtech cookies for analytics, personalization, and advertising, which makes this requirement broadly applicable. If your business uses cookies or similar technologies in connection with your website(s), we recommend taking the following steps well ahead of the January 1, 2027 operative date:

1. Audit Current Capabilities: Assess whether your current systems (whether built in-house or vendor-provided, as is more often the case) for managing cookie preferences and processing opt-out signals (e.g., Global Privacy Controls or GPCs) are equipped to automatically recognize and respond to a mandatory, standardized opt-out preference signal.
2. Prepare for Regulatory Clarity: Closely monitor communications from the CPPA regarding anticipated regulations. These regulations will provide necessary details on the technical specifications businesses must follow to properly receive and honor the "opt-out preference signal".
3. Operationalize Opt-outs: Ensure that internal mechanisms are in place to cease the "sale and sharing" of personal information whenever a valid opt-out preference signal is received.