California’s “Opt Me Out Act” Makes Browser-Based Opt-Out a Baseline: Implications for Businesses, Consumers, and Privacy Tech


On October 8, 2025, California enacted the “Opt Me Out Act” (AB 566), the first U.S. law requiring web browsers that operate in California to ship an easy-to-find, built-in setting allowing users to send a universal opt-out preference signal (often implemented via Global Privacy Control, or “GPC”). When enabled, the browser signal instructs websites not to sell or share personal information, operationalizing California Consumer Privacy Act (CCPA/CPRA) opt-out rights at scale. The law authorizes the California Privacy Protection Agency (CPPA) to adopt implementing regulations and takes effect January 1, 2027. This editorial explains what the law does (and does not) cover—especially the status of mobile browsers—how it interacts with existing universal opt-out regimes in states like Colorado and Connecticut, what it means for opt-out requests and DSAR workflows, and the practical pros and cons for businesses. Finally, it outlines why this shift is advantageous for enterprise privacy programs and how leading solutions such as CaptainCompliance.com can reduce risk and cost through automation.


About the California Opt Me Out Act

California has long recognized global/browser-level opt-out signals as a valid way to exercise statutory rights, but compliance previously relied on voluntary support by niche browsers or extensions (e.g., Brave, DuckDuckGo), coupled with businesses’ duty to honor recognized signals. AB 566 changes the game by mandating that browsers themselves include a native, consumer-configurable opt-out setting: a one-click control that radically lowers friction for users and increases the volume and consistency of machine-readable opt-out instructions that businesses must process.

What Exactly Did California Pass?

Scope and Core Requirement

AB 566, the California Opt Me Out Act, requires any browser operating in California to offer an easy-to-use setting that enables a consumer to send an opt-out preference signal to websites they visit. When enabled, the signal instructs sites not to “sell” or “share” personal information, aligning the technology with statutory rights under the CCPA/CPRA.

Effective Date and Regulatory Authority

The statute takes effect January 1, 2027, and expressly empowers the CPPA to adopt regulations necessary to implement and administer the law, indicating that technical specifications and enforcement contours will be clarified before go-live. Captain Compliance can automate the compliance requirements for those who want to make sure that their clients or their own business is on track with these new requirements (book a demo or call above).

Clarifying the Bill Number (AB 566 vs. “AB 556”)

Some legal updates misreported the bill number as “AB 556.” The enacted law is AB 566 (Lowenthal), as confirmed by the Governor’s announcement and the CPPA’s publication.

Are Mobile Browsers Excluded in the California Opt Out Law?

Mobile Operating Systems Were Dropped, but Mobile Browsers Are In

Earlier discussions included possible obligations on mobile operating systems, but the final enrolled text focuses on browsers. Practically, that means mobile browsers (e.g., Safari on iOS, Chrome on Android) fall within scope when they operate in California, whereas iOS or Android as operating systems are not directly mandated by AB 566.

What Does This Mean Outside California?

Legal Effect for Non-California Residents

AB 566 is a browser requirement that applies where a browser operates in California. It does not, by itself, create new opt-out rights for non-California residents. Whether a business must honor a given browser signal for a user outside California continues to depend on which state law applies to that user and the controller’s obligations under those laws. That said, browser vendors frequently ship features globally, which can normalize user expectations and encourage broader business compliance beyond California’s borders.

Interaction with Other State UOOM Regimes

Several states already require controllers to recognize a Universal Opt-Out Mechanism (UOOM). For example, Colorado and Connecticut both mandate honoring approved signals (including GPC) and recently joined California in a tri-state enforcement sweep focused on GPC/UOOM compliance, an effort that underscores how AB 566 complements, rather than replaces, controller duties.

Impact on Opt-Out Requests and DSARs

Opt-Out Flow Volume and Fidelity

Because the opt-out preference signal becomes a one-time browser toggle, businesses should anticipate higher volumes of machine-readable opt-out events. These are legally meaningful instructions under California law and several sister statutes, and systems must capture, propagate, and persist them across adtech, analytics, and downstream processing. Captain Compliance’s GPC-enabled consent management platform will resolve this.

DSAR Operational Considerations

A browser-level opt-out does not replace Data Subject Access Requests (DSARs); rather, it coexists with them. Expect spillover: once users suppress targeted advertising or data “sales/shares,” many will file additional access, deletion, or correction requests. California is also launching a state-run data-broker deletion portal in January 2026, further raising consumer expectations about visibility and control. As companies like Privacy Hawk grow, expect to start receiving thousands of requests a month in your inbox, and soon you’ll start seeing private right of action lawsuits over non-responses. The solution, of course, is our data subject request automation platform.

Reconciling Conflicts and Persistence

Controllers should implement a preference hierarchy to reconcile collisions (e.g., banner consent vs. an active GPC signal). Emerging state guidance and enforcement sweeps have emphasized that universal signals generally must be honored unless the consumer later gives a clear, unambiguous, revocable opt-in that post-dates the UOOM; engineering teams should log timestamps and provenance and default to the privacy-protective outcome when ambiguity exists.
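
One way to implement the preference hierarchy described above, as an added example (not code from Captain Compliance or any other vendor). The event shape, field names, and `gpcFirstSeenAt` are assumptions made for illustration; `Sec-GPC: 1` is the request header defined by the GPC specification.

```javascript
// Added example. Event shape and field names are assumptions, not a vendor API.

// The GPC specification carries the signal as the request header "Sec-GPC: 1".
function gpcActive(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Decide whether the user is opted out of sale/share, and return the
// provenance (reason + deciding record) that belongs in the audit log.
function reconcile({ headers, gpcFirstSeenAt, bannerEvents }) {
  const events = bannerEvents.map((e) => ({ ...e, t: Date.parse(e.at) }));
  const badTime = events.some((e) => Number.isNaN(e.t)); // unparseable = ambiguous
  events.sort((a, b) => a.t - b.t);
  const latest = events[events.length - 1]; // most recent banner choice, if any

  if (!gpcActive(headers)) {
    if (badTime) return { optedOut: true, reason: "ambiguous-timestamp", basis: null };
    if (!latest) return { optedOut: false, reason: "no-preference-recorded", basis: null };
    return { optedOut: latest.type !== "opt_in", reason: "banner-choice", basis: latest.id };
  }

  // GPC is active: only an explicit opt-in recorded strictly after the signal
  // was first observed can override it. A later opt_out event revokes that opt-in.
  const gpcT = Date.parse(gpcFirstSeenAt);
  const overrides =
    !badTime && !Number.isNaN(gpcT) && latest !== undefined &&
    latest.type === "opt_in" && latest.explicit === true && latest.t > gpcT;
  if (overrides) {
    return { optedOut: false, reason: "opt-in-post-dates-gpc", basis: latest.id };
  }
  const ambiguous = badTime || Number.isNaN(gpcT);
  return { optedOut: true, reason: ambiguous ? "gpc-honored-ambiguous" : "gpc-honored", basis: "Sec-GPC" };
}

// Constructed sample: the banner opt-in predates the first observed GPC signal,
// so the universal signal governs.
const sample = reconcile({
  headers: { "Sec-GPC": "1" },
  gpcFirstSeenAt: "2027-03-02T10:00:00Z",
  bannerEvents: [{ id: "evt-1", type: "opt_in", explicit: true, at: "2027-03-01T09:00:00Z" }],
});
console.log(sample);
```

Persist the returned `reason` and `basis` with the decision so that an auditor can see which record governed each outcome.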

Book a demo with one of our data privacy experts, who can help with all the different California privacy compliance requirements. We also offer free integration into your systems.
