CA’s New Web Privacy: Opt-Out Now

A New Era of Digital Privacy in California

California residents are about to gain unprecedented control over their digital privacy, thanks to the signing of two groundbreaking privacy laws—SB 361 and AB 566. Governor Gavin Newsom approved these measures in October 2025, setting the stage for what experts are calling the most consumer-friendly privacy legislation in the United States. The new laws significantly expand upon the existing California Consumer Privacy Act (CCPA), offering residents a simpler and more comprehensive way to protect their personal data.

Starting January 1, 2027, Californians will be able to opt out of extensive data collection with just a few clicks, thanks to a universal browser-based system that will apply to all websites. This represents a major leap forward from the often tedious and confusing opt-out processes that currently plague internet users.

How the New Privacy System Works

The California Opt Me Out Act (AB 566)

AB 566, also known as the California Opt Me Out Act, introduces a revolutionary approach to privacy protection by requiring all web browsers to include a built-in setting that sends opt-out preference signals (OOPS) to websites. This technical mechanism will allow users to automatically communicate their privacy preferences to every website they visit, rather than having to navigate individual privacy settings on each site.

“This groundbreaking bill, sponsored by the CPPA, requires browsers to support opt-out preference signals (OOPS), making it significantly easier for Californians to exercise their individual privacy rights,” noted privacy advocate Robin Berjon in a recent LinkedIn post.

The law specifically targets third-party data sales, which have become a cornerstone of the modern digital advertising ecosystem. With the new system, users will be able to block the sale or sharing of their personal data with a single browser setting, according to Undercode News, which called the law a “paradigm shift in digital privacy.”

Strengthening Data Broker Oversight (SB 361)

SB 361 focuses on enhancing transparency and oversight of data brokers—companies that collect personal information from various sources and sell it to other businesses. The law expands upon California’s existing Data Broker Registration Law (also known as the Delete Act) by requiring data brokers to provide more detailed information about what personal data they collect and who has access to it.

This enhanced transparency will give Californians better insight into how their personal information is being collected and shared, allowing them to make more informed decisions about their digital privacy.

Building on California’s Privacy Legacy

California has long been at the forefront of consumer privacy protection in the United States. The state’s original CCPA, which took effect in 2020, was the first comprehensive privacy law in the country and served as a model for similar legislation in other states and countries. However, as Lucas Ropek noted in Gizmodo, the practical implementation of the CCPA left something to be desired, with “loopholes in the law creat[ing] a situation in which every single time a web user visits a website, they are forced to go through the annoying process of selecting their privacy preferences.”

The new laws address these shortcomings by creating more user-friendly mechanisms for exercising privacy rights. While the CCPA gave consumers the right to request deletion of their data and to know what information companies had collected about them, the new legislation focuses on making the opt-out process more seamless and effective.

Enforcement by the California Privacy Protection Agency

The California Privacy Protection Agency (CPPA) will be responsible for enforcing the new privacy requirements. Created as part of the CCPA in 2020, the CPPA has already demonstrated its commitment to protecting consumer privacy with significant enforcement actions, including a record $1.35 million fine against Tractor Supply Company for alleged CCPA violations.

As noted by the law firm Foley & Lardner LLP, AB 566 “adds a section to the California Privacy Protection Agency (CCPA) to include functionality that allows the browser to send the opt-out preference signal. [It requires] browsers to make the functionality easy to use and configure.”

The agency’s expanded authority under the new laws will allow it to ensure that both browser vendors and websites comply with the opt-out requirements, setting a precedent that other states and potentially the federal government may follow.

Industry Reactions and Technical Challenges

Not surprisingly, the new privacy requirements have drawn mixed reactions from industry stakeholders. The California Chamber of Commerce has opposed AB 566, arguing that it represents an “onerous mandate” that lacks clarity, regulates browsers that aren’t “consumer-facing,” and is hard to implement.

In a detailed analysis published by The Business Journal, it was revealed that Google had organized behind-the-scenes opposition to the privacy proposal, coordinating with various business groups to express concerns about the legislation. The tech giant reportedly argued that the measure lacked technical feasibility and would create confusion for consumers.

However, privacy advocates and consumer groups have largely praised the new laws. The Center for Democracy & Technology (CDT) applauded the signing of AB 566, stating that it “empowers Californians to exercise their existing privacy rights through their browsers.”

Some privacy-focused browsers like DuckDuckGo, Brave, and Firefox already include similar privacy features, suggesting that the technical implementation is feasible. However, the law will require all browsers—including major platforms like Chrome and Safari—to implement these opt-out signals, potentially creating a more uniform privacy experience across the web.

Implications for Consumers and Businesses

For California residents, the new laws promise to dramatically simplify the process of protecting their digital privacy. Instead of having to navigate complex privacy settings on dozens of websites, users will be able to set their preferences once in their browser and have those preferences automatically communicated to every website they visit.

The impact on businesses, particularly those in the digital advertising industry, could be significant. Many companies rely on the collection and sale of personal data to fund their services, and the widespread adoption of opt-out preference signals could reduce the amount of data available for targeted advertising.

However, as Malwarebytes noted, the laws are designed to give users “real control over their personal data” without completely dismantling the digital economy. The focus is specifically on third-party data sales rather than first-party data collection, meaning that companies will still be able to collect data directly from users who engage with their services.

Looking Ahead

As California once again leads the nation in privacy protection, other states are likely to follow. Already, several other states have enacted or are considering similar privacy legislation, and the success of California’s approach could accelerate this trend.

The January 1, 2027 implementation date gives browser vendors and website operators time to adapt their systems to comply with the new requirements. However, given the technical complexity of implementing opt-out preference signals across diverse browser platforms, some companies may face challenges in meeting the deadline.

California’s continued leadership in privacy protection reflects the state’s broader role as a trendsetter in technology policy. As digital privacy becomes an increasingly important concern for consumers nationwide, the Golden State’s experiment with universal opt-out mechanisms may provide a model for future privacy legislation at both the state and federal levels.

For now, California residents can look forward to having unprecedented control over their digital privacy—just in time for the 2027 browsing season.

Sources

• Gizmodo: California Lets Residents Opt-Out of a Ton of Data Collection on the Web
• Foley & Lardner LLP: California Governor Newsom Signs Browser Opt-out Signal Bill
• Captain Compliance: California Opt Me Out Act (AB 566) Law
• The Business Journal: How Google organized opposition to a California privacy proposal
• Malwarebytes: California just put people back in control of their data
• Undercode News: California’s 2025 Privacy and AI Laws Are Here