AB 566: The First Law to Mandate Browser-Level Opt-Out

Governor Newsom signed AB 566, known as the California Opt Me Out Act, on 8 October 2025. The law amends the California Consumer Privacy Act (CCPA) and creates an obligation that no other jurisdiction has attempted: requiring web browsers themselves to include a built-in opt-out preference signal.

From 1 January 2027, every browser available to California residents must offer a simple, clearly described setting that sends an opt-out signal to every website the user visits. Websites that collect data from California residents must detect and honour that signal by stopping the sale or sharing of personal information.

The practical effect is significant. Today, only a handful of browsers and extensions support Global Privacy Control (GPC). Once AB 566 takes effect, Chrome, Safari, and Edge will all need to provide this functionality.

How AB 566 Works: Browsers Send, Websites Obey

The law creates two distinct obligations split between browser vendors and website operators.

Browser vendors must build an opt-out preference signal into their products. The setting must be easy to locate, clearly described in plain language, and simple to configure. The California Privacy Protection Agency (CPPA) will define the technical specification, which is widely expected to align with the existing GPC standard.

Website operators carry the compliance burden of recognising and processing the signal. If your site receives an opt-out preference signal from a visitor's browser, you must treat it as a valid request to stop selling or sharing that person's personal information. This applies to cross-context behavioural advertising and targeted advertising as well.

There is no opt-out of the opt-out. The signal is binding.

GPC Today vs AB 566 Tomorrow

Global Privacy Control already functions as a recognised opt-out mechanism in multiple US states. CCPA opt-out requirements already oblige businesses to honour GPC signals. The difference AB 566 makes is on the supply side: it forces browsers to offer the signal, rather than leaving it to privacy-focused browsers and third-party extensions.

Roughly 40 million consumers currently use browsers or extensions that support GPC. That number is expected to multiply several times over once Chrome alone adds native support. Google Chrome holds approximately 65% of the US browser market. When the opt-out toggle sits inside Chrome's settings menu, adoption will shift from privacy enthusiasts to mainstream users.

Factor | Before AB 566 (Current) | After AB 566 (January 2027)
Browsers with built-in opt-out signal | Firefox, Brave, DuckDuckGo | All major browsers (Chrome, Safari, Edge, Firefox, Brave)
Estimated users sending signal | ~40 million | Hundreds of millions (projected)
User action required | Install extension or switch browser | Toggle a setting in any browser
Legal basis for signal | CCPA regulations, state AG guidance | Statutory requirement under amended CCPA
Enforcement body | California AG, CPPA | CPPA (primary), California AG

Which Businesses Are Affected

AB 566 applies to every business already subject to the CCPA. If your website sells or shares personal information of California residents, you must honour opt-out preference signals. The CCPA thresholds remain unchanged: annual gross revenue over $25 million, buying or selling data of 100,000 or more consumers, or deriving 50% or more of revenue from selling personal information.

The shift is not in who must comply but in how many consumers will be sending the signal. A website that previously saw GPC signals from 2-5% of traffic could see that figure jump to 30-50% or higher, depending on how aggressively browsers promote the setting.

That change hits advertising-dependent businesses hardest. Retargeting, cross-site tracking, and behavioural advertising all depend on the sale or sharing of personal data that opt-out signals are designed to block.

Enforcement Is Already Happening

California regulators have not waited for AB 566 to start enforcing GPC compliance. In September 2025, the CPPA fined Tractor Supply $1.35 million for ignoring GPC signals sent by visitors' browsers. The CCPA penalties framework allows fines of up to $7,500 per intentional violation, and each ignored signal from each consumer can count as a separate violation.

A joint investigative sweep announced in 2025 by regulators in California, Colorado, and Connecticut specifically targeted businesses that fail to honour GPC. Colorado and Connecticut both require recognition of universal opt-out mechanisms, making GPC non-compliance a multi-state risk.

The Ripple Effect: Other States and Federal Pressure

By January 2026, twelve US states require businesses to recognise opt-out preference signals: California, Colorado, Connecticut, Montana, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Delaware, Oregon, and Texas. The growing patchwork of US state privacy laws means that honouring GPC is no longer a California-only concern.

AB 566 is unique because it targets browser vendors rather than just website operators. If Chrome, Safari, and Edge add opt-out toggles to satisfy California law, those features will be available to users everywhere. A browser vendor is unlikely to build separate versions for California residents. The practical result is that AB 566 sets a national - and potentially global - standard.

Federal privacy legislation has stalled repeatedly, but widespread browser-level opt-out signals could reduce pressure for a federal solution or, conversely, build momentum for one.

Preparing Your Website Before January 2027

Start by checking whether your site already detects and honours GPC. The signal arrives as an HTTP header (Sec-GPC: 1) and a JavaScript property (navigator.globalPrivacyControl). If your site ignores both, you have work to do.

Your technical implementation of GPC should suppress the sale and sharing of personal information when the signal is present. That means blocking marketing pixels, disabling cross-site tracking cookies like _fbp and _gcl_au, and ensuring that your Google Consent Mode configuration reflects denied consent for ad storage and ad personalisation.

A practical checklist:

  • Detect Sec-GPC: 1 on the server side and navigator.globalPrivacyControl on the client side
  • Map the signal to your consent management platform so it triggers the same behaviour as a manual opt-out
  • Block marketing cookies and tracking scripts when the signal is active
  • Confirm that Google Analytics 4 falls back to cookieless measurement or consent mode modelling
  • Audit third-party scripts to ensure none continue sharing data after receiving the signal
  • Document your GPC handling process for regulatory enquiries
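
One way to tie the first three checklist items together on the server, as an added example that is not from the original article. The tag inventory is constructed, the names gpcOptedOut, cookieNames and planResponse are hypothetical, and headers is assumed to be a Node-style object with lowercased header names.

```javascript
// Added example, not the article's code. TAGS is constructed sample data.
const MARKETING_COOKIES = ['_fbp', '_gcl_au']; // cookies named in the article
const TAGS = [
  { id: 'meta-pixel', purpose: 'marketing' },
  { id: 'ads-remarketing', purpose: 'marketing' },
  { id: 'ga4', purpose: 'analytics' },
];

// Only the value "1" expresses the preference; anything else ("0", "true",
// an empty string) is treated as no signal. A repeated header arrives
// comma-joined or as an array, and one "1" is enough to opt out.
function gpcOptedOut(headers) {
  const raw = headers['sec-gpc'];
  if (raw === undefined) return false;
  return String(raw).split(',').some((v) => v.trim() === '1');
}

// Names of the cookies present on the request.
function cookieNames(headers) {
  return String(headers.cookie || '')
    .split(';')
    .map((c) => c.split('=')[0].trim())
    .filter(Boolean);
}

// storedChoice is the visitor's manual CMP choice: 'opt_out', 'opt_in' or undefined.
function planResponse(headers, storedChoice) {
  // The signal is binding, so it overrides an earlier manual opt-in.
  const optedOut = gpcOptedOut(headers) || storedChoice === 'opt_out';
  // CCPA is an opt-out regime: no signal and no choice leaves ads granted.
  const state = optedOut ? 'denied' : 'granted';
  const present = cookieNames(headers);
  return {
    optedOut,
    // Google Consent Mode keys that govern advertising.
    consent: { ad_storage: state, ad_user_data: state, ad_personalization: state },
    tags: TAGS.filter((t) => !(optedOut && t.purpose === 'marketing')).map((t) => t.id),
    // Expire marketing cookies already set. A cookie that was set with a
    // Domain attribute needs the same attribute here to be removed.
    setCookie: optedOut
      ? MARKETING_COOKIES.filter((n) => present.includes(n)).map((n) => `${n}=; Max-Age=0; Path=/`)
      : [],
    // Stops shared caches serving the tracked page variant to opted-out visitors.
    vary: 'Sec-GPC',
  };
}
```

The returned plan is what the page renderer and response writer would consume; on the client, navigator.globalPrivacyControl should lead to the same denied state before any tag loads.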

Impact on Consent Rates and Analytics

The most immediate business impact will be a sharp drop in the pool of users whose data can be sold or shared. If 40-60% of your California traffic starts sending an opt-out signal, your retargeting audiences shrink, your attribution models lose coverage, and your marketing ROI measurement becomes less precise.

This is not entirely new territory. European websites operating under GDPR have dealt with high opt-out rates for years. The strategies that work in Europe - server-side tagging, first-party data collection, and conversion modelling - will become equally relevant for California-focused campaigns.

Cookie consent banners do not disappear because of AB 566. The law addresses the sale and sharing of personal information, but GPC does not replace consent banners required under other frameworks. If your site serves visitors in the EU, you still need a GDPR-compliant opt-in banner. AB 566 adds a layer on top of existing requirements rather than replacing them.

Frequently Asked Questions

Does AB 566 require my website to support GPC by January 2027?

AB 566 requires browsers to include an opt-out preference signal. Your obligation as a website operator is to detect and honour that signal when it arrives. The CCPA already requires businesses to honour opt-out preference signals, so the practical effect is a massive increase in the volume of signals you will receive.

Will Chrome and Safari actually add opt-out signal support?

AB 566 makes it a legal requirement for any browser available to California residents. Google Chrome, Apple Safari, and Microsoft Edge will all need to include the functionality by 1 January 2027 or face enforcement action from the CPPA.

Can I still use targeted advertising if a visitor sends an opt-out signal?

You must stop selling or sharing that visitor's personal information for targeted advertising purposes. You can still show contextual ads that do not rely on personal data, and you can use first-party data for on-site personalisation that does not involve sharing with third parties.

Does AB 566 apply to businesses outside California?

AB 566 applies to any business subject to the CCPA, regardless of where the business is located. If you collect personal information from California residents and meet the CCPA thresholds, you must honour opt-out preference signals from those residents.

How is AB 566 different from existing GPC requirements?

Existing CCPA regulations already require businesses to honour GPC. AB 566 shifts the burden to browser vendors by requiring them to build the signal into their products. The result is dramatically higher adoption, which means more of your visitors will be sending the signal.

What happens if my website ignores the opt-out signal?

The CPPA can impose fines of up to $2,500 per unintentional violation and $7,500 per intentional violation. Each ignored signal from each consumer may count as a separate violation. California fined Tractor Supply $1.35 million in 2025 for failing to honour GPC signals.

Take Control of Your Cookie Compliance

AB 566 will send opt-out signals from millions of browsers that currently stay silent. Preparing now means fewer surprises in January 2027. Kukie.io can detect whether your site honours GPC signals, scan your cookies, and help you configure consent handling that respects both opt-out signals and opt-in requirements.
