The California “Opt Me Out Act” (AB 566): Preparing Your Business for Browser-Level Opt-Outs

Rikka Law blog post illustration: The California “Opt Me Out Act” (AB 566): Preparing your Business for Browser-level...
Headshot photo of Charlyn Ho, CEO Rikka Law Group | Co-Founder Enzio.ai at Rikka Law
Charlyn Ho
CEO Rikka Law Group | Co-Founder Enzio.ai
October 28, 2025·Insights

California has once again set the pace for digital privacy regulation with the signing of AB 566, the California Opt Me Out Act (the “Act”), on October 8, 2025. The California Privacy Protection Agency (CPPA) sponsored the Act stating that it closes a major gap in privacy protections. The Act amends the California Consumer Privacy Act (CCPA) and makes it easier for state residents to exercise their right to opt out of the sale or sharing of their browsing data. Specifically, any company that develops or maintains a consumer web browser in California must include a user-configurable setting that allows a browser user to send an “opt-out preference signal” to all websites they visit. The idea: instead of a consumer having to opt-out of data sales or sharing on each website individually, the browser can send a universal signal.

The browser developer must also clearly disclose how that setting works and what it is intended to do. And if the browser implements the function correctly, the browser maker is shielded from liability for downstream non-compliance by websites that ignore the signal. AB 566 doesn’t change the core opt-out right; it changes the mechanism by which consumers express it. The law takes effect on January 1, 2027, giving companies just over a year to prepare

Why This Matters for Ad Tech

For the ad-tech industry this law is significant not just because it adds another layer of privacy regulation, but because it shifts how control is exercised in the digital ecosystem, from individual opt-out links on each site, to a browser-level switch that sends a universal signal.

Some practical implications include:

  1. Volume of opt-outs may increase
    When consumers can exercise privacy choices through a single, easy-to-find browser switch, more of them are likely to use it. While only a few browsers, (such as Firefox, DuckDuckGo, and Brave) and certain privacy extensions currently support the opt-out preference signal, the Act will expand that capability across the ecosystem. The game-changer is scale: once the opt-out becomes a one-time browser toggle, businesses should expect a significant increase in machine-readable opt-out events.
  2. Integration and detection readiness
    If a browser sends an opt-out preference signal, your systems must: (a) recognize the signal; (b) route it appropriately in your stack; (c) stop selling/sharing or using personal information for targeting in line with the signal. So, you’ll need to audit detection logic, vendor contracts, and downstream flows. Even though AB 566 is specific to browser developers, the business receiving the signal must still honor the opt out request as required under the CCPA.
  3. Vendor ecosystem and contracts would shift
    If your business works with data brokers, ad networks, or analytics providers, every partner in that chain needs to be ready for signal-driven opt-outs. Start by updating contracts to explicitly require that vendors honor these signals or pass those signals down, as applicable. Then recognize that vendor certifications and audits will become critical. Even if you handle opt-outs perfectly, a single partner that fails to recognize the signal or misprocesses the request creates downstream liability for your business.
  4. Opportunity for compliance and trust-building
    Rather than viewing this purely as a cost, companies that move early can turn this into a market differentiator: “we honor universal opt-out signals, we respect consumer privacy at scale, our data flows are signal-aware.” That builds trust with consumers and regulators.

What Your Roadmap Should Look Like:

  1. Map your data flows:
    Identify where personal information is sold/shared, used for cross-context behavioral advertising, or otherwise processed where an opt-out signal could affect you.
  2. Update detection logic:
    Ensure your platform can recognize browser-level signals (e.g., signals aligned with Global Privacy Control (GPC)) and act accordingly. The good news is that technical infrastructure exists to support this. Major Consent Management Platforms (CMPs), including OneTrust, SourcePoint, and Osano, offer GPC support, though proper configuration and testing would still be necessary.
  3. Vendor/partner audit:
    Review contracts with supply-chain partners (data providers, ad-networks, analytics companies, consent management tools) to ensure they are signal-aware, commit to honoring opt-out signals, and provide you with the visibility/assurance you need.
  4. Update consumer-facing disclosures:
    Your privacy policy, cookie policy, and targeting opt-out links need to include language around how you honor browser-level opt-out signals, what happens when you receive them, and how a user can confirm.
  5. Monitor regulation and guidance:
    The CPPA is authorized to adopt regulations implementing AB 566. Stay current on technical specs and what the signal format will be.

Final Thoughts

Focus on building robust detection and response systems now, creating an internal data map, checking vendor documentation, and, perhaps most importantly, clearly understanding the exact practices that these opt-outs apply to in your business. You should regularly test the functionality of these opt outs to ensure consumer choices are being honored.

At Rikka, we help clients stay ahead of regulatory and market shifts like this one. If your organization needs guidance on implementing opt-out signal compliance or adapting your contracts, privacy policy and technology stack, we’re here to help you navigate these changes with clarity and confidence.