“OOPS”—California’s Privacy Laws Did It Again

McCarter & English, LLP

In a continuing effort to give consumers control of their personal data, California’s governor recently signed into law the California Opt Me Out Act (the Act). The Act will require businesses that develop or maintain browsers operating in California (for purposes of this alert, Developers) to include easy-to-use opt-out preference signal (OOPS) functionality. This will impact not only Developers, whom the Act governs, but also businesses that collect and process the personal data of California consumers and are subject to California’s omnibus consumer data privacy law, the California Consumer Privacy Act (CCPA).

OOPS functionality is not new. An OOPS is a signal that automatically tells the websites a consumer visits not to sell or “share” the consumer’s personal data (that is, to not disclose for cross-context behavioral advertising). The CCPA provides California consumers the right to opt out of the sale and sharing of their personal data by businesses subject to the CCPA and requires these businesses to honor the OOPS as a valid way to exercise that right. This requirement, too, is not new.

What is new is that Developers who wish to operate a browser in California will be required to include OOPS functionality. There previously was no such mandate—instead, the CCPA provides that covered businesses that collect and process personal data must recognize and honor an OOPS (such as the Global Privacy Control, or GPC) if a website visitor’s browser sends it. The problem, from the California regulators’ perspective, is that because OOPS functionality can be hard to find and difficult to configure, consumers may not know to use it.

Only a few browsers (like Firefox) include a setting to enable the GPC. Most—if they offer OOPS functionality at all—require users to install a plug-in or extension. According to the California Privacy Protection Agency (CPPA), under the current state of the law, “Californians who want to protect their data online must indicate this on every website they visit or rely on one of a handful of browsers that currently offer OOPS.” The CPPA further observes that “finding and enabling these signals has been difficult.” The Act is designed to make OOPS standard and easy to use for California consumers so they can more effectively exercise their right to opt out of the sale and sharing of their data.

Starting January 1, 2027, all Developers that wish to operate a browser in California must include OOPS functionality, ensure that it is easy for the typical consumer to find and use, and publicly disclose how it works and its intended effect. While the Act does not define the parameters of these requirements, the CPPA is authorized to adopt implementing regulations, so Developers should expect further guidance.

The Act’s direct effect on Developers is clear. However, businesses subject to the CCPA as data controllers should not ignore the indirect—but potentially significant—effect the Act may have on them as it paves the way for more California consumers to exercise their opt-out rights and to do so via an OOPS. Because the CCPA already requires covered data controllers to recognize and honor an OOPS, the increased availability and ease of use promised by the Act will almost certainly mean more opt-out requests to process, track, and implement. Given the CPPA’s strong record of enforcement, it will likely be tracking compliance very closely. So, too, will the plaintiffs’ bar.

Failure to comply with an OOPS can have serious consequences for a CCPA-covered business. Earlier this year, the California attorney general announced a $1.55 million settlement with Healthline Media LLC after finding that the business failed to honor opt-out requests submitted through the GPC. As a further compliance incentive, the Act comes on the heels of an announcement that the attorneys general of California, Connecticut, and Colorado, together with the CPPA, are investigating businesses to ensure they are honoring OOPS like the GPC. For more information on this investigative sweep and whether it might implicate your business’s California operations, check out our previous alert.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© McCarter & English, LLP
