California Becomes First State to Mandate Built-In Browser Privacy Controls
Key Takeaways
- AB 566 Signed into Law: Governor Gavin Newsom has signed the California Opt Me Out Act (AB 566), making California the first state to require browsers to offer users a one-step privacy opt-out feature.
- Simplified Privacy Controls: The law mandates that browsers operating in California include a built-in, easy-to-use opt-out preference signal (OOPS) allowing users to automatically tell websites not to sell or share their personal data.
- Empowering Consumers: Backed by the California Privacy Protection Agency (CPPA), the legislation closes a major usability gap, ensuring Californians can exercise their data rights without navigating multiple sites or settings.
- Effective 2027: The law takes effect in January 2027, requiring browsers to integrate privacy preference settings that apply across websites.
- National Precedent: California leads the U.S. once again on privacy innovation, setting a potential template for other states to follow.
Deep Dive
California Governor Gavin Newsom has recently signed into law the California Opt Me Out Act (AB 566), sponsored by the California Privacy Protection Agency (CPPA). The law cements California’s leadership in digital privacy by requiring all browsers operating in the state to include a built-in, one-click mechanism for users to opt out of data sales and sharing online.
While the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) already grant residents the right to opt out of data sharing, exercising that right has often been cumbersome. Consumers currently must indicate their preferences on each website individually or rely on limited browser tools that support opt-out preference signals (OOPS).
Under the new law, browsers will be required to make these controls directly accessible to all Californians, ensuring that privacy rights can be exercised “at scale” with a single setting.
“Every Californian deserves control over their personal information without having to jump through countless hoops,” said Tom Kemp, Executive Director of the CPPA. “This law puts the power back in consumers’ hands and makes exercising your privacy rights as simple as clicking a button in your browser.”
The CPPA’s Deputy Director of Policy & Legislation, Maureen Mahoney, added that the measure underscores the importance of practical accessibility: “This law recognizes that privacy rights are meaningless if they’re too difficult to use. California is once again leading the nation in protecting consumers’ digital privacy.”
When the Opt Me Out Act takes effect in January 2027, consumers will be able to activate an opt-out preference in their browser settings, automatically notifying websites not to sell or share their personal data. The protection extends to information such as browsing history, geolocation, purchase data, and user interests — all at the browser level, without repetitive steps across individual sites.
By setting a new precedent for built-in privacy functionality, California’s approach could influence national and even global standards for consumer privacy technology. With the state already home to some of the most advanced privacy legislation in the world, AB 566 reinforces California’s role as the testbed for the next generation of data protection frameworks.