Codify — Article

California requires browsers to provide a CCPA opt-out preference signal

AB 566 makes consumer-configurable browser signals for opting out of sale/sharing mandatory and shields browser makers from liability for recipients' violations.

The Brief

AB 566 (California Opt Me Out Act) amends the Civil Code to require browser developers and maintainers to include a consumer-configurable feature that sends an opt-out preference signal to businesses with which a consumer interacts. The feature must be easy for a reasonable person to find and configure, and the browser maker must publicly disclose how the signal operates and its intended effect.

The bill also grants browser developers immunity from liability for violations of the CCPA (and related title provisions) committed by businesses that receive the signal, authorizes the California Privacy Protection Agency to adopt implementing regulations, and becomes operative on January 1, 2027. For compliance officers and product teams, AB 566 turns browsers into an explicit technical channel for consumers to express opt-out choices and allocates implementation and enforcement responsibilities across browsers, recipients, and the state agency.

At a Glance

What It Does

The bill mandates that any business that develops or maintains a web browser must include functionality that lets a consumer enable an opt-out preference signal and transmit it to businesses the consumer visits. It requires clear public disclosures from the browser maker about how the signal works and lets the California Privacy Protection Agency issue regulations to flesh out the details.

Who It Affects

Browser developers and maintainers (large vendors and smaller browser projects), website operators and online advertisers that receive requests from browsers, and the California Privacy Protection Agency, which gains rulemaking authority to implement the requirement. Consumer-facing product and legal teams will need to coordinate on UI, signal format, and public disclosures.

Why It Matters

The statute creates a formal, statewide expectation that browsers be a channel for expressing CCPA opt-out choices, which pushes adoption of a machine-readable opt-out mechanism across the ecosystem and shifts some practical responsibility for signaling away from consumers toward platform-level controls.

What This Bill Actually Does

AB 566 inserts a new Section 1798.136 into the Civil Code and focuses narrowly on browsers as a delivery mechanism for CCPA opt-out instructions. It does not rewrite the CCPA's core standards; instead, it requires browser software to include a configurable control that sends an "opt-out preference signal" to businesses a consumer visits.

That signal is defined in the bill as one that complies with the title and communicates the consumer’s choice to opt out of sale and sharing of personal information.

The bill requires two practical things of browser makers. First, the opt-out control must be straightforward for a reasonable person to locate and turn on or off — the statute uses the "easy to locate and configure" standard rather than prescribing specific UI elements.

Second, browser makers must publish an explanation for users describing how the signal operates and what effect enabling it is intended to have. The statute does not itself prescribe the signal format or technical protocol; instead it authorizes the California Privacy Protection Agency to promulgate implementing regulations to resolve technical and operational details.

AB 566 also creates a liability allocation: a browser developer that implements the required functionality is insulated from liability under the title for any failure by recipients to follow the signal.

That means browser teams gain legal cover for implementing and sending signals, while enforcement of whether a business honored the opt-out still sits within the existing CCPA framework and the administrative authority of the state agency.

The Five Things You Need to Know

1. The statute is operative January 1, 2027; browser functionality must be in place by that date.

2. It prohibits a business from developing or maintaining a browser that lacks consumer-configurable functionality to send an opt-out preference signal to businesses the consumer interacts with.

3. The required browser control must be easy for a reasonable person to locate and configure, an explicitly stated usability standard.

4. Browser makers must publicly disclose how the opt-out preference signal works and are granted immunity from liability under the title for violations committed by businesses that receive the signal.

5. The California Privacy Protection Agency may adopt regulations to implement the requirement; the bill defines an opt-out preference signal as one that communicates a consumer’s choice to opt out of sale and sharing under the title.

Section-by-Section Breakdown

Section 1798.136(a)(1)

Mandatory opt-out-signal functionality in browsers

This subsection imposes the substantive requirement: any business that develops or maintains a browser must include functionality that enables a consumer to send an opt-out preference signal to businesses they interact with. Practically, this converts a consumer’s opt-out decision into a machine-readable signal emitted by the browser; it applies to browser vendors rather than to websites or third-party scripts.

Section 1798.136(a)(2)

Usability requirement — easy to locate and configure

The statute mandates a user-facing usability standard: the opt-out control must be easy for a reasonable person to find and configure. The bill intentionally avoids prescribing UI specifics and leaves the operationalization of "easy" to subsequent regulation or enforcement, which will force product and legal teams to make design choices that can later be scrutinized by regulators or litigants.

Section 1798.136(b)

Public disclosure obligation

Browser developers must explain in public-facing materials how the opt-out preference signal functions and the intended effect when consumers enable it. This creates a transparency duty aimed at reducing user confusion and gives regulators and consumers a baseline to assess whether disclosures align with actual browser behavior.

Section 1798.136(c) and (f)

Regulatory authority and effective date

The California Privacy Protection Agency receives explicit authority to adopt regulations to implement the section, which will be the primary vehicle for specifying technical formats, verification mechanisms, and compliance timelines. The section becomes operative on January 1, 2027, giving the agency and industry a defined runway to develop technical standards and disclosures.

Section 1798.136(d)-(e)

Liability shield and definitions

The bill grants browser developers a defense: if the browser implements the required functionality, the developer is not liable under the title for violations by businesses that receive the opt-out signal. The definitions portion limits the statute to interactive software used to navigate websites and defines the opt-out preference signal as one that communicates a choice to opt out of sale and sharing; those definitions constrain scope but leave key design questions — such as exact signal format and authentication — unresolved.

Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Consumers who want a persistent, browser-level way to express CCPA opt-out preferences — they gain a standardized channel to communicate opt-out intent without configuring each website individually.
  • Privacy-focused browser projects and vendors that ship this feature cleanly — they may gain a market advantage and clearer marketing claims about built-in CCPA controls.
  • Privacy advocates and watchdogs — the law creates a formal mechanism to test whether businesses respect machine-readable opt-out signals and a regulatory path to establish standards.
  • Compliance teams at large websites and ad tech platforms — having a standardized signal can simplify automated handling of opt-out preferences once the signal format and verification rules are established.

Who Bears the Cost

  • Browser developers and maintainers — they must design, build, document, and maintain a configurable opt-out signal and disclosures; smaller projects may face nontrivial engineering and legal costs.
  • Website operators, advertisers, and data brokers — they will need to detect, authenticate, and respect incoming opt-out signals under existing CCPA obligations, and adapt systems and consent frameworks accordingly.
  • California Privacy Protection Agency — the agency will carry the regulatory burden of specifying technical standards, enforcement guidance, and dispute-resolution processes.
  • Product and legal teams for cross-border services — reconciling California’s requirements with other jurisdictions’ privacy rules and global browser standards will add complexity and potential operational costs.

Key Issues

The Core Tension

The central dilemma is between empowering consumers via a platform-level, machine-readable opt-out signal and ensuring reliable enforcement: the bill makes browsers responsible for sending clear signals while insulating them from downstream compliance, which reduces deployment risk for browsers but places the burden of honoring and enforcing opt-out obligations on recipients and regulators — a trade-off that may delay practical effect unless standards and enforcement follow quickly.

AB 566 creates a clear policy direction but leaves substantial technical and legal work for regulators and the market. The statute requires the functionality and a transparency disclosure but does not define the signal format, authentication or verification mechanisms, or how businesses should validate the origin and scope of a received signal.

Those gaps increase near-term uncertainty: browser teams must choose technical designs that they can defend to regulators, while recipient businesses must decide how to treat signals of uncertain provenance.

Granting browser developers immunity for recipients' violations reduces a deployment risk for platform vendors but shifts substantive enforcement onto recipients and the California Privacy Protection Agency. That allocation could blunt incentives for recipient businesses to act quickly: browsers can ship the feature and rely on immunity, while recipients may delay implementation until the agency issues clear rules or enforcement actions create legal pressure.

The statute also anchors the signal to CCPA concepts of "sale" and "sharing," which may limit the signal’s reach relative to broader privacy preferences and could create interoperability issues with global initiatives (for example, versions of Global Privacy Control) unless the agency explicitly harmonizes standards.

Finally, the "easy to locate and configure" standard is workable as a user-protection principle but invites subjective disputes. What is "easy" for one demographic may not be for another; regulators will have to translate that phrase into measurable criteria (menu depth, default settings, labeling, accessibility) to avoid inconsistent enforcement and litigation over whether a browser meets the statutory bar.
