The California Privacy Protection Agency (CalPrivacy) is considering potential regulatory changes related to opt-out preference signals, and is accepting preliminary comments from stakeholders (including businesses) through April 6, 2026.
Background: What Is an Opt-Out Signal?
Several state privacy laws, including the California Consumer Privacy Act (CCPA), give consumers the right to require that a business limit the sale or sharing of their personal information for “cross-context behavioral advertising” or “targeted advertising.”
One common method is the requirement to honor a Global Privacy Control (GPC) (also known as an “opt-out preference signal” (“OOPS,” “opt-out signal,” or a “universal opt-out mechanism- UUOM”), a browser-based mechanism that sends an automated signal to websites.
Using an opt-out signal allows an automatic exercise of the consumer’s right to opt-out of sale/sharing (by interacting with a business online), as opposed to the submission of individual requests to businesses.
CCPA Requirements Related to Opt-Out Signals
As of January 1, 2026, businesses subject to the CCPA not only have to honor opt-out signals but also show consumers that their opt-out signal has been processed.
Also, in October of 2025, California enacted the California Opt Me Out Act, requiring all web browsers to be able to send an “opt-out preference signal” to businesses by January 1, 2027. Businesses can expect increased consumer use of the GPC and must be ready to recognize and honor GPC signals automatically.
For more, see Opt-out Signals no Longer Just Noise: State Privacy Law Requirements Taking Shape, Show Me That You’ve Opted Me Out: New CCPA Rules Require Businesses to Prove Compliance, and Multi-State Privacy Enforcement Sweep Highlights GPC Compliance Obligations.
What Input is CalPrivacy Seeking from Businesses Related to the Opt-Out Signal?
- What challenges do businesses face in processing opt-out signals, such as the GPC?
- How are businesses applying the opt-out signal to “known” customers and pseudonymous profiles, and across different browsers, devices, or identifiers?
- Is there anything that requires more clarity or guidance as a regulation relating to the opt-out signal?
