California Governor Gavin Newsom signed the California Opt Me Out Act (AB 566)  into law on October 8, 2025. As we previously reported, the Opt Me Out Act is a first-in-the-nation law requiring web browsers to include a built-in opt-out preference signal that lets consumers automatically tell websites not to sell or share their personal data.

Specifically, this law requires browsers operating in California, including popular ones like Google Chrome, Mozilla Firefox and Apple Safari (which do not currently offer this by default), to implement an easy-to-locate and configure Opt-Out Preference Signal (OOPS). When enabled, this single browser control automatically tells visited websites to stop selling or sharing the user’s personal information. This allows Californians to protect their data, such as browsing history and purchase history, across the entire internet with a single step.

This new requirement, effective January 1, 2027, builds on California’s CCPA framework and marks a major step toward giving consumers real-time control over online tracking. But it also adds new complexity for ecommerce businesses that must detect and honor these signals.

What’s Changing

• Browser-based signals become mandatory: Browsers used by Californians must include an “Opt Me Out” feature that communicates a consumer’s choice to every website they visit.
• Businesses must honor the signal: Ecommerce sites that collect or share personal data from California residents must recognize and comply with it.
• Non-compliance risks enforcement: The California Privacy Protection Agency (CPPA) will oversee rulemaking and enforcement, with penalties for failure to respect the signal.

What It Means for Ecommerce Businesses

For small and medium-sized ecommerce companies, this change has real operational and marketing implications:

1. Increased compliance demands: Your systems must detect and respond to browser-level opt-out signals automatically. Ecommerce businesses should begin their preparations now to ensure they can detect and honor these new signals consistently.
2. Marketing and targeting limits: The introduction of native, universal opt-out signals in major browsers is expected to lead to a significant increase in consumers utilizing these signals. This means that every ecommerce business must be prepared to receive and honor a higher volume of automatic opt-out requests. Expect more California users to be excluded from data-driven advertising and retargeting efforts.
3. More state-by-state variation: Other states are likely to follow California’s lead, creating a patchwork of compliance standards.
4. Compliance is crucial: Regulators have already levied large fines (for example, against Sephora and Honda) for non-compliance, demonstrating the serious financial and reputational risk involved.

California’s move reflects a broader shift toward consumer-driven privacy and ecommerce businesses will feel it first. This new law transforms browser-level privacy from a niche feature into a mandatory, enforceable standard. For EIA members, adapting to this shift is essential not just for compliance, but for maintaining customer trust in an increasingly privacy-conscious digital marketplace. 

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.