California Assembly Bill 566 (AB 566), known as the “California Opt Me Out Act,” has recently cleared the state Legislature and is poised for Governor Gavin Newsom’s signature. This bill, if signed into law, will require internet browsers to integrate a consumer-configurable opt-out signal, fundamentally changing the landscape of data sharing and consumer privacy for businesses operating online.

AB 566 mandates that, beginning January 1, 2027, internet browsers like Chrome, Safari, and Edge must include a user-configurable functionality to send an opt-out preference signal. This signal will communicate a consumer’s choice to opt out of the sale and sharing of their personal information to businesses they interact with through the browser. Key provisions include:

• Browser Requirements: Browsers must offer an easy-to-locate and configure opt-out setting.
• Public Disclosures: Browser developers must clearly explain how this opt-out signal works and its intended effect.
• Developer Immunity: Browser developers will be immune from liability for violations by downstream businesses that receive the opt-out signal.
• CPPA Regulations: The California Privacy Protection Agency (CPPA) is authorized to adopt regulations to implement and administer these provisions, which will clarify technical specifics like signal format and transmission.

This legislation aims to provide individuals with a direct, observable channel to convey their opt-out preferences as they navigate websites, tying into the existing California Privacy Rights Act (CPRA) framework. The intent is to simplify the opt-out process for consumers who currently face the burden of opting out on individual websites.

Potential Impact on Ecommerce Businesses

Even though this bill’s direct requirements are placed on browser developers, it could have several implications for EIA members and ecommerce businesses:

The introduction of native, universal opt-out signals in major browsers – which currently do not offer this functionality by default – is expected to lead to a significant increase in consumers utilizing these signals. This means ecommerce businesses must be prepared to receive and honor more frequent opt-out requests.

Ecommerce businesses heavily rely on data-powered digital tools, including advertising and analytics, for growth and success. These tools enable effective ad targeting and inform marketing strategies, allowing smaller businesses to compete with larger entities. A widespread increase in opt-outs could impact the availability of data insights, potentially affecting targeted advertising effectiveness and the optimization of marketing efforts.

The legislation defines an “opt-out preference signal” as a communication of a consumer’s choice to opt out of the sale and sharing of personal information. A broad application of these signals could override existing consents, including participation in loyalty programs, impacting direct customer relationships.

AB 566 underscores the critical need for ecommerce businesses to implement robust mechanisms for detecting and honoring universal opt-out signals. As we highlighted in our recent blog post, “Multi-State Privacy Sweep Targets Ecommerce Brands on Global Privacy Control Compliance,” enforcement around Global Privacy Control (GPC) is already a high priority for regulators in California, Colorado, Connecticut, and other states. This new bill will further cement the expectation that businesses comply with such signals.

Join the EIA today to help strengthen and shape policies that affect all ecommerce businesses. Together, we can continue to create the future of ecommerce. Subscribe to EIA email updates to stay informed on key developments and their impact on your business.