ARTICLE
20 October 2025

Cybersecurity Month Legislative Update: California's 'Opt Me Out Act' Sets New Standard For Browser-Level Privacy Control

TC
Thompson Coburn LLP

Contributor

Thompson Coburn LLP logo
For almost 100 years, Thompson Coburn LLP has provided the quality legal services and counsel our clients demand to achieve their most critical business goals. With more than 400 lawyers and 50 practice areas, we serve clients throughout the United States and beyond.
Explore Firm Details
California continues to set the pace for privacy and cybersecurity regulation.
United States Technology
Brittney Mollman
Your Author LinkedIn Connections
Brittney Mollman’s articles from Thompson Coburn LLP are most popular:
  • with Inhouse Counsel
  • with readers working within the Banking & Credit, Basic Industries and Property industries

California continues to set the pace for privacy and cybersecurity regulation.

On October 8, 2025, Governor Newsom signed AB 566 (Lowenthal) into law—nicknamed the California Opt Me Out Act. The bill requires major web browsers to include a built-in, user-controlled setting allowing Californians to send an opt-out preference signal, a single switch that tells all visited websites to stop selling or sharing their personal information.

What It Means

Simpler user control: Consumers can express opt-out preferences once, at the browser level.

Enterprise impact: Companies that collect or share personal data must ensure their websites detect and honor Global Privacy Control (GPC) signals consistently.

Timeline: The law takes effect January 2027, giving organizations roughly a year to align systems and vendor relationships.

Why It Matters for Privacy & Cybersecurity

AB 566 closes the loop between privacy rights and technical enforcement. By embedding opt-outs into browsers, it removes ambiguity about when a consumer's choice applies, reducing exposure from inconsistent cookie-banner behavior and excessive third-party tracking. For cybersecurity teams, fewer uncontrolled data flows mean smaller attack surfaces and simpler vendor ecosystems.

Practical Steps

Test for signal recognition: Validate that your sites honor GPC/OOPS signals across browsers.

Update vendor terms: Require ad-tech and analytics partners to process universal signals appropriately.

Align UX and notices: Clearly disclose how universal opt-outs are handled; eliminate redundant consent prompts.

Plan now for 2027: Track browser implementation schedules and budget engineering cycles early.

Additional Context

AB 566 arrived alongside SB 361 (strengthening data-broker disclosures) and AB 656 (mandating full deletion of social-media data upon account closure)—a trio reinforcing California's push for transparency, user control, and fair data practices.

Thompson Coburn's Cybersecurity, Privacy and Data Governance counsel can assist with the development and execution of a plan to ensure your organization is ready in 2027.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Brittney Mollman
Brittney Mollman
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More