Multi-State Privacy Investigation Targets GPC Compliance While California Pushes “Opt Me Out Act”

Want to receive these privacy recaps in your inbox each week? Subscribe here.

United States

Three States Launch Joint Investigative Privacy Sweep Over GPC

The California Privacy Protection Agency announced that it joined the Attorneys General of California, Colorado, and Connecticut in an investigative sweep to check for business compliance with Global Privacy Control (GPC) requirements. Specifically, the coalition will be checking whether businesses are compliantly processing consumer requests to opt out of the sale of their personal information submitted via the GPC signal. 

TAKEAWAY

Although the complexity of complying with requirements to recognize GPC signals (or other Universal Opt-Out Mechanisms or Opt-Out Preference Signals) varies from state to state, it is unclear from the announcement whether the investigative sweep will involve checks beyond the surface-level recognition and response to the signal. California regulations provide the most detailed requirements, including options for responding to the signal in a “frictionless” or “non-frictionless” manner, as well as methods for businesses to address conflicts between the signal and default privacy settings or financial incentive programs. 

Recently adopted amendments to the regulations expected to take effect by the beginning of 2026 will make further changes, including a new requirement to display whether a business has processed the consumer’s opt-out preference signal, which was previously optional. As the adoption of GPC grows, whether as a result of consumer awareness or browser support (see the next entry below), it may become increasingly important for businesses to not only comply with the requirements but also to understand options available to the business under the law, which may be crucial in mitigating business impact.

California Sends “Opt Me Out Act” to the Governor

The California legislature passed AB 566, a bill that, if signed by the Governor, will require all browsers (including Google Chrome, Apple Safari, and Microsoft Edge) to include functionality configurable by consumers to enable the browser to send opt-out preference signals to businesses with which the consumer interacts through the browser. The browser will also be required to disclose to consumers how the opt-out preference signal works and its intended effect. The mandate would take effect January 1, 2027.

TAKEAWAY

Currently, although California law mandates that businesses listen for and honor opt-out preference signals, there is no mandate for browsers to enable consumers to send the signal. A limited set of browsers (including Firefox, DuckDuckGo and Brave), as well as certain browser extensions, voluntarily support the signal, but overall consumer adoption has been low, perhaps in part due to a lack of support for the signal from the larger browsers. 

This is the California legislature’s second attempt to send a bill requiring browser support of OOPS to the Governor. The first attempt (AB 3048, which mandated support by mobile operating systems in addition to browsers) was vetoed by the Governor in September 2024. 
In his veto message, the Governor cited the mandate on mobile operating systems as the reason for the veto, so it is expected that AB 566 (which does not include a mobile OS mandate) will address the Governor’s concerns.

A LITTLE MORE PRIVACY, IF YOU PLEASE

• California Delete Act Amendment Sent to the Governor. 
• UK ICO Publishes Article Debunking Online Tracking Myths
• EU Data Act Enters Into Force

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.