Blog
California Mandates Global Privacy Control in All Browsers by 2027 as Switzerland Issues Cookie Paywall Guidelines
October 13, 2025

Want to receive these privacy recaps in your inbox each week? Subscribe here.
California Governor Newsom signed legislation requiring all browsers to support opt-out preference signals by January 2027, a move that could significantly increase consumer adoption of Global Privacy Control and reshape targeted advertising practices.
Meanwhile, Switzerland’s data protection authority issued updated guidance clarifying when cookie paywalls comply with voluntary consent requirements.
Read more about those two major data privacy news stories, along with my takeaways, below.
United States
California Governor Signs Bill Requiring Browser Support of GPC
Governor Newsom has officially signed the “Opt Me Out Act,” which will require all browsers to include functionality enabling consumers to send opt-out preference signals to websites they visit. The law will take effect January 1, 2027.
TAKEAWAY
Although the Opt Me Out Act does not impose any requirements on businesses other than browsers, it could significantly impact all businesses that rely on targeted advertising (whether as a publisher, an advertiser, or an adtech company) or any other activity that relies on the sale or sharing of personal information under California law.
The California Consumer Privacy Act has required businesses to recognize and respond to opt-out preference signals, such as the Global Privacy Control, since the law took effect in 2020. However, due to low consumer adoption, this requirement has not significantly impacted opt-out rates for most businesses. Low consumer adoption may be partially the result of low browser adoption, since most major browsers (including Google Chrome, Apple Safari, and Microsoft Edge) have elected not to support it.
Beginning in January 2027, however, all browsers will be required to support the signal. They must also make it easy for a reasonable person to locate and configure it, and clearly disclose in public statements how the opt-out preference signal works and its intended effect.
Switzerland Publishes Updated Cookie Guidance, Including Cookie Paywall Criteria
Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) updated its January 2025 cookie guidance with new clarifications regarding the use of cookies for personalised advertising, location data collection, and cookie paywalls, among other changes that have been raised with the Commissioner in practice.
Notably, the updated guidance includes a section on cookie paywalls, where data subjects are given the choice between consenting to all processing by cookies and similar technologies or paying a fixed price for a subscription to view the website’s content. The guidance specifies that the voluntary (and therefore legal) nature of consent as part of a cookie paywall depends on whether the financial contribution is proportionate and (2) does not undermine the data subject’s fundamental right to data protection. and (2) does not undermine the data subject’s fundamental right to data protection.
In particular, website operators must ensure that the price they charge is proportionate to the loss of income they incur by not disclosing data to third parties.
TAKEAWAY
Switzerland’s guidance on cookie paywalls (sometimes referred to as “pay or consent” or “pay or ok” models) is largely consistent with previous guidance and opinions from other European authorities. For example, guidance from the UK ICO says that consent or pay models can be compliant if the consent is freely given.
The determination of whether consent is freely given should be assessed, according to the ICO, based on a number of provided factors, including whether there is a power imbalance between the platform and its users, the appropriateness of any fee (in particular where there is a power imbalance), and whether the same core service is included under either option.
Similarly, an opinion from the European Data Protection Board in April 2024 concluded that “pay or consent” models relating to behavioral advertising by large online platforms may be valid if the consent is freely given, informed, and an unambiguous indication of wishes, and that the platform complies with all other rules and principles provided by the GDPR.
To assess each requirement, the opinion outlined factors for large online platforms to consider. These include:
- Whether an equivalent alternative (different only to the extent necessary as a consequence of the controller not being able to process personal data for behavioural advertising purposes) is offered for an appropriate fee to those who do not consent (a concept built on the CJEU’s Bundeskartellamt judgment)
- Whether any fee imposed inhibits data subjects from making a genuine choice or nudges them toward consent
- Whether data subjects are provided, prior to making a choice, with clear information about the processing activities linked to each of the options
- And whether separate (not bundled) consents are required and defined for the processing activities that allow the service to be accessed for free, and the processing of personal data for different purposes.
Finally, guidance issued by the French CNIL in 2022 suggests that the legality assessment of cookie walls should consider whether a fair alternative to access the content is available, whether any payment required for users to refuse cookies is a “reasonable price”, whether the cookie wall is limited to the purposes that allow for fair remuneration, and whether the selection of the paid alternative results in appropriate limitation of unnecessary tracers.
A LITTLE MORE PRIVACY, IF YOU PLEASE
- Understanding the CJEU ruling on data controller accountability and pseudonymized data
- A journey in AdTech and Privacy: Interview with Brian Kane, COO at Sourcepoint
- Minnesota and New Hampshire Join Bipartisan Consortium for Privacy Enforcement
- California Signs Amendments Expanding the Scope of the Delete Act
- Austrian DPA Finds Microsoft 365 Education Illegally Tracks Students Without Consent
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
Latest Blog Posts
California Mandates Global Privacy Control in All Browsers by 2027 as Switzerland Issues Cookie Paywall Guidelines
October 13, 2025California requires all browsers to support opt-out signals by...
Maryland’s stricter privacy law and $1.3M California fine signal a new compliance era
October 6, 2025Maryland's stricter privacy law takes effect while California issues...
California Privacy Rules Expand in 2026; ICO Backs Meta’s Consent Model as Global Standards Shift
September 29, 2025California Privacy Rules Expand in 2026; ICO Backs Meta's...
Latest White Papers
Connecting Legal & Marketing Teams on Consent and Preferences
February 4, 2025Break down data silos and unlock better collaboration. Marketing...
Navigating Sensitive Data in the U.S.
February 4, 2025Download our comprehensive guide to learn how different states...
Enterprise Guide To Cookie management & Tracker List Curation
July 1, 2024How to review the tracking tech on your websites...
Keep in touch
Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.