Starting January 1, 2027, California's new Opt Me Out Act (Assembly Bill 566) requires web browsers to include a one-click setting that tells every website not to sell or share a visitor's personal information.
If your website serves California visitors and uses analytics, advertising pixels or any tool that shares data with third parties, your site needs to detect and honor that signal. Here is what the law does, who it affects and the plain-English steps to get ready.
What the Opt Me Out Act actually does
The Opt Me Out Act amends the California Consumer Privacy Act (CCPA). It requires any web browser operating in California, including Chrome, Safari and Firefox, to build in a setting that is easy for a reasonable person to find and turn on. When a visitor turns it on, the browser automatically sends an opt-out preference signal to every website they visit.
That signal says one thing: do not sell or share my personal information. Instead of hunting for a "do not sell" link on hundreds of sites one at a time, a Californian flips one switch and is opted out everywhere. The most common version of this signal is the Global Privacy Control (GPC).
Why people call it the cookie-free tracking law
A cookie banner asks each visitor to choose, on each site, every time. This is different. The opt-out preference signal is set once in the browser and travels with the visitor automatically.
It also is not really about cookies at all. The law is about the sale and sharing of personal information, however that happens. Advertising pixels, third-party scripts, analytics that feed ad networks and server-side data sharing can all be in scope even when no traditional cookie is set. That is why it gets called a cookie-free tracking rule. Deleting cookies does not get you off the hook. Honoring the signal does.
Who has to do something
There are two sides to this law:
- Browser makers must build the opt-out setting and make it easy to find. That part is on Google, Apple, Mozilla and the rest, not on you.
- Businesses that run websites must honor the signal when it arrives. This duty comes from the existing CCPA, which already requires covered businesses to respect opt-out preference signals. The Opt Me Out Act simply guarantees a lot more visitors will be sending one.
The CCPA generally applies to for-profit businesses that meet certain thresholds, such as significant revenue or handling the personal information of large numbers of California residents. Even if your small business sits below those thresholds today, honoring the signal is fast becoming a baseline expectation and several other states already require it. Building your site to respect it now is the safe, future-proof move.
The Opt Me Out Act at a glance
- Law
- California Opt Me Out Act, Assembly Bill 566 (Lowenthal)
- Signed
- October 8, 2025 by Governor Newsom
- Effective
- January 1, 2027
- Who builds it
- Web browser makers operating in California
- Who honors it
- Websites and businesses covered by the CCPA
- Signal
- Opt-out preference signal, commonly the Global Privacy Control (GPC)
- Enforcement
- California Privacy Protection Agency (CPPA)
What website owners should do now
- Map what your site shares. List every analytics tool, ad pixel, embed and third-party script on your site and note which ones send visitor data off to someone else.
- Make sure your site can read the signal. Your site should detect the Global Privacy Control and, when it sees it, stop selling or sharing that visitor's personal information. This is a build-level setting, not a checkbox a visitor has to find.
- Update your privacy policy. Say plainly that you honor opt-out preference signals, and explain what data you collect and share.
- Keep your "do not sell or share" option too. The browser signal is in addition to, not a replacement for, a clear opt-out choice on your site.
- Work with someone who bakes it in. The cleanest fix is a site built to respect these signals from the start, not a plugin bolted on after a complaint.
How this fits your website
Most of this lives in how your site is built and configured: which scripts load, how data is shared and whether your site listens for the opt-out signal. A clean, custom site makes that straightforward, because there is no tangle of third-party plugins quietly shipping data out the back door. At Web Chick we build sites that respect visitor privacy by default and we keep an eye on rules like this so our clients are ready well before the deadline.
Sources: California Privacy Protection Agency announcement (October 8, 2025) and the California Office of Privacy Protection at privacy.ca.gov. Last updated June 27, 2026.
