The California Privacy Protection Agency (CPPA) convened on November 7, 2025, to assess its achievements and set priorities for the upcoming year. Among the key developments was the introduction of the California Opt Me Out Act, officially known as Assembly Bill 566, which will come into effect on January 1, 2027. This legislation mandates that web browsers incorporate a built-in feature allowing users to send a universal opt-out preference signal, known as OOPS, to every website they visit. This change is designed to streamline the opt-out process for consumers, enabling them to manage their data privacy preferences at a browser level rather than individually across various sites.
The CPPA, which oversees the enforcement of California’s consumer privacy laws, emphasized the significance of this legislation. The requirement for a straightforward OOPS setting will apply to all browsers, potentially affecting users not just in California but globally. Drew Liebert, a board member of the CPPA, described AB 566 as an “internationally leaning” initiative and a major milestone for the agency. This law aligns with California’s ongoing commitment to enhancing consumer privacy rights.
Under the current framework established by the California Consumer Privacy Act (CCPA), the onus is on each user and website to manage opt-out requests. The passage of AB 566 aims to shift this responsibility, ensuring that businesses must comply with OOPS settings when activated by consumers. A recent initiative by the CPPA also targets businesses that do not honor these opt-out signals, underscoring the urgency of compliance for companies operating in California.
Despite the anticipated benefits of AB 566, challenges remain. Some stakeholders express concern that while OOPS may be recognized by websites, the signal may not be linked to identifiable users. The CPPA has indicated that the implementation of AB 566 will not necessitate additional regulations, leaving some of these issues unresolved for the time being.
Legislative Proposals for 2026
Looking ahead, the CPPA outlined several legislative proposals for the 2026 session. These include plans to establish comprehensive whistleblower protections related to technology and privacy laws. The proposed legislation aims to create an award program to incentivize whistleblowers, collaborate with whistleblower attorneys, and ensure protections against retaliation.
Additionally, the agency is considering expanding the right to delete personal information collected by businesses from third parties, rather than just directly from consumers. There are also proposals to diversify methods for submitting privacy rights requests, allowing options such as online forms in addition to email.
Support for these proposals has emerged from various organizations, including Consumer Reports and the Electronic Privacy Information Center (EPIC). However, TechNet cautioned the CPPA to be mindful of the compliance costs that businesses face, urging the agency to provide sufficient time for organizations to adapt to new regulations.
Focus Areas for Rulemaking
During the meeting, the CPPA also identified its regulatory priorities for the coming year. The board plans to initiate preliminary rulemaking activities in four primary areas:
1. **Employee Data**: The CPPA recognized that employee data has been excluded from CCPA coverage, a situation that changed in 2023. The board aims to clarify how the CCPA applies to employees and whether further regulations are necessary to aid businesses in meeting disclosure requirements.
2. **Disclosures and Notices**: While the law mandates certain disclosures, there is a growing consensus that the traditional “notice and consent” model may not be effective. The board will explore ways to enhance the clarity and usefulness of these communications, considering tools like executive summaries.
3. **Reducing Friction in Privacy Rights**: The CPPA has received feedback regarding obstacles consumers encounter when exercising their privacy rights under the CCPA. The agency intends to investigate issues such as dark patterns and difficulties in identity verification.
4. **Opt-Out Preference Signals**: Although new regulations are not required to implement AB 566, the board will assess how to harmonize existing requirements related to age verification and whether additional guidance is necessary for processing OOPS.
Phil Laird, General Counsel at the CPPA, outlined the agency’s approach for the upcoming year, emphasizing a focus on smaller, targeted rulemaking efforts rather than extensive multi-topic packages. The overarching goal remains to provide clearer guidance and facilitate compliance, supporting businesses in effectively implementing privacy requirements.
With the changes ahead, the CPPA is poised to lead California’s efforts in consumer privacy, with implications likely extending beyond state lines. As the agency works to refine its regulatory framework, the balance between protecting consumer rights and supporting business compliance will be crucial.
