California’s AB 566 [1], the Opt Me Out Act, gives Chrome, Safari, and Edge until January 1, 2027 to ship built-in opt-out preference signal functionality. The law raises the floor for signal volume by shifting responsibility from extensions and niche browsers to OS defaults, but it explicitly shields compliant browsers from liability when sites ignore the signal. That leaves the California Privacy Protection Agency as the only entity with enforcement authority over the 86% site-level failure rate webXray measured in April 2026 [2].
What the Opt Me Out Act Actually Mandates
Governor Gavin Newsom signed AB 566 [1] on October 8, 2025. The statute amends the CCPA to require any web browser serving California users to include built-in, consumer-configurable functionality that transmits an opt-out preference signal. ObservePoint’s analysis notes that this language covers the major OS-bundled browsers, not merely privacy-focused alternatives [3].
The law does not name the Global Privacy Control specification directly. Instead, the CPPA will define the technical standard for an “opt-out preference signal” through rulemaking. As of May 2026, the GPC initiative lists only Brave, DuckDuckGo, and Firefox as offering native support [4]. That leaves Chrome, Safari, and Edge with eighteen months to add a feature that, until now, has been a competitive differentiator for privacy-focused vendors.
The Browser Liability Shield
AB 566 [1] contains a safe-harbor clause that is easy to overlook but central to its impact. According to the National Law Review, browser operators that provide the opt-out signal functionality are shielded from liability when a business downstream fails to honor it [5]. The browser’s job is to transmit the bit; what the recipient does with it is not the browser’s legal problem.
This design choice has two consequences. First, it removes the incentive for Google or Apple to delay implementation over fears of being sued for ad-tech noncompliance on sites they do not control. Second, it means the law does not, by itself, shrink the gap between signal sent and signal respected. The floor rises on signal volume, but the ceiling on site-level enforcement stays exactly where the CPPA sets it.
The April 2026 webXray Audit in Context
In April 2026, researchers at webXray published an audit of 7,634 popular websites accessed from California IP addresses [2]. The Record reported that Google’s ad servers failed to honor GPC opt-out signals on 86% of page loads [2]. The same audit found Meta at 69% and Microsoft at 50%, with 194 distinct online advertising services ignoring the signal entirely [2]. eMarketer’s coverage added an aggregate liability estimate: $5.8 billion in potential CCPA exposure across non-compliant advertising services [6].
Google publicly disputed the findings, calling them a “fundamental misunderstanding” of how its products work [2]. The company did not publish a detailed rebuttal at the time of the audit’s release, so the 86% figure [2] stands as the most rigorous public measurement of Google’s GPC compliance rate as of mid-2026.
CPPA’s Early-2026 Enforcement Wave
The webXray audit landed weeks after California’s first significant GPC enforcement actions, which gives the 86% figure its political weight [2]. On February 11, 2026, the California Attorney General announced a record $2.75 million CCPA settlement with Disney [7]. The violation: Disney honored GPC signals at the device level but not account-wide, meaning a user who opted out on one phone remained tracked everywhere else they were logged in.
The CPPA followed with two fines in February and March 2026. On February 27, the agency fined PlayOn Sports $1.1 million for failing to recognize and honor opt-out preference signals including GPC [8]. On March 5, the agency ordered Ford to pay $375,703 [9] for requiring email verification before processing opt-out requests, a step the CPPA described as creating “unnecessary friction.”
Together, the three actions total roughly $4.2 million in penalties [7][8][9]. They establish that both the Attorney General and the CPPA are willing to enforce GPC, but the volume of enforcement so far is modest relative to the scale webXray documented [2].
What Changes in January 2027
When AB 566 [1] takes effect, the primary change is mechanical: Chrome, Safari, and Edge must ship the toggle. Users who previously needed a privacy browser or an extension to emit a GPC signal will have the option by default. That should increase signal volume by an order of magnitude, assuming the browsers implement the feature as a visible setting rather than a buried flag.
What does not change automatically is the 86% failure rate [2]. The law does not impose new site-level obligations beyond what the CCPA already requires. It does not create a private right of action for consumers whose signals are ignored. And the browser safe harbor means no one can sue Google for Chrome’s compliance while Google’s ad servers ignore the same signal on the open web [5].
Action Items for Privacy Teams
For teams operating websites that serve California users, January 2027 is a deadline for verifying signal handling, not just browser compatibility. Three specific checks are worth running before the switch flips:
First, confirm whether your site or its third-party ad partners currently honor GPC or whatever opt-out preference signal the CPPA finalizes in rulemaking. The webXray audit found 194 advertising services ignoring the signal [2]; your vendor list likely intersects with that set.
Second, audit your opt-out flow for “unnecessary friction.” The Ford fine establishes that email verification, account-login requirements, or multi-step forms can be violations in themselves, even if the user eventually reaches an opt-out page [9].
Third, document your GPC handling logic. The Disney settlement turned on a narrow technical distinction (device-level versus account-wide honoring) [7]. A defensible privacy posture requires clear internal documentation of how the signal propagates across your user account graph and device fleet.
The law gives browsers a pass. It does not give sites one.
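The sketch below is an added example, not code from the article or from any regulator, showing one way to make the three checks testable: it reads the GPC request header (`Sec-GPC: 1`), records the opt-out with no login or email step, and propagates it account-wide when the user is signed in. It assumes the CPPA's final signal is GPC; `OptOutStore`, `decide`, and the device and account identifiers are hypothetical names.

```python
from dataclasses import dataclass, field


@dataclass
class OptOutStore:
    # In-memory stand-in for a real consent database (hypothetical).
    accounts: set = field(default_factory=set)
    devices: set = field(default_factory=set)


def gpc_asserted(headers):
    """True when the request carries the GPC header `Sec-GPC: 1`."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":       # header names are case-insensitive
            return value.strip() == "1"
    return False


def decide(store, headers, device_id, account_id=None):
    """Persist any opt-out the signal expresses, then decide for this request."""
    if gpc_asserted(headers):
        store.devices.add(device_id)        # honored without login or email
        if account_id is not None:
            store.accounts.add(account_id)  # propagate account-wide
    if account_id is not None and account_id in store.accounts:
        scope = "account"
    elif device_id in store.devices:
        scope = "device"
    else:
        scope = None
    return {"opted_out": scope is not None, "scope": scope,
            "load_ad_partners": scope is None}


def demo():
    store = OptOutStore()
    # Constructed requests: one account on two devices, plus anonymous visitors.
    phone = decide(store, {"Sec-GPC": "1"}, "phone-1", account_id="acct-42")
    laptop = decide(store, {"User-Agent": "x"}, "laptop-1", account_id="acct-42")
    anon = decide(store, {"sec-gpc": "1"}, "tablet-9")
    other = decide(store, {}, "kiosk-3")
    return phone, laptop, anon, other


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The `laptop` request sends no signal of its own yet is still treated as opted out, which is the account-wide behaviour the Disney settlement turned on.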
Frequently Asked Questions
What happens if the CPPA adopts a different technical standard than GPC?
AB 566 does not codify GPC as the required signal. If CPPA rulemaking adopts a different specification—for example, one that carries richer preference metadata than GPC’s single boolean—browsers would need to implement that standard instead, and sites that invested in GPC-only detection logic would need to update their signal-handling code. The law’s flexibility here is intentional but creates a coordination problem: browser vendors, ad-tech intermediaries, and site operators must all converge on the same specification once finalized.
How does the per-violation penalty math produce the $5.8 billion estimate?
The CCPA authorizes civil penalties of $2,500 per violation and $7,500 per intentional violation. The $5.8 billion figure extrapolates those per-incident amounts across the total population of non-compliant ad-server calls webXray observed across 7,634 sites—meaning it scales with request volume, not company count. A single mid-size publisher whose ad stack routes through multiple non-compliant demand-side partners could accumulate thousands of individual violations per day at these statutory rates.
How does California’s opt-out model differ from the EU’s browser-level consent approach?
The EU’s ePrivacy framework requires affirmative opt-in consent before tracking begins, enforced through member-state regulators with GDPR-level penalties reaching 4% of global turnover. California’s model is opt-out: tracking proceeds by default until the user or browser actively signals refusal. AB 566 automates the refusal signal but does not flip the default to opt-in, so the fundamental consent architecture remains unchanged from the pre-2027 baseline.
Can the CPPA realistically close the compliance gap at its current enforcement pace?
Through early 2026, the CPPA and California AG together produced roughly $4.2 million in penalties across three enforcement actions. The webXray audit identified 194 non-compliant advertising services. At approximately one action per month, systematic coverage of those violators would take over 16 years absent a significant expansion in the CPPA’s staffing, budget, or automated investigation capabilities.
Footnotes
- California Governor Signs New Law Requiring In-Browser Opt-Out Preference Signal
- Big Tech Fails to Opt Out Users Requesting Not to Be Tracked
- California Opt Me Out Act: New Era of Browser Privacy Options
- Big Tech Platforms Continue Tracking Users Who Opt Out, Audit Finds
- California Attorney General Announces Largest CCPA Settlement
- CalPrivacy Fines PlayOn Sports $1.1M for CCPA Opt-Out and Notice
- Ford to Change Practices, Pay Fine for Adding Unnecessary Friction to Opt-Out Process