CALPRIVACY WRAPPED: California Privacy Protection Agency Revisits 2025 Session and Sets Rulemaking Priorities Heading into the New Year

At its November 7, 2025, Board meeting, the California Privacy Protection Agency (“CPPA” or “CalPrivacy” as it’s now known) looked back on its 2025 session and gave us a preview of what’s in store for 2026.

Among this year’s highlights for the Agency was the California Opt Me Out Act, Assembly Bill 566, which was signed into law by the Governor last month and goes into effect on January 1, 2027.

The California Opt Me Out Act

AB 566, sponsored by CalPrivacy, requires companies that develop or maintain web browsers to offer a built-in setting that lets website users send a universal opt-out preference signal (“OOPS”) to every website they visit, so consumers can opt out on a browser level in a single instance instead of having to opt out of data sales on every website. The setting must be easy for a reasonable person to locate and configure, and the browser must make clear to a consumer how the OOPS works and its intended effect.

Currently under the California Consumer Privacy Act (“CCPA”), the obligation to honor consumer opt-out signals falls on each individual user and website. California regulations require businesses to honor OOPS when such settings are turned on. The Bill emphasizes the focus on consumer opt-out rights, with California also recently announcing a sweep targeted towards businesses that fail to honor OOPS.

The consequences of AB 566 are likely to be far reaching. The Bill does not differentiate between consumers located in California and elsewhere, defining a “browser” as “an interactive software application that is used by consumers to locate, access, and navigate internet websites.” With no easy way to carve out an application limited to California, browsers will likely have to make the setting available nationally or even internationally.

CalPrivacy Board Member Drew Liebert acknowledged the widespread impact, touting AB 566 as an “internationally leaning” move and an “extraordinary accomplishment” for California’s privacy watchdog.

However, even with its effective date over a year away, practical compliance with the Opt Me Out Act brings to light several hurdles. Some businesses, for example, worry that while their website recognizes an OOPS, the signal may not be tied to an identifiable user. With the CPPA noting later in the meeting that the implementation of AB 566 does not require further regulations, this friction is unlikely to be addressed for now.

Bill Proposals for 2026

CalPrivacy also outlined three bill proposals that it would either sponsor or support in the 2026 session.

Notably, the proposals include legislation to establish comprehensive whistleblower protections for California’s technology and privacy laws, including an award program to incentivize whistleblowers, a special designation program that enables the Enforcement Division to collaborate with whistleblower attorneys on certain cases and allow whistleblowers to share a portion of an administrative fine, and anti-retaliation provisions to protect whistleblowers and encourage cooperation.

Additional proposals included expanding the right to delete to cover personal information that businesses collect about consumers from third parties, and not directly from consumers, and requiring alternative methods for submitting privacy rights requests, such as a webform instead of just an email.

While organizations including Consumer Reports and EPIC voiced their support for the proposals, TechNet cautioned CalPrivacy to proceed carefully, noting that current regulations require significant compliance investments from businesses, and asking the CPPA to allow businesses the time and bandwidth to come into compliance.

Regulatory Priorities

The Board discussed its rulemaking priorities for the coming year, indicating that it will begin preliminary rulemaking activities focused on four key areas:

1. Employee Data
The Board noted that while employee data was initially excluded from CCPA coverage, that exclusion sunset in 2023. This area has previously been identified as needing further attention and the Board will consider whether clarification is needed regarding how the CCPA applies to employees and whether additional regulations could help businesses provide appropriate disclosures and respond to employee privacy requests.

2. Disclosures and Notices
While disclosures and notices are required under the law, the Board pointed to a growing body of scholarship recommending a move away from the traditional “notice and consent” model. The Board stated that it will explore how notices can be made more effective, identify what consumers find confusing, determine what information consumers actually want to know, and assess whether tools such as executive summaries or standardized forms would be helpful.

3. Reducing Friction in the Exercise of Privacy Rights
The Board observed that it has received feedback about difficulties consumers face when exercising their CCPA rights. It plans to examine whether regulations are needed to address dark patterns or other obstacles, review identity verification and authorized agent procedures, and investigate whether businesses may be obscuring or hiding opt-out mechanisms.

4. Opt-Out Preference Signals
While the Board noted that new regulations are not necessary to implement AB 566, it will consider how to harmonize law requiring age verification or whether further guidance is needed on how such signals should be processed.

Phil Laird, General Counsel at the CPPA, noted that the agency will commence pre-rulemaking activities and return with more specific recommendations. He stated that the Board does not intend to proceed with large, multi-topic rulemaking packages but will instead focus on smaller, targeted efforts addressing one or two policies at a time.

Mr. Laird also noted that the overarching goal is to provide clearer guidance, make compliance standards more achievable, and support businesses in implementing privacy requirements effectively. Whether, as he stated, businesses are “at the front” of CalPrivacy’s mind, however, remains to be seen.
