The California Privacy Protection Agency and the attorneys general of California, Colorado, and Connecticut announced joint investigations this month into companies that may be ignoring Global Privacy Control (GPC), a type of opt-out preference signal. The next day, California’s Senate passed AB 566. The bill would require browsers and mobile operating systems to support easy-to-use opt-out signals. These developments indicate regulators’ ongoing desire to make consumer privacy rights more accessible. Companies that haven’t built GPC compliance into their systems should take note.

Opt-out preference signals are tools that let consumers automatically exercise their right to opt out of the sale or sharing of personal information across all websites. GPC, for example, sends a signal from a browser or extension to websites, telling them not to pass user data to third parties. While honoring these signals has always been a legal requirement, they are becoming a standard part of regulatory attention.

In the joint announcement on September 9, 2025, California, Colorado, and Connecticut re-emphasized that their respective privacy laws — the CCPA, CPA, and CTDPA — require businesses to recognize and respond to tools like GPC. In announcing their enforcement focus, the regulators make clear their commitment to cross-jurisdictional investigations and enforcement of opt-out signal recognition. The announcement outlined two main ways consumers can opt out of the sale or sharing of personal data: (1) using a one-click option on individual websites or (2) enabling a browser-based GPC signal. 

If enacted, AB 566 would make California the first state to mandate browser support for opt-out preference signals, setting a precedent that other states may follow. It would also prohibit the development or maintenance of browsers that lack this consumer-configurable functionality and require clear public disclosures explaining how opt-out signals work and what effect they have. By shifting part of the compliance burden upstream to browser developers, the bill signals a trend toward embedding privacy protections directly into consumer technology and creating a more consistent, enforceable framework.

Taken together, the multi-state enforcement announcement and the passage of AB 566 mark the current direction of privacy regulation: making consumer rights easier to exercise and harder for businesses to ignore. Regulators are not only demanding technical compliance with tools like GPC but also expanding responsibility across the ecosystem. Businesses that fail to detect and respond to GPC signals risk enforcement, reputational harm, and loss of consumer trust.

Three Key Takeaways for Businesses

1. Prepare internal processes for responding to inquiries, identifying who will handle communications, and demonstrating compliance with opt-out signal preferences. 
    
2. Conduct internal audits to verify that opt-out signals are being honored consistently across digital properties. For entities using OneTrust or similar privacy management platforms, checking GPC signal detection and response is typically straightforward and should be part of routine compliance reviews.
    
3. Assess contractual obligations with browser developers and third-party vendors regarding signal recognition.

For more information, please contact us or your regular Parker Poe contact. Click here to subscribe to our latest alerts and insights.