All Blog Posts
Privacy News

Concord Privacy News: 11/7/25

California Opt Me Out Act signed into law; consumers seek $2.36 billion from Google after privacy verdict; Massachusetts Senate backs data privacy bill giving consumers more control of their data.

Published: Fri Nov 07 2025

Concord Privacy News: 11/7/25
California's AB 566: Making Privacy Rights Actually UsableThe Problem With Privacy Rights TodayHow AB 566 WorksWhy This MattersA Growing National MovementWhat Makes AB 566 DifferentImplications for BusinessesA Template for the NationOther Privacy News of NoteConsumers Seek $2.36 Billion from Google After Privacy VerdictMassachusetts Senate Backs Data Privacy Bill Giving Consumers More Control of Their Data

California's AB 566: Making Privacy Rights Actually Usable

On October 8, 2025, the California Opt Me Out Act (AB 566) was signed into law, marking a major milestone in digital privacy protection. When it takes effect on January 1, 2027, California will become the first state to require web browsers to offer built-in opt-out preference signals, making it dramatically easier for consumers to protect their privacy.

The Problem With Privacy Rights Today

Californians have had the legal right to opt out of the sale and sharing of their personal information since the California Consumer Privacy Act (CCPA) was enacted. But exercising this right is frustratingly complex. Consumers must visit each website individually, navigate confusing privacy settings, and repeat this process hundreds of times across all the sites they visit.

Privacy rights are meaningless if they're too difficult to use. AB 566 solves this problem by requiring the solution to be built into browsers themselves.

How AB 566 Works

Under the new law, all browser developers operating in California must provide an easy-to-locate, consumer-configurable opt-out preference signal. Think of it as a universal "Do Not Sell My Data" switch that works everywhere you browse.

When consumers enable this signal in their browser—whether Chrome, Safari, Edge, or others—it automatically communicates their opt-out preference to every website they visit. One simple toggle tells every business: "Don't sell or share my personal information."

Key provisions:

  • Browsers must include an easy-to-find opt-out signal
  • Businesses must honor the signals and clearly explain how they work
  • Browser developers are protected from liability for business violations
  • Enforcement will be handled by the California Privacy Protection Agency, with penalties up to $7,500 per violation

Why This Matters

AB 566 doesn't create new privacy rights—it makes existing rights genuinely accessible. Currently, only privacy-focused browsers like Firefox and Brave offer opt-out preference signals such as Global Privacy Control. After January 2027, this protection will be available to everyone, regardless of which browser they use.

The impact extends beyond convenience. Sensitive personal information—including health data, religious beliefs, immigration status, and political affiliations—is regularly collected, sold, and used in ways consumers don't expect. Universal opt-out tools make this information less vulnerable to exploitation.

A Growing National Movement

California isn't alone in recognizing the importance of universal opt-out mechanisms. As of 2025, more than a dozen states already require businesses to honor opt-out preference signals when consumers enable them, including California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Minnesota, and Maryland. Together, these states represent more than a quarter of the U.S. population.

State attorneys general are actively enforcing these requirements. In 2022, California settled with Sephora for $1.2 million over CCPA violations, including failure to process Global Privacy Control signals. Recently, California, Colorado, and Connecticut launched a joint investigation into businesses' compliance with opt-out signals.

What Makes AB 566 Different

While other states require businesses to honor opt-out signals, AB 566 takes the critical next step: requiring browsers to offer those signals in the first place. This is the missing piece that makes the entire system work.

Currently, consumers who want to use Global Privacy Control must switch browsers or install extensions—options most people don't even know exist. By requiring all major browsers to include this functionality, AB 566 ensures privacy protection becomes accessible to everyone, not just tech-savvy users.

Implications for Businesses

Companies should prepare for significant changes:

  • Higher opt-out volume: When Chrome, Safari, and Edge add one-click opt-out, expect many more consumers to exercise their privacy rights.
  • Technical readiness: Systems must automatically detect and respond to opt-out signals by January 2027.
  • Marketing adjustments: Strategies relying on selling or sharing personal data will face new constraints.
  • Compliance documentation: Document your systems for detecting and honoring opt-out signals.
  • Consent management: Ensure you’re using a fully compliant consent management platform (like Concord) that includes the latest regulation-required controls, including GPC support.

A Template for the Nation

California's privacy legislation consistently sets the standard that other states follow. The CCPA inspired comprehensive privacy laws in Virginia, Colorado, Connecticut, and more than a dozen other states. AB 566 is positioned to continue this trend.

By demonstrating that browser-level opt-out signals are both technically feasible and legally enforceable, California is likely to inspire similar legislation nationwide. As more states adopt these requirements, we may see a patchwork that effectively becomes a national standard—or catalyzes federal privacy legislation with universal opt-out mechanisms.

Other Privacy News of Note

Consumers Seek $2.36 Billion from Google After Privacy Verdict

U.S. Google users who won a $425 million jury verdict in a consumer privacy class action last month have asked a federal judge to force the Alphabet unit to forfeit an additional $2.36 billion in profits. The consumers, in an October 22 court filing, called the amount a "conservative approximation" of Google’s allegedly ill-gotten gains after the jury found the company secretly collected app activity data from millions of users who had disabled an account tracking feature. Read more.

Massachusetts Senate Backs Data Privacy Bill Giving Consumers More Control of Their Data

The Massachusetts Senate unanimously passed a landmark data privacy bill that would give residents strong new protections over how their personal information is collected, used, and sold. Lawmakers said the measure would make Massachusetts among the states with the strongest data privacy laws in the country. “When Massachusetts residents’ personal information is being offered up for sale to the tech billionaire with the highest bid, it is imperative that we act decisively to protect individuals and families,” Senate President Karen E. Spilka said in a news release. Read more.