California’s new Opt Me Out Act ushers in a one-click, browser-level opt-out that will reshape how publishers monetize audiences and manage data.
If you thought California already outpaced the rest of the country in privacy regulation, buckle up. The Golden State is back with the California Opt Me Out Act, a tweak to an earlier bill that publishers, advertisers and just about anyone in ad tech need to pay very close attention to.
In a nutshell, the new law makes it easier for consumers to opt out of data-sharing across websites.
California’s existing privacy law, the California Consumer Privacy Act (CCPA), requires websites to include a “Do Not Sell My Information” link somewhere in the site footer. Users would have to opt out of data-sharing on each site by clicking that link and then following an opt-out process, which varied by site.
Now, with this update to CCPA, users can throw a blanket opt-out signal at the browser level.
The law is set to go into effect on January 1, 2027, and will only apply to websites. Mobile apps are not invited to the party yet.
“This act is really a continuation of California’s push to empower consumers,” Idara Udofia, a partner in the Emerging Technologies Group at global law firm Reed Smith, told AdMonsters.
Its passage follows a previous attempt by California to pass a universal opt-out law, which “fizzled out last year,” Udofia said, after it was vetoed by Governor Gavin Newsom.
The significant difference is that this version of the bill drops the mobile app environment, narrowing the scope in a way that actually got the bill signed.
The law represents a big win for consumer privacy, according to Udofia. “What we’ll see now is a significant uptick in opt-outs, because for the first time, consumers will have a one-stop way to signal their privacy preferences across all sites they visit through compliant browsers,” she said.
An Uptick of Opt-Outs and a Drop in CPMs
But a dramatic jump in opt-out requests means publishers will face some tough decisions about how they manage data and the user experience.
“Publishers may keep their sites looking much the same on the surface,” said Udofia. “But beneath it all, the inventory available for highly targeted campaigns could shrink, affecting ad revenue and shaking up business models.”
In other words, publishers should brace for lower CPMs.
And, as with every new privacy law, technical uncertainty will be another item for publishers to address.
Thus far, implementation guidance from the California Privacy Protection Agency has been sparse, Udofia noted. The law is clear about what’s required, but there aren’t any real specifics about what a browser-level opt-out should look like or how publishers should technically implement it, she added. That leaves many in “wait and see” mode while continuing to honor opt-outs as best they can.
Right now, publisher privacy compliance is about auditing your pipelines, plugging gaps and making sure those browser signals make it through the plumbing without getting dropped. It’s not glamorous work, but enforcement agencies may come knocking if things go wrong. And they’ll be watching to see whether publishers are ingesting the new browser-level opt-out signal—however it ends up working in practice.
Meanwhile, the days of individualized ad targeting—at least in California—might be numbered.
“What we’ll likely see is a renewed focus on contextual advertising and first-party data,” Udofia said.
She added that ad inventory might lose value across the board if large swaths of Californians go dark for targeted ads. But there is a silver lining. “It’s an industrywide shake-up, so everyone’s in the same boat,” she said. “Innovation and transparency in data practices will be what sets winners apart.”
The Mobile Gap and the Next Regulatory Wave
But there’s a big question that’s unanswered by this version of the law: What about the huge chunk of digital activity moving from desktop to mobile? How long will mobile apps remain exempt from integrating a universal opt-out signal?
Udofia said California has shown interest in bringing mobile into the fold, and she predicted that state legislators will push forward on that initiative.
But for the moment, critics say the technology to implement universal opt-outs in mobile apps isn’t quite as established as it is for web browsers.
Governor Newsom seemed to support that idea when he vetoed the previous bill, writing in his letter to the State Assembly, “To ensure the ongoing usability of mobile devices, it’s best if design questions are first addressed by developers, rather than by regulators.”
Still, with more consumers living on their phones these days, another wave of regulation targeted at the mobile channel feels certain.
And don’t sleep on the growing regulatory push around kids’ data, either.
Some states are not just regulating but outright banning targeted advertising to anyone under 18, Udofia said. With younger audiences becoming increasingly unaddressable, and with a surge of California opt-outs likely coming soon, it’s definitely going to put a dent in a publisher’s advertising goals.
So how is a publisher to navigate this wild new privacy frontier? Start by mapping how you use personal data, Udofia said, and clear a path for compliance.