OOPS! States Crack Down on Opt-Out Preference Signal Compliance

Last month, the California Privacy Protection Agency (CPPA), together with the attorneys general of California, Colorado, and Connecticut, announced a coordinated investigation into whether businesses are properly honoring consumer opt-out preference signals, including the Global Privacy Control (GPC). The joint action highlights regulators’ increasing focus on the practical implementation of automated opt-out mechanisms and sends a clear signal that technical arguments for noncompliance will not suffice.

Just two weeks after the enforcement announcement, the California Office of Administrative Law approved the CPPA’s latest package of CCPA regulations, which will take effect on January 1, 2026. Among several consequential provisions are those that formalize obligations around opt-out preference signals (OOPS). For companies, this means it is no longer enough to post a “Do Not Sell My Personal Information” link — systems must now be able to detect, honor, and confirm when a consumer has chosen to opt out.

What Are Opt-Out Preference Signals?

OOPS are a consumer-friendly mechanism that allows individuals to communicate their privacy choices directly from their browser or device. Instead of navigating through multiple websites to click on links or adjust settings, a consumer can enable a single tool or browser extension that automatically transmits an opt-out signal to all websites they visit.

The most widely recognized signal is the Global Privacy Control (GPC). When activated in a browser, GPC sends a signal indicating that the user wishes to opt out of the sale or sharing of personal information. The expectation is that websites and apps detect this and similarly qualifying signals and treat OOPS as a valid opt-out request under applicable state laws.

The Obligation to Honor OOPS

The CPPA’s amendments (Article 3, § 7025) require businesses not only to detect and act on opt-out preference signals, but also to provide consumers with a clear indication that their request has been honored. In other words, this is an affirmative obligation — companies are to build the technical capacity to ingest signals and propagate the opt-out decision through their data flows, including, for example, with analytics tools, adtech partners, and service providers. The amendments also require companies to display on their website whether they have processed the consumer’s OOPS as a valid request.

The coordinated enforcement announcement underscores how central OOPS will be to enforcement. As California Attorney General Rob Bonta put it: “Californians have the important right to opt-out and take back control of their personal data — and businesses have an obligation to honor this request.”

Connecticut Attorney General William Tong was even more direct: “We are putting violators on notice today that respecting consumer privacy is non-negotiable.”

With regulators coordinating across states, businesses can expect heightened scrutiny of their signal-handling practices in the coming months.

Publicly Visible, Consumer-Testable Obligations

One feature that makes OOPS compliance unique is that it is publicly verifiable. Unlike backend obligations (e.g. risk assessments or security audits), whether a business honors an OOPS can be tested by any consumer with a browser extension. This visibility creates real enforcement exposure:

  • Regulators can easily verify whether a site is ignoring valid OOPS.
  • Consumers can confirm for themselves and file complaints if signals are not honored.
  • Class action plaintiffs and advocacy groups may also monitor sites and build claims based on observed noncompliance.

This transparency changes the calculus: companies may not wish to treat OOPS as a low-priority compliance item. For example, the CCPA recently fined Tractor Supply Co. $1.3 million for, among other alleged violations, failing to provide an effective opt-out mechanism such as through Global Privacy Control (GPC) signals.

As noted above, the Attorneys General of California, Colorado, and Connecticut sent a sweep of letters to businesses they perceived were not processing consumer requests to opt out of personal information sales, and the OOPS capability is expected to increase in use, with commensurate regulatory focus, in the coming months and years.

What Companies Could Do Next

Meeting these obligations likely requires more than a policy update and will involve operational integration across systems, vendors, and consumer interfaces. To prepare, businesses can focus on five key areas:

1. Signal detection and ingestion

Check that websites and apps are technically capable of receiving valid OOPS. This may require updating consent management platforms, tag managers, and backend systems.

2. Propagation across the data ecosystem

Consider the wider data ecosystem: review whether opt-out decisions flow through advertising and analytics pipelines, data warehouses, and service providers. Contracts may require vendors to honor signals, and technical testing may be needed to confirm compliance.

3. Consumer-facing confirmation

The regulations call for businesses to indicate to consumers when their opt-out signal has been honored. Clear, user-friendly interfaces and back-end technical solutions may be needed to provide this feedback.

4. Monitoring and evidence

Businesses could implement logging, monitoring, and audit trails to demonstrate that signals were consistently honored. 

5. Governance and accountability

Consider assigning ownership—often within privacy, legal, or IT teams—for signal compliance. Reporting to senior management and the board may help ensure visibility and oversight.
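
Steps 1 through 4 above can be sketched as one server-side request handler. This is an added example, not code from the original article or from any regulator; the vendor names, the purpose labels that decide which vendors are switched off, the field names and the confirmation wording are all assumptions.

```javascript
// Added example. Vendor names, field names and banner text are assumptions.
const VENDORS = [
  { name: "ads-partner", purpose: "sale_or_share" },        // hypothetical
  { name: "analytics-saas", purpose: "sale_or_share" },     // hypothetical
  { name: "fraud-screening", purpose: "service_provider" }, // hypothetical
];

// Step 1, detection: the GPC specification defines the request header
// "Sec-GPC: 1". Node lowercases header names; only the value "1" counts.
function hasGpc(headers) {
  const value = headers["sec-gpc"];
  return typeof value === "string" && value.trim() === "1";
}

// Steps 2 to 4: propagate the decision, build the confirmation, keep evidence.
function handleRequest(headers, storedOptOut, now = new Date()) {
  const gpc = hasGpc(headers);
  // A missing signal never undoes an opt-out the consumer made earlier.
  const optedOut = gpc || storedOptOut === true;
  const vendors = VENDORS.map((v) => ({
    name: v.name,
    enabled: !(optedOut && v.purpose === "sale_or_share"),
  }));
  const audit = {
    ts: now.toISOString(),
    signal: gpc ? "Sec-GPC: 1" : "none",
    optedOut,
    suppressed: vendors.filter((v) => !v.enabled).map((v) => v.name),
  };
  return {
    optedOut,
    vendors,
    confirmation: gpc ? "Opt-out preference signal honored" : null,
    audit,
  };
}

// Constructed sample requests: one with the signal, one without.
for (const headers of [{ "sec-gpc": "1" }, {}]) {
  console.log(JSON.stringify(handleRequest(headers, false).audit));
}
```

The audit object is the evidence record from step 4; the page template would render the confirmation string and load only the vendors marked enabled.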

Conclusion

With the CPPA’s new regulations approved and a multi-state investigation underway, OOPS compliance has become a priority of U.S. privacy enforcement. Businesses can act now to start reviewing and verifying that OOPS are honored across their operations, align vendors and service providers, and provide consumers with clear confirmation of their choices.
