Meaningful Opt-Out Rights Require Companies to Do Their Part. State Governments Might Have to Make Them.
Update: CDT submitted a letter on March 7, 2025 to the California State Assembly’s Committee on Consumer Protection in support of AB 566, which requires vendors of web browsers and mobile operating systems to include a setting that enables users to send an automated signal to businesses with which they interact through their browser or mobile device indicating that they wish to opt out of sales of their personal data. Read the full letter here.
The internet does, in fact, know that you’re a dog. What’s more, a constellation of industries, many connected to the online advertising business, routinely track your online activity, connect that data to information about offline purchases and behavior, and sell these insights about consumers. This system is ostensibly meant to inform ad targeting in ways that can benefit both brands and consumers, but all too often it’s used in ways that contribute to real-world harm. In much of the world, individual internet users can do very little to protect themselves, at least if they want to fully participate in 21st-century society.
Many people and organizations — including CDT — object to this status quo and have devoted significant time and effort to developing legal and technical guardrails. These guardrails include legislation like the General Data Protection Regulation (GDPR) in Europe and a growing number of state privacy laws, like the California Consumer Privacy Act (CCPA), that draw lines around permissible and impermissible data collection and processing. Such legislation also gives individuals the right to opt out of data collection, processing, or sales under certain circumstances.
Technical solutions like the Global Privacy Control (GPC) are key to enabling people to exercise these privacy rights, particularly in a way that avoids overwhelming individuals with site-by-site or app-by-app requests. By toggling a single setting in their web browser, users can have GPC automatically signal to each service they interact with online that it should respect the opt-out rights protected in their jurisdiction. It’s time to enact legal requirements for companies to offer the option to send universal opt-out signals and for data-collecting entities to respect them. CDT welcomes the California Consumer Protection Agency’s February 13 announcement that the state legislature would consider such a bill this session, AB 566, after the governor vetoed an identical bill in 2024.
Predictably, companies whose business models hinge on data practices that these laws either prohibit or subject to a user opt-out right are in no rush to respect or implement GPC (or other similar mechanisms) on a voluntary basis. This is why California and Colorado have recognized GPC as a universal opt-out mechanism, obligating companies to respect the GPC opt-out signals they receive; they will soon be joined by other states like Connecticut, Texas, Oregon and New Jersey as those state privacy laws come into effect. However, none of the market-leading web browsers (Google Chrome, Apple Safari, and Microsoft Edge) supports GPC, preventing users of those browsers from sending the technical signals needed to exercise their privacy rights. (Browsers that support GPC include Brave, DuckDuckGo, and Firefox.)
Last year, California’s legislature passed AB 3048, which would have required browsers and mobile operating systems to offer users the option to send a universal signal to opt out of sale of their data. However, Governor Gavin Newsom vetoed the bill after concerted lobbying from the tech industry.
The failure to enact AB 3048 into law undermined Californians’ ability to control how their data is used. Californians already have the right to opt out of sales of their data, and companies must honor opt-out requests when they receive them. But, as a practical matter, exercising that right is overly cumbersome, requiring users to individually notify each business to refrain from selling their data. AB 3048 would have made that process much easier by allowing users to toggle a single setting on their browser or mobile device, which would automatically send an opt-out signal such as GPC to data-collecting entities. It would have had no significant detrimental effect on browser and device developers, but would likely have increased the number of opt-outs from personal data sales that websites and ad tech companies receive and would therefore be required to honor.
In his September 20th message informing the legislature of his decision, Governor Newsom asserted that “no major mobile OS incorporates an option for an opt-out signal,” in contrast to “most” internet browsers, and that “[t]o ensure the ongoing usability of mobile devices, it’s best if design questions are first addressed by developers, rather than by regulators.”
A bit of context is required to make sense of that statement. First, the market for mobile operating systems both in the U.S. and globally is dominated by Google’s Android and Apple’s iOS. The fact that two companies have so far failed to offer a setting to send an opt-out signal is hardly evidence that it can’t be done. Second, these same companies’ browsers — Chrome and Safari, respectively — do not support GPC, the predominant mechanism for communicating opt-out preferences through the browser; nor does Microsoft Edge, for that matter. One source estimates that, together, these three vendors represent close to 90% of the global desktop web browser market, and an even higher share of the U.S. domestic market.
Governor Newsom’s reasoning for his veto, then, seems to be that since the market leaders have not voluntarily taken steps that would benefit consumers while potentially disrupting their business practices, the law should not require them to do so. It would be hard to overstate the wrong-headedness of that approach.
As other civil society advocates have highlighted, companies rarely abandon lucrative data practices if the law doesn’t require it, and individuals are less likely to exercise their privacy rights if that requires taking onerous steps. For privacy rights to be meaningful, the law must make it easy for users to vindicate those rights. Governor Newsom knows this: his veto statement recalls that he signed SB 362 in 2023, requiring the California Privacy Protection Agency to establish an accessible deletion mechanism allowing consumers to make a single request that all registered data brokers delete their personal information.
Where do we go from here?
Notwithstanding the setback that Governor Newsom’s veto represents, work on GPC will continue in 2025. The reintroduction of last year’s bill, now known as AB 566, is an encouraging sign that California’s legislators understand the importance of making universal opt-out mechanisms widely available. CDT is proud to have helped form the Privacy Working Group at the World Wide Web Consortium (W3C), which has now published a draft of the GPC specification, and we are committed to shepherding GPC along the path to standardization.
But GPC standardization alone won’t be enough to empower internet users to control how their data is collected, processed and transferred. While a growing number of states require companies to respect users’ GPC opt-out signals, governments also need to enforce such requirements, and companies need to build products that enable users to easily send those signals in the first place. Tens of thousands of websites already proactively advertise their respect for GPC signals, and extensions with tens of millions of users have these settings available today.
Unfortunately, the need for three sets of actors — governments, companies, and the technical community — to act in concert creates opportunities for unproductive buck-passing. Over many years of advocacy, CDT has repeatedly heard policymakers, company representatives, and members of the technical community resist taking the steps needed to make meaningful opt-out rights a reality by arguing that some other actor should act first. For example, some members of the technical community have objected to GPC standardization at the W3C on the grounds that so far, only a few U.S. states require companies to respect GPC signals. Many policymakers have resisted requiring companies to support universal opt-out mechanisms like GPC and to respect user opt-out signals before GPC is fully standardized and widely implemented. And companies may decline to provide GPC support because of a supposed lack of clarity about legal requirements, absence of robust enforcement mechanisms, or the incomplete W3C standardization process. It is particularly galling for industry to simultaneously argue for privacy opt-out rights instead of an opt-in system but resist making opt-outs actually work for users.
In short, everyone drags their feet until all other actors involved have done their parts.
That said, we are encouraged by the significant progress made at the W3C and at the state level, Governor Newsom’s veto notwithstanding. In 2025, CDT will continue to support the standardization process as well as state privacy bills mandating respect for user opt-out signals and requiring companies to enable users to send those signals in the first place, like California’s AB 566. It is past time for all stakeholders — from tech companies to policymakers — to recognize that consumer opt-out of tracking is table stakes for basic privacy protections, and universal opt-out mechanisms are the most consumer-friendly way to implement those requirements. Without them, consumers are stuck playing endless whack-a-mole.