As of January 1, 2026, businesses subject to the California Consumer Privacy Act (CCPA) not only have to honor opt-out signals but also show consumers that their opt-out signal has been processed.

What’s Changed? The CCPA Requires Businesses to Confirm Their Processing of Opt-Out Signals

Revised CCPA regulations that took effect on January 1, 2026, impose a new requirement on those businesses processing automated opt-out signals from browsers. Section 7025(c)(6) of the CCPA previously suggested businesses "may" and now requires that businesses "must" show on their website that a consumer's opt-out signal has been recognized and processed:

"A business must display whether it has processed the consumer’s opt-out preference signal as a valid request to opt-out of sale/sharing on its website. For example, the business may display on its website “Opt-Out Request Preference Signal Honored” when a browser, device, or consumer using an opt-out preference signal visits the website, and display through a toggle or radio button that the consumer has opted out of the sale/sharing of their personal information . . . ."

Background: What Is an Opt-Out Signal?

Several U.S. state laws give consumers the right to tell businesses not to sell or share their personal information for certain purposes, including targeted advertising. One common method is a Global Privacy Control (GPC) (also known as an “opt-out signal” or a “universal opt-out mechanism- UUOM”), a browser-based mechanism that sends an automated signal to websites.

States that require businesses to recognize and honor opt-out signals include California, Colorado, Connecticut, Delaware, Maryland, Montana, Nebraska, New Hampshire, New Jersey, Oregon and Texas.

Why the Use of Opt-Out Signals May Increase

In October of 2025, California enacted the California Opt Me Out Act, a law requiring all web browsers to be able to send an “opt-out preference signal” to businesses by January 1, 2027.  Businesses can expect increased consumer use of the GPC and must be ready to recognize and honor GPC signals automatically.

This new requirement is particularly important give that compliance with the requirement to honor the GPC continues to be a particular enforcement focus for state regulators, emphasized by recent public settlements and the announcement of a multi-state investigatory sweep. For more, see Multi-State Privacy Enforcement Sweep Highlights GPC Compliance Obligations.

What This Means for Businesses

Businesses should seek counsel to review their privacy practices, including:

• Website policies

• Consent-management platform functionality and prompts,

• Text of banners and signal displays, and

• Technical ability to recognize, process, and display the operation of opt-out signals.

If you have questions or would like to schedule a compliance review, please contact your Nelson Mullins attorney.