California just told Chrome, Safari, and Edge: build privacy controls into your browsers by January 2027, or face consequences. Governor Newsom signed AB 566—the California Opt Me Out Act—on October 8, 2025. For the first time in US history, a government is requiring browser vendors to include opt-out preference signals as a built-in feature.
Currently, only Brave, DuckDuckGo, and Firefox support Global Privacy Control (GPC) natively. When Chrome adds this feature—and with 64% global browser market share (StatCounter, 2025), they will—expect the volume of opt-out requests hitting your WordPress site to surge dramatically.
What AB 566 Actually Requires
The law is straightforward: California is the first state to require browsers to offer built-in opt-out preference signals, effective January 1, 2027 (CPPA, 2025).
Key requirements:
- All browsers must include opt-out functionality: Chrome, Safari, Edge, Firefox, Opera—everyone operating in California
- Easy-to-use setting required: The opt-out signal must be accessible through browser settings, not buried in developer tools
- Signal does not need to be on by default: Users must actively enable it, but the option must exist
- Technical specifications coming: CPPA will define the exact signal format browsers must implement
Here is the critical detail for website owners: Browser developers get immunity from liability under AB 566—the obligation to honor signals falls on websites receiving them (CPPA, 2025).
Translation: Google, Apple, and Microsoft are off the hook. Your WordPress store is not.
You may be interested in: Brave Browser Is Killing Your GA4 Data: What 100M Privacy-First Users Mean for WordPress Tracking
Why This Changes Everything
Privacy browsers like Brave already send GPC signals by default. The impact has been measurable but contained—Brave represents a small slice of overall traffic.
AB 566 changes the math entirely.
Chrome holds 64% browser market share globally. When Google adds a one-click “Do Not Sell My Data” toggle to Chrome settings, millions of users will enable it. Not privacy enthusiasts. Regular people who see the option and think “sure, why not?”
And California cannot be ignored. If California economy were a country, it would rank fifth largest in the world (ObservePoint, 2025). Browser vendors will comply. They have no choice.
The Opt-Out Surge Timeline
Here is what to expect:
Now Through 2026: Preparation Window
You have roughly 12 months before the law takes effect. Use this time to:
- Audit your current GPC signal handling
- Update your Consent Management Platform (CMP) to recognize and honor GPC
- Build first-party data infrastructure that works regardless of opt-out status
- Review which marketing platforms depend on data sharing that GPC blocks
January 2027: Compliance Deadline
Browsers must have opt-out functionality available. Initial adoption will depend on how prominently browsers surface the feature.
2027 and Beyond: Gradual Surge
As users discover the setting—through browser prompts, news coverage, or word of mouth—opt-out rates will climb. The question is not if, it is how fast.
What This Means for Your Marketing
When a user sends a GPC signal, you must treat it as a valid opt-out request under CCPA. That means:
- No selling or sharing personal information with advertising platforms
- No cross-context behavioral advertising based on their activity
- No retargeting through third-party data exchanges
The penalty structure is real: Penalties for CCPA violations include up to $7,988 per intentional violation (NumberVerifier, 2025). Each consumer whose opt-out is not honored could be a separate violation. At scale, this becomes existential.
You may be interested in: Brave Blocks Adobe Analytics, GA4, and Meta Pixel: The Complete List of What Privacy Browsers Kill
What Still Works After Opt-Out
GPC signals restrict data sharing with third parties. They do not eliminate all tracking. Here is what survives:
First-Party Analytics
Collecting data about user behavior on your own site, for your own use, remains permissible. GA4 in “basic” mode (without Google Signals or cross-site measurement) continues to function.
First-Party Conversion Tracking
When a customer completes a purchase, you know they purchased. That is your data, on your site, about your transaction. GPC does not erase this.
Server-Side Data Collection to Your Own Infrastructure
Events captured server-side and stored in your own BigQuery instance remain yours. You are not sharing with advertising platforms—you are building your own data asset.
Contextual Advertising
Ads based on page content rather than user tracking are unaffected by opt-out signals.
Preparing Your WordPress Store
The stores that thrive post-2027 will be those that build first-party data infrastructure now. Here is the preparation checklist:
1. Audit Your Current State
Test your site with a GPC-enabled browser (Brave or Firefox with GPC on). What breaks? What data stops flowing? This reveals your exposure.
2. Update Your CMP
Ensure your Consent Management Platform recognizes GPC signals and treats them as valid opt-out requests. Major CMPs (Cookiebot, OneTrust, Osano) support this—but configuration varies.
3. Build First-Party Data Pipelines
Route your WooCommerce events to infrastructure you control. BigQuery gives you a data warehouse that survives regardless of browser privacy settings. Your customer data, your servers, your rules.
4. Separate Analytics from Advertising
Your need to understand site behavior (analytics) is different from your need to share data with ad platforms (advertising). Structure your tracking to honor this distinction.
5. Plan for Reduced Retargeting Audiences
When opt-out rates climb, your Facebook Custom Audiences and Google Ads remarketing lists will shrink. Prepare alternative acquisition strategies: email marketing, contextual advertising, SEO.
The First-Party Data Advantage
Transmute Engine™ routes your WooCommerce events server-side to destinations you control. GA4 gets measurement data. Facebook CAPI gets conversion events (with appropriate consent). BigQuery gets everything—your complete first-party dataset that no browser setting can touch.
When the 2027 opt-out surge arrives, stores with first-party infrastructure will have customer data to work with. Stores dependent entirely on third-party tracking will be flying blind.
Key Takeaways
- AB 566 requires Chrome, Safari, and Edge to offer opt-out signals by January 1, 2027—the first law of its kind in the US
- Browser developers get immunity; websites bear all liability for honoring opt-out signals
- Chrome 64% market share means opt-out volume will surge dramatically when they comply
- CCPA penalties reach $7,988 per intentional violation—each ignored opt-out could be separate
- First-party data infrastructure built now will determine who survives the 2027 transition
January 1, 2027. By this date, all browsers operating in California must include built-in functionality for consumers to send opt-out preference signals. Governor Newsom signed AB 566 into law on October 8, 2025.
No. AB 566 requires browsers to offer the functionality, but the signal does not need to be enabled by default. Users must actively choose to turn it on. However, once mainstream browsers make this a one-click setting, adoption will likely surge.
No. AB 566 grants browser developers immunity from liability. The obligation to honor opt-out signals falls entirely on websites receiving them. This means the compliance burden is on your WordPress store, not on Chrome or Safari.
CCPA penalties apply—up to $7,988 per intentional violation. Each consumer whose opt-out request is not honored could be a separate violation. With mainstream browser adoption, ignoring signals becomes financially dangerous.
The 2027 deadline is closer than it feels. Start building your first-party data infrastructure with Transmute Engine.
