New California Privacy Law Could Redefine How Americans Control Their Online Data

A groundbreaking California law could soon transform how every American’s data is handled online — effectively setting a national standard for digital privacy rights.

Signed by Gov. Gavin Newsom, Assembly Bill 566 (AB 566) requires web browsers to give users an easy, automated way to opt out of data sharing and sales. Legal experts say this marks a major step forward in consumer data protection and could influence federal privacy law in the years ahead.

A Legal Turning Point for Digital Privacy

Under AB 566, web browsers such as Google Chrome, Microsoft Edge, and Apple’s Safari will be required — by January 1, 2027 — to include a user-controlled signal that automatically tells websites not to sell or share personal information.

The law, sponsored by the California Privacy Protection Agency (CPPA), aims to eliminate the burden on consumers to manually opt out on every website they visit. Instead, users will have a single browser setting that communicates their privacy preferences automatically.

“This is the first state law that makes privacy a proactive default rather than an afterthought,” said Emory Roane, Associate Director of Policy at Privacy Rights Clearinghouse, a nonprofit that supported the legislation. “It’s a simple technical implementation with huge implications.”

From State Law to National Standard

California already leads the nation in privacy protections through the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). But even those require users to opt out site-by-site — a process privacy advocates argue is both cumbersome and ineffective.

“Having to visit every website and click ‘Do not sell my data’ isn’t a real privacy right,” said Caitriona Fitzgerald, Deputy Director of the Electronic Privacy Information Center (EPIC). “AB 566 finally automates the process.”

By making the opt-out feature browser-based, experts believe it will be easier for browser developers to roll out the feature nationwide, rather than limit it to California users. As a result, AB 566 could become a de facto national privacy rule, pressuring companies across the U.S. to comply.

The Role of the Global Privacy Control

While some browsers — including Mozilla Firefox — already support a similar feature called Global Privacy Control (GPC), AB 566 is the first law that requires all browsers to implement such a tool.

Several other states, including Texas and New Jersey, have moved toward adopting similar frameworks, and California’s Attorney General has previously taken enforcement actions against companies that ignore users’ privacy signals.

“The more states adopt laws like AB 566, the closer we get to a unified national privacy standard,” said Nick Doty, Senior Technologist at the Center for Democracy and Technology.

However, the law doesn’t specify which standard browsers must use — allowing flexibility in implementation but also creating potential compliance inconsistencies.

Legal Implications and Compliance Challenges

The legal scope of AB 566 extends beyond California’s borders. It applies to all California residents, even if they’re browsing from out of state — meaning websites could face civil penalties if they ignore a user’s opt-out signal.

According to Roane, companies that choose to disregard the browser-based preference risk violating the law:

This adds a new layer of compliance complexity for digital publishers, advertisers, and analytics companies that collect or sell consumer data.

Legal analysts expect the law to trigger a wave of corporate policy updates before its 2027 enforcement deadline, similar to the industry shifts seen after Europe’s General Data Protection Regulation (GDPR) took effect.

Tech Industry Pushback

Not everyone in Silicon Valley supports the change. According to a CalMatters report, Google quietly lobbied against AB 566 through industry groups it funds, though it did not publicly oppose the measure.

Governor Newsom previously vetoed a broader version of the bill in 2024, citing implementation concerns. However, privacy advocates persisted, leading to a narrower version that still passed with strong legislative support.

Critics within the tech sector warn the law could create “patchwork compliance costs” if other states adopt slightly different rules. Yet privacy advocates see it as the inevitable next step in protecting user autonomy and digital consent.

What Comes Next: Expanding Privacy to Devices and Vehicles

Experts say AB 566 could inspire similar legislation targeting connected devices, smart vehicles, and IoT data. Future bills may require manufacturers to integrate opt-out signals directly into device software, not just browsers.

“We’re finally starting to see real, enforceable privacy rights,” Roane said. “But we’re still a long way from making them universal across every platform, device, and state.”

Justice Watchdog Analysis

From a legal standpoint, AB 566 reflects a shift from user burden to corporate responsibility — signaling that privacy is a fundamental right, not a feature.

Know Your Rights

For more information about your data privacy rights or to file a complaint under California law, visit the California Privacy Protection Agency or consult a data privacy attorney familiar with state and federal privacy regulations.