Universal Opt-Out Mechanisms Explained
Key Takeaways: Businesses that collect personal data for commercial purposes must ensure that their personal data tracking and sale practices comply with privacy regulations by recognizing universal opt-out signals where required. As of July 1, 2025, universal opt-out requirements are in effect in California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. Additionally, requirements will take effect in Minnesota on July 31, 2025 and Maryland on October 1, 2025.
What is a Universal Opt-Out Mechanism?
The term universal opt-out mechanism (“UOOM”) refers to a range of tools available on both desktop and mobile devices that enable consumers to pre-select their preference to opt out of certain types of online data processing. These mechanisms function by sending a standardized signal to websites that recognize UOOMs to inform the website operator of the user’s preferences regarding the collection of personal information using cookies or other tracking technologies when the user accesses the website.
UOOMs work by integrating with browser settings or tools that users activate to communicate their preferences across multiple websites. The use of UOOMs simplifies the process of managing privacy settings and reduces the need for users to manually modify privacy settings or submit opt-out requests on each individual website.
The first state to require websites to honor UOOM signals was California, under the California Consumer Privacy Act (the “CCPA”). The CCPA’s universal opt-out requirements have been in effect since January 1, 2023. In July of 2024, Colorado became the second state to require businesses to honor user-selected universal opt-outs for targeted advertising and sales under the Colorado Privacy Act (the “CPA”). While California was a leader in creating UOOM requirements by statute, UOOM requirements across U.S. state privacy laws are largely modeled after the CPA.
As of July 1, 2025, ten U.S. states require websites to honor UOOM signals. These states include California, Colorado, Connecticut, Delaware, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas. Additionally, requirements will take effect in Minnesota on July 31, 2025 and Maryland on October 1, 2025.
What does a UOOM do?
If a website user has enabled a UOOM on their browsers or devices, the UOOM will send a signal to each website the user visits. This signal generally requests that the website operator does not:
- Track the user’s activity across the internet;
- Collect the user’s personal data for targeted advertising purposes; or
- Sell the user’s personal data.
What is Global Privacy Control?
There are several UOOM tools available to consumers, such as Brave, Mozilla Firefox, and OptMeow. One of the most popular UOOMs is Global Privacy Control (“GPC”). GPC is a browser extension that automatically indicates a consumer’s opt-out preferences. In 2024, GPC was selected as the only UOOM that meets the standards of the CPA. While Colorado remains the only state with a formal approval process for universal opt-out mechanisms, GPC is broadly accepted as meeting the criteria for valid opt-out signals under the remaining U.S. states which require any opt-out signal a user implements to be honored.
On January 29, 2025, California Attorney General Rob Bonta issued a press release reminding Californians of their right to opt out of the sale and sharing of their personal information under the CCPA. He specifically encouraged consumers to familiarize themselves with GPC as a tool that allows customers to exercise this right easily.
A website can be set up to support GPC signals using well-known security identifiers, using the U.S. Privacy Application Programming Interface, or by setting up a consent management platform that supports GPC.
Who is Required to Acknowledge UOOM Signals?
Even if a business doesn’t “sell” personal information in the traditional sense, it may still be required to acknowledge opt-out signals. For instance, the CCPA defines “sale” as the transfer of personal information for monetary or other valuable consideration. Generally, any controller that processes personal information for targeted advertising (referred to as “cross context behavioral advertising” in the CCPA) or for the sale of personal data must detect and honor UOOM signals.
If a business receives a UOOM signal, it must stop selling or sharing personal information associated with:
- The browser or device that sent the signal;
- Any profile or pseudonymous identifier associated with the browser or device; and
- The consumer, if known, including when logged into an account with the business.
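A server-side sketch of honoring the signal at all three scopes listed above. This is an added example, not code from the article or from any state regulator; it assumes the signal arrives as the `Sec-GPC: 1` request header defined in the GPC proposal, and the function names, the in-memory store, and the sample identifiers are hypothetical.

```javascript
// Added example; all names are hypothetical and the sample requests are constructed.
// Assumption: the GPC proposal expresses the signal as the request header "Sec-GPC: 1".
function hasGpcSignal(headers) {
  // Node lower-cases incoming header names; only the exact value "1" counts.
  const v = headers["sec-gpc"];
  return typeof v === "string" && v.trim() === "1";
}

// In-memory stand-in for a preference database (assumption).
function createOptOutStore() {
  return { devices: new Set(), pseudonymousIds: new Set(), consumers: new Set() };
}

// Record the opt-out at every scope in the list above: the browser or device,
// any pseudonymous identifier tied to it, and the consumer when known.
function recordOptOut(store, ctx) {
  if (ctx.deviceId) store.devices.add(ctx.deviceId);
  for (const id of ctx.pseudonymousIds || []) store.pseudonymousIds.add(id);
  if (ctx.accountId) store.consumers.add(ctx.accountId);
}

// Gate for any code path that would sell or share data for this request.
function maySellOrShare(store, headers, ctx) {
  if (hasGpcSignal(headers)) recordOptOut(store, ctx);
  const optedOut =
    store.devices.has(ctx.deviceId) ||
    (ctx.pseudonymousIds || []).some((id) => store.pseudonymousIds.has(id)) ||
    store.consumers.has(ctx.accountId);
  return !optedOut;
}

// Constructed requests: a signed-in visit that sends GPC, then the same
// account on a second device that sends no signal.
const store = createOptOutStore();
const first = maySellOrShare(store, { "sec-gpc": "1" },
  { deviceId: "dev-A", pseudonymousIds: ["ad-123"], accountId: "user-42" });
const second = maySellOrShare(store, {},
  { deviceId: "dev-B", pseudonymousIds: [], accountId: "user-42" });
console.log(first, second); // false false
```

The second request is blocked even without the header because the opt-out was stored against the known consumer, not only the device that sent the signal.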
What Disclosures Are Required?
Businesses subject to UOOM requirements must clearly and conspicuously disclose the use of personal data as well as provide a method for consumers to exercise the right to opt out of the processing of their personal data. Beyond this, the CCPA also requires businesses to provide a clear and conspicuous method to limit the processing of sensitive personal data, or, in lieu of both methods, a business can offer a clearly labeled link to allow consumers to opt out of or limit the processing of personal information.
Are UOOM Requirements Being Enforced?
The CCPA enforcement against Sephora serves as an example of the importance of complying with UOOM requirements. On August 24, 2022, Sephora agreed to pay $1.2 million in fines to the State of California in a settlement to resolve allegations that Sephora sold customers’ personal information in violation of the CCPA. The company not only failed to disclose its sale of personal information, but also did not honor or process the opt-out requests made through the GPC. The California Attorney General gave Sephora notice of its potential violation and a 30-day cure period before Sephora would face legal liability, and Sephora failed to cure its violations during that period.
The enforcement against DoorDash offers another example of the importance of complying with state privacy laws. On February 1, 2023, California Attorney General Rob Bonta announced a settlement with DoorDash. An investigation by the California Department of Justice found that DoorDash sold its California customers’ personal information without providing notice or an opportunity to opt out of that sale. As part of the settlement, DoorDash agreed to pay a $375,000 penalty and comply with strong injunctive terms, including the development of a compliance program and annual reporting to the California Attorney General.
Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business's compliance needs or the steps required to adhere to state privacy laws, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for expert assistance.
*Special thanks to summer associate Ellie Johnson for her contributions to this article.