An opt-out preference signal, often called an OOPS, is a browser or device setting. It automatically tells every website a consumer visits not to sell or share their personal information. US state privacy laws increasingly require businesses to honor it, and Global Privacy Control is the leading example.
What Is an Opt-Out Preference Signal?
An opt-out preference signal (OOPS) is a standardized browser or device signal. It lets a consumer exercise their right to opt out of the sale and sharing of personal information across every business at once. The consumer sets it up once. It then applies automatically everywhere, with no per-site requests.
Some state laws use a different name for the same idea: a universal opt-out mechanism (UOOM). California's regulator, the California Privacy Protection Agency (CPPA), calls it an opt-out preference signal.
Other states call the identical concept a UOOM. The mechanism, the legal effect, and the underlying right stay the same no matter which label a given statute uses.
How Does an Opt-Out Preference Signal Work?
An opt-out preference signal works in three moves. The consumer turns it on once in a supporting browser or extension. The browser then sends the signal automatically to every site the consumer visits. A covered business detects and honors it as a valid opt-out.
The flow breaks down into four steps.
- The consumer enables the setting once, inside a browser or an installed extension.
- The browser transmits a real-time signal to every site visited, in a format businesses recognize, such as an HTTP header field or a JavaScript object.
- A covered business detects that signal on the page.
- The business treats it as a valid opt-out request. It stops selling or sharing personal information tied to that browser, device, and any associated profile.
When a site displays "opt-out signal honored" or a similar message, it means the site detected the signal and applied it. As of January 1, 2026, California's regulations require businesses to affirmatively display that they processed the signal, not just quietly apply it.
This is a sharp break from an earlier, largely-ignored signal: Do Not Track. Consumers and privacy advocates spent over a decade watching browsers send a "Do Not Track" header. Almost no site respected it, because nothing in law required it. An opt-out preference signal is different. Under CCPA and a growing list of state privacy laws, honoring it is a legal obligation, not a courtesy.
Native support still varies by browser. Firefox offers the setting under privacy preferences, off by default. Brave and DuckDuckGo ship it turned on by default. Chrome and Safari do not currently send an opt-out preference signal natively, though a browser extension can add it.
This is separate from a cookie banner, which collects consent for cookies on a single site rather than broadcasting a browser-wide preference.
Global Privacy Control: The Leading Opt-Out Preference Signal
Global Privacy Control (GPC) is the most widely adopted opt-out preference signal. It is a browser or extension protocol that automatically transmits an opt-out request, and it is the example regulators point to first.
The Global Privacy Control specification describes GPC as a setting or extension that a consumer turns on once. From that point, every site the consumer visits receives the signal automatically.
For the full mechanics of how GPC is built and how to enable it on each major browser, see our Global Privacy Control explainer.
California's Opt Me Out Act, enacted in October 2025, goes further than any single-browser rollout. It requires every web browser sold or offered in California to include a built-in feature for sending this signal, starting January 1, 2027. Once that mandate takes effect, opt-out preference signals stop depending on a consumer choosing a privacy-focused browser at all.
How Opt-Out Preference Signals Relate to "Do Not Sell or Share"
The right to opt out of the sale or sharing of personal information is the underlying consumer right. An opt-out preference signal is simply the automated way to exercise that same right across every site at once. It replaces clicking a link on each one.
Consumers can still exercise this right manually, typically through a Do Not Sell or Share My Personal Information link on a site. An opt-out preference signal accomplishes the identical legal outcome without that manual step.
Under CCPA rules, a business that honors the signal in a frictionless manner can skip posting the manual link entirely. Automatic, signal-based opt-out replaces it.
Which State Privacy Laws Require Honoring Opt-Out Preference Signals?
Most US states with comprehensive privacy laws now require covered businesses to detect and honor an opt-out preference signal. The exact effective date differs by state.
| State privacy law | Honoring required? | Effective status |
|---|---|---|
| California (CCPA/CPRA) | Yes | In effect; CPPA display rule added January 1, 2026 |
| Colorado (Colorado Privacy Act) | Yes | In effect |
| Connecticut (CTDPA) | Yes | In effect |
| Montana (Montana Consumer Data Privacy Act) | Yes | In effect |
| Nebraska (Nebraska Data Privacy Act) | Yes | In effect |
| New Hampshire | Yes | In effect |
| Texas (TDPSA) | Yes | In effect (effective January 1, 2025) |
| Maryland (Maryland Online Data Privacy Act) | Yes | In effect (effective October 1, 2025) |
| Delaware, Minnesota, New Jersey, Oregon | Yes | Phasing in |
This list will keep growing. Honoring an opt-out preference signal is becoming a default requirement for any US-facing business that sells or shares data, as more state laws take effect. It is no longer a California-only rule.
How a Business Detects and Honors an Opt-Out Preference Signal
A covered business must detect the incoming signal on each page load. It must treat that signal as a valid opt-out, without asking the consumer for anything further. This obligation sits alongside a site's broader cookie consent duties under GDPR and US state law, not in place of them.
The law translates into five practical obligations.
- Detect the signal, sent as an HTTP header field or a JavaScript object, on every page load.
- Treat a valid signal as an opt-out request, with no additional confirmation required from the consumer.
- Stop selling or sharing personal information tied to that browser, device, and any associated profile, including pseudonymous profiles.
- Apply the signal even when it conflicts with an existing site-specific setting. The business may offer the consumer a one-time-per-12-months option to opt back in, but must still honor the signal if the consumer does not respond.
- Display, on the site, that the opt-out signal was processed as a valid request, per the CCPA rule effective January 1, 2026.
Detecting and honoring the signal is one part of a site's overall cookie compliance duties, alongside the banner, the scan, and the policy documents.
What Is a "Frictionless" Response?
A frictionless response means a business honors the opt-out preference signal automatically. It charges no fee, changes nothing about the consumer's experience, and shows no pop-up or interstitial. Businesses that qualify may skip posting the manual "Do Not Sell or Share" link entirely.
To qualify as frictionless, a business must not charge a fee for using the signal. It must not alter the product experience for consumers who use it, and it must not interrupt the visit with a notification or pop-up. Displaying the consumer's current opt-out status is allowed.
A qualifying business must still disclose, in its privacy policy, every method a consumer can use to submit an opt-out request, including the signal.
How an Opt-Out Preference Signal Differs from a Manual Opt-Out
A manual opt-out requires the consumer to find and click a "Do Not Sell or Share" link on each site individually. An opt-out preference signal is set once in the browser and applies automatically everywhere.
| Manual opt-out | Opt-out preference signal | |
|---|---|---|
| How it's exercised | Click a link or fill a form, per site | One browser or device setting |
| What it covers | One site at a time | Every site visited, automatically |
| Who repeats the action | The consumer, every time | Nobody; the browser handles it |
How Consently Supports Your US State Opt-Out Requirements
Consently gives US-facing sites a CCPA and state-law opt-out banner, a Do-Not-Sell control, region-based display, and a consent log. Businesses use these to operate the consumer-facing side of these requirements.
Consently shows US visitors an opt-out-model banner with a Do-Not-Sell / opt-out control. Its CCPA and US state-law opt-out tools apply region-based, geotargeted display so EU visitors see an opt-in banner instead. That geotargeting runs automatically once a site is configured, without a separate rules engine to maintain.
Two features back this directly. Consent logs with export give an audit trail of who opted out and when, useful if a regulator asks for proof of compliance. The cookie, privacy, and terms policy generators produce the privacy-policy disclosures these laws require, including the opt-out methods a business must list.
One thing Consently does not do: detect or honor a browser's opt-out preference signal, including Global Privacy Control. Honoring that signal is a separate technical obligation. A covered business must meet it through its own site configuration or a dedicated signal-detection tool.
Consently's policy generators are compliance assistance, not legal advice. Using them does not by itself make a site compliant with any specific law.
Try Consently free with a 14-day trial, no credit card required.
FAQs
What is an opt-out preference signal?
An opt-out preference signal is a browser or device setting that automatically tells every website not to sell or share your personal information. You do not have to opt out site by site.
Is an opt-out preference signal the same as Global Privacy Control?
No. Global Privacy Control is the leading example of an opt-out preference signal, not the only one. Any browser or extension protocol that meets a state law's technical requirements can qualify.
What does "opt-out signal honored" mean?
It means the website detected your browser's opt-out preference signal and applied it, stopping the sale or sharing of your data on that site. California now requires businesses to display this confirmation.
Which browsers send an opt-out preference signal?
Brave and DuckDuckGo send it by default. Firefox includes the setting but leaves it off by default. Chrome and Safari do not send it natively, though an extension can add it. California's Opt Me Out Act will require all browsers to include it by January 1, 2027.
Which states require businesses to honor opt-out preference signals?
California, Colorado, Connecticut, Montana, Nebraska, New Hampshire, Texas, and Maryland already require it. Delaware, Minnesota, New Jersey, and Oregon are phasing in the same requirement.
Do I have to honor opt-out preference signals on my website?
Yes, if your site collects personal information online, sells or shares it, and a state privacy law covering your business requires honoring the signal. You must detect and process it as a valid opt-out.
Is an opt-out preference signal the same as Do Not Track?
No. Do Not Track was a voluntary signal that most sites ignored, because no law required honoring it. An opt-out preference signal is legally enforceable under state privacy laws.
Does a cookie banner honor opt-out preference signals automatically?
Not necessarily. A cookie banner collects consent on one site. Honoring a browser's opt-out preference signal is a separate technical capability your consent setup must support on top of that.

