Guides | March 28, 2026 | 10 min read

Universal Opt-Out Mechanism (UOOM) Compliance: What Every Business Needs to Know in 2026


What Is a Universal Opt-Out Mechanism?

A Universal Opt-Out Mechanism (UOOM) — also known as an opt-out preference signal (OOPS) — is a browser-level or device-level signal that communicates a consumer's choice to opt out of the sale or sharing of their personal data. Instead of visiting every website individually and clicking "Do Not Sell My Personal Information," consumers can enable a UOOM once, and it applies automatically across every site they visit.

The most widely adopted UOOM is Global Privacy Control (GPC), an HTTP header signal (Sec-GPC: 1) supported by browsers like Firefox and Brave, and extensions like Privacy Badger and DuckDuckGo.

Which States Require UOOM Compliance in 2026?

As of March 2026, 12 states require businesses to honor universal opt-out mechanisms or opt-out preference signals. Here is the full list with effective dates:

State           Law         UOOM Requirement Effective
California      CCPA/CPRA   January 1, 2023
Colorado        CPA         July 1, 2024
Connecticut     CTDPA       January 1, 2025
Montana         MCDPA       January 1, 2025
Texas           TDPSA       January 1, 2025
Oregon          OCPA        January 1, 2025
Delaware        DPDPA       January 1, 2026
Nebraska        NDPA        January 1, 2026
New Hampshire   NHPA        January 1, 2026
New Jersey      NJDPA       January 15, 2026
Minnesota       MCDPA       July 31, 2025
Maryland        MODPA       October 1, 2025

Use our GPC Compliance Checker to determine your specific obligations based on where your users are located.

What Counts as a Valid UOOM?

Global Privacy Control (GPC) is the most widely recognized mechanism. California, Colorado, and Connecticut have all explicitly confirmed that GPC qualifies as a valid universal opt-out mechanism. While Colorado is the only state with a formal approval process for UOOMs, GPC is broadly accepted under all 12 states' requirements.

For a signal to qualify as a UOOM, it must clearly communicate the consumer's choice to opt out and be initiated by the consumer (not set by default). Businesses cannot require consumers to provide additional information or take additional steps beyond enabling the signal.

What Must Businesses Do?

When a resident of a UOOM-requiring state visits your website with GPC enabled, you must:

  1. Detect the signal — check for the Sec-GPC: 1 HTTP header or navigator.globalPrivacyControl JavaScript property
  2. Treat it as a valid opt-out — the signal must be treated as if the user had manually opted out through your site's own privacy settings
  3. Stop selling/sharing data — suppress third-party tracking pixels, advertising cookies, and any data sharing for targeted advertising purposes
  4. Apply automatically — no additional action should be required from the consumer
  5. Confirm the opt-out (California) — as of January 1, 2026, California requires businesses to display a visible confirmation (e.g., "Opt-Out Preference Signal Honored") when GPC is detected

Implementation Example

Detecting GPC in JavaScript is straightforward:

// Check for GPC signal
if (navigator.globalPrivacyControl) {
  // Consumer has opted out
  // 1. Do NOT load third-party ad scripts
  // 2. Do NOT fire tracking pixels
  // 3. Do NOT share data with third parties
  // 4. Display opt-out confirmation (California)
}
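
A server-side counterpart to the check above, as an added example rather than PrivacyLawMap's own code: it reads the Sec-GPC request header, drops every tag that is not explicitly classified as non-sharing, and returns the California confirmation text. The tag names, the sharesData field and the region argument are assumptions made for illustration.

```javascript
// Added example: server-side GPC gate. Tag names, the `sharesData` field and
// the `region` argument are assumptions made for illustration.
const CONFIRMATION_TEXT = "Opt-Out Preference Signal Honored";

// Constructed sample tag inventory. A tag with no explicit classification is
// treated as sharing data, so an unreviewed script is never loaded by accident.
const TAG_REGISTRY = [
  { name: "first-party-analytics", sharesData: false },
  { name: "ad-network-pixel", sharesData: true },
  { name: "social-share-widget", sharesData: true },
  { name: "unreviewed-vendor-script" }, // unclassified
];

// Node's http module lowercases header names; the signal is on only for "1".
function gpcOptedOut(headers) {
  const raw = headers["sec-gpc"];
  const value = Array.isArray(raw) ? raw[0] : raw;
  return typeof value === "string" && value.trim() === "1";
}

// Decide which tags may be rendered for this request.
function planResponse(headers, region, registry = TAG_REGISTRY) {
  const optedOut = gpcOptedOut(headers);
  const allowedTags = registry
    .filter((tag) => !optedOut || tag.sharesData === false)
    .map((tag) => tag.name);
  return {
    optedOut,
    allowedTags,
    // The page describes the visible confirmation as a California requirement.
    confirmation: optedOut && region === "CA" ? CONFIRMATION_TEXT : null,
  };
}

// Audit helper for the "partial suppression" mistake: list any tag that was
// rendered although the request carried the signal.
function findLeaks(headers, renderedTagNames, registry = TAG_REGISTRY) {
  if (!gpcOptedOut(headers)) return [];
  const safe = new Set(
    registry.filter((t) => t.sharesData === false).map((t) => t.name)
  );
  return renderedTagNames.filter((name) => !safe.has(name));
}
```

If responses pass through a shared cache or CDN, send Vary: Sec-GPC so a page rendered without the signal is never served to a visitor who sent it.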

Common Compliance Mistakes

Recent enforcement actions — including the 2026 CCPA enforcement wave — highlight several common mistakes businesses make:

  • Ignoring the signal entirely — the most basic violation, and the easiest for regulators to detect through automated scanning
  • Requiring additional verification — Ford Motor Company was fined $375,703 for requiring email verification before processing opt-out requests
  • Asymmetric design — making it harder to opt out than to opt in violates "dark pattern" rules in multiple states
  • Partial suppression — honoring GPC for some trackers but not all still constitutes a violation
  • No visible confirmation — since January 2026, California specifically requires businesses to show consumers that their GPC signal has been received and honored

Enforcement Is Ramping Up

GPC compliance is an enforcement priority across multiple states. California, Colorado, and Connecticut launched a joint GPC enforcement sweep that uses automated tools to scan websites for non-compliance. The technology makes it easy for regulators to identify violators at scale — making this one of the areas where enforcement is most likely.

In early 2026, California issued over $4 million in privacy fines, with several cases involving opt-out and GPC violations. See our enforcement tracker for the full list of actions.

Next Steps for Your Business

  1. Check your obligations — use our privacy law calculator to determine which state laws apply to your business
  2. Test your GPC implementation — install a GPC-enabled browser extension and verify that your site responds correctly
  3. Audit third-party scripts — review all tracking scripts, pixels, and cookies for proper suppression when GPC is detected
  4. Update your privacy policy — disclose that you honor GPC signals and explain how consumers can enable them
  5. Implement confirmation (if California applies) — display a visible "Opt-Out Preference Signal Honored" message
  6. Use a consent management platform — CMPs like OneTrust, Cookiebot, or Osano can automate GPC detection and response

Last updated: March 28, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.