On March 6, 2026, the California Privacy Protection Agency (CalPrivacy) published an Invitation for Preliminary Comments seeking public input on whether regulatory changes are needed in two related areas under the California Consumer Privacy Act (CCPA): (1) reducing friction in exercising privacy rights ; and (2) the operation and use of opt-out preference signals (OOPS).
Businesses subject to the CCPA are required to honor multiple consumer privacy rights, including the rights to know, delete, correct, opt out of the sale or sharing of personal information, and limit the use or disclosure of sensitive personal information. Businesses must also treat OOPS such as Global Privacy Control (GPC) as valid requests to opt out of the sale or sharing of personal information.
CalPrivacy has increasingly emphasized the importance of making these rights meaningful and easy to exercise in practice. For example, CalPrivacy’s recent enforcement action against a media technology company and investigative sweep in partnership with other privacy regulators have targeted businesses that allegedly fail to honor GPC signals or otherwise process consumers’ opt-out requests. CalPrivacy’s enforcement advisory from April 2024 also cautions businesses against imposing unnecessary or burdensome requirements such as requiring excessive information for identity verification to submit CCPA requests.
The March 2026 invitation reflects this ongoing regulatory focus and signals that CalPrivacy is evaluating whether existing regulations adequately address practical obstacles faced by both consumers and businesses. In the invitation, CalPrivacy identifies the following areas where it is seeking stakeholder input:
- Consumer challenges in exercising privacy rights, such as difficulty locating relevant information, confusing or obstructive user interface designs, and unnecessarily burdensome identity verification requirements; and how CCPA regulations could better address these issues.
- Business challenges in responding to CCPA privacy rights requests, including presenting required information, designing compliance user interface designs, and verifying consumer identity; and how regulatory updates could help mitigate these challenges.
- Priority issues and benefits associated with reducing friction in the exercise of privacy rights.
- Consumer experience and expectations when using OOPS, including how consumers use GPC or age-signal mechanism.
- Operational challenges in processing OOPS, including how businesses apply OOPS to known consumers, pseudonymous profiles, and across different browsers, devices, and identifiers.
- Need for additional regulatory clarity or guidance regarding the use and processing of OOPS.
Stakeholders may submit preliminary comments through April 6, 2026, either electronically to regulations@cppa.ca.gov or by physical mail to CalPrivacy. CalPrivacy will use preliminary comments to assess whether formal rulemaking is warranted. See the “6 Tips for Submitting Public Comment” guide published by CalPrivacy for help formulating and submitting effective comments.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor developments surrounding CCPA rulemaking and provide updates as more information becomes available. Please contact us if you have any questions.
