While compliance with traditional “Do Not Track” (DNT) browser settings remains optional under U.S. privacy law, and many Privacy Policies still note that DNT signals are not honored, a new and far more consequential requirement has arrived.
A growing number of state privacy statutes now mandate compliance with Universal Opt-Out Mechanisms (UOOMs) - browser or device-level settings that automatically communicate a consumer’s request to opt out of the sale, sharing, or use of their personal data for targeted advertising or profiling.
When such a signal (for example, the Global Privacy Control (GPC)) is sent, covered businesses must automatically recognize and process that preference without requiring any further action by the user. Failure to do so could expose a company to enforcement risk under multiple state laws.
States Where UOOM Compliance Is Required
As of October 2025, the following states have enacted laws requiring businesses to recognize and honor universal opt-out signals:
- California (CCPA / CPRA / California Opt Me Out Act (COMOA))
- Colorado (Colorado Privacy Act)
- Connecticut (Connecticut Data Privacy Act)
- Delaware (Delaware Personal Data Privacy Act – effective January 1, 2026)
- Maryland (Maryland Online Data Privacy Act (MODPA))
- Montana (Montana Consumer Data Privacy Act)
- Oregon (Oregon Consumer Privacy Act – effective January 1, 2026)
- Texas (Texas Data Privacy and Security Act (TDPSA)
Understanding Your Obligations
- “Do Not Track” vs. Universal Opt-Out Mechanisms: “Do Not Track” (DNT) requests remain optional, but Universal Opt-Out Mechanisms (UOOMs), including the GPC, are legally binding in several jurisdictions (see below). Businesses can no longer disclaim compliance in these states.
- Controller vs. Processor Responsibilities: UOOM duties generally apply to controllers, entities that determine the purposes and means of processing personal data. However, joint-controller or service-provider relationships may blur this line; both parties should define their responsibilities contractually and ensure their systems implement consistent signal recognition.
- When the Requirement Does Not Apply: If an organization does not sell or share personal information (which has a broad definition and includes trackers such as cookies – which can make this the key to any analysis), engage in cross-context advertising, or conduct profiling that has legal or significant effects, then UOOM obligations may be largely moot. Nonetheless, your Privacy Policy should still explain that you either recognize such signals but have no qualifying processing activities, or that they are not applicable.
Recent Legislative Developments and Effective Dates
California
In October 2025, California enacted the California Opt Me Out Act (COMOA), making it the first state to require browsers to include a built-in universal opt-out function and obligating websites to recognize those signals. COMOA becomes effective January 1, 2027, and while it does not change the underlying opt-out rights under the CCPA/CPRA, it standardizes the mechanism for communicating them.
Delaware and Oregon
Both the Delaware PDPA and Oregon CPA will require UOOM recognition starting January 1, 2026, joining states such as Colorado and Connecticut that already mandate GPC recognition.
Texas
The TDPSA mirrors the Virginia framework but applies to any business operating in or targeting Texas consumers (excluding “small businesses” as defined by the SBA). Texas requires companies to recognize UOOMs such as the GPC beginning January 1, 2025, and to disclose how such signals are handled.
Maryland
The MODPA has lower applicability thresholds, covering entities that control or process data for more than 35,000 consumers (or 10,000 if 20%+ of revenue derives from data sales), and explicitly requires controllers to recognize UOOMs as a valid opt-out for targeted ads, sales, and profiling that produces legal or significant effects.
Practical Compliance Steps
Technical Detection and Signal Processing
Compliance requires more than a banner or cookie notice. Websites, advertising platforms, and consent management tools must detect, interpret, and apply UOOMs automatically. Work with your web development and ad-tech teams to confirm end-to-end recognition and auditing capability.
Update Privacy Policies and User Interfaces
Privacy policies should clearly state:
- that your organization recognizes UOOMs in applicable jurisdictions;
- the specific signals supported (e.g., GPC);
- how quickly opt-outs are processed; and
- how signal-based opt-outs interact with account settings or cookie preferences.
Coordinate with Vendors and Downstream Partners
Controllers must ensure that processors and third-party vendors honor UOOM choices. Review data-processing agreements to mandate downstream compliance and document signal transmission flows.
Maintain Audit and Logging Procedures
Regulators increasingly expect documented proof of UOOM recognition and action. Maintain timestamped records of each signal received and system response for audit defensibility.
Recommended Implementation Approach
- Assess Applicability: Identify where you qualify as a controller under each state law and whether the activities involve targeted advertising or data sharing.
- Design for the Strictest Standard: Many businesses choose to apply the most restrictive rule nationwide (i.e., honor UOOM signals universally) to simplify compliance and reduce risk
- Implement Technical Recognition: Enable automatic detection of GPC/UOOMs across web properties and tag managers.
- Review and Update Policies: Clarify your handling of UOOM signals and update your public-facing Privacy Policy accordingly.
- Test and Train: Run periodic audits and staff training to ensure consistent implementation.
Conclusion
The era of optional “Do Not Track” compliance is effectively over. Universal Opt-Out Mechanisms are now a binding component of many state privacy laws. Organizations must move quickly to align technical infrastructure and contractual arrangements to meet these new expectations.
OlenderFeldman LLP regularly assists clients with privacy policy drafting, cookie and consent management implementation, and cross-state compliance planning. For further guidance or implementation support, please contact: Michael J. Feldman, Esq. () or Niharika Reddy, Esq. ().
