Most US state privacy laws give people the right to opt out of having their data sold or used for targeted advertising. A universal opt-out mechanism (UOOM) turns that right into a single automatic signal: instead of clicking "Do Not Sell" on every website, a person sets one preference in their browser or device, and every site is supposed to honor it. In a growing list of states, honoring that signal is not a courtesy. It's the law.
This guide explains what a UOOM is, which states require you to respect one, which states leave it out, and what "honoring" a signal actually involves in code.
What counts as a universal opt-out mechanism
A UOOM (some laws call it an "opt-out preference signal") is a machine-readable signal a consumer sends automatically to every site they visit. In practice, one mechanism dominates: Global Privacy Control (GPC). When GPC is enabled, the browser sends a Sec-GPC: 1 HTTP header and exposes navigator.globalPrivacyControl = true in JavaScript. It's built into browsers like Brave and Firefox and available through extensions and the DuckDuckGo app.
A UOOM is different from an ad-industry opt-out tool. Programs run by the advertising industry set an opt-out cookie for participating networks. Those are useful, but they're cookie-based, per-device, and easily wiped, and they aren't the state-recognized legal signal. When a state law says you must honor a UOOM, it means a signal like GPC, not an industry opt-out cookie. For the deeper technical background, see our GPC explainer.
Which states require you to honor a UOOM
Roughly a dozen states with broad privacy laws now require businesses to detect and honor a UOOM as a valid opt-out of sale, sharing, and targeted advertising. The list currently includes California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
The dates the requirement attaches vary, because several states phased it in after their main law took effect. The well-established anchor dates are:
- California: businesses must process opt-out preference signals under the CPRA regulations (GPC recognized since 2021).
- Colorado: July 1, 2024, per the Colorado Privacy Act rules.
- Connecticut, Texas, Montana: January 1, 2025.
- Delaware and Oregon: January 1, 2026 (Oregon phased its requirement in about a year and a half after its law took effect).
- Maryland, Minnesota, Nebraska, New Hampshire, New Jersey: the requirement attaches with each law's rollout across 2025 and 2026.
Because a few of these phase-in dates (New Jersey in particular) depend on rulemaking that was still settling in 2026, confirm the exact date for those states against the IAPP state tracker before you rely on it.
Which states leave it out
Not every state privacy law includes a UOOM mandate. The laws built on the Virginia template generally don't require honoring a universal signal, including Virginia, Utah, Iowa, Indiana, Kentucky, and Tennessee. Rhode Island's 2026 law also notably omits the requirement. Florida's narrower law is its own case.
The practical takeaway: honoring GPC is the safe default everywhere, because it satisfies the strictest states and never violates a state that doesn't require it. Building your stack around "honor the signal for everyone" is simpler than trying to switch the behavior on and off by state.
Colorado's recognized-mechanism list
Colorado is the one state that maintains an official public list of recognized UOOMs, and the Attorney General's office is explicit about what's on it. After an application and public comment process, the Colorado Department of Law recognized Global Privacy Control as the first, and so far only, valid universal opt-out mechanism under the Colorado Privacy Act. That makes GPC the de facto standard: if you honor GPC, you satisfy Colorado's list.
One implementation covers most states
The good news for engineers is that you don't build twelve different systems. The same GPC detection works everywhere, and the state differences are mostly about what the opt-out has to stop. Some laws frame the right as opting out of "sale," others as opting out of "targeted advertising," and most cover both. If your handler treats a signal as an opt-out of sale, sharing, and targeted advertising in every covered state, you clear the highest bar and don't need per-state branching for the core behavior.
Two state-specific details are worth noting. Oregon's law asks businesses to tell consumers that they recognize the signal, so a short public disclosure is prudent. And across all states you should keep a record that the signal was received and applied, because "we honor GPC" is far more defensible when you can show the logs. A consent platform that timestamps each signal and the resulting suppression turns a claim into evidence.
How to honor a UOOM correctly
Respecting a signal is more than detecting it. To do it properly:
- Detect it server-side and client-side. Read the Sec-GPC request header and check navigator.globalPrivacyControl in the browser.
- Treat it as an opt-out of sale, sharing, and targeted advertising. Suppress the vendors and cookies that would otherwise fire for advertising, and, where the visitor is identifiable, apply the opt-out to their account too.
- Don't require a login or extra steps. A UOOM is meant to work without the consumer doing anything else. Adding friction defeats the point and can itself be a violation.
- Reflect the state's rights, not merely the signal. Some states let a consumer's account-level choices override a conflicting signal; others don't. Default to the more protective outcome when they conflict.
- Show it's working. Several states expect a visible acknowledgment that the opt-out has been applied. A small "opted out" indicator is good practice.
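The steps above as a server-side handler, added here as an illustration and not code from this guide's authors or from any consent platform. The function names, vendor entries and record fields are assumptions; clientGpc stands for whatever the page reports from navigator.globalPrivacyControl.

```javascript
// Added illustration; function, vendor and field names are hypothetical.
const AD_PURPOSES = ["sale", "sharing", "targeted_advertising"];
// Server side: the header expresses a preference only when its value is "1".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Combine the header, the navigator.globalPrivacyControl value reported by the
// page, and any stored account choice. The signal alone is enough (no login),
// and when signal and account choice conflict the more protective one wins.
function resolveOptOut({ headers, clientGpc = false, accountId = null, accountChoice = null }) {
  const signal = gpcFromHeaders(headers) || clientGpc === true;
  const optedOut = signal || accountChoice === "opted_out";
  return {
    signal,
    optedOut,
    conflict: signal && accountChoice === "opted_in",
    suppressedPurposes: optedOut ? AD_PURPOSES : [],
    applyToAccount: optedOut && accountId !== null, // identifiable visitor
  };
}

// Drop every vendor that serves a suppressed purpose.
function allowedVendors(vendors, decision) {
  const blocked = decision.suppressedPurposes;
  return vendors.filter((v) => !v.purposes.some((p) => blocked.includes(p)));
}

// Timestamped evidence that the signal was received and applied.
function auditRecord(decision, vendors, now = new Date()) {
  const kept = allowedVendors(vendors, decision).map((v) => v.name);
  return {
    at: now.toISOString(),
    signalReceived: decision.signal,
    optOutApplied: decision.optedOut,
    suppressedVendors: vendors.map((v) => v.name).filter((n) => !kept.includes(n)),
  };
}

// Constructed sample input: an anonymous request carrying the GPC header.
const sampleVendors = [
  { name: "ad-network", purposes: ["targeted_advertising", "sale"] },
  { name: "error-monitoring", purposes: ["diagnostics"] },
];
const sampleDecision = resolveOptOut({ headers: { "Sec-GPC": "1" } });
console.log(sampleDecision.optedOut, auditRecord(sampleDecision, sampleVendors));
```

The conflict flag lets the handler record cases where a stored opt-in was overridden by the signal, which is where state rules differ.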
A regional consent setup makes this manageable: detect the visitor's state, apply the opt-out model that state uses, and let a UOOM signal override the default automatically. For where a banner fits into all this, see our guide on whether you even need a cookie banner in the US, and for the full statutory picture, the complete US state privacy laws guide.