Skip to content

Most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information used for targeted advertising. As the following chart indicates, the term “targeted advertising” is defined consistently between and among most state statutes with the noticeable exception of the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA). Unlike the other state privacy statutes, the CPRA’s definition of “cross-context behavioral advertising” (the term relating to “targeted advertising” that is used within the CPRA) does not expressly state that such activity must be based upon the observation of a consumer’s activities “over time,” or that it must involve predictions about the consumer’s preferences or interests. It is possible that the California Privacy Protection Agency (CPPA) or California courts will ultimately align the CPRA’s definition with that used in other states’ statutes by finding that both elements are implied.

Definition Explicitly Requires

California 2022

CCPA

California 2023

CPRA

Virginia 2023

VCDPA

Colorado 2023

CPA

Utah 2023

UCPA

Conn. 2023

CTDPA

Ads are displayed to a consumer N/A [1] [2] [3] [4] [5]
Selection based on activities over time N/A [6] [7] [8] [9]
Selection based on activities across nonaffiliated websites or online applications N/A [10] [11] [12] [13] [14]
Selection based upon prediction of consumer’s preferences or interests N/A [15] [16] [17] [18]

[1] Cal. Civ. Code 1798.140(k) (West 2021) (relates to definition of cross-context behavioral advertising).

[2] Va. Code 59.1-571 (2022).

[3] C.R.S. 6-1-1303(24)(a) (2022).

[4] Utah Code Ann. 13-61-101(34)(a) (2022).

[5] Connecticut Substitute Bill No. 6, § 1(28) (2022) (pending governor approval).

[6] Va. Code 59.1-571 (2022).

[7] C.R.S. 6-1-1303(24)(a) (2022).

[8] Utah Code Ann. 13-61-101(34)(a) (2022).

[9] Connecticut Substitute Bill No. 6, § 1(28) (2022) (pending governor approval).

[10] Cal. Civ. Code 1798.140(k) (West 2021) (relates to definition of cross-context behavioral advertising).

[11] Va. Code 59.1-571 (2022).

[12] C.R.S. 6-1-1303(24)(a) (2022).

[13] Utah Code Ann. 13-61-101(34)(a) (2022).

[14] Connecticut Substitute Bill No. 6, § 1(28) (2022) (pending governor approval).

[15] Va. Code 59.1-571 (2022).

[16] C.R.S. 6-1-1303(24)(a) (2022).

[17] Utah Code Ann. 13-61-101(34)(a) (2022).

[18] Connecticut Substitute Bill No. 6, § 1(28) (2022) (pending governor approval).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).