Skip to content

Modern state privacy statutes require that organizations provide individuals with the ability to opt out of targeted advertising. While the substance of the opt-out right is similar between and among states, state statutes differ in how they mandate the conveyance of the opt-out right. While all state statutes require that an explanation of the right to opt out be included within the organization’s privacy notice, some states, like California under the CPRA, contain specific proscriptive requirements regarding what the opt-out link must be called (i.e., “Do Not Sell or Share My Personal Information”) and where it must be placed (i.e., on an organization’s homepages). Most states only require that the opt-out mechanism be “clear and conspicuous” to an individual. The following chart compares the different requirements imposed by state statutes regarding the location and title of the opt-out link:

Requirements

California 2022

CCPA [1]

California 2023

CPRA

Colorado 2023

CPA

Conn. 2023

CTCPA

Utah 2023

UCPA

Virginia 2023

VCDPA

Clear and Conspicuous.  General requirement that disclosure must be clear and conspicuous to the data subject. N/A ✘/✔[2] [3] [4] [5] [6]
Homepage.  Opt-out link specifically required on homepage. N/A [7] ✘/✔[8]
Privacy notice.  Opt-out description specifically required within privacy notice. N/A [9] [10] [11] [12] [13]
Other Locations.  Opt-out description specifically required in other locations. N/A

[14]

(any California-specific description of consumers’ privacy rights)

[15]

(readily accessible location outside of privacy notice)

Specific Wording.  Opt-out link must contain specific words. N/A

[16]

(Do not sell or share my personal information)

[1] As the CCPA does not require that an organization include a link to opt-out of targeted advertising, all requirements have been identified as “N/A.” Note that the CCPA does require disclosures relating to the “sale” of personal information. To the extent that sharing personal information with a targeted advertiser constitutes a sale, an opt-out mechanism should be provided.

[2] Cal. Civ. Code 1798.135(a)(1) (West 2021). Note that this has been marked as partially in place as the CPRA does not contain a general requirement that the opt-out mechanism be clearly and conspicuously disclosed to consumers, but does contain a specific requirement that there be a “clear and conspicuous link on the business’s internet homepages.” As a result, it is possible that a business could comply with the CPRA’s requirement of having a clear and conspicuous link on a homepage, even if the mechanism is not clear and conspicuous to a particular data subject (e.g., if a data subject opens a deep link to something other than a homepage there is no requirement that the disclosure be clear and conspicuous as to that data subject).

[3] C.R.S. § 6-1-1306(1)(a)(III) (2022) (stating that controller must provide a “clear and conspicuous method to exercise the right to opt out of the processing”).

[4] Connecticut Substitute Bill No. 6, § 6(d) (2022) (enacted April 28, 2022, awaiting governor signature).

[5] Utah Code Ann. § 13-61-302(1)(b) (2022).

[6] Va. Code § 59.1-574 (D) (2022) (stating that the controller must “clearly and conspicuously” disclose such processing, but not expressly stating that disclosure must be made on the controller’s homepage).

[7] Cal. Civ. Code § 1798.135(a)(1) (West 2021) (note that the CPRA refers to a business’s “homepages”).

[8] Connecticut Substitute Bill No. 6, § 6(e)(1)(A)(i) (2022) (enacted April 28, 2022, awaiting governor signature) (controller is require to provide a “link on the controller’s Internet web site;” statute does not expressly state that the link must be on the homepage).

[9] Cal. Civ. Code § 1798.135(c)(2)(A) (West 2021).

[10] C.R.S. § 6-1-1306(1)(a)(III) (2022) (stating that controller must provide the opt-out method “clearly and conspicuously in any privacy notice required to be provided).

[11] Connecticut Substitute Bill No. 6, § 6(c)(3) (2022) (enacted April 28, 2022, awaiting governor signature) (stating that a controller must disclose within the privacy notice how a consumer can exercise the rights discussed under the statute).

[12] Utah Code Ann. § 13-61-302(1)(a)(iii) (2022) (stating that a controller must disclose within the privacy notice how a consumer can exercise any of the rights discussed under the statute).

[13] Va. Code § 59.1-574(C)(3), (E) (2022) (stating that a controller must disclose within the privacy notice how a consumer can exercise any of the “consumer rights” discussed under the statute).

[14] Cal. Civ. Code § 1798.135(c)(2)(B) (West 2021).

[15] C.R.S. § 6-1-1306(1)(a)(III) (2022) (stating that opt-out mechanism must be provided in a “readily accessible location outside the privacy notice”).

[16] Cal. Civ. Code § 1798.135(a)(1) (West 2021) (note that the CPRA refers to a business’s “homepages”).

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).