
The ultimate guide to US opt-out requirements

Make sure your organization is on top of the opt-out requirements in the five new US state privacy laws

Ashlea Cartee
Senior Product Marketing Manager, OneTrust Consent and Preferences
January 31, 2023


To opt-in or opt-out? In Europe, the GDPR treats consent as an opt-in mechanism. In the US, the Virginia and Connecticut laws also require opt-in consent, but only for sensitive personal data.

US state privacy law arrived with the California Consumer Privacy Act (CCPA), signed in 2018 and in force since January 2020, followed by the CPRA in California and new laws in Virginia, Colorado, Utah, and Connecticut. All of these follow an opt-out model for consent in most areas.

These five US state privacy laws all have their own unique opt-out requirements. This blog will help you understand the following: 

  • The legal requirements from state to state  
  • How to operationalize compliance  
  • How to implement solutions for the best user experience 

The cross-country opt-out tour  

Let’s take a look at the different types of opt-out definitions across the new regulations, and which state requires which.  

Opt-out definitions 

Sale (S) 

  • The majority of US state privacy laws define the sale of personal data as exchanging it with third parties for monetary or other valuable consideration (Virginia and Utah limit the definition to exchanges for monetary consideration)  
  • This is very broad and generally applicable to third-party analytics or third-party transfers such as partner services (marketing, rewards, etc.)  

Share (Sh) 

  • Personal data exchanged with a third party for the purpose of cross-context behavioral advertising  
  • Considered sharing, regardless of whether it was for monetary or other valuable consideration   
  • This is widely applicable to the programmatic ads ecosystem  

Targeted advertising (TA) 

  • Advertising selected using personal data obtained from a consumer's activity across non-affiliated websites, apps, or services (cross-context behavioral data)   
  • This is applicable to transfers associated with the programmatic ecosystem as well as data correlated across non-affiliated digital properties  

Profiling (P) 

  • Leveraging data to generate profiles to predict or otherwise evaluate or analyze user behavior  
  • This type of processing is generally done by MarTech tools such as Customer Data Platforms (CDPs) or Data Management Platforms (DMPs)   
  • This type of processing can be done by organizations directly as well as third-party providers  

Universal opt-out signals (U)  

  • Browser settings or extensions through which users broadcast their opt-out preference to every website they visit   
  • Allows them to avoid selecting their cookie preferences for each website they visit  
  • The GPC is the most prominent universal opt-out signal today 

Global Privacy Control – The GPC is a universal opt-out signal that users can set at the browser level (in browsers that support it, such as Firefox, Brave, and DuckDuckGo) or through a browser extension (such as Privacy Badger on Google Chrome). Once enabled, the browser sends the request header Sec-GPC: 1 with every request and exposes navigator.globalPrivacyControl to page scripts, so the user's preference is known the moment they land on a website. Organizations under the jurisdiction of laws that require honoring universal opt-out signals therefore need to read the GPC as users visit their digital properties and honor it as an opt-out of the sale and sharing of personal information. 
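As an added example (not code from the original post or from OneTrust), the following JavaScript shows how a site reads the GPC signal on both sides of the connection and folds it into the sale/share opt-out decision. The header name Sec-GPC, the value 1 and the navigator.globalPrivacyControl property come from the GPC specification; the resolveSaleShareOptOut precedence rule (a GPC signal overrides a previously stored opt-in until the user re-confirms) and the sample requests are assumptions constructed for this example.

```javascript
// Added example (not OneTrust code): detecting and honoring the Global Privacy
// Control (GPC) signal. Per the GPC specification a participating browser or
// extension sends the request header "Sec-GPC: 1" with every request and
// exposes navigator.globalPrivacyControl === true to page scripts.

// Server side: `headers` is a plain object of header name -> value, as most
// Node frameworks expose it. Header names are case-insensitive; only the exact
// token "1" is a valid opt-out signal, anything else means "no signal".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: pass the real `navigator` (or any object with the same property).
// The property is a boolean; a truthy string is not a signal.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the GPC signal with the choice the user previously recorded on this
// site ('opt-out', 'opt-in' or null). GPC is an opt-out of sale/share; a stored
// opt-out stays in force without GPC. Assumption for this example: when GPC
// contradicts a stored opt-in, GPC wins and the conflict is flagged so the site
// can ask the user to re-confirm.
function resolveSaleShareOptOut({ gpc, storedChoice }) {
  if (gpc) {
    return {
      optOut: true,
      source: storedChoice === 'opt-in' ? 'gpc-overrides-stored-opt-in' : 'gpc',
    };
  }
  if (storedChoice === 'opt-out') return { optOut: true, source: 'stored' };
  return { optOut: false, source: storedChoice === 'opt-in' ? 'stored' : 'default' };
}

// Constructed sample requests (not captured traffic) covering the four cases.
const SAMPLE_REQUESTS = [
  { headers: { 'Sec-GPC': '1', 'user-agent': 'Mozilla/5.0' }, storedChoice: null },
  { headers: { 'sec-gpc': '0' }, storedChoice: 'opt-out' },
  { headers: { 'user-agent': 'Mozilla/5.0' }, storedChoice: 'opt-in' },
  { headers: { 'Sec-GPC': '1' }, storedChoice: 'opt-in' },
];

function classifySamples() {
  return SAMPLE_REQUESTS.map((r) =>
    resolveSaleShareOptOut({ gpc: gpcFromHeaders(r.headers), storedChoice: r.storedChoice }),
  );
}
```

Run gpcFromHeaders before any server-side forwarding (list syncs, conversion APIs) and gpcFromNavigator before loading tags in the browser. A site that honors the signal can also publish /.well-known/gpc.json with "gpc": true, as the specification describes, so that clients and auditors can see the commitment.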

 

[Chart: the state laws and the opt-out rights that pertain to each]

Take the ultimate guide to US opt-out requirements offline by downloading the guide here

Operationalize opt-out requirements   

Data that can count as "sold" falls broadly into two groups.  

  1. Anonymous user data  
  2. Known user data 

 

[Graphic: the two types of user data to deal with]

 

Data being transferred through web/digital analytics and tracking for “anonymous” users

This is brought into scope primarily with the inclusion of “valuable consideration.” Because money does not need to be exchanged, this can be interpreted as transfers to third parties for analytics (whether for behavioral tracking or general site statistics). 

This type of transfer happens with technologies such as third-party tags or software development kits (SDKs).  

Data being transferred through server-side/backend processing for “known” users

The second form is more straightforward as it directly references an exchange of money. Most of these processes are used for initiatives like partner services marketing, rewards programs, or third-party list rentals. 

In this case, a user is identified and the transfer of data takes place in an organization’s backend MarTech stack.  

How are you handling the following? 

Targeted advertising

With multiple laws having specific rights to opt-out of targeted advertising, make sure that the appropriate mechanisms are in place for users to opt out.  

In the programmatic ecosystem, which is the primary targeted advertising mechanism, opt-outs are communicated to supply-side platforms (SSPs) and passed along the bid chain so that the decision is enforced downstream.  

User identification

Selling, profiling, and programmatic advertising take place when users hit your digital properties. They may also have GPC running in their browser.   

Once a user lands on your website and opts out (or arrives with GPC enabled), that choice has to be enforced. For anonymous users, the opt-out can usually be executed by shutting off third-party tracking client-side before the tags load.  

However, if a user’s data is in the form of a list rental, the data is most likely tied to an identifier such as an email address in the case of email marketing or an account ID. To perform an opt-out in this case, the user making the request must be tied to the backend data, with some form of identifier collected on the intake.    

The methods of user identification need to be clearly mapped out to ensure requests are fulfilled efficiently, while prioritizing user privacy throughout the process.  


Deliver the best opt-out user experience   

The three main elements of an optimal user experience around opt-outs are the following: 

  • Geolocation  
  • User interface  
  • ID capture 

Geolocation 

As different states have different privacy laws, there are two industry-standard approaches to geolocation, each with its own pros and cons: show state-specific notices and controls only to visitors geolocated in a covered state, or treat every US visitor the same and present the full set of controls nationwide. Bear in mind that IP-based geolocation is approximate (VPNs, corporate proxies, and mobile carriers all misplace users), so the state-specific approach risks withholding controls from someone who is entitled to them.

 

[Graphic: state-specific geolocation versus US-wide geolocation]

 

User interface 

As users navigate through your website, completing an opt-out request should be a quick, seamless process. The components you include will help them optimally exercise this right.  

Do you need a cookie banner?

Look at your website operations and determine when privacy notices or opt-out prompts need to be shown to users.  

If the cookies and trackers on your site fall within the scope of "selling data," you must "disclose the sale at or before the time of data collection," and a cookie banner is the usual way to deliver that notice. 

How will users opt out?

The industry standard options for users to exercise their opt-out rights include:  

  • Preference center options with toggles  
  • Request-based rights selections on intake forms  
  • User-enabled privacy controls (GPC) 

When presenting the opt-out method of toggle/selection options to users, there are two primary approaches on how to present them.

 

[Graphic: pros and cons of one universal toggle/selection versus one toggle/selection per opt-out right]

 

One universal toggle/selection 

Pros 

  • Requires less analysis of tracking technologies as there is no differentiation between different types of opt-outs  
  • Can be presented across jurisdictions as it covers all rights 

Cons 

  • This is the most restrictive approach and shuts off all tracking with one opt-out selection 

One toggle/selection per opt-out right 

Pros 

  • Gives the user more granular choices   
  • Allows the user flexibility in how data can be processed  
  • Can be presented across jurisdictions or dynamically presented based on location 

Cons 

  • Requires extended analysis of tracking technology 

Preference center selections/toggle

  • With the four opt-out rights that US privacy laws have added, a preference center can act as a unified area where users toggle the data processes they want to opt out of.   
  • The primary surface is the cookie preference center, accessible via the banner or an opt-out link, commonly known as the second layer of a consent management platform (CMP).   
  • These choices then need to be enforced downstream through integration with web tracking tags and SDKs.   
  • A user identifier (such as a verified email address) can also be captured through the preference center, which makes matching the request to backend data much easier for your organization.  

Requests-based rights selections 

  • Since opt-out requirements span four different rights, intake forms are a method of implementation that can ensure users enter their preferences for each right.   
  • This preference data then needs to be processed through back-end systems and enforced with third parties and on the client side.   
  • A combination of a CMP with intake forms for each opt-out right is a common deployment strategy, as it allows new users to immediately exercise their rights while giving them the chance to exercise broader control over their data.  

User enabled privacy controls

Under the CPRA, CPA, and CTDPA, organizations need to respond to users who send these signals at the browser level. Implement this so that the user's data is not sold, shared (under the CPRA), or used for targeted advertising from the moment they land on the site: the signal must be read before any tracking tag fires, not after the page has already loaded them.  

Link requirements   

While the CCPA required a "Do Not Sell My Personal Information" link, the CPRA goes a step further and requires a clear "Do Not Sell or Share My Personal Information" link. Clicking it should present users with an opt-out notice explaining their rights and the opportunity to opt out of the sale and sharing of their data. The link can be shown only to geolocated users or deployed universally through a unified preference center.  


How to opt out (the tech)   

After a user exercises their right to opt out, that choice now needs to be enforced downstream to the systems that are processing data for sale, profiling, or targeted advertising.  

This data generally needs to be communicated to two different groups:  

  • Web and digital tracking tools  
  • MarTech platforms    

Web and digital tracking   

There are three ways to block web and digital tracking.    

 

[Graphic: three ways to block web and digital tracking]

 

1. Industry-standard frameworks 

One of the most common frameworks is the IAB CCPA Compliance Framework, whose US Privacy string (exposed to vendor tags through the __uspapi function) signals an opt-out to the various third parties that process personal information throughout your data ecosystem. The IAB Tech Lab has also released the Global Privacy Platform (GPP), a uniform privacy signaling specification with per-state sections that is intended to supersede the US Privacy string as more US state privacy laws take effect.    
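As an added example (not OneTrust's or the IAB's code), this JavaScript encodes and decodes the US Privacy string defined by the IAB CCPA Compliance Framework and exposes it through a minimal __uspapi function of the shape vendor tags call. The four-character layout and the getUSPData command and callback signature follow the published IAB specification; the page-state object, the makeUspApi factory name, and the demo walk-through are constructed for this example.

```javascript
// Added example (not OneTrust or IAB code): the IAB US Privacy string.
// Version 1 of the string is exactly four characters:
//   [0] specification version, always "1"
//   [1] explicit notice / opportunity to opt out given:  Y / N / -
//   [2] user has opted out of sale:                       Y / N / -
//   [3] transaction covered by the IAB LSPA:              Y / N / -
// "1---" means the law does not apply to this user (e.g. a non-California visitor).

const USP_V1 = /^1[YN-]{3}$/; // pins version 1; any other version is rejected

function parseUspString(s) {
  if (typeof s !== 'string' || !USP_V1.test(s)) {
    throw new Error(`invalid US Privacy string: ${JSON.stringify(s)}`);
  }
  const applies = s !== '1---';
  return {
    version: 1,
    applies,
    explicitNotice: s[1],
    optOutSale: s[2],
    lspaCovered: s[3],
    // The only combination under which personal data may be sold:
    // the law applies, notice was given, and the user has NOT opted out.
    saleAllowed: applies && s[1] === 'Y' && s[2] === 'N',
  };
}

// Build the string from the page's own state. A field that is unknown or
// not applicable is emitted as "-" rather than guessed.
function buildUspString({ applies, noticeGiven, optedOut, lspaSigned }) {
  if (!applies) return '1---';
  const yn = (v) => (v === true ? 'Y' : v === false ? 'N' : '-');
  return `1${yn(noticeGiven)}${yn(optedOut)}${yn(lspaSigned)}`;
}

// Minimal __uspapi in the shape vendor tags invoke it:
//   __uspapi('getUSPData', 1, (uspData, success) => { ... })
// `getCurrent` returns the page's current string. The factory keeps the code
// testable without a window object; install it with
//   window.__uspapi = makeUspApi(() => buildUspString(pageState));
function makeUspApi(getCurrent) {
  return function __uspapi(command, version, callback) {
    if (command === 'getUSPData' && (version === 1 || version == null)) {
      callback({ version: 1, uspString: getCurrent() }, true);
    } else {
      callback(null, false); // unknown command or unsupported version
    }
  };
}

// Constructed walk-through: a California visitor sees the notice, then opts out.
function demo() {
  const state = { applies: true, noticeGiven: true, optedOut: false, lspaSigned: false };
  const api = makeUspApi(() => buildUspString(state));
  const seen = [];
  const collect = (d, ok) => seen.push(ok ? d.uspString : 'error');
  api('getUSPData', 1, collect);   // notice shown, not opted out
  state.optedOut = true;           // user clicks "Do Not Sell or Share"
  api('getUSPData', 1, collect);   // same page, new string
  api('bogus', 1, collect);        // vendors asking for anything else get an error
  return seen;
}
```

Vendors read the string through __uspapi on every call rather than caching it, so updating the page state (as demo does) is enough to flip what downstream tags see; the parse side is what a server or a tag-audit script uses to check that the string a page emits matches the user's recorded choice.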

2. Vendor-specific APIs 

Many tracking tools have their own privacy controls, such as Meta's Limited Data Use (LDU) flag or Google's Consent Mode for Google Analytics and Google Ads. These let marketing teams keep collecting the data that falls outside the scope of the opt-out right while the vendor suppresses the rest. Passing the opt-out preference through these controls, in addition to your own blocking, gives a more comprehensive opt-out.    

3. Direct blocking 

Tracking technologies can be blocked directly by preventing the script tag or SDK that processes personal information from loading at all. Tag management solutions are the most common way to do this; they integrate easily downstream and allow automated blocking rules. Blocking has to happen before the tag executes: removing or disabling a script after it has run does nothing about the requests it has already sent.  
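To make the last two options concrete, here is an added JavaScript example (not OneTrust, Google, or Meta code) that pushes a sale/share opt-out into Google Consent Mode and Meta's Limited Data Use flag, and then activates only the gated third-party scripts the choice permits. The gtag('consent', ...) and fbq('dataProcessingOptions', ...) call shapes are the vendors' documented ones; the data-purpose attribute, the purpose names, the region handling, and the recording stubs used in the demo are assumptions made for this example.

```javascript
// Added example (not OneTrust, Google or Meta code): enforcing a sale/share
// opt-out in the browser by (1) passing it to vendor privacy APIs and
// (2) activating only the gated third-party scripts the choice permits.
// The vendor functions are injected so the code runs and tests without the
// real tags; in production pass window.gtag and window.fbq.

// (1) Vendor-specific APIs.
// Google Consent Mode: gtag('consent', 'default', ...) must run before the gtag
// library loads; 'update' is sent whenever the user's choice changes.
// Meta Limited Data Use: fbq('dataProcessingOptions', ['LDU'], 1, 1000) applies
// LDU for California (country 1, state 1000), ['LDU'], 0, 0 lets Meta geolocate,
// and [] turns LDU off. It must be called before fbq('init', ...).
function applyVendorOptOut(optedOut, { gtag, fbq }, { region = 'us-ca' } = {}) {
  const consent = optedOut ? 'denied' : 'granted';
  gtag('consent', 'update', {
    ad_storage: consent,
    // Assumption: third-party analytics is treated as a transfer for "valuable
    // consideration" and is therefore in scope of the opt-out.
    analytics_storage: consent,
  });
  if (!optedOut) {
    fbq('dataProcessingOptions', []);
  } else if (region === 'us-ca') {
    fbq('dataProcessingOptions', ['LDU'], 1, 1000);
  } else {
    fbq('dataProcessingOptions', ['LDU'], 0, 0);
  }
}

// (2) Direct blocking. Third-party tags ship inert in the HTML, e.g.
//   <script type="text/plain" data-purpose="targeting" src="https://ads.example/tag.js"></script>
// Browsers do not execute type="text/plain". Once the choice is known, the CMP
// re-creates only the permitted ones as real <script> elements. This has to run
// before any tag would otherwise load: a script that has already executed
// cannot be "un-run", and the requests it sent are already gone.
const BLOCKED_WHEN_OPTED_OUT = new Set(['targeting', 'sale', 'share']); // assumed purpose names

function purposeAllowed(purpose, optedOut) {
  return !(optedOut && BLOCKED_WHEN_OPTED_OUT.has(purpose));
}

// `doc` is the Document. A new element is created rather than editing the inert
// one in place: changing the type attribute of a <script> that is already in
// the document does not make the browser execute it.
function activateGatedScripts(doc, optedOut) {
  const activated = [];
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-purpose]')) {
    const purpose = inert.getAttribute('data-purpose');
    if (!purposeAllowed(purpose, optedOut)) continue;
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(inert.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.text = inert.text;    // inline body, if any; empty for src= tags
    inert.replaceWith(live);   // inserting the real <script> executes it
    activated.push(purpose);
  }
  return activated;
}

// Constructed demo with recording stubs standing in for the real gtag/fbq.
function demoVendorCalls(optedOut) {
  const calls = [];
  const record = (name) => (...args) => calls.push([name, ...args]);
  applyVendorOptOut(optedOut, { gtag: record('gtag'), fbq: record('fbq') });
  return calls;
}
```

The order matters: resolve the choice (stored preference or GPC), call applyVendorOptOut, and only then activateGatedScripts, all from a small synchronous script that loads ahead of every tag. Scripts whose purpose is not in the blocked set (for example strictly necessary or first-party functional ones) are activated regardless of the opt-out.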

Backend processing

An opt-out usually needs to be communicated to backend systems to stop any data processing that the user opts out of. These integrations are dependent on your tech stack and its architecture.  

Data mapping

The backend systems that perform selling, profiling, or targeted advertising on the data first need to be identified, while the specific fields that store this data and allow processing need to be mapped as well. Mapping the opt-out data lifecycle is key to the efficient handling of these requests.    

Integration methods

Different systems have different authentication and integration requirements. Take a look at whether your opt-outs can be passed in real-time or in batch processes, which protocols are required, and how to communicate this to third parties.  

OneTrust for optimal opt-outs  

As more regulations come into effect and online privacy becomes a growing concern globally, make sure your consumers' personal information is collected in line with every privacy law that applies to your organization.  

OneTrust Consent and Preferences can help your organization handle opt-outs with ease. Give your users choice and control over their data, with dynamic trust centers that capture communication preferences and let users view their consent history. Use automated workflows and integrations across your MarTech stack to enforce user consent and preferences downstream, across all marketing and communications.

Request a free demo to learn more.  

