To opt in or opt out? In Europe, the GDPR treats consent as an opt-in mechanism. In the US, laws in Virginia and Connecticut also require opt-in consent for sensitive personal information.
In 2019, US privacy laws arrived on the scene with the California Consumer Privacy Act (CCPA) and subsequent state laws in California, Virginia, Colorado, Utah, and Connecticut. These all follow an opt-out mechanism for consent in most areas.
These five US state privacy laws all have their own unique opt-out requirements. This blog will help you understand the following:
- The legal requirements from state to state
- How to operationalize compliance
- How to implement solutions for the best user experience
The cross-country opt-out tour
Let’s take a look at the different types of opt-out definitions across the new regulations, and which state requires which.
Opt-out definitions
Sale (S)
- The majority of US state privacy laws define the sale of personal data as data exchanged with third parties for monetary or other valuable consideration (Virginia and Utah define it as an exchange for monetary purposes only)
- This is very broad and generally applicable to third-party analytics or third-party transfers such as partner services (marketing, rewards, etc.)
Share (Sh)
- Personal data exchanged with a third party for the purpose of cross-context behavioral advertising
- Considered sharing, regardless of whether it was for monetary or other valuable consideration
- This is widely applicable to the programmatic ads ecosystem
Targeted advertising (TA)
- Data used to provide targeted advertising based on cross-contextual or behavioral data
- This is applicable to transfers associated with the programmatic ecosystem as well as data correlated across non-affiliated digital properties
Profiling (P)
- Leveraging data to generate profiles to predict or otherwise evaluate or analyze user behavior
- This type of processing is generally done by MarTech tools such as Customer Data Platforms (CDPs) or Data Management Platforms (DMPs)
- This type of processing can be done by organizations directly as well as third-party providers
Universal opt-out signals (U)
- Extensions through which users can set their opt-out preferences across websites and browsers
- Allows them to avoid selecting their cookie preferences for each website they visit
- The Global Privacy Control (GPC) is the most prominent universal opt-out signal today
Global Privacy Control: The GPC is a universal opt-out signal that users can set either at the browser level (depending on the browser) or through a browser extension (such as Privacy Badger on Google Chrome). It lets a user state their preferences once and have them apply across the internet from the moment they first land on a website. Organizations under the jurisdiction of laws requiring universal opt-out signals therefore need to read the GPC as users visit their digital properties and honor the opt-out of the sale and the sharing of personal information.
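One way a site could read the signal and honor it, as an added example that is not from the original post. GPC reaches the server as the `Sec-GPC: 1` request header; the function names, the shape of the opt-out record and the sample tags are assumptions, and the purpose codes S, Sh, TA and P are the definitions above.

```javascript
// Added example: gpcEnabled, applyGpc, tagsToLoad and the sample tags are
// hypothetical names; purpose codes S/Sh/TA/P follow the definitions above.

// True when the request carries the GPC header "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is no signal.
function gpcEnabled(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === "1";
    }
  }
  return false;
}

// Merge the signal into a stored opt-out record. GPC only ever adds
// opt-outs for sale (S) and sharing (Sh); its absence never clears an
// opt-out the user made earlier.
function applyGpc(stored, gpc) {
  const optOut = { S: false, Sh: false, TA: false, P: false, ...stored };
  if (gpc) {
    optOut.S = true;
    optOut.Sh = true;
  }
  return optOut;
}

// Keep only the tags whose purposes the user has not opted out of.
function tagsToLoad(tags, optOut) {
  return tags
    .filter((t) => !t.purposes.some((p) => optOut[p]))
    .map((t) => t.name);
}

// Constructed sample data: third-party tags labelled by processing purpose.
const sampleTags = [
  { name: "partner-analytics", purposes: ["S"] },
  { name: "programmatic-ads", purposes: ["Sh", "TA"] },
  { name: "cdp-profiles", purposes: ["P"] },
  { name: "first-party-session", purposes: [] },
];

const demoOptOut = applyGpc({ TA: false }, gpcEnabled({ "SEC-GPC": "1" }));
console.log(tagsToLoad(sampleTags, demoOptOut));
```

Deciding server-side which tags to emit means an opted-out visitor's browser never requests the sale or sharing tags in the first place.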