Targeted Advertising under 2023’s five new US State privacy laws

Privacy professionals are set to have a busy 2023 as five new state privacy laws come into effect in California, Colorado, Connecticut, Utah, and Virginia. 

New rules around targeted advertising will have a significant impact on the digital marketing environment. Each of these laws requires businesses to provide consumers with more transparency and choice. But each law works slightly differently. 

If any of these new state privacy laws apply to you (check our overview of the laws to see if that’s the case), you’ll need to review your marketing activities to ensure they meet the new requirements. 

Here’s an overview of the digital marketing obligations in each law. 

California Privacy Rights Act (CPRA) 

The California Privacy Rights Act (CPRA) took effect on Jan 1, 2023, and amended the California Consumer Privacy Act (CCPA). 

Here’s an overview of some of the changes from the CCPA that are relevant to marketers. 

New Definitions 

The CCPA had major implications for online marketing because of the broad way in which it defined a “sale” of personal information. But the rules were somewhat ambiguous and, at least initially, there was some debate regarding the law’s impact on marketing activities. 

The CPRA makes the rules more explicit by introducing the concept of “cross‐context behavioural advertising”—broadly speaking, advertising that is targeted to a consumer based on their activity across different websites and/or apps. 

While “cross-context behavioural advertising” is a form of “sharing” personal information (rather than “selling” it), the activity is excluded from the CPRA’s list of “business purposes”. So, unlike other “business purposes” activities, consumers can opt out of cross-context behavioural advertising. 

This means you must enable California residents to opt out of your targeted advertising campaigns. 

“Do Not Sell or Share” 

The CCPA required businesses selling personal information to provide a link on their homepage reading “Do Not Sell My Personal Information”. 

Under the CPRA, businesses engaged in targeted advertising must now provide a link reading “Do Not Sell or Share My Personal Information”. 

This link must direct the consumer to a web page enabling them to opt out of the sale or sharing of their personal information. 

If a consumer exercises their right to opt-out, you must only use their personal information for one of the CPRA’s “business purposes” (which do not include targeted advertising). You can ask the consumer to opt back in, but not for at least 12 months. 

Universal Opt-Out 

Businesses must allow consumers to opt-out via a universal opt-out method such as the Global Privacy Control (GPC).  

This isn’t a new requirement under the CPRA—it existed under the CPRA’s predecessor, the CCPA. but was clarified since the CCPA took effect by the Attorney-General. 

Colorado Privacy Act (CPA) 

The Colorado Privacy Act (CPA) takes effect on July 1, 2023, and sets many rules for companies running targeted advertising campaigns. 

Privacy Notice 

Under the CPA, your privacy notice must contain the following information about your targeted advertising activities (and your data collection and processing activities in general): 

• The categories of personal data you collect 
• The purposes for which you process those categories of personal data 
• How and where consumers can exercise their rights under the CPA 
• The categories of personal data you share with third parties, if any 
• The categories of third parties, if any, with whom you share personal data 
• If you sell personal data or use it for targeted advertising: a disclosure explaining this, and an explanation of how to opt-out. 

Right to Opt Out 

As mentioned, the CPA provides consumers with the right to opt out of several types of data processing, including: 

• Targeted advertising 
• The sale of their personal information 
• Profiling that produces legal or similarly significant effects 

The first two of these requirements are relevant to marketers. The third, “profiling” is unlikely to be relevant to most marketing activities. 

You must make consumers aware of their right to opt-out—both within your privacy notice and “in a clear, conspicuous, and readily accessible location outside the privacy notice.” 

You must also provide a mechanism by which consumers can exercise their right to opt-out, such as “a web link indicating a preference or browser setting, browser extension, or global device setting (see below).” 

Universal Opt-Out 

Like the CPRA, the CPA also requires businesses to allow consumers to opt via a universal opt-out signal. However, this part of the law does not take effect until July 2024. 

Connecticut Data Privacy Act (CTDPA) 

The Connecticut Data Privacy Act (CTDPA) takes effect on July 1, 2023. 

Regarding marketing, the CTDPA shares a lot in common with Colorado’s privacy law, examined above. The requirements include the following: 

• Enabling consumers to opt out of targeted advertising 
• Disclosing your targeted advertising activities in your privacy notice, together with an explanation of how to opt-out 

• Providing a “clear and conspicuous” link to an opt-out form on your website 
• Enabling consumers to opt-out via a universal opt-out signal ( in Connecticut, this takes effect from Jan 1, 2025). 

Data Protection Assessment 

One major difference between the CTDPA and Connecticut’s law is that the CTDPA requires you to conduct a “data protection assessment” before engaging in targeted advertising (or certain other activities that present “a heightened risk of harm”). 

The data protection assessment should: 

• Identify the benefits of the activity 
• Identify the risks to the consumer and others 
• Weigh the benefits against the risks
• Identify any safeguards that could mitigate the risks 

You should document your assessment as it might be demanded by the state Attorney-General during an investigation. 

Utah Consumer Privacy (UCPA) 

The Utah Consumer Privacy (UCPA) is arguably the least demanding of the five state privacy laws that take effect in 2023, including from a marketing perspective. 

The law contains similar requirements to the Colorado and Connecticut laws above, namely: 

• Enabling consumers to opt out of targeted advertising 
• Disclosing your targeted advertising activities in your privacy notice, together with an explanation of how to opt-out 
• Providing a “clear and conspicuous” link to an opt-out form on your website 

The UCPA, however, does not require businesses to conduct a data protection assessment before engaging in targeted advertising (unlike Connecticut). Nor does Utah require businesses to recognize a global opt-out. 

Virginia Consumer Data Protection Act (VCPDA) 

The Virginia Consumer Data Protection Act (VCPDA) took effect on Jan 1, 2023. 

In terms of targeted advertising obligations, the VCDPA is similar to Connecticut’s privacy law (although Virginia’s was drafted first) in that it includes the following requirements: 

• Enabling consumers to opt out of targeted advertising 
• Disclosing your targeted advertising activities in your privacy notice, together with an explanation of how to opt-out 
• Providing a “clear and conspicuous” link to an opt-out form on your website 
• Conducting a data protection impact before engaging in targeted advertising 

However, unlike Connecticut’s law, the VCDPA does not require businesses to recognize a universal opt-out signal. 

Sensitive Data and Children’s Data 

Note that this article hasn’t discussed how these laws treat sensitive data or children’s data. Both of these things might be relevant to some marketing campaigns. 

Each of these laws contains some requirement to treat sensitive data and children’s data differently from other types of personal data. 

If you think you might be processing sensitive or children’s data as part of your marketing campaign, make sure you check how each relevant law applies to you.

Overview of Targeted Advertising Requirements