If your company’s marketing plan includes cross-context behavioral advertising (i.e., targeting ads to consumers based on their Internet browsing habits, also known as ad tracking), this alert may be for you.
The attorneys general of Connecticut, California, and Colorado, together with the California Privacy Protection Agency (CPPA), have announced a joint investigative sweep to address potential noncompliance with their states’ comprehensive consumer data privacy laws. These states require covered businesses not only to allow consumers to opt out of the sale and “sharing” of their personal data (i.e., disclosure for cross-context behavioral advertising) but also to honor user-enabled universal opt-out signals (such as the Global Privacy Control, or GPC) as valid opt-out requests. The GPC is a browser setting or extension that automatically signals to a business that the consumer wants to opt out of the sale and “sharing” of their personal data. Other states that have enacted omnibus consumer data privacy laws may have similar requirements.
A business that engages in ad tracking and does not currently recognize the GPC signal should determine whether it is subject to a state law that requires such recognition. If so, it should assess how to comply with the opt-out and other provisions of applicable state law. This assessment may involve the review of a business’s public-facing consumer privacy notice, website terms of service, cookie policy, and opt-out procedures. Nineteen states have enacted comprehensive consumer data privacy laws with various opt-out requirements. Whether a business is covered under a particular law generally depends on both offering goods and services to residents of that state for personal or household use, together with some combination of annual revenue and/or processing, selling, and/or “sharing” of a certain number of consumers’ personal data. (California law is stricter and more expansive.) The coverage analysis can be complex, and certain businesses—such as nonprofits, financial institutions, colleges and universities, and HIPAA-covered entities—may be exempt.
The joint investigative sweep follows the spring announcement of the creation of the Consortium of Privacy Regulators and the debut of New Jersey’s omnibus law (which echoes elements of the California and Colorado laws), showing just how closely the states are coordinating. The consortium consists of the CPPA and state attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. These two announcements, along with other public comments from the regulators, indicate that coordinated investigations are likely to become the norm.
[View source.]
