To opt-in or opt-out? The data privacy landscape in Europe sees consent as an opt-in mechanism under the GDPR. In the US, laws in Virginia and Connecticut also require opt-in consent, regarding sensitive personal information. 

In 2019, US privacy laws arrived on the scene with the California Consumer Privacy Act (CCPA) and subsequent state laws in California, Virginia, Colorado, Utah, and Connecticut. These all follow an opt-out mechanism for consent in most areas.

These five US state privacy laws all have their own unique opt-out requirements. This blog will help you understand the following: 

• The legal requirements from state to state  
• How to operationalize compliance  
• How to implement solutions for the best user experience 

The cross-country opt-out tour  

Let’s take a look at the different types of opt-out definitions across the new regulations, and which state requires which.  

Opt-out definitions 

Sale (S) 

• The majority of US state privacy laws define the sale of personal data as data exchanged with third parties for a monetary or valuable consideration (Virginia and Utah define it as for monetary purposes only)  
• This is very broad and generally applicable to third-party analytics or third-party transfers such as partner services (marketing, rewards, etc.)  

Share (Sh) 

• Personal data exchanged with a third party for the purpose of cross-context behavioral advertising  
• Considered sharing, regardless of whether it was for monetary or other valuable consideration   
• This is widely applicable to the programmatic ads ecosystem  

Targeted advertising (TA) 

• Data used to provide targeted advertising based on cross-contextual or behavioral data   
• This is applicable to transfers associated with the programmatic ecosystem as well as data correlated across non-affiliated digital properties  

Profiling (P) 

• Leveraging data to generate profiles to predict or otherwise evaluate or analyze user behavior  
• This type of processing is generally done by MarTech tools such as Customer Data Platforms (CDPs) or Data Management Platforms (DMPs)   
• This type of processing can be done by organizations directly as well as third-party providers  

Universal opt-out signals (U)  

• Extensions through which users can set their opt-out preferences across websites and browsers   
• Allows them to avoid selecting their cookie preferences for each website they visit  
• The GPC is the most prominent universal opt-out signal today 

Global Privacy Control – The GPC is a universal opt-out signal that users can either set at a browser level (depending on the browser) or through a browser extension (such as Privacy Badger on Google Chrome). This allows a user to define their preferences across the internet when initially landing on a website. As such, organizations under the jurisdiction of laws requiring universal opt-out signals will need to be able to read the GPC as users visit their digital properties and honor the opt out of the sale and the sharing of personal information. 

Take the ultimate guide to US opt-out requirements offline by downloading the guide here. 

Operationalize opt-out requirements   

Selling data can be broadly bucketed into two groups.  

1. Anonymous user data  
2. Known user data 

Data being transferred through web/digital analytics and tracking for “anonymous” users

This is brought into scope primarily with the inclusion of “valuable consideration.” Because money does not need to be exchanged, this can be interpreted as transfers to third parties for analytics (whether for behavioral tracking or general site statistics). 

This type of transfer happens with technologies such as third-party tags or software development kits (SDKs).  

Data being transferred through server-side/backend processing for “known” users

The second form is more straightforward as it directly references an exchange of money. Most of these processes are used for initiatives like partner services marketing, rewards programs, or third-party list rentals. 

In this case, a user is identified and the transfer of data takes place in an organization’s backend MarTech stack.  

How are you doing the following? 

Targeted advertising

With multiple laws having specific rights to opt-out of targeted advertising, make sure that the appropriate mechanisms are in place for users to opt out.  

In the programmatic ecosystem, which is the primary targeted advertising mechanism, opt-outs will be communicated to supply-side providers and then transferred throughout the ecosystem, to enforce the decision downstream.  

User identification

Selling, profiling, and programmatic advertising take place when users hit your digital properties. They may also have GPC running in their browser.   

Once a user hits your website, an opt-out request needs to occur. In most cases, the opt-out can be executed by shutting off third-party tracking client-side.  

However, if a user’s data is in the form of a list rental, the data is most likely tied to an identifier such as an email address in the case of email marketing or an account ID. To perform an opt-out in this case, the user making the request must be tied to the backend data, with some form of identifier collected on the intake.    

The methods of user identification need to be clearly mapped out to ensure requests are fulfilled efficiently, while prioritizing user privacy throughout the process.  

Take the ultimate guide to US opt-out requirements offline by downloading the guide here. 

Deliver the best opt-out user experience   

The three main elements of an optimal user experience around opt-outs are the following: 

• Geolocation  
• User interface  
• ID capture 

Geolocation 

As different states have different privacy laws, there are two industry-standard approaches to take regarding geolocation (each with their own pros and cons).

User interface 

As users navigate through your website, completing an opt-out request should be a quick, seamless process. The components you include will help them optimally exercise this right.  

Do you need a cookie banner?

Look at your website operations and determine when privacy notices or opt-out prompts need to be shown to users.  

If your cookies and trackers on your site are in the scope of “selling data,” then cookie banners will be required to comply with the stipulation to “disclose the sale at or before the time of data collection.” 

How will users opt out?

The industry standard options for users to exercise their opt-out rights include:  

• Preference center options with toggles  
• Request-based rights selections on intake forms  
• User-enabled privacy controls (GPC) 

When presenting the opt-out method of toggle/selection options to users, there are two primary approaches on how to present them.

One universal toggle/selection 

Pros 

• Requires less analysis of tracking technologies as there is no differentiation between different types of opt-outs  
• Can be presented across jurisdictions as it covers all rights 

Cons 

• This is the most restrictive approach and shuts off all tracking with one opt-out selection 

One toggle/selection per opt-out right 

Pros 

• Gives the user more granular choices   
• Allows the user flexibility in how data can be processed  
• Can be presented across jurisdictions or dynamically presented based on location 

Cons 

• Requires extended analysis of tracking technology 

Preference center selections/toggle

• With four opt-out rights that US privacy laws have added, a preference center can act as a unified area where users toggle between the data processes they want to opt out of.   
• The primary requests will be the cookie preference center, accessible via a banner or opt-out link, commonly known as the second layer of a CMP.   
• These choices will then need to be enforced downstream through integration with web tracking and SDKs.   
• User authentication can also be captured through the preference center, making data intake streams much easier for your organization.  

Requests-based rights selections 

• Since opt-out requirements span four different rights, intake forms are a method of implementation that can ensure users enter their preferences for each right.   
• This preference data then needs to be processed through back-end systems and enforced with third parties and on the client side.   
• A combination of a CMP with intake forms for each opt-out right is a common deployment strategy, as it allows new users to immediately exercise their rights while giving them the chance to exercise broader control over their data.  

User enabled privacy controls

Under the CPRA, CPA, and CTDPA organizations need to respond to users that have these signals at the browser level. Your organization needs to implement this in a way that ensures user data is not sold, shared (under the CPRA) or profiled upon visiting the website, but an initial device or probabilistic ID check is performed before other actions take place.  

Link requirements   

While the CCPA required a “Do Not Sell My Personal Information” link, the CPRA takes it a step further to require organizations have a clear link that states “Do Not Sell/Share My Personal Information.” Upon clicking, it should provide users with an opt-out notice about their rights and the opportunity to opt-out of the sale and share of their data. This link can also be geolocated or deployed universally through a unified preference center.  

Take the ultimate guide to US opt-out requirements offline by downloading the guide here. 

How to opt out (the tech)   

After a user exercises their right to opt out, that choice now needs to be enforced downstream to the systems that are processing data for sale, profiling, or targeted advertising.  

This data generally needs to be communicated to two different groups:  

• Web and digital tracking tools  
• MarTech platforms    

Web and digital tracking   

There are three ways to block web and digital tracking.