Modern state privacy statutes require that organizations provide individuals with the ability to opt out of targeted advertising. While the substance of the opt-out right is similar between and among states, state statutes differ in how they mandate the conveyance of the opt-out right. While all state statutes require that an explanation of the right to opt out be included within the organization’s privacy notice, some states, like California under the CPRA, contain specific proscriptive requirements regarding what the opt-out link must be called (i.e., “Do Not Sell or Share My Personal Information”) and where it must be placed (i.e., on an organization’s homepages). Most states only require that the opt-out mechanism be “clear and conspicuous” to an individual. The following chart compares the different requirements imposed by state statutes regarding the location and title of the opt-out link:
Requirements |
California 2022 CCPA [1] |
California 2023 CPRA |
Colorado 2023 CPA |
Conn. 2023 CTCPA |
Utah 2023 UCPA |
Virginia 2023 VCDPA |
Clear and Conspicuous. General requirement that disclosure must be clear and conspicuous to the data subject. | N/A | ✘/✔[2] | ✔[3] | ✔[4] | ✔[5] | ✔[6] |
Homepage. Opt-out link specifically required on homepage. | N/A | ✔[7] | ✘ | ✘/✔[8] | ✘ | ✘ |
Privacy notice. Opt-out description specifically required within privacy notice. | N/A | ✔[9] | ✔[10] | ✔[11] | ✔[12] | ✔[13] |
Other Locations. Opt-out description specifically required in other locations. | N/A |
✔[14] (any California-specific description of consumers’ privacy rights) |
✔[15] (readily accessible location outside of privacy notice) |
✘ | ✘ | ✘ |
Specific Wording. Opt-out link must contain specific words. | N/A |
✔[16] (Do not sell or share my personal information) |
✘ | ✘ | ✘ | ✘ |
FOOTNOTES
[1] As the CCPA does not require that an organization include a link to opt-out of targeted advertising, all requirements have been identified as “N/A.” Note that the CCPA does require disclosures relating to the “sale” of personal information. To the extent that sharing personal information with a targeted advertiser constitutes a sale, an opt-out mechanism should be provided.
[2] Cal. Civ. Code 1798.135(a)(1) (West 2021). Note that this has been marked as partially in place as the CPRA does not contain a general requirement that the opt-out mechanism be clearly and conspicuously disclosed to consumers, but does contain a specific requirement that there be a “clear and conspicuous link on the business’s internet homepages.” As a result, it is possible that a business could comply with the CPRA’s requirement of having a clear and conspicuous link on a homepage, even if the mechanism is not clear and conspicuous to a particular data subject (e.g., if a data subject opens a deep link to something other than a homepage there is no requirement that the disclosure be clear and conspicuous as to that data subject).
[3] C.R.S. § 6-1-1306(1)(a)(III) (2022) (stating that controller must provide a “clear and conspicuous method to exercise the right to opt out of the processing”).
[4] Connecticut Substitute Bill No. 6, § 6(d) (2022) (enacted April 28, 2022, awaiting governor signature).
[5] Utah Code Ann. § 13-61-302(1)(b) (2022).
[6] Va. Code § 59.1-574 (D) (2022) (stating that the controller must “clearly and conspicuously” disclose such processing, but not expressly stating that disclosure must be made on the controller’s homepage).
[7] Cal. Civ. Code § 1798.135(a)(1) (West 2021) (note that the CPRA refers to a business’s “homepages”).
[8] Connecticut Substitute Bill No. 6, § 6(e)(1)(A)(i) (2022) (enacted April 28, 2022, awaiting governor signature) (controller is require to provide a “link on the controller’s Internet web site;” statute does not expressly state that the link must be on the homepage).
[9] Cal. Civ. Code § 1798.135(c)(2)(A) (West 2021).
[10] C.R.S. § 6-1-1306(1)(a)(III) (2022) (stating that controller must provide the opt-out method “clearly and conspicuously in any privacy notice required to be provided).
[11] Connecticut Substitute Bill No. 6, § 6(c)(3) (2022) (enacted April 28, 2022, awaiting governor signature) (stating that a controller must disclose within the privacy notice how a consumer can exercise the rights discussed under the statute).
[12] Utah Code Ann. § 13-61-302(1)(a)(iii) (2022) (stating that a controller must disclose within the privacy notice how a consumer can exercise any of the rights discussed under the statute).
[13] Va. Code § 59.1-574(C)(3), (E) (2022) (stating that a controller must disclose within the privacy notice how a consumer can exercise any of the “consumer rights” discussed under the statute).
[14] Cal. Civ. Code § 1798.135(c)(2)(B) (West 2021).
[15] C.R.S. § 6-1-1306(1)(a)(III) (2022) (stating that opt-out mechanism must be provided in a “readily accessible location outside the privacy notice”).
[16] Cal. Civ. Code § 1798.135(a)(1) (West 2021) (note that the CPRA refers to a business’s “homepages”).