With the recent passage of Virginia’s Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA), users in the United States saw their rights around privacy and data collection expand significantly. Up until the passage of the CDPA and the CPA, only California had legislation around privacy and consent. Now, there are three states that have taken steps to regulate how companies can collect and process their users’ data.
A big part of the legislation of all three states is the expanded opt-out rights of users. Sometimes, these rights (and the other upcoming changes) get lost in the shuffle of all the “cookieless” chatter and the deprecation of third-party cookies, but that doesn’t decrease their importance.
That’s because these expanded opt-out rights, combined with simpler mechanisms for users to opt out of various uses of their personal data, create an increased risk that marketers and advertisers will have less data to work with and use—and therefore they’ll have less ability to conduct activities like targeted and personalized advertising.
All is not lost, though. By understanding the specific opt-out rights in each of the pieces of legislation, you can take steps to minimize the impact of the legislation on your organization. To help with that, let’s look at the rights the CDPA, CPA, and CPRA (California Privacy Rights Act) grant, how the legislation might impact you, and what you should do about it.
Users’ Opt-Out Rights Under the CDPA
The CDPA allows users to opt out of targeted advertising. Targeted advertising, as defined in the Virginia law, means the displaying of advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.
Importantly, the law also states what targeted advertising does not include. Targeted advertising does not include advertisements based on activities within a controller’s own websites or online applications; advertisements based on the context of a consumer’s current search query, visit to a website, or online application; advertisements directed to a consumer in response to the consumer’s request for information or feedback; or the processing of personal data processed solely for measuring or reporting advertising performance, reach, or frequency.
Keep in mind that, under the CDPA (as well as the CPA and CPRA), companies can still collect data even if a user opts out. However, if a user exercises their opt-out rights, companies cannot then use that data to engage in any prohibited activities (such as targeted advertising).
Users’ Opt-Out Rights Under the CPA
Like the CDPA, the CPA allows users to opt out of targeted advertising. Under the CPA, targeted advertising is defined as “displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests.”
Targeted advertising in the Colorado law also does not include advertising to a consumer in response to the consumer’s request for information or feedback, or advertisements based on activities within a controller’s own websites or online applications.
It also doesn’t pertain to advertisements shown based on the context of a consumer’s current search query, visit to a website, or online application; or the processing of personal data solely for measuring or reporting advertising performance, reach, or frequency.
Users’ Opt-Out Rights Under the CPRA
California’s CPRA expands and clarifies the current rights granted to users by the California Consumer Privacy Act (CCPA) by allowing users to opt out of the sharing of their personal information. The definition of “sharing” in the law explicitly includes a specific callout for “cross-context behavioral advertising”—in other words, targeted advertising.
The CPRA defines cross-context behavioral advertising as the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.”
So, let’s say you’re relying on third-party data sources that are aggregating information—for example, web browsing data about a user across other websites. If you purchase that information or combine it with your first-party datasets to gain a fuller picture of your users, then the CPRA allows a user to opt out of being included in any of those datasets or having their personal information used for such a purpose.
How the New Legislation Impacts You
As you can see, each piece of legislation uses different terminology, but the end result for each of them is essentially the same. They each give users the right to opt out of having their personal information used for purposes of targeted advertising. And that ability to opt out will have some profound implications for some of your advertising strategies.
This is particularly true for any strategy that relies on third-party data. So, if you are using a data management platform where you’re purchasing information aggregated about a user from across the web, and the user opts out, you will not be able to process any of that information for any type of audience creation or targeting activity.
The same is true if you combine datasets across providers. This practice is also affected by the new legislation, because it gathers users’ behavior across multiple distinct domains and then processes that information to target users with selected, relevant advertising campaigns.
Exceptions to the Legislation
While the new legislation does drastically expand users’ opt-out rights, it’s important to realize that not all actions are precluded under these laws. For example, there are specific callouts that can allow for activities like remarketing and campaign analysis.
To give you an example of this, let’s say someone adds something to their cart on your website, and then abandons the cart. You create an audience to display an ad to this user for the product they were considering but did not purchase. This type of activity is targeting an ad to a user based on an action they took on your site. It doesn’t combine behavioral information about what the user did on your site with what they did on the rest of the web (other distinct websites). Therefore, this activity would be defensible, even for users who opt out of targeted advertising.
There are also specific callouts in the legislation that allow you to use a user’s personal data for reporting and measurement purposes. For example, if you want to report on or measure the effectiveness of a campaign—and you have no plans to use the data for targeting purposes—you can still collect and process the data for this purpose.
To take advantage of these exceptions, you need to define the different processing activities you plan to engage in, then determine what data is necessary to accomplish your objectives. If you are using certain data points for multiple activities, you need to have technical and operational protections in place to make sure that when a user opts out, you don’t end up processing the data in a prohibited way or for a prohibited purpose. You can still use the data for measuring and reporting, for example, but not for targeted advertising.
How to Minimize the Impact
The changes are sweeping, but the sooner you begin preparing, the better off you’ll be. And, because the new legislation won’t fully go into effect until 2023, you have some time to make the necessary changes to ensure you remain compliant without your marketing and advertising activities suffering.
First, do a strategic risk assessment to analyze what data is being collected and processed by your organization. What data platforms do your current strategies rely on? What technical and operational processes do you have in place to differentiate between processing activities?
Remember, there are certain key exceptions to what users can opt out of, and so part of your job will be to get a structure in place (if you don’t already have one) so you can determine on a granular level how you will use each of the user data points collected. Having the capability to differentiate between those processing activities will help you get the most out of the information you collect while still maintaining compliance with these laws.
Your next step is to make sure you have documentation in place that clearly discloses to users what their personal data is being used for. You should also document the processes you created around all your different processing activities. Finally, you should create the proper architecture so you can maximize the value you’re able to pull from user data, while still fully respecting their wishes if they choose to opt out.
Be Ready for the Upcoming Changes
Come 2023, how companies in the United States are allowed to collect and process data is going to be very different. Yes, third-party data and the deprecation of third-party cookies are a big part of that, but as you’ve seen, cookie changes are not the only change coming. The new opt-out provisions in the CDPA, the CPA, and the CPRA are huge, and all of them will be enforceable in 2023.
The time to start preparing for these regulatory requirements is now. Begin with a risk assessment, get your strategy in order, and make sure you have appropriate documentation. It’s doable, but it will take time, so use 2022 to focus on executing all the various activities you need to accomplish to get your ducks in a row for 2023.