Privacy compliance is difficult. Privacy compliance is made much more difficult due to the patchwork nature of regulations, and thus requirements, many organizations face. Different laws applicable based upon location, based upon the industry, based upon the type of data … it’s complex! Unfortunately, this is especially the reality for organizations operating in the United States. Without a federal privacy law, individual states and industries have taken on the job of filling the gap.
For advertisers, this means all kinds of considerations must be made when creating a targeting and measurement strategy for advertising. What information can we collect from users? From whom can we collect it? What can we use for targeted advertising? Where did all the data in my reports go? A review of the current state of privacy regulations in the United States can help provide necessary context for successful strategy.
Comprehensive State Privacy Laws
Beginning with the passage of the California Consumer Privacy Act (CCPA) in 2018, a number of states in the United States have begun passing what are known as “comprehensive state privacy laws”. These are laws specifically focused on granting privacy rights to individuals within each respective state, as well as placing specific obligations on businesses that collect and process consumers’ personal information.
As of the time of writing (January 2025) there are 19 states with comprehensive privacy laws passed, 13 of which are enforceable with the remaining becoming enforceable over the next year-and-a-half. While each state’s law has slight nuance, a few general commonalities should be on every advertiser’s radar.
Personal Information / Personal Data
To start, it is important to understand the type of data that is protected under comprehensive state privacy laws. “Personal Information” (California) or “Personal Data” (all others) is generally defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person”. For advertisers, this means any kind of device identifier (cookie ID, IDFA, GAID, IP address), any kind of persistent identifier (e-mail, name, phone number, User ID, UID, RampID, etc.), or any kind of probabilistic identifier (what you get from a DMP or most identity resolution partners) is going to fall within this category.
Rule of thumb for advertisers:
- Any kind of user identifier used in advertising is going to meet the definition of personal information/personal data.
Notice
A central tenet of all state comprehensive privacy laws is that users must be given notice as to the personal information being collected and used, the purposes for which it is being used, whether and with whom the information is being shared, and why. This means that organizations need to be transparent about all of their data collection and use practices, including any kind of sharing of this data with adtech partners used for purposes of measurement and targeting.
It is extremely important for advertisers to keep in mind that any use of personal information/personal data that is not aligned with the purposes disclosed to a user in the notice at the time of collection is unlawful. Keep this in mind when thinking about all the new kinds of advanced analysis, segmentation, and targeting that can be done with emerging technologies like AI.
Rule of thumb for advertisers:
- Any data collection for use in advertising use cases needs to be documented with notice provided for the categories of information used, categories of platforms the data is shared with, and use cases for the data.
Consent & User Choice
Consent requirements for the collection and usage of personal information in the United States are much more lax when compared with other regions such as Europe. Generally, for comprehensive state privacy laws, the collection of personal data for advertising use cases does require an opt-out ability for the user. There is a bit of nuance here: if the data is used purely for a measurement purpose, it is likely exempt. If it is not used only for measurement, but instead used to inform personalized targeting, audience segmentation, direct targeting, profile creation, or to predict consumer behavior, then it is safe to assume that the user should have a right to opt out of the collection and use for that purpose.
Beyond the opt-out requirements for the use of personal data for targeted advertising use cases, a special category of data, “sensitive data” or “sensitive information”, carries heightened requirements for its collection for any purpose. “Sensitive data” refers to information like precise location information (generally within a half-mile radius), and information relating to an individual’s health, sexual orientation, race, religious beliefs, or immigration status. In California, any collection of this type of data requires a unique opt-out ability; all 18 other state laws require an explicit opt-in for its collection.
Rules of thumb for advertisers:
- There is an opt-out requirement for the use of personal data/personal information for advertising use cases unless it is a purely measurement use case.
- There is an opt-in requirement for any collection of sensitive personal data/personal information.
Data Protection Assessments
A wrinkle added to most of the comprehensive state privacy laws passed in the last two years (many currently enforceable) is a requirement for organizations using personal data for certain “high risk” activities to conduct a formal data protection assessment (DPA) for each of those activities. Explicitly called out as an activity which requires a DPA is any processing of personal data for purposes of targeted advertising. This means that many common advertising use cases that use personal data (things like personalized advertising, user profile creation, audience segmentation, and direct targeting) require a DPA. Specific requirements for what must be covered in the DPA vary from state to state, but generally this assessment must outline the data being used; any potential risks to the consumer; what the benefits of the processing are for the organization, consumer, and other stakeholders; as well as controls put in place to mitigate risks identified. For advertisers, it is critical to document all of these components early in the advertising strategy process to ensure campaigns can be executed in a lawful manner.
Rule of thumb for advertisers:
- Targeted advertising activities will require a data protection assessment to be conducted. Document data requirements, why the activity is being conducted, potential risks to the user, benefits of the activity, and any controls in place to ensure responsible and lawful use of consumer information. Do this early when defining your advertising strategies!
Federal Privacy Laws and Statutes
In addition to comprehensive state privacy laws, organizations must also be aware of federal laws that have implications for privacy. While there is not yet a federal comprehensive privacy law, there are a number of federal laws which carry requirements related to privacy for organizations that meet defined characteristics. Three specifically have attracted a lot of attention over the past several years: VPPA, the FTC Act, and HIPAA.
Video Privacy Protection Act (VPPA)
The Video Privacy Protection Act (VPPA) is a 1988 U.S. federal law that prohibits the collection and distribution of video viewing histories without a consumer’s explicit consent. The law places obligations on “video tape service providers” before certain information about video content in connection with an individual can be disclosed to another party. The challenge with VPPA is the law was written and passed before the current digital environment and carries a private right of action. This means that it is challenging to interpret the law given today’s video delivery mechanisms while also being enticing for private litigators to bring legal action against organizations because there is a monetary reward in the event of being found in violation.
VPPA has, in recent years, led to legal challenges for many organizations with video content on their sites that are also using common third-party tracking technologies, such as Facebook Pixels and adtech platforms, to create audiences and target users based upon their observed behavior (i.e. videos being consumed on the website). While the case law is not fully established, there is significant operational burden and legal costs in the event of legal challenges being brought.
Rules of thumb for advertisers:
- If you are collecting a user’s video viewing behavior on your websites via third-party adtech and analytics platforms, you are potentially at risk for legal challenges related to VPPA.
- Review the purposes for this type of data collection and consult with your privacy and legal teams for the best ways to mitigate risk if this data collection is critical for your advertising use cases.
Section 5 of the Federal Trade Commission Act (FTC Act)
Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” In the past year, there have been several instances where this has been used to litigate organizations’ privacy practices related to data collection and usage for advertising. Two notable recent examples include FTC enforcement actions against BetterHelp and GravyAnalytics for their alleged failures related to privacy.
In the case of BetterHelp, the “FTC alleged that, among other things, BetterHelp promised to keep users’ information private but revealed data to Facebook, Snapchat, Pinterest, and Criteo for advertising purposes.” Essentially, BetterHelp was stating in their notice that they did not collect and use an individual’s personal information for advertising purposes while explicitly doing so via the listed platforms.
In the case of GravyAnalytics, the FTC took action against the platform (a data broker that provided audiences for targeted advertising) for allegedly unlawful tracking and selling of sensitive location data from users. The allegation is that the platform was collecting sensitive data for use in targeted advertising without verifiable user consent.
Both of these instances highlight the need to be transparent about the collection and usage of personal data and, in the case of any kind of usage of sensitive data, ensure that proper consent mechanisms are in place.
Rules of thumb for advertisers:
- Document any and all collection and usage of personal data for advertising use cases.
- Ensure that the data used, as well as the purposes for its use, is disclosed to users.
- Ensure that what you are doing with data in practice is aligned with what you tell your users in notices and disclosures.
Health Insurance Portability and Accountability Act (HIPAA)
For organizations in the healthcare industry, there are a number of privacy and data protection obligations in HIPAA. Notably among the requirements as they relate to advertising is the obligation for explicit consent prior to the collection of protected health information (PHI) as well as explicit written consent prior to the use of any PHI for marketing/advertising purposes. Advertisers at HIPAA Covered Entities are well-versed in the constraints of data collection and usage for advertising and analytics. Unique advertising strategies must be pursued for any organization within this scope.
Rules of thumb for advertisers:
- Understand if your organization is a HIPAA Covered Entity to understand the applicability of the law.
- If so, review all data collection and usage practices for advertising use cases with privacy/legal to understand the constraints. Strategize accordingly.
State Sectoral Laws
As if comprehensive state privacy laws and federal laws weren’t enough, there are a number of state-specific laws also relevant for organizations dealing with certain types of data! If you haven’t in a while, now’s a good time to give your Data Privacy Officer a hug. While there is a ton of nuance and a litany of these laws, two specifically have been the cause of many challenges for organizations recently: California’s Invasion of Privacy Act, and Washington’s My Health My Data Act.
California Invasion of Privacy Act (CIPA)
CIPA is what is commonly referred to as a “wiretapping” law. Under CIPA, it is illegal to record a user via a “pen register” or “trap and trace” device without their explicit consent. Many private litigators in the United States have recently been alleging that tracking technologies (like Facebook Pixels, Google Analytics, TikTok Pixels, etc.) do just this when a website deploys the tracking technologies (tags/pixels/cookies) without explicit consent beforehand. To date, courts have been split on this interpretation, with some cases being dismissed, some settled, and some continuing to make their way through the legal system. Until more explicit case law becomes established to set the guardrails for what is lawful and what is not, we will likely see a continued rise in legal challenges being raised, leading to significant operational and legal overhead due to common data collection practices across the web.
For advertisers, this means that much of the data collection being done on a website to understand consumer behavior, campaign effectiveness, and to power personalized advertising could come under question from privacy and legal teams. Making sure that notices are properly configured to mitigate CIPA risks, and that your consent architecture effectively respects users’ consent selections, is critical to continuing to operate with a low-risk profile.
Rules of thumb for advertisers:
- Understand and document all data collection via third-party tracking technologies such as Facebook Pixels, Google Analytics, The Trade Desk, etc.
- Ensure that the consent architecture on all websites appropriately respects users’ consent selections.
- Work with privacy/legal to ensure all uses of consumer data for advertising, along with the platforms used for collection and processing, are properly configured and disclosed to mitigate potential legal risk.
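The consent architecture point above comes down to one mechanical property: a tag that needs consent must not be injected until that consent exists, and a partial or malformed choice must fail closed. The following is an added example, not code from the original article or from any vendor’s consent platform; the tag names, the three purpose categories, and the loader callbacks are all constructed for illustration. It registers tags at “page load” before the user has chosen, holds the non-essential ones, and releases only those whose purpose the user explicitly enabled, keeping an append-only audit record that privacy/legal can review.

```javascript
// Added example: a minimal consent gate for third-party tags.
// Assumptions (not from the original article): tag names, the purpose
// categories below, and the loader callbacks are constructed for illustration.

const PURPOSES = Object.freeze(["essential", "analytics", "advertising"]);

class ConsentGate {
  constructor() {
    // Default posture: nothing beyond essential is allowed until the user
    // makes a choice. A tracking pixel must never fire before that choice exists.
    this.granted = { essential: true, analytics: false, advertising: false };
    this.pending = []; // registered tags not yet allowed to load
    this.audit = [];   // append-only record of what fired, what was held, and why
  }

  // Register a tag with the purpose it serves and the function that would
  // inject its script. The function is only invoked once consent permits.
  register(tag) {
    if (!PURPOSES.includes(tag.purpose)) {
      throw new Error(`unknown purpose for ${tag.name}: ${tag.purpose}`);
    }
    if (this.granted[tag.purpose]) {
      this.fire(tag, "consent already granted");
    } else {
      this.pending.push(tag);
      this.audit.push({ tag: tag.name, action: "held", reason: `no ${tag.purpose} consent` });
    }
  }

  // Record the user's choice. Only purposes explicitly set to boolean true are
  // enabled; a missing or non-boolean value stays denied (fail closed).
  update(choices) {
    for (const purpose of PURPOSES) {
      if (purpose === "essential") continue;
      this.granted[purpose] = choices[purpose] === true;
    }
    const stillHeld = [];
    for (const tag of this.pending) {
      if (this.granted[tag.purpose]) this.fire(tag, "consent granted");
      else stillHeld.push(tag);
    }
    this.pending = stillHeld;
  }

  fire(tag, reason) {
    tag.load();
    this.audit.push({ tag: tag.name, action: "loaded", reason });
  }

  heldTags() {
    return this.pending.map((t) => t.name);
  }
}

// Scenario: three constructed tags register before the user has made a choice,
// then the choice arrives. Returns what fired before and after the choice.
function runScenario(choices) {
  const gate = new ConsentGate();
  const injected = []; // stands in for <script> elements actually added to the page
  const makeTag = (name, purpose) => ({ name, purpose, load: () => injected.push(name) });

  gate.register(makeTag("first-party-session", "essential")); // constructed name
  gate.register(makeTag("analytics-tag", "analytics"));       // constructed name
  gate.register(makeTag("ad-pixel", "advertising"));          // constructed name

  const beforeChoice = injected.slice();
  gate.update(choices);
  return { beforeChoice, afterChoice: injected.slice(), held: gate.heldTags(), audit: gate.audit };
}

// Stand-alone run: user enables analytics only; the ad pixel stays held.
console.log(JSON.stringify(runScenario({ analytics: true, advertising: false }), null, 2));
```

The audit array is the piece to keep: a reviewer can see, per tag, that nothing non-essential fired before the choice and that each release is tied to a recorded consent purpose, which is exactly the evidence question a CIPA-style challenge raises.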
Washington’s My Health My Data Act (MHMD)
MHMD is a law that went into effect in 2024 that extends privacy protections to “consumer health data” and places obligations on organizations that collect and use it. Consumer health data is defined pretty broadly as any “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.” General categories under this definition are things like general health data, health-related data, and reproductive or sexual health information. Basically, any organization, be they a HIPAA Covered Entity or not, that is marketing any kind of health product positioned for a specific health complication could potentially face obligations under the law.
For purposes of advertising, any collection of “consumer health data” that is not necessary to provide the service being requested by the user (i.e. accessing the website in a digital context) requires explicit consent. This includes collection for purposes of analytics and personalization in addition to targeted advertising use cases. With this obligation in place, organizations in health-adjacent industries can expect a significant loss of the observable behavioral data from websites and applications that is commonly used for advertising use cases.
Washington is the most notable state with a health-data-specific law, but others, like Nevada, have similar laws, and more states are expected to pass similar legislation in the coming years.
Rules of thumb for advertisers:
- If marketing health-related products, much of your data collection via adtech and analytics platforms is likely in scope for Washington’s My Health My Data Act.
- In these cases, explicit consent for collection of that data is required.
- If in scope, evaluate data collection and use practices to ensure proper consent is obtained. Modifications to data and advertising strategies will likely be necessary in response to the observable data loss expected from implementing an explicit consent experience for legal compliance.
Where to Start for Advertisers
It’s true that privacy compliance for organizations operating in the United States is complex. The patchwork nature of privacy laws and requirements adds a lot of complexity. So where should advertisers start?
First, it is important to know your constraints. For your business, understand the nature of the information you are collecting as well as the various regulations that will be in play (your privacy office will be glad to help you here!). Once you understand the “rules of the game”, there are a series of general questions and rules of thumb that can be followed. Start by asking yourself the following questions:
- Are you collecting and using personal information?
  - As covered at the top, if you’re using data for advertising or analytics, you’re collecting personal data.
  - Ensure baseline requirements for disclosure and notice, as well as access and deletion, are being met.
- Are you dealing with sensitive data?
  - First consider the industry you are in. If health or health-adjacent, then probably; if dealing with children’s data, then definitely; if general consumer products, then probably not, unless you use precise location data for some use cases.
  - If yes, then you’ll have an opt-in requirement for the collection and use of those data points across all use cases.
- How are you using your users’ personal data?
  - If using personal data just for a measurement purpose, then you’re likely only beholden to the baseline requirements for disclosure and notice as well as access and deletion for this use case.
  - If using personal information for advertising use cases (outside of pure measurement), then you will at minimum have an opt-out user choice requirement in addition to the baseline requirements for notice and disclosure. Ensure the consent architecture is properly configured to respect the user’s consent choices.
  - Also, if yes for advertising, don’t forget data protection assessments! Ensure that all activities are documented with effective risk mitigation controls in place.
At the end of the day, it all starts with a clear understanding of all data collection and use practices, especially for any use of personal information for advertising. Document data collection, use, and purpose for all advertising activities and remember the rules of thumb to respectfully use your consumers’ data.