“Data-Driven Thinking” is written by members of the media community and contains fresh ideas on the digital revolution in media.
Today’s column is written by Richard Eisert, partner and co-chair of advertising, and Zachary Klein, associate, both at Davis+Gilbert.
California, Virginia and Colorado were just the beginning. Soon, the ad tech community will have even more state privacy laws to keep tabs on. On December 31, 2023, the Utah Consumer Privacy Act (UCPA) will go into effect, while the Connecticut Data Privacy Act is set to take effect on July 1, 2023.
While the seemingly relentless passage of legislation may seem daunting, most of these new state laws follow patterns. In short, if you’re gearing up for compliance with the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA) or the California Privacy Rights Act (CPRA), you’ll be well-positioned for the new Utah and Connecticut laws, too.
Here are some common features in the upcoming laws.
The definition of “sale”
Since a “sale” of personal information triggers many of the relevant requirements under the various state laws, the different definitions of “sale” are important. Similar to Virginia’s law, the Utah statute defines a “sale” as “the exchange of personal data for monetary consideration by a controller to a third party.”
This definition might not apply to the exchange of personal information, such as cookie data, for targeting and serving ads to users across different platforms, since that process often doesn’t involve an exchange for “monetary consideration.” The Connecticut statute, however, resembles the Colorado law and CCPA/CPRA in California, in that a “sale” includes “monetary or other valuable consideration.”
The CPRA goes further than any of the other statutes in regulating the “sharing” of information and creates other barriers to what it refers to as “cross-context behavioral advertising.”
See:
- What Does The CPRA Mean For Behavioral Advertising? (Nov. 2020)
- New Rules For Behavioral Advertising: How The CDPA And CPRA Compare (July 2021)
- How CPRA Treats “Cross-Context Behavioral Advertising” – And The Implications For Ad Tech (Dec. 2021)
“Sales” under the Utah and Connecticut statutes do not include disclosures to a data controller’s affiliates and processors or disclosures to third parties as directed by the consumer. This is similar to the Virginia and Colorado laws.
But the Utah statute is unique in that it also excludes disclosures of personal data to third parties from the definition of “sale” if the purpose is “consistent with a consumer’s reasonable expectations” and “considering the context in which the consumer provided the personal data to the controller.”
This should provide an additional layer of maneuverability for ad tech companies to share data outside the “sales” framework.
Targeted advertising and opt-outs
The definitions of “targeted advertising” under the Utah and Connecticut statutes mirror those in Virginia and Colorado. In particular, the Utah statute defines the term as “displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests.”
The Utah and Connecticut laws also list several exceptions to “targeted advertising,” which include:
- advertising based on a consumer’s activities within a controller’s website or online application;
- advertising based on the context of a consumer’s current search query or visit to a website or online application;
- advertising directed to a consumer in response to the consumer’s request for information, product, service or feedback; or
- processing personal data solely to measure or report advertising performance, reach or frequency.
As with the Virginia and Colorado laws, Utah and Connecticut consumers have the right to opt out of the processing of their data for targeted advertising, and controllers must clearly and conspicuously disclose to consumers the manner in which they may exercise their opt-out rights.
Notable differences
Although the several new state privacy laws have much in common, some subtle differences are beginning to take shape, such as opt-in requirements.
For example, the Utah law provides a notice and opt-out framework, while the CPRA allows consumers to limit a business’s use of their sensitive personal information for only statutorily permitted purposes. Connecticut follows Virginia and Colorado in requiring opt-in consent to process sensitive personal data.
The Connecticut law also prohibits controllers from processing personal data without consent for targeted advertising in cases where a consumer is at least 13 years old but younger than 18. The prohibition applies only if a controller knows or willfully disregards the consumer’s age.
This is similar to California’s opt-in consent rule for sharing the personal information of consumers that are at least 13 (but younger than 16) with a third party for cross-context behavioral advertising. These opt-in requirements for teenage consumers are not shared by the other three emerging state privacy laws.
Another difference is the use of opt-out preference signals. The Connecticut statute requires controllers “[not] later than January 1, 2025,” to recognize opt-out preference signals to allow consumers to opt out of the processing for targeted advertising, or sales of, their personal data.”
The CPRA is currently the only other law that clearly recognizes opt-out preference signals, although there is also related language in the Colorado statute.
The bottom line
No doubt, the ever-expanding list of state privacy laws can seem daunting for the ad tech industry.
But if you have already taken steps to comply with the state privacy laws in California, Virginia and Colorado, you will be well-positioned to comply with the new Utah and Connecticut statutes.
Follow Davis+Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.