How certain US privacy laws affect targeted advertising

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Getting new clients is an important part of growing any business and targeted advertising is a great way to get your name out there. However, with new privacy laws going into effect every year in the United States, you should be aware of the increasing regulations surrounding targeted advertising. In fact, residents of certain states will now have the right to opt out of receiving targeted ads. If an individual does opt out, you will not be able to send them targeted ads in the future, which could impact your advertising and sales goals. In this article, we will discuss what targeted advertising is, which new privacy laws regulate it, and what you can do to ensure compliance and avoid fines.

What is targeted advertising? 

To determine whether your advertising efforts will be impacted by these new privacy laws, you must first determine whether you engage in targeted advertising. Targeted advertising is defined as “displaying advertisements to a consumer where the advertisement is selected based on personal data obtained from that consumer’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests.” For example, if you run ads on Facebook to individuals who are 20-30 years old and who joined a motorcycle enthusiast group, that would be considered targeted advertising. Other examples include LinkedIn or Twitter ads or remarketing. If you engage in such targeted advertising, you should be aware that multiple new privacy laws regulate this activity. 

How does VCDPA regulate targeted advertising? 

The Virginia Consumer Data Protection Act (VCDPA) went into effect on January 1st, 2023, aiming to protect the privacy of residents of Virginia by requiring certain businesses to have a comprehensive Privacy Policy, providing rights to individuals, regulating targeted advertising and more. VCDPA applies to persons that do business in Virginia and that produce products or services that are targeted to Virginia and that: 

  • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
  • Control or process the personal data of at least 25,000 residents of Virginia and derive 50% or more of their gross revenue from the sale of personal data. 

If you need to comply with the VCDPA and engage in targeted advertising, you will need to have a Privacy Policy stating that you will use personal data for this purpose. In addition to all of the other Privacy Policy disclosures required by the VCDPA, your Privacy Policy will also need to inform users that they have the right to opt out of targeted ads and how they can do so. Furthermore, if an individual opts out, you will not be able to use their personal data to send them targeted ads. Lastly, you will also need to perform a data protection assessment to identify the risks and benefits of using personal data for targeted advertisements. 

How does CPRA regulate targeted ads? 

The California Privacy Rights Act (CPRA) replaces and builds upon the California Consumer Privacy Act (CCPA) and went into effect on January 1st, 2023. The CPRA applies to businesses that collect the personal information of residents of California and do business in California and that meet one of the following factors: 

  • Have annual gross revenue of more than $25,000,000; 
  • Derive 50% or more of its annual revenue from selling or sharing the personal information of California consumers; or 
  • Annually buy, sell or share the personal information of 100,000 or more California consumers or households. 

The CPRA allows consumers from California to opt out of the use of their personal information for the purpose of targeted advertising. For the CPRA, this opt out is usually done through a link titled “Do not sell/do not share my personal information.” 

How does UCPA regulate targeted ads? 

The Utah Consumer Privacy Act (UCPA) is a privacy law that went into effect on December 31, 2023, and that also regulates targeted advertising. UCPA applies to persons that do business in Utah or that produce a product or service that is targeted to consumers who are located in Utah and that meet the following:

  • Has annual revenue of $25,000,000 or more; and 
  • Meets one of the following criteria:
    • During a calendar year, controls or processes the personal data of 100,000 or more Utah residents; or 
    • Derives 50% or more of its annual gross revenue from the sale of personal data and controls or processes the personal data of 25,000 or more Utah consumers. 

UCPA provides Utah residents with the right to opt out of their personal data being used for targeted advertising. UCPA also requires businesses to have a Privacy Policy that states that personal data will be used for targeted ads and how to opt out of such use. Finally, if a consumer opts out of targeted ads, their personal data cannot be used for this purpose in the future. 

How does the Colorado Privacy Act regulate targeted advertising? 

The Colorado Privacy Act is a privacy law that went into effect on July 1, 2023, and provides residents of Colorado with the right to opt out of targeted advertising. The Colorado Privacy Act applies to persons who do business in Colorado or that produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one or more of the following criteria: 

  • Control or process the personal data of 100,000 or more Colorado consumers during a calendar year; or 
  • Derive revenue or receive a discount from the sale of personal data and collect or process the personal information of 25,000 or more Colorado consumers. 

Businesses that need to comply with the Colorado Privacy Act need to have a comprehensive Privacy Policy that includes the disclosures required by this law, including whether personal data will be used for targeted advertising and how to opt out of such use. The Colorado Privacy Act states that businesses may use a universal opt-out mechanism for requests to opt out of targeted ads. In addition, if a consumer opts in to receiving targeted ads, they must be able to withdraw their consent at any time. Lastly, businesses that process personal data for targeted ads must conduct a data protection assessment because such processing “presents a heightened risk of harm to a consumer.”

How does Connecticut SB6 regulate targeted ads? 

Connecticut SB6 is a privacy law that went into effect on July 1, 2023 and applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year: 

  • Controlled or processed the personal data of 100,000 or more Connecticut residents; or 
  • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived 25% or more of their gross revenue from the sale of personal data. 

This privacy law provides residents of Connecticut with the right to opt out of targeted advertisements and requires businesses to inform consumers of this right and how to exercise it within their Privacy Policy. Connecticut SB6 provides that opt outs can take place either through a link or, by January 1, 2025, through an opt-out preference signal sent by a platform, technology or mechanism to the business. Lastly, the law requires businesses that engage in targeted advertising to conduct a data protection assessment to assess the benefits and risks of such use.

How does Iowa SF262 regulate targeted advertising? 

Iowa SF262 is a privacy law that went into effect on January 1, 2026, regulating any person conducting business in Iowa or producing products or services that are targeted to residents of Iowa and that meet one of the following: 

  • Controls or processes the personal data of 100,000 or more Iowa residents per year; or
  • Controls or processes the personal data of 25,000 or more Iowa residents and derives more than 50% of gross revenue from the sale of personal data per year. 

Iowa SF262 requires businesses to have a comprehensive Privacy Policy that informs consumers that their personal data will be used for targeted advertising and how consumers can opt out of such use. If an individual does opt out of targeted advertising, a business can no longer use that person’s personal data for targeted ads. 

Targeted advertising checklist 

If you currently engage in targeted advertising and plan to continue doing so, the following checklist may help you determine how you need to adjust your operations to comply with the above privacy laws:

  1. Determine whether the above privacy laws apply to you and whether your advertising matches the description of “targeted advertising” provided above; 
  2. Create your comprehensive Privacy Policy with Termageddon, selecting that you will use personal data for targeted advertising; 
  3. When answering the Termageddon Privacy Policy questionnaire, provide the contact methods of how a user can contact you to opt out of targeted ads and exercise their privacy rights; 
  4. Implement the Termageddon/Usercentrics cookie consent banner so users can easily opt out of targeted ads through the consent banner on your website.

If you’re utilizing targeted ads to get leads for your website and don’t have a policies solution in place, consider signing up with Termageddon.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
