Most modern U.S. data privacy statutes require companies to allow data subjects to opt out of having their personal information (PI) used for targeted advertising. As the following chart indicates, the term “targeted advertising” is defined consistently between and among most state statutes with the notable exception of the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA). Unlike the other state privacy statutes, the CPRA’s definition of “cross-context behavioral advertising” (CCBA) (the term relating to “targeted advertising” that is used within the CPRA) does not expressly state that such activity must be based upon the observation of a consumer’s activities “over time,” or that it must involve predictions about the consumer’s preferences or interests. It does, however, clarify that CCBA means “the targeting of advertising to a consumer based on the consumer’s [PI] obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” The California Privacy Protection Agency (CPPA) or California courts may ultimately align the CPRA’s definition with that used in other states’ statutes by finding that both elements are implied.

Click to view full-sized table.