U.S. State Privacy Legislation: Key Updates and Impacts on Digital Advertising

Choozle January 14, 2025

State privacy legislation continues to expand across the U.S. California set a precedent by passing the first privacy law in 2020, which has since been amended with additional regulations. In 2023, four more states—Virginia, Colorado, Connecticut, and Utah—enacted similar laws. This momentum continued in 2024, with Oregon, Texas, Florida, and Montana joining the list.

The trend shows no signs of slowing, as 2025 is poised to bring the largest expansion yet. Four new privacy laws will take effect in January (Delaware, Nebraska, New Hampshire, and New Jersey), followed by additional laws later in the year in Tennessee (July 1), Minnesota (July 31), and Maryland (October 1). This brings the grand total to 17 state privacy laws, reflecting the growing emphasis on data privacy nationwide.*

Generally speaking, the privacy laws taking effect this year follow the same basic framework and requirements as those previously enacted. However, California remains an outlier, along with the upcoming Maryland privacy law, which introduces unique provisions.

*There are currently 3 US state privacy laws coming into effect in 2026 (Indiana, Kentucky, and Rhode Island).

Advertising Services Designations Under U.S. State Privacy Law

Choozle is usually designated as a ‘Processor’ under U.S. state privacy laws and a ‘Service Provider’ under the California Consumer Privacy Act and its amendments (“CCPA”). Advertisers, on the other hand, are considered ‘Controllers’ under U.S. state privacy laws (or ‘Business’ as defined by the CCPA). As a Service Provider, Choozle operates under the ‘advertising and marketing services’ Business Purpose.

However, providers of third-party advertising services, such as media platforms (e.g., Google, Meta, Amazon) or buying tools (e.g., The Trade Desk, Yahoo!), act as ‘Independent Controllers’ of the data they collect through pixel tags or cookies associated with visitors to advertiser websites. This practice, commonly referred to as ‘targeted advertising’ under state privacy laws (or ‘cross-context behavioral advertising’ in California), imposes specific compliance obligations on advertisers when using these third-party tools on their websites.

This blog is not intended to provide comprehensive details about your obligations under U.S. state privacy laws, nor should it be considered legal advice. Please consult with a lawyer or privacy advisor before making any compliance-related changes to your business.

How Advertisers Can Comply with U.S. Privacy Laws

The bulk of these laws have the same basic requirements for advertisers who use third-party pixel tags/cookies on their websites.

1. Notice – Privacy Policy: Advertisers and ad-supported media publishers (as well as any intermediaries designated as ‘Controllers’ such as affiliates) must ensure their privacy policies disclose to consumers all of the uses of their personal information, especially third-party advertising relationships that may be deemed a ‘sale’ under most state laws (and a ‘share’ under California law). If your privacy policy does not already include the following, you should consider these updates:

a.) Inform consumers that you disclose their personal information to ‘Service Providers’ (as defined under the CCPA) for advertising purposes, including measurement providers.

b.) Inform consumers that you disclose their personal information to third-party advertising partners to target ads on other websites (or apps) and that this disclosure may be deemed a ‘sale’ or ‘share’ under state privacy laws. 

c.) A best practice is to list the specific companies that you allow to place pixel tags/cookies on your website in order to use their services to target ads and link to their advertising privacy pages, such as Meta, Amazon, Google, or The Trade Desk.  Alternatively, you can link to a ‘consent management platform’ (see below). 

2. Consent Management Platforms (aka ‘Cookie Banners’): U.S. state privacy law requires businesses to enable all website visitors to opt out of targeted (or ‘cross-context behavioral’) advertising, as well as the ‘sale’ of personal information. When configuring Choozle’s services, advertisers can choose to put the pixels of various types of third-party advertising partners (e.g., The Trade Desk) in the Choozle ‘smart tag container.’ Some of these third-party advertising partners’ pixels are considered to be a ‘sale’ or ‘share,’ so consumers must be presented with the ability to opt out of the placement of such tracking technologies. In addition to referencing and linking to these advertising partners in a privacy notice, a common practice is to present website visitors with direct control through a ‘consent management platform’ (CMP). You’ve probably seen a myriad of popups providing notice and choice with the use of cookies, and there are many types of CMPs to choose from that vary in price and sophistication.

Some key considerations when implementing a CMP:

a.) The best practice is to immediately present the opt-out choice rather than force users to visit a ‘settings’ page or be directed to the cookies section of a privacy or cookie policy. In fact, California law indicates that the text in the presented choice (which also needs to be in the website footer) should read “Do Not Sell or Share My Personal Information,” while other states do not prescribe any such text, and a more generic ‘opt out of targeted advertising’ or similar language would be acceptable.

b.) Make sure all (and only) third-party advertising cookies are included in the choice mechanism, as opposed to all pixel tags/cookies. Only advertising services that enable an advertiser to ‘retarget’ a visitor to their own website on another website are required to present an opt-out choice. As a result, all measurement and analytics pixel tags, as well as website personalization, functional, or performance-related pixel tags, do not need to be included with any targeted advertising opt-out requirements.      

c.) Turn on the ‘Global Privacy Control’ (or ‘opt-out preference signal’) feature. Do not select a CMP unless it can identify browsers and browser extensions that automatically indicate to websites that the visitor does not want their information ‘sold’ or ‘shared’ for targeted advertising. Most US state privacy laws have legally required this feature to be recognized. It is clearly a user choice that websites should ubiquitously recognize (and is only marginally adopted by consumers today).

d.) If you also use your collected email list for ‘custom audience’ matching with social platforms or programmatic advertising, you should offer this opt-out choice separately, as most pixel/cookie CMPs do not also include the ability to enter an email address at the initial website visit. Make sure that the email opt-out option is included in your privacy policy or a more configurable CMP.
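The sketch below is an added example, not Choozle's or any CMP vendor's code, showing how considerations b through d can be expressed as tag-gating logic: only targeted-advertising tags sit behind the opt-out, a Global Privacy Control signal counts as an opt-out, and email-based audience matching keeps its own suppression list. Tag names, category labels and function names are hypothetical, and holding back unclassified tags for opted-out visitors is a design choice of this example.

```javascript
// Added example. Tag names, categories and function names are hypothetical.
const OPT_OUT_CATEGORIES = new Set(["targeted_advertising"]);
const EXEMPT_CATEGORIES = new Set([
  "measurement", "analytics", "personalization", "functional", "performance",
]);

// Constructed sample tag inventory for one site.
const SAMPLE_TAGS = [
  { name: "retargeting-pixel", category: "targeted_advertising" },
  { name: "conversion-measurement", category: "measurement" },
  { name: "site-analytics", category: "analytics" },
  { name: "new-vendor-tag", category: undefined }, // not yet classified
];

// GPC is exposed to scripts as navigator.globalPrivacyControl and to servers
// as the "Sec-GPC: 1" request header (header names lowercased, as Node does).
function gpcEnabled({ nav, headers } = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  return String((headers && headers["sec-gpc"]) ?? "").trim() === "1";
}

// Decide which tags may fire for this visitor. GPC and a banner opt-out are
// treated the same way; the reason is recorded for audit logging.
function decideTags(tags, { gpc = false, bannerOptOut = false } = {}) {
  const optedOut = gpc || bannerOptOut;
  const reason = gpc ? "gpc" : "banner_opt_out";
  const load = [];
  const blocked = [];
  for (const tag of tags) {
    // Assumption of this example: a tag with no known category is gated too,
    // so a newly added pixel cannot bypass the opt-out before it is reviewed.
    const gated = OPT_OUT_CATEGORIES.has(tag.category) ||
      !EXEMPT_CATEGORIES.has(tag.category);
    if (optedOut && gated) blocked.push({ name: tag.name, reason });
    else load.push(tag.name);
  }
  return { load, blocked };
}

// Consideration d: email opt-outs are tracked separately from cookie choices
// and applied before any list is sent for 'custom audience' matching.
function audienceUploadList(emails, optedOutEmails) {
  const norm = (e) => e.trim().toLowerCase();
  const suppressed = new Set(optedOutEmails.map(norm));
  return emails.map(norm).filter((e) => !suppressed.has(e));
}
```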

3. Sensitive Personal Information: Every new state law includes a reference to limiting the collection and/or use of ‘sensitive personal information’ (SPI). While each state has a slightly different definition, the categories now commonly include: (1) racial or ethnic origin; (2) religious or philosophical beliefs; (3) sex life, sexual orientation; (4) citizenship or immigration status; (5) genetic data for the purpose of identifying an individual; (6) biometric data for the purpose of identifying an individual; (7) personal data collected from a known child; (8) precise geolocation data; and (9) health information (which can be narrowly defined as ‘diagnosis’ or broadly defined as ‘status’). In some states, companies must get ‘opt-in’ consent for the collection and use of any of these SPI attributes.

For example, if your company operates in the health vertical – even if you are not regulated by the Health Insurance Portability and Accountability Act (HIPAA) – the aforementioned US state privacy laws may impact your ability to use pixel tags on specific web pages that collect self-reported information about health diagnosis, conditions, or status. In addition to US state privacy laws, there are also now two ‘consumer health data’ laws in effect in Washington and Nevada that have a heightened consent requirement (greater than opt-out or opt-in) in order to use collected health information for targeted advertising. This puts further pressure on advertisers to use a properly configured CMP that can be set specifically for states with strict requirements for SPI or consumer health data.

And then there was Maryland…

Maryland’s privacy law, the Maryland Online Data Privacy Act (MDODPA), which comes into effect in October 2025, varies from the standard privacy laws and has additional restrictions around targeted advertising, processing sensitive information, and data minimization. Namely, MDODPA:

  • Prohibits targeted advertising to minors under 18.
  • Prohibits the sale of personal data of minors under 18.
  • Prohibits selling sensitive personal information of any consumer.
  • Prohibits the processing of sensitive personal information unless it is strictly necessary to provide a specific product or service requested by the consumer.
  • Prohibits the collection of personal data unless it is reasonably necessary and proportionate to provide/maintain a product or service that the consumer requests. 

Practically speaking, later this year, websites may need to collect ‘opt-in’ consent from Maryland visitors before using any third-party advertising services.

Conclusion

While these new U.S. state privacy laws build off of existing privacy laws, there are a number of new requirements and important distinctions between the upcoming privacy laws. We recommend you speak to a lawyer or privacy advisor prior to making changes to your website and privacy-compliance efforts. If you have any questions about how to use the Choozle services in compliance with these U.S. state privacy laws, please contact your Choozle representative or email us at privacy@choozle.com.

McKenzie Thomsen

McKenzie focuses her legal practice at the intersection of technology and privacy. As a proactive advisor, McKenzie works with clients to operationalize data privacy programs in compliance with state (CCPA, etc.), federal (FERPA, GLBA, HIPAA), and global (GDPR) laws and regulations. She supports businesses in drafting and updating privacy policies, operationalizing privacy, and advising on all privacy-related matters. In addition, McKenzie drafts and negotiates commercial contracts. McKenzie leverages her understanding of tech, and in particular, the adtech ecosystem, to help her clients strategize and respond to notices and demands under the California Invasion of Privacy Act (CIPA).

McKenzie received her J.D. from the University of San Francisco where she graduated with a certificate in Intellectual Property and Technology Law with honors and served as Senior Articles Editor for the Intellectual Property and Technology Law Journal.

In her spare time, McKenzie currently volunteers for the Privacy Section of the California Lawyers Association, putting on events and writing for the Adtech subcommittee. McKenzie also serves as a Co-Chair of IAPP’s Cincinnati KnowledgeNet Chapter. Previously, she was a Co-Chair of IAPP’s Silicon Valley KnowledgeNet Chapter, and prior to that was a ‘Young Privacy Professional’ for IAPP’s San Francisco chapter.

McKenzie is a member of the State Bar of California and has earned her CIPP/US from the IAPP.
