If your company’s marketing plan includes cross-context behavioral advertising (i.e., targeting ads to consumers based on their Internet browsing habits, also known as ad tracking), this alert may be for you.
The attorneys general of Connecticut, California, and Colorado, together with the California Privacy Protection Agency (CPPA), have announced a joint investigative sweep to address potential noncompliance with their states’ comprehensive consumer data privacy laws. These states require covered businesses not only to allow consumers to opt out of the sale and “sharing” of their personal data (i.e., disclosure for cross-context behavioral advertising) but also to honor user-enabled universal opt-out signals (such as the Global Privacy Control, or GPC) as valid opt-out requests. The GPC is a browser setting or extension that automatically signals to a business that the consumer wants to opt out of the sale and “sharing” of their personal data. Other states that have enacted omnibus consumer data privacy laws may have similar requirements.
A business that engages in ad tracking and does not currently recognize the GPC signal should determine whether it is subject to a state law that requires such recognition. If so, it should assess how to comply with the opt-out and other provisions of applicable state law. This assessment may involve the review of a business’s public-facing consumer privacy notice, website terms of service, cookie policy, and opt-out procedures. Nineteen states have enacted comprehensive consumer data privacy laws with various opt-out requirements. Whether a business is covered under a particular law generally depends on whether it offers goods and services to residents of that state for personal or household use and on some combination of annual revenue and/or processing, selling, and/or “sharing” of a certain number of consumers’ personal data. (California law is stricter and more expansive.) The coverage analysis can be complex, and certain businesses—such as nonprofits, financial institutions, colleges and universities, and HIPAA-covered entities—may be exempt.
The joint investigative sweep follows the spring announcement of the creation of the Consortium of Privacy Regulators and the debut of New Jersey’s omnibus law (which echoes elements of the California and Colorado laws), showing just how closely the states are coordinating. The consortium consists of the CPPA and state attorneys general from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon. These two announcements, along with other public comments from the regulators, indicate that coordinated investigations are likely to become the norm.
For more information or to discuss data privacy compliance, Kim Metzger, Erin Prest, and the McCarter & English Cybersecurity and Data Privacy team stand ready to assist you.
