Targeted advertising relies on collecting and processing personal data to deliver customized content. State privacy laws in the United States now provide residents with legal mechanisms to opt out of these practices. This guide covers the technical aspects of exercising your rights under various state privacy laws, with practical examples for developers building privacy-respecting applications.
State Privacy Laws Overview
Several states have enacted privacy legislation that includes opt-out rights for targeted advertising:
California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide California residents the right to opt out of the sale or sharing of their personal information, which directly covers targeted advertising.
Virginia Consumer Data Protection Act (VCDPA) grants residents the right to opt out of targeted advertising, defined as advertising based on personal data from across websites or applications.
Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and similar laws in other states follow similar frameworks with opt-out provisions for targeted advertising.
These laws apply to businesses meeting certain revenue or data processing thresholds, typically requiring businesses to honor universal opt-out signals sent through browsers or applications.
Technical Mechanisms for Opt-Out
Global Privacy Control (GPC)
The most important technical mechanism is Global Privacy Control (GPC), a browser signal that automatically requests opt-out from participating websites. When enabled in your browser settings, GPC sends the following header with every HTTP request:
Sec-GPC: 1
To verify GPC is working, developers can check for this header in their server-side code. Here’s a simple Node.js example:
function checkGPC(req) {
const gpcHeader = req.headers['sec-gpc'];
const gpcParam = req.query.gpc;
return gpcHeader === '1' || gpcParam === 'true';
}
// Usage in express route
app.get('/api/data', (req, res) => {
if (checkGPC(req)) {
// Process opt-out request
return res.status(226).json({
status: 'opt-out-honored',
processing: 'none'
});
}
// Normal processing
});
GPC is now supported by major browsers including Firefox, Brave, and DuckDuckGo. Safari and Chrome have added varying levels of support.
Processing Opt-Out Requests
Businesses covered by state privacy laws must provide at least one method for consumers to submit opt-out requests. Common methods include:
- Web forms - Privacy settings pages with opt-out toggles
- Email submissions - Dedicated privacy request email addresses
- API endpoints - Programmatic interfaces for bulk opt-outs
- Phone support - Though less common for technical opt-outs
For developers building compliant systems, processing these requests requires careful implementation:
import hashlib
import json
from datetime import datetime, timedelta
class PrivacyRequestHandler:
def __init__(self, user_db, marketing_db):
self.user_db = user_db
self.marketing_db = marketing_db
def process_targeted_advertising_opt_out(self, user_id):
"""
Process opt-out request for targeted advertising.
This should disable all profiling and ad targeting.
"""
user = self.user_db.get(user_id)
# Disable advertising identifiers
self.user_db.update(user_id, {
'advertising_id': None,
'targeted_ads_enabled': False,
'profiling_enabled': False,
'opt_out_timestamp': datetime.utcnow().isoformat(),
'opt_out_type': 'targeted_advertising'
})
# Remove from marketing segments
self.marketing_db.remove_from_segments(user_id, [
'behavioral_ads',
'interest-based_ads',
'lookalike_audiences'
])
# Delete any stored ad tracking data
self.marketing_db.delete_ad_data(user_id)
return {'status': 'opt-out-complete'}
Platform-Specific Opt-Out Instructions
Meta (Facebook and Instagram)
Meta provides privacy settings that limit targeted advertising:
- Navigate to Settings > Privacy > Ad preferences
- Review categories assigned to your account
- Turn off interest-based advertising
- Review and remove ad topics you want to avoid
For developers, Meta’s Marketing API includes privacy endpoints:
// Facebook Marketing API - access ad preferences
async function getFacebookAdPreferences(accessToken) {
const response = await fetch(
`https://graph.facebook.com/v18.0/me/adPreferences?access_token=${accessToken}`
);
return response.json();
}
Google Advertising
Google maintains ad personalization controls:
- Visit myadcenter.google.com
- Toggle off ad personalization
- Review topic interests and remove unwanted categories
- Manage ad topic sensitivity settings
The Google Analytics GA4 API allows developers to implement opt-outs at the tracking level:
// Disable Google Analytics tracking for opted-out users
function disableGATracking() {
// Disable all GA cookies
window['ga-disable-GA_MEASUREMENT_ID'] = true;
// For GA4 gtag implementation
gtag('consent', 'update', {
'ad_storage': 'denied',
'analytics_storage': 'denied'
});
}
Amazon Advertising
Amazon’s Ad Preferences page allows you to:
- View and edit interest categories
- Turn off personalized advertising
- Opt out of remarketing audiences
Data Broker Opt-Outs
Several data brokers maintain consumer profiles used for advertising. Opting out directly from these brokers reduces the data available for targeting:
Acxiom: Visit isapps.acxiom.com/optout/preference.aspx
Oracle Data Cloud: Submit requests through oracle.com/privacy
Experian: Access consumer information at consumer.risk.lexisnexis.com
Many states maintain registry services where you can opt out of multiple brokers simultaneously.
Automating Opt-Out Requests
For power users managing opt-outs across many services, automation tools provide efficiency. The following Python script demonstrates the concept of sending a formal privacy request:
import requests
from datetime import datetime
class PrivacyOptOut:
def __init__(self, identity_verification=None):
self.session = requests.Session()
self.verification = identity_verification
def send_ccpa_opt_out(self, business_email, business_name):
"""
Send a CCPA opt-out request to a business.
Businesses must respond within 45 days.
"""
request_data = {
"type": "opt-out",
"request_type": "targeted_advertising",
"legal_basis": "CCPA",
"request_date": datetime.utcnow().isoformat(),
"consumer": self.verification,
"response_required": True
}
headers = {
'Content-Type': 'application/json',
'Authorization': f'Bearer {self._get_auth_token()}'
}
response = self.session.post(
f'{business_email}/privacy/request',
json=request_data,
headers=headers
)
return {
'status': response.status_code,
'request_id': response.headers.get('Request-Id'),
'response_deadline': self._calculate_deadline()
}
def _calculate_deadline(self):
"""CCPA requires response within 45 days"""
return (datetime.utcnow() + timedelta(days=45)).isoformat()
Verifying Your Opt-Out Status
After submitting opt-out requests, verify compliance through:
- Browser inspection - Check for persistent tracking cookies
- Network monitoring - Observe advertising network requests
- Third-party audits - Use services that check tracking exposure
- Direct inquiry - Request confirmation from businesses
The following bash command demonstrates checking for common tracking domains:
#!/bin/bash
# Check for tracking requests in network logs
DOMAINS=(
"doubleclick.net"
"facebook.com/tr"
"googlesyndication.com"
"advertising.com"
"criteo.com"
"taboola.com"
"outbrain.com"
)
check_tracking() {
local domain="$1"
if grep -q "$domain" /tmp/network_log.txt; then
echo "TRACKING DETECTED: $domain"
return 1
fi
echo "Clean: $domain"
return 0
}
for domain in "${DOMAINS[@]}"; do
check_tracking "$domain"
done
For Developers: Building Privacy-Compliant Systems
If you’re building applications that serve users in privacy-law states, implement these patterns:
Honor GPC Signal
// Middleware to check and honor GPC
function honorGlobalPrivacyControl(req, res, next) {
const gpcHeader = req.headers['sec-gpc'];
const gpcParam = req.query.gpc;
if (gpcHeader === '1' || gpcParam === 'true') {
// Immediately disable all tracking
disableAllTracking(req.userId);
res.set('GPC-Status', 'honored');
}
next();
}
Provide Clear Opt-Out Mechanisms
<!-- Privacy settings page snippet -->
<section id="privacy-controls">
<h2>Privacy Preferences</h2>
<div class="opt-out-option">
<label for="targeted-ads">
<input type="checkbox"
id="targeted-ads"
name="targeted_advertising"
checked>
Disable targeted advertising
</label>
<p class="description">
We will stop using your browsing behavior and profile
to deliver personalized advertisements.
</p>
</div>
<button type="submit" class="btn-primary">
Save Preferences
</button>
</section>
Maintain Audit Logs
def log_privacy_request(request_type, user_id, timestamp=None):
"""Maintain audit log for compliance"""
log_entry = {
'timestamp': timestamp or datetime.utcnow().isoformat(),
'request_type': request_type,
'user_id': hashlib.sha256(user_id.encode()).hexdigest()[:16],
'ip_address': get_client_ip(),
'user_agent': get_user_agent(),
'processing_completed': False
}
audit_db.insert('privacy_requests', log_entry)
return log_entry['timestamp']
Limitations and Considerations
State privacy law opt-outs have boundaries:
- Retroactive limitations: Opt-outs affect future data use but don’t always require deletion of historical profiles
- Cross-context sharing: Some laws treat sharing differently than selling
- Service functionality: Some personal information necessary for service delivery may continue processing
- Tiered compliance: Businesses below threshold sizes may not be covered
Regularly review and resubmit opt-out requests, as businesses may collect new data or update their practices.
Related Articles
- How To Use State Attorney General Office To Enforce Privacy
- Opt Out of Data Sharing Under Connecticut Data Privacy Act
- Threat Model For Political Dissident In Surveillance State 2
- Data Broker Opt Out Automation Tools That Continuously Remov
- Facebook Facial Recognition Opt Out Guide
Built by theluckystrike — More at zovo.one