This topic discusses the five US state data privacy laws and their usage within the Multi-State Privacy Agreement (MSPA) national framework, supported by the Global Privacy Platform (GPP).
MSPA supports privacy laws for five states: California, Virginia, Colorado, Utah, and Connecticut. MSPA also provides a national framework encompassing all the consents covered in the five individual state laws.
The GPP's goal is to simplify the conveyance of privacy, consent, and consumer choice signals from websites and applications to ad tech vendors. It empowers advertisers, publishers, and technology vendors to align with regulatory requirements globally.
This framework facilitates the use of a consent management platform (CMP) for capturing and conveying consent signals throughout the digital advertising supply chain. The GPP centralizes the management of diverse consent signals from various global privacy jurisdictions and additionally accommodates the Global Privacy Control (GPC), a browser-level signal enabling individuals to opt out of information sale or sharing. Currently, the GPP supports consent strings for both the US Privacy and IAB Europe TCF.
The US Privacy String will be deprecated by April 30, 2024. The legacy US Privacy signal does not support the privacy signals of four US states: VA, CO, CT, and UT. For CCPA, only a few of the required consents are supported. In contrast, the new state signals for the other four states will only be supported by the GPP.
The next section covers the five state laws in detail. After that, we explain the two regulatory paths for enforcing MSPA in the United States, namely the state + national approach and the national approach.
The California Consumer Privacy Act (CCPA) came into force on January 1, 2020. It grants California consumers increased authority over the personal information collected by businesses.
These are the opt-out signals collected from end-users under CCPA:
The CCPA applies to for-profit enterprises engaging in the collection, sharing, or sale of personal information belonging to California residents. The business may or may not be based in California; it must comply with CCPA if it meets one or more of the following criteria:
If a business subject to CCPA is found to be non-compliant, it could face a fine in the following range:
The Virginia Consumer Data Protection Act (VCDPA) came into effect on January 1, 2023.
These are the opt-out signals collected from end-users under VCDPA:
The VCDPA applies to businesses or entities based in Virginia or those that sell products and services to Virginia residents, and meet one or more of the following criteria:
If a business is found to be non-compliant with the VCDPA, it could face a fine of up to $7,500 per violation.
The Colorado Privacy Act (CPA) was enacted on July 8, 2021. It applies to entities engaged in business within Colorado or serving its residents.
These are the opt-out signals collected from end-users under CPA:
The CPA applies to businesses operating within the state or those catering to Connecticut residents, and in the preceding year:
The CPA imposes a significant fine of $20,000 per violation and sets a maximum penalty of $500,000.
On 24th March 2022, Utah became the fourth state to pass a data privacy law. Experts also consider the Utah Consumer Privacy Act (UCPA) more business-friendly than the other privacy regulations in the U.S., including the CCPA, VCDPA, and CPA.
These are the opt-out signals collected from end-users under CPA:
Companies with annual revenues exceeding $25 million must adhere to the UCPA if they operate in Utah or offer products or services aimed at Utah residents. Additionally, businesses must meet one of the following thresholds to fall under the purview of the UCPA:
A violation of UCPA can cost a business fines of actual damages plus $7,500 per violation.
The Utah Consumer Privacy Act (UCPA) distinguishes itself from other data privacy laws by offering a more business-friendly approach with a narrower scope, excluding many companies from compliance.
The UCPA defines a "consumer" as an individual in a personal or household context, explicitly excluding those in employment or commercial contexts, which leaves employee data unprotected. Unlike CCPA, UCPA focuses on the sale of personal data and targeted advertising, defining a sale as the exchange of personal data for monetary consideration.
UCPA's broad definition of "data" includes information reasonably linkable to an identifiable individual, with exceptions for aggregated and de-identified data.
Enacted on May 10, 2022, the CTDPA empowers Connecticut residents with increased control over their data. In contrast to states like California, the act defines a consumer as a state resident acting on an individual basis, not within a commercial or employment context.
These are the opt-out signals collected from end-users under CTDPA:
The CTDPA applies to businesses within the state or those catering to Connecticut residents that, in the preceding year:
A violation of CTDPA can result in a fine of $5,000 per violation.
For details on how opt-outs are covered under the MSPA, see Consents Covered Under MSPA.
The MSPA, inspired by the IAB's limited-service provider agreement, is a contractual framework designed to assist companies in exchanging Global Privacy Platform consent signals with their partners in the online advertising supply chain. It was introduced on December 1, 2022.
It ensures compliance with various state privacy laws, including the CCPA in California and others taking effect in Colorado (CPA), Virginia (VCDPA), Connecticut (CTDPA), and Utah (UCPA).
For transactions covered under MSPA, First Parties (publishers and advertisers) have the option to operate either in Service Provider Mode or Opt-Out Option Mode. Service Provider Mode is for signatories refraining from "selling," "sharing," or processing personal information for "targeted advertising."
For more information on each Mode, see Technicalities of MSPA.
As numerous state privacy laws come into effect, publishers face the decision of whether to navigate compliance on a state-by-state basis or implement the strictest data usage standards across their entire business nationally. The MSPA guides both approaches.
State-specific privacy laws are applicable based on the consumer's residence, not the location of the company or its partners. Implementing processes on a state-by-state basis can be challenging, making a national approach organizationally simpler.
Opting for a national approach eliminates the need to determine a consumer's location. The MSPA's national approach adheres to the highest common denominator for compliance. For more details on the national and state approaches, see What is a Regulatory Path?