Beyond 2025: It’s Time To Update ALL Of Your Consent Preferences

"Toto, I've a feeling we're not in Europe anymore." / Alex Krylov via MS Creator

Happy 2025. It’s time to celebrate that 19 U.S. states now have a privacy law enacted or coming into effect in the coming year. Whatever cookie banner you have on your website will no longer be sufficient to manage all of the new requirements, so it’s time to rethink your consent preferences approach across all digital touchpoints. Here are some things to consider:

Does your ‘targeted advertising’ choice specifically present an opt-out? 

For U.S. compliance, the objective of any advertising consent choice should be enabling an easy and specific opt-out. Yet most U.S. cookie consent mechanisms do not specify an opt-out, but rather default to the ‘Continue’ button, or perhaps offer a ‘Settings’ choice alongside the default ‘Accept’ button. To be clear, all 19 U.S. states require that consumers be presented with a specific opt-out mechanism, with California being so prescriptive as to require that these mechanisms include the “Do Not Sell or Share My Personal Information” reference. Even so, no U.S. state prescribes that cookie choices be presented in a pop-up banner; they only need to be presented through some mechanism, which can be a link from the website footer or in the privacy policy. When reconfiguring your cookie consent mechanism, consider the following:

  • Stop referring to choices for ‘all cookies’ and even ‘personalized content’, since there’s no legal need in the U.S. to get an opt-out or change settings for your own website analytics/personalization efforts (*yet). Configuring all cookie settings may be deemed a privacy best practice, but the number of U.S. visitors who configure those settings is negligible, and for most websites limiting the choices to targeted advertising will have no brand impact.
  • Make sure your consent management platform (CMP) is configured to include all third-party advertising partners, but not companies designated as ‘processors/service providers’. Many U.S. websites are violating their own opt-out choices by stating that the presented choices cover all cookies (advertising, performance, and analytics alike), but, when they receive an opt-out, only disabling targeted advertising partners by default. Further, some advertising services may be misconfigured: even a conversion tracking pixel from an advertising media partner is likely to be deemed a ‘sale’ or ‘share’, since you’re also buying the targeted ads from that partner. (Not to be confused with Google Analytics, which is configured independently of Google Ads.)
  • Use more prescriptive terms to reflect that the choice is to opt out of ‘targeted advertising’, or consider geofencing your CMP and using California’s prescriptive ‘Do Not Sell or Share My Personal Information’ (DNSSMPI). Most CMP tools will enable you to geo-target California visitors with the ‘DNSSMPI’ language based on IP address.
  • Time to turn on ‘Global Privacy Control’ or ‘Opt-out Preference Signal’ functions. California, Colorado, Connecticut, Texas, Montana, Nebraska, and New Hampshire have now codified this requirement to support browser/extension automated opt-out signals. Most CMPs will now have this function available, and if yours does not, then it’s time to find yourself a new CMP, as it is a legal requirement in those states.
  • Don’t forget to use the CMP’s ‘sticky’ function to make the pixel/cookie consent choice available at any time, with an actual cookie icon, cookie settings tab, or other choice that is available somewhere prominent on the homepage, in the footer, or in the privacy policy.
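To make the configuration points above concrete, here is an added example (not code from the article or from any CMP vendor) of the gating logic a CMP should implement for U.S. visitors: detect an opt-out preference signal, apply the opt-out only to third-party targeted-advertising partners while leaving service providers untouched, and pick the California-mandated link text. The partner list is constructed for illustration; the `navigator.globalPrivacyControl` property and `Sec-GPC` header are the two signal carriers defined by the Global Privacy Control specification.

```javascript
// Constructed partner inventory: the role/purpose fields drive the gating.
const PARTNERS = [
  { name: 'ad-network-A', role: 'third_party', purpose: 'targeted_advertising' },
  // A media partner's conversion pixel is likely a 'sale'/'share' too.
  { name: 'ad-conversion-pixel', role: 'third_party', purpose: 'targeted_advertising' },
  { name: 'site-analytics', role: 'service_provider', purpose: 'analytics' },
  { name: 'personalization', role: 'service_provider', purpose: 'personalization' },
];

// States named in the article as requiring support for opt-out preference signals.
const GPC_STATES = new Set(['CA', 'CO', 'CT', 'TX', 'MT', 'NE', 'NH']);

// Detect a GPC signal either client-side (navigator.globalPrivacyControl === true)
// or server-side (request header "Sec-GPC: 1"). Header lookup is case-insensitive.
function gpcSignalled({ navigatorLike = null, headers = {} } = {}) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  const hit = Object.entries(headers).find(([k]) => k.toLowerCase() === 'sec-gpc');
  return hit !== undefined && String(hit[1]).trim() === '1';
}

// Effective targeted-advertising opt-out: an explicit opt-out always counts, and a
// GPC signal counts in the states that mandate it (or everywhere, the safer default).
function targetedAdsOptedOut({ explicitOptOut = false, gpc = false, region = '',
                               honorGpcEverywhere = true } = {}) {
  if (explicitOptOut) return true;
  if (gpc) return honorGpcEverywhere || GPC_STATES.has(region);
  return false;
}

// Apply the opt-out only to third-party targeted-advertising partners; processors /
// service providers (analytics, personalization) keep firing, as the article notes.
function allowedPartners(partners, optedOut) {
  return partners
    .filter(p => !(optedOut && p.role === 'third_party' && p.purpose === 'targeted_advertising'))
    .map(p => p.name);
}

// California visitors must see the prescriptive DNSSMPI wording; others get a plain label.
function footerLinkLabel(region) {
  return region === 'CA'
    ? 'Do Not Sell or Share My Personal Information'
    : 'Opt out of targeted advertising';
}

module.exports = { PARTNERS, gpcSignalled, targetedAdsOptedOut, allowedPartners, footerLinkLabel };
```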

Do you know when (and how) to request an opt-in?  

I’m linking again here to the IAPP chart and directing your attention to the “Right to opt-in to sensitive data processing” (7th consumer right from the left). 16 of the 19 state laws now have such an opt-in right, and each slightly varies the definition of what constitutes ‘sensitive personal information’. This also doesn’t take into account the Washington My Health My Data law, which requires ‘express authorization’ for use of any health data, not just HIPAA-covered data (and ‘written authorization’ for the sale of data). As a result of these changes, you may want to consider reconfiguring not only your cookie consent banner, but any website pages that collect self-reported information that could include any of these sensitive attributes, notably:

  • Health status, condition, or diagnosis of any kind, including mental health such as ‘anxiety’.
  • Race, ethnicity, or citizenship, which may even include cases where you collect it through a ‘proxy’ question like ‘what is your native language’, if you’re going to use that for a commercial purpose.
  • Information from teenagers. California was the first state to require businesses to obtain opt-in consent from the child aged 13-15 prior to processing for any commercial purpose (as opposed to getting opt-in consent from the parent, or ‘verifiable parental consent’ under COPPA). Now, New Hampshire prohibits engaging in any targeted advertising and ‘selling’ the personal data of a known child between the ages of 13 and 16. Starting in October, Maryland will go one step further, prohibiting the processing of any known child under 18 for targeted advertising purposes and prohibiting the ‘sale’ of personal data (including sensitive personal data) of any known child under 18.
  • Precise geolocation. If you haven’t been following the FTC, Texas Attorney General, or class action lawsuits around GPS data use for targeted ads, it’s time to do your homework and get proper opt-in consent.
  • Coming in October: Maryland’s restrictive obligations regarding ‘sensitive personal information’ (broadly defined). All I can say is plan to geofence and block everything ‘sensitive’ for those residents.

What about email (or phone or IP address) matching opt-outs?  

Very few consent choices include, and the vast majority of privacy policies omit, any statement that email addresses (or phone numbers or IP addresses) will be used for custom matching with targeted advertising services, which is considered to be a ‘sale’ or ‘share’ of email lists with those match partners (perhaps excluding when they’re used for suppressions). The good news is that in 2024, many of the leading email ‘onboarding’ tools have synchronized with the Digital Advertising Alliance’s ‘Token ID Based Opt Out Tool’.

This means that if a privacy policy references the ‘youradchoices.com’ site to opt out of targeted ads, it ‘may’ be compliant with most state requirements. However, you need to know whether your custom match partner is using the DAA tool, and/or offer your own opt-out for those that do not. In particular, California regulators have indicated that requiring consumers to visit a third-party tool such as the DAA’s may not be the exclusive choice for opt-outs, and that the ‘business’ should be offering its own choice.

This is perhaps the most difficult prescriptive guidance to offer, as California has made this challenging. Here’s my take on what should be in your website footer.

  • If you meet the California threshold for being a ‘business’ (essentially, you have 100k unique website visitors/customers), and you use third-party targeted ‘sale’ or ‘share’ advertising partners, then you need to include either the “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link with the accompanying CA-designated icon in the website footer. You may not shorten or deviate from this in any way, such as “Do not sell my info”, “privacy choices”, or “cookie settings”. California is prescriptive, and can simply fine anyone who doesn’t follow the letter of the law.
  • Assuming you comply with California law, you don’t need to provide any other duplicative footer links such as “AdChoices” or “Cookie Settings”. Simply link from the California-designated link (above) to your CMP and/or the privacy policy section covering cookie and other preference choices. If your website/business does not reach the California threshold of being a ‘business’, then you may want to check with an attorney or privacy advisor on whether you need to comply with any of these new laws, as they each have similar thresholds and may offer you a small business exemption.
  • A final related point: some consumer-facing websites are adding a ‘Notice at Collection’, as it is seemingly required under CA regulations for consumer-facing entities. This link should not replace or otherwise serve as a targeted advertising opt-out, as it is typically just a (duplicative) notice similar to your privacy policy that may also offer details about advertising and other data collection partners with specific preference choices.

Should you split your Privacy Policy?

If your business processes data used for targeted ads, then you should consider splitting out a ‘Services Privacy Policy’ from your ‘Website Privacy Policy’.  

This is not an explicit legal requirement, but since any business processing ‘cross-contextual’ behavioral data may be deemed an ‘independent business’ under California law, and is then required to offer its own opt-out choice, that choice should be presented more clearly to consumers than buried in a generic business-to-business privacy policy. Yes, the ‘DNSSMPI’ link referenced above could be sufficient, but the best practice is to delineate all of the ways you process consumer data from the ways you process your business customers’ data for your own operations.

Many of the leading adtech companies, such as the Trade Desk and Magnite, offer these separate choices.    

Is your business now deemed to be a ‘data broker’?  

I encourage you to read my December 19th comments to the CPPA and scroll to the last paragraph. The implications of the California Privacy Protection Agency’s (CPPA) now-enacted regulations are clear: if your business licenses third-party data (including advertising audience segments) and then ‘sells’ that third-party data to other businesses, then you may be deemed a data broker (as defined in California).

The implications of this designation and your ($6600+) public data broker registration are that you may need to reconsider your approach to opt-out preferences, as you will start receiving significant volumes of opt-out requests from third-party agents, which requires automation to fully support.

In addition, California data brokers need to account for all of the metrics associated with data subject requests, and publicly report them in their privacy policy. Finally, don’t forget the upcoming 2026 requirement that data brokers will need to synchronize with the California ‘Deletion Mechanism’, which may further complicate managing opt-out or deletion requests.   

Persevering through the patchwork

Getting multi-state consent requirements right is increasingly daunting, but take solace that few companies have ‘perfected’ this yet and privacy-tech tools are constantly improving to better support these changes.

To recap:

  • US opt-outs are for targeted advertising and not site measurement or content personalization.
  • CMPs must accurately handle all ad partners but exclude “service providers”/“processors”.
  • Pixels that may qualify as “sales” or “shares” must be correctly configured and gate-kept when a user opts out.
  • California’s DNSSMPI link requirements are prescriptive.
  • Opt-out signals (e.g., GPC) are now mandatory in a number of states.
  • Keep cookie settings accessible via a sticky icon or link.

Footnotes:

*Yet = draft California regulations requiring an opt-out from ‘profiling’ used for personalized content. The comment period for these regulations ends 2/19/25. Review them here.