Contact Us Today 770-804-0500

Privacy Policy & Data Rights Management - What U.S. Businesses Need to Know in 2023

privacy policy & data rights management intro

Last Updated: March 11, 3023

Privacy Policy & Data Rights - What You Need to Know

I help eCommerce and digital marketers with customized Internet marketing and digital advertising compliance tactics and documents to be compliant and competitive without costing them sales.

  • My wheelhouse is the tip of your marketing spear: how you present your marketing message to your prospects in a hyper-regulated online marketplace.
  • Your marketing message is a big deal. You should be able to navigate new and complex regulations, but instead, you have questions.

I'm here to help.

Your Concerns and Challenges with Your Privacy Policy and Data Rights Management

United States Laws Regulating Privacy

As I write this, in early 2023, there is no uniform U.S. law regulating privacy. Yet, there is a cluster of overlapping and confusing federal laws regulating some aspects of privacy in the United States.

  • The Health Insurance Portability and Accountability Act (HIPAA).
  • The Fair Credit Reporting Act (FCRA).
  • The Family Educational Rights and Privacy Act (FERPA.
  • The Gramm-Leach-Bliley Act (GLBA).
  • The Electronic Communications Privacy Act (ECPA).
  • The Children's Online Privacy Protection Act (COPPA).
  • The Video Privacy Protection Act (VPPA).
  • The Federal Trade Commission Act (FTC Act).

The American Data Privacy Protection Act (ADPPA) is still working its way through the U.S. Congress. There are still significant hurdles to clear before it becomes law (if it ever does).

The two significant hurdles for the proposed American Dream and Promise Act (ADPPA) to pass are:

  • Preemption, and
  • Private right of action.

Preemption is a legal doctrine that allows federal law to override state law. If passed into law, ADPPA would supersede any state laws that may conflict with it, except for California, which is vigorously opposing the preemption of its CPRA privacy law.

Private right of action refers to the ability of individuals to take legal action on their behalf rather than relying on the government to enforce a law. In the context of ADPPA, this means that if the act were to pass, individuals would have the right to sue if they feel that their rights under ADPPA are violated, which could lead to increased lawsuits.

Both preemption and private right of action are contentious issues, and the success of ADPPA in passing may depend on how these issues are addressed and negotiated by lawmakers.

More Information: Website Documents

Extraterritorial and State Privacy Laws - Data Rights Management

In addition to federal laws, there are additional laws of extraterritorial jurisdiction and state laws that regulate privacy.

  • The General Data Protection Regulation (GDPR) effective May 25, 2018.
  • The California Privacy Rights Act (CPRA) effective January 1, 2023.
  • The Virginia Consumer Data Protection Act (VCDPA) effective January 1, 2023.
  • The Colorado Consumer Privacy Act (CCPA) effective July 1, 2023.
  • The Utah Consumer Protection Act (UCPA) effective December 31, 2023.
  • The Connecticut Consumer Data Privacy Act (CTCDPA).

In addition to the five state laws listed above, at least nine other states are contemplating their own version of a privacy statute.

Small and Mid-Size Business Concerns and Challenges

Small and mid-size businesses face significant concerns and challenges when complying with numerous and complex privacy laws, including:

  • Lack of resources: Smaller businesses often have limited resources, which can make it difficult for them to allocate the time, money, and personnel needed to understand and comply with complex privacy laws.
  • Keeping up with multiple laws: With new state privacy laws, businesses must navigate a patchwork of varying legal requirements, which can be difficult and time-consuming.
  • Balancing privacy and business goals: Smaller businesses must balance protecting consumer privacy and collecting the data necessary to run their operations. The result can be particularly challenging for businesses that rely on consumer data for targeted advertising, marketing, and other business purposes.

How I can Help You

The Evolution of Privacy Policy and Data Rights Management

The present situation regarding your Privacy Policy related data rights compliance resembles a “patchwork quilt” of overlapping and conflicting laws.

You may be wondering just how we arrived where we are with this confusing “patchwork quilt” situation.

We'll discuss below a timeline of the significant privacy developments to provide some perspective on where we are today.

The California Online Privacy Protection Act (CalOPPA) -  2004.

CalOPPA was the first state law in the United States that required commercial websites and online services to post a privacy policy.

  • CalOPPA requires that the privacy policy be displayed prominently on the company's website. It covers the types of personal information collected, how it is used, and with whom it is shared.
  • CalOPPA applies to all companies that collect personal information from California residents, regardless of where the company is located.
  • CalOPPA has served as a model for other states and countries and has been influential in shaping the privacy landscape in the United States.

CalOPPA was the reason that U.S.-based businesses added Privacy Policies to their websites.

CalOPPA was a de facto federal law because marketers selling in California wanted to avoid screening out California residents because of the size of the market for goods and services.

Privacy Policy Targeted Ads - How The Ad Tech Model Impacts Privacy Policies

The Ad Tech model developed in the late 1990s and early 2000s as the internet grew and became more widespread.

The Ad Tech model refers to the technology and systems used in the digital advertising industry for serving targeted advertising. 

ad tech model for targeted advertising

Enabled by tracking technologies such as cookies, the Ad Tech model uses "programmatic advertising," a software-based bidding process that places ads in response to advertising requests containing consumers' personal information.

The "programmatic advertising" process is where personal data such as browsing history, demographic information, and location data is collected and shared among numerous parties causing significant privacy and data security concerns among regulators and data subjects.

GDPR Privacy Notice - The EU General Data Protection Regulation (GDPR) – 2018

The Ad Tech model played a significant role in the rise and enactment of the General Data Protection Regulation (GDPR) in the European Union (EU).

The GDPR was designed to address privacy and data security concerns arising out of the Ad Tech Model's "programmatic advertising" and to provide EU citizens with greater control over their data.

After GDPR, digital marketers have had to change their practices and invest in new technologies and processes to comply with the regulation.

GDPR has put further pressure on the Ad Tech industry to be more transparent and responsible in how it collects, stores, and uses personal data.

The California Consumer Privacy Act (CCPA) – 2020

CCCPA was one of the first comprehensive privacy laws in the United States to give individuals greater control over their data and to provide new rights and protections for privacy.

The CCPA is also notable for being the first privacy law in the United States to give individuals the right to opt-out of the sale of their personal data, which is a new and essential privacy right that was not previously recognized in U.S. privacy law.

The California Consumer Privacy Act (CCPA) – 2023

The California Privacy Rights Act (CPRA) is a privacy law that was enacted in California, United States, on November 3, 2020, through a statewide ballot initiative.

CPRA builds upon the California Consumer Privacy Act (CCPA) by adding new rights and protections for California residents for their personal data.

CPRA gives California residents additional rights and control over their personal data, including the right to know the specific pieces of personal information that businesses collect, the right to tell businesses not to sell their personal data, and the right to request that businesses delete their personal data.

CPRA also requires businesses to provide additional transparency about their data practices and to implement new security measures to protect personal data.

The Critical Difference Between First-Party Cookies and Third-Party Cookies

There is a significant difference between first-party and third-party cookies in terms of the scope of tracking that is enabled by the cookie.

First and Third-party cookies are two different cookie types used for tracking and collecting data about users' online behavior.

  • First-party cookies are created by the website that the user is visiting.
  • First-party cookies are used to remember a user's preferences, to store information about a user's session, or to track the user's behavior on the website.
  • First-party cookies are considered less intrusive and are generally considered to be less of a privacy risk than third-party cookies.

Third-party cookies, on the other hand, are created by a domain other than the website that the user is visiting.

  • Third-party cookies are often used by advertising networks and other tracking companies to track a user's behavior across multiple websites.
  • Third-party cookies can be used to build a profile of a user's interests and preferences, which can then be used for targeted advertising.
  • Because third-party cookies can track a user's behavior across multiple websites, they are considered to be more intrusive and have a greater privacy risk than first-party cookies.
  • Overall, the difference between first-party cookies and third-party cookies comes down to who is creating the cookie and what the cookie is being used for.

Why Privacy Regulators Have Relatively Few Privacy Concerns Regarding First-Party Cookies

In terms of privacy and the regulation of data rights, privacy regulators have relatively little concern over the use of first-party cookies by digital marketers.

The reason is that tracking is limited to persons who choose to visit a specific website, portal, or marketplace.

Using first-party cookies to recognize a return visit by a customer or prospect is generally considered a permissible marketing practice.

The user is not being tracked beyond the website, portal, or marketplace that dropped the cookie.

On the other hand, there is great concern by privacy regulators regarding the use of third-party cookies to track users across the internet as he/she visits other sites.

For this reason, California CPRA and other state privacy laws haven't outlawed targeted advertising.

Instead, these laws still permit targeted advertising subject to stringent controls over how digital marketers collect, use, and share consumers' personal information, including for targeted advertising purposes.

Businesses must comply with these laws and provide consumers with certain rights, such as the right to opt out of the sale or use of their personal information for targeted advertising.

How to Get Started

The recommended way to get started is to scroll to the bottom of this page, click on the "Book a Call" button, then schedule a call.

We'll discuss your requirements and concerns and answer any questions you may have.

----> There may be compliance options you're not aware of.

At the same time, sign Up for my complimentary 2-Minute Marketing Compliance Email.

It's not a newsletter (they take too long to read).

Every week or so, you'll get compliance tips, insights, strategies, tactics, and alerts you can digest quickly and use,

written in a simple, conversational way to help you grow your business with confidence.

Best wishes for your online business success.

Chip Cooper esq. eCommerce attorney



My Background

  • Juris Doctor Degree, Wake Forest University School of Law
  • Adjunct Professor of Law, Wake Forest University School of Law (20 years)
  • Martindale-Hubbell Highest Attorney Peer Rating – AV® PREEMINENT™
  • Co-Founder & CEO,, #1 in FTC Compliance Training

Contact Us

Need help? Or a little Q&A to see if we’re a good fit? Book a call below and let’s chat. You'll be working directly with me, not another attorney. I help eCommerce and digital marketers with Internet marketing and advertising compliance so they can be compliant and competitive in a hyper-regulated digital marketplace.
Book a Call