State Laws on Digital Advertising: CalOPPA, Age-Appropriate Design, and Comprehensive Laws
California leads on digital advertising: CalOPPA (2003) requires website privacy notices and Do Not Track disclosures; the 2022 California Age-Appropriate Design Code Act protects child users; and the CCPA/CPRA regulate network activity, inferences, and cross-device behavioral advertising.
CalOPPA (2003) was the first U.S. law to require operators of commercial websites and apps to conspicuously post a privacy notice if they collect PII from Californians. A 2013 amendment requires the notice to address how the operator responds to Do Not Track signals and whether third parties can collect PII about users.
The 2022 California Age-Appropriate Design Code Act - the first U.S. age-appropriate design law - requires online platforms to consider the best interest of child users, set privacy-protective defaults, avoid detrimental use of a child's data, and bars collecting/sharing/selling a child's location by default.
State comprehensive laws also reach digital advertising. The CCPA/CPRA framework covers a business if it collects PII on California residents and meets a minimum revenue threshold, uses a minimum number of consumers' data, or derives at least half its revenue from selling/sharing personal information. It protects network activity (browsing/search histories), regulates inferences used to build profiles, and restricts Cross-device behavioral advertising.