US States Privacy Notice
Last Updated: March 16th, 2026
This US States Privacy Notice (this "Notice") supplements RevOptimal's Global Privacy Policy and describes how we collect, use, and share personal data relating to individuals located in U.S. states with comprehensive consumer privacy laws and the rights available to you under those laws.
If you are a resident of California, Texas, Oregon, or Vermont, additional data broker-specific rights and disclosures apply. See the Data Broker-Specific Rights and Obligations section below for information about our registration status and specialized obligations in those states.
This Notice Includes:
As of publication of this Notice, the following 20 states have comprehensive consumer privacy laws in effect:
| State | Main Privacy Law |
|---|---|
| California | California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA/CPRA) |
| Colorado | Colorado Privacy Act (CPA) |
| Connecticut | Connecticut Data Privacy Act (CTDPA) |
| Delaware | Delaware Personal Data Privacy Act |
| Florida | Florida Digital Bill of Rights |
| Indiana | Indiana Consumer Data Protection Act (ICDPA) |
| Iowa | Iowa Consumer Data Protection Act (ICDPA) |
| Kentucky | Kentucky Consumer Data Act (KCDPA) |
| Maryland | Maryland Online Data Privacy Act (MODPA) |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA) |
| Montana | Montana Consumer Data Privacy Act |
| Nebraska | Nebraska Data Privacy Act (NDPA) |
| New Hampshire | New Hampshire Privacy Act (NHPA) |
| New Jersey | New Jersey Data Privacy Act (NJDPA) |
| Oregon | Oregon Consumer Privacy Act (OCPA) |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act |
| Tennessee | Tennessee Information Protection Act |
| Texas | Texas Data Privacy and Security Act (TDPSA) |
| Utah | Utah Consumer Privacy Act (UCPA) |
| Virginia | Virginia Consumer Data Protection Act (VCDPA) |
As a resident of the states covered in this Notice, you have the following rights regarding your personal data. Because most of the personal data we hold was not collected directly from you, some rights may be subject to exemptions or limitations, which we will explain when you submit a request.
You have the right to confirm whether we are processing your personal data and to request disclosure of:
You have the right to request deletion of personal information we have collected and maintain about you. We will delete your personal information upon receiving a verifiable request, subject to legal exemptions that may permit or require us to retain certain information, including where:
You have the right to request correction of inaccurate personal information we maintain about you. We will correct such information within the applicable response timeframe, provided that correction is technically feasible and does not conflict with other legal obligations.
You have the right to receive a copy of your personal information in a portable, readily usable format, where technically feasible. This right allows you to transmit your information to another controller without hindrance.
You have the right to opt out of:
We engage in activities that may constitute a "sale" or "sharing" of personal information as defined under applicable state law, including disclosing audience segment data and identifiers to advertising and marketing partners.
Consistent with requirements under California's CPRA and similar laws in other states, we provide a "Do Not Sell/Share" link in the footer of our website. Clicking this link allows you to opt out of the sale and sharing of your personal information for targeted advertising purposes, which you may do at any time.
Upon receiving a verified opt-out request, we will:
Global Privacy Control (GPC): We recognize and honor GPC signals from your browser or device as a valid opt-out request in states where GPC is legally recognized: California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas.
When a GPC signal is detected, we treat it as a Do Not Sell/Share request and will not use your information for targeted advertising. We will display an "Opt-Out Honored" confirmation when your GPC signal has been processed, consistent with California's 2026 requirements.
Do Not Track (DNT): We currently do not respond to browser-based "Do Not Track" signals in a uniform way, as no industry-wide standard has been established for DNT. However, we do honor GPC signals where legally required.
Some state laws — including those in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Jersey, Oregon, and Texas — provide rights related to the use of sensitive personal information. Sensitive personal information under state laws typically includes:
We generally do not collect or use sensitive personal information as defined by these laws, so this right typically does not apply to our Services.
Where we use automated decision-making or profiling that produces legal or similarly significant effects about you, we will provide notice of this practice. Certain states — including California (effective January 1, 2027), Colorado, Connecticut, Minnesota, Oregon, and Texas — provide rights to request human review of automated decisions, opt out of automated decision-making, and receive explanations of how such decisions are made.
If you exercise any of your privacy rights described in this Notice, we will not discriminate against you. While we do not sell products or services directly to individual consumers, we will not: treat your data differently based on your exercise of privacy rights, deny you the ability to opt out of data processing, provide different quality or levels of response to your privacy requests, or suggest that you will receive different treatment for exercising your rights.
Where we rely on your consent to process personal information, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing that occurred before your withdrawal. You may manage consent for cookies and tracking technologies through our Cookie Preference Center.
California residents have additional rights and protections under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CPRA).
The following table provides additional information about how we use and disclose your data, consistent with CPRA disclosure requirements:
| Category of Personal Information | Business Purpose | Categories of Recipients | Sale/Sharing Classification |
|---|---|---|---|
| Personal Identifiers (e.g. names, aliases, emails, phone numbers, customer numbers, mobile advertising IDs (MAIDs), IP addresses) | Audience segmentation, targeted advertising delivery, analytics | Our customers (advertisers), data analytics providers, digital data management platforms and service providers | Sold for our customers' commercial use, including targeted advertising or cross-context behavioral advertising. Marketing, reporting, and/or analytics. |
| Sensitive Personal Information (sex/gender, marital status, military/veteran status, national origin, ancestry, age, party registration, home ownership, education level, professional details) | Audience segmentation, demographic targeting, model development | Our customers and data analytics providers | Sold for our customers' use, including targeted advertising or cross-context behavioral advertising. Deidentified sharing only — aggregate statistics provided, no individual-level sensitive data disclosed. |
| Tracking Identifiers (e.g. device identifiers, cookies, beacons, pixel tags, and similar technologies) | User recognition across sessions, tracking and analytics, fraud prevention | Our customers, data analytics providers, digital data management platforms and service providers | Sold for our customers' use, including targeted advertising or cross-context behavioral advertising. Marketing, reporting, and/or analytics. See our Cookie Policy for more information. |
| Commercial Information (products/services purchased, obtained, or considered; purchasing or consuming histories) | Behavioral targeting, consumer preference analysis, predictive modeling | Our customers, data analytics providers, digital data management platforms | Sold for our customers' use, including targeted advertising or cross-context behavioral advertising. |
| Internet/Electronic Network Activity (browsing history, search history, interaction with websites, applications, advertisements) | Behavioral analysis, interest-based advertising, service improvement | Our customers, data analytics providers, advertising networks and service providers | Sold for our customers' use, including targeted advertising or cross-context behavioral advertising. |
| Geolocation Data (precise or approximate location) | Geographic segmentation | Our customers and data analytics providers | Sold for our customers' use, including targeted advertising or cross-context behavioral advertising. Shared only in aggregate or deidentified form; precise location not disclosed to third parties. |
| Inferences (profiles reflecting preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, aptitudes) | Predictive audience modeling, personalized marketing, segment creation | Our customers and data analytics providers | Sold for our customers' use, including targeted advertising or cross-context behavioral advertising. Deidentified sharing only — inferences delivered as aggregate audience segments; no individual inference profiles shared. |
We retain your personal information for as long as necessary to fulfill the business purposes for which we collect it (such as providing our audience segmentation Services), and to satisfy legal, accounting, contractual, or reporting requirements. Retention periods vary by data category and purpose.
Under California's 2026 amendments, personal information of consumers under 16 years of age is now classified as sensitive personal information, provided we have actual knowledge of the consumer's age. We do not knowingly collect or process personal data of minors.
We track and report annually on consumer privacy rights request metrics, including the number of requests received, granted, denied, and the median response time. These details are available on request.
Beginning January 1, 2027, California residents will have the right to opt out of our use of automated decision-making technology for significant decisions and to request information about how such decisions are made. We will update this Notice before that effective date to reflect these rights.
California's 2026 regulations require us to conduct formal privacy risk assessments for processing activities that present significant risk to consumer privacy, including the sale or sharing of personal information and processing of sensitive data. Initial risk assessment reports are due to the California Privacy Protection Agency by April 1, 2028.
To exercise any of the rights described in this Notice, you may submit a request through any of the following methods:
To protect your privacy and ensure we respond only to the rightful individual, we will verify your identity before processing your request. Verification may include asking you to provide information we already maintain about you or to confirm your identity through a signed declaration. If we cannot verify your identity, we will inform you and explain why. You may authorize another individual or business to submit privacy rights requests on your behalf. We require authorized agents to provide written authorization from you and to verify their authority to act on your behalf. We reserve the right to request direct confirmation from you that you authorized the agent to submit a request.
We will respond to verifiable requests within 45 days of receipt (or 30 days for Texas), with possible extensions of up to 45 additional days where permitted by your state's law. We will notify you if an extension is necessary. If we deny your request in whole or in part, we will provide a written explanation and, where required by your state's law, inform you of your right to appeal. You may appeal denials by submitting a written appeal using the same contact methods listed above.
In some cases, we may need to keep certain information for legal or recordkeeping reasons, so fulfilling your request may not mean that all information is completely removed from our systems.
RevOptimal operates as a data broker under the laws of California, Texas, Oregon, and Vermont. As a data broker, we collect, process, and share personal information that we did not collect directly from individuals. We are registered as a data broker with the appropriate state authorities in each jurisdiction.
A data broker is a business that collects, sells, licenses, or shares personal information about consumers with whom the business does not have a direct relationship (i.e., the consumer did not provide the data directly to the business in exchange for goods or services).
| State | Registering Authority | Registry |
|---|---|---|
| California | California Privacy Protection Agency (CPPA) | cppa.ca.gov/data_broker_registry/ |
| Texas | Texas Secretary of State | sos.state.tx.us |
| Oregon | Oregon Division of Financial Regulation (DFR) | dfr.oregon.gov/business/licensing/data-broker-registry/ |
| Vermont | Vermont Secretary of State | bizfilings.vermont.gov/online/DatabrokerInquire/ |
In our data broker activities, we may receive or collect personal information from:
We do not intentionally collect sensitive personal information for the purpose of identifying specific individuals outside applicable legal exemptions and authorizations.
We may use personal information obtained through our data broker operations to:
All processing aligns with contractual limitations and applicable state law.
We may share personal information with:
When registering with the California Privacy Protection Agency, we must disclose whether we collect specific categories of California consumers' personal information, including government-issued identification numbers, mobile advertising IDs, citizenship data, union membership status, sexual orientation, biometric data, precise geolocation data, personal information of minors, and reproductive health care data.
We must also disclose whether we shared or sold California consumers' personal information with or to a "foreign actor" (government of or entity based in China, North Korea, Russia, or Iran), the federal government, other state governments, law enforcement (unless pursuant to subpoena or court order), or developers of generative AI (GenAI) systems or models.
Beginning January 1, 2028, and every three years thereafter, we must undergo an independent third-party audit to verify compliance with California's Delete Act.
As a registered data broker in Texas, we maintain a comprehensive written information security program that includes administrative, technical, and physical safeguards; employee training on data handling and privacy; oversight of third-party service providers; access controls and monitoring; data breach response procedures; and regular program review and updates.
We provide clear, readily accessible notice on our website that states we are a registered data broker with the Texas Secretary of State and informs consumers how to exercise their privacy rights under Texas law.
Our registration statement includes a link to a webpage providing consumers with specific instructions on how to exercise their consumer rights under the Texas Data Privacy and Security Act, including rights to know, delete, correct, port, and opt out of data sales and targeted advertising.
We must register annually with the Oregon Department of Consumer and Business Services before collecting, selling, or licensing brokered personal data.
Our registration includes a declaration describing whether and how Oregon residents may opt out of all or a portion of our data broker activities and whether an Oregon resident may authorize an agent to exercise opt-out rights on their behalf.
Oregon prohibits the sale of personal data when we have actual knowledge, or willfully disregard knowledge, that a consumer is under 16 years of age. Oregon also prohibits the sale of precise geolocation data relating to an individual's location within a 1,750-foot radius.
We must register annually with the Vermont Secretary of State and pay a registration fee. Our registration must include our name and contact information; methods for consumers to opt out of data collection, storage, or sales (if offered); data activities from which consumers may not opt out; whether we implement purchaser credentialing; number of data broker security breaches in the prior year; information about data practices applicable to minors; and additional information about our data collection and sharing practices.
As a registered data broker in Vermont, we develop, implement, and maintain a comprehensive written information security program that includes designated employees responsible for program maintenance; privacy and security risk assessments; security policies for employees, including training and compliance; oversight of third-party vendors and service providers; physical restrictions to records; user authentication protocols; access control measures; encryption of transmitted data and data on portable devices; monitoring for unauthorized access; current firewall protection and security patches; and current security software.
In addition to the consumer privacy rights described above, you have the following data broker-specific rights:
In addition to consumer privacy rights described above, you have the right to:
In addition to consumer privacy rights described above, you have the right to:
In addition to consumer privacy rights described above, you have the right to:
If you believe your privacy rights have been violated, you have the right to lodge a complaint with the appropriate state authority. Submitting a complaint with a state authority does not affect your ability to assert other legal claims.
| State | Enforcement Authority | Contact |
|---|---|---|
| California | California Privacy Protection Agency; CA AG | cppa.ca.gov/submit-a-complaint/ |
| Colorado | Colorado AG Consumer Protection | coag.gov |
| Connecticut | Connecticut AG | ct.gov/ag |
| Delaware | Delaware AG Consumer Protection | ago.delaware.gov |
| Florida | Florida AG | myfloridalegal.com |
| Indiana | Indiana AG | in.gov/attorneygeneral |
| Iowa | Iowa AG Consumer Protection | iowaattorneygeneral.gov |
| Kentucky | Kentucky AG | ag.ky.gov |
| Maryland | Maryland AG Consumer Protection | oag.state.md.us |
| Minnesota | Minnesota AG | ag.state.mn.us |
| Montana | Montana DOJ Consumer Protection | doj.mt.gov |
| Nebraska | Nebraska AG | ago.nebraska.gov |
| New Hampshire | NH DOJ Consumer Protection | doj.nh.gov |
| New Jersey | NJ AG Consumer Affairs | njconsumeraffairs.gov |
| Oregon | Oregon DCBS; Oregon AG | oregon.gov/dcbs |
| Rhode Island | Rhode Island AG | riag.ri.gov |
| Tennessee | Tennessee AG | tn.gov/attorneygeneral |
| Texas | Texas AG Consumer Protection | texasattorneygeneral.gov |
| Utah | Utah AG Consumer Protection | attorneygeneral.utah.gov |
| Virginia | Virginia AG Consumer Protection | ag.virginia.gov |
We review and update this Notice periodically to reflect changes in our practices, applicable law, and regulatory guidance. We will notify you of material changes by posting the updated Notice on our website and updating the effective date above. Where required by law, we will seek renewed consent or provide additional notice of material changes. Your continued use of our Site and/or Services following notification of changes constitutes your acknowledgment of the updated Notice.
We encourage you to review this Notice frequently to be informed of how we are protecting your information.
If you have questions about this Notice, your privacy rights, or how we handle your personal information, please contact us at:
Ready to supercharge your ROAS?