Google quietly adds three states to privacy compliance toolkit

Google AdSense expands state privacy regulations messaging to Indiana, Kentucky, Rhode Island on December 11, introducing automatic targeting for future states.

Google announced on December 11, 2025 that publishers using its AdSense platform can now activate privacy compliance messages for users in Indiana, Kentucky, and Rhode Island. The update addresses upcoming state privacy legislation taking effect January 1, 2026 across all three jurisdictions, according to documentation posted to the AdSense Help Center.

The announcement introduces a significant operational change for publishers managing privacy compliance across multiple states. Google launched a toggle allowing publishers to target messages to "All current and future supported US States," which automatically extends privacy messaging to newly regulated states as their laws take effect. This feature eliminates the need for publishers to manually update message targeting each time Google adds support for additional state privacy regulations.

Publishers with existing US state regulations messages must edit their configurations in the Privacy & messaging tool to include the three newly added states. The Geography selector now includes a "select all" option that activates the automatic targeting feature, according to the documentation. Publishers creating new US state regulations messages will have all available states selected by default, with the automatic targeting toggle enabled from the start.

The update expands Google's privacy compliance framework that now covers 25 states with comprehensive privacy legislation. Indiana's Consumer Data Protection Law, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Act all become enforceable on January 1, 2026, creating legal requirements for publishers to provide opt-out mechanisms for targeted advertising and data sharing.

The US state regulations message type displays to users subject to privacy legislation specific to their state location. California residents encounter messaging addressing the California Privacy Rights Act, while users in other states see messages tailored to their respective state requirements. Publishers bear responsibility for ensuring their messages meet all legal requirements, according to Google's documentation.

Message structure and technical implementation

US state regulations messages contain multiple screens shown to users when they view the privacy notice. The system begins with a "Do Not Sell or Share My Personal Information" link that publishers display using their selected formatting and settings. When users click this link, a confirmation page opens displaying an "Opt out of the sale or sharing of personal information" dialog.

The confirmation page includes several elements: the publisher's logo if configured, a "Dismiss" button allowing users to close the message without opting out, and an "Opt out" button that communicates the user's opt-out status to Google and closes the message. The look and feel of the "Do Not Sell or Share" link may differ from standard styling depending on publisher customization choices.

Google's consent management platform supports the IAB Global Privacy Platform (GPP) specification for US state regulations messages. The US National section stores and transmits user choices for California, Colorado, Connecticut, Delaware, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia residents.

When the "Do Not Sell or Share My Personal Information" link appears on a page, the system sets several GPP fields to indicate notice was provided. SharingNotice, SaleOptOutNotice, SharingOptOutNotice, and TargetedAdvertisingOptOutNotice all indicate that notice was given to users. SaleOptOut, SharingOptOut, and TargetedAdvertisingOptOut indicate the user has not opted out. MspaCoveredTransaction is set to "No" in this state.

If a user opts out of data sharing, the system updates SaleOptOut, SharingOptOut, and TargetedAdvertisingOptOut to reflect the opt-out choice. All other fields are set to "Not applicable," including those for SensitiveDataProcessing and KnownChildSensitiveDataConsents. Publishers must work with their advertising partners to understand how they respect GPP signals, according to Google's documentation on AdSense's GPP support.
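A publisher or partner receiving these fields can audit them before an ad request goes out. The following is an added example, not code from Google or the IAB: it assumes the US National section has already been decoded into a plain object keyed by the field names above, and that values use the section's integer encoding (notices: 0 not applicable, 1 given, 2 not given; opt-outs: 0 not applicable, 1 opted out, 2 did not opt out). The function name and the sample objects are constructed for illustration.

```javascript
// Added example: audit a decoded GPP US National section and decide
// whether processing must be restricted. Fails closed on malformed input.
const NOTICE_FIELDS = [
  "SharingNotice", "SaleOptOutNotice",
  "SharingOptOutNotice", "TargetedAdvertisingOptOutNotice",
];
const OPT_OUT_FIELDS = ["SaleOptOut", "SharingOptOut", "TargetedAdvertisingOptOut"];

function auditUsNat(fields) {
  const problems = [];
  // Read one field; anything other than the integers 0, 1, 2 is a problem.
  const read = (name) => {
    const v = fields ? fields[name] : undefined;
    if (!Number.isInteger(v) || v < 0 || v > 2) {
      problems.push(`${name}: missing or out of range`);
      return null;
    }
    return v;
  };
  const notices = NOTICE_FIELDS.map(read);
  const optOuts = OPT_OUT_FIELDS.map(read);

  // The article describes the three opt-out fields changing together,
  // so a mix of values points at a broken CMP or a mangled signal.
  const present = optOuts.filter((v) => v !== null);
  if (new Set(present).size > 1) problems.push("opt-out fields disagree");

  // Sanity check (an assumption of this example): "did not opt out"
  // only carries meaning if the user was actually shown the notice.
  if (optOuts.includes(2) && notices.some((v) => v !== 1)) {
    problems.push("'did not opt out' recorded without notice given");
  }

  const optedOut = optOuts.includes(1);
  let state;
  if (problems.length > 0) state = "inconsistent";
  else if (optedOut) state = "opted_out";
  else if (optOuts.every((v) => v === 2)) state = "notice_shown";
  else state = "not_applicable";

  // Any opt-out, or any doubt about the signal, restricts processing.
  return { state, restrictProcessing: optedOut || problems.length > 0, problems };
}

// Constructed samples mirroring the two states the article describes,
// plus two malformed signals a downstream partner might receive.
const NOTICE_SHOWN = {
  SharingNotice: 1, SaleOptOutNotice: 1, SharingOptOutNotice: 1,
  TargetedAdvertisingOptOutNotice: 1,
  SaleOptOut: 2, SharingOptOut: 2, TargetedAdvertisingOptOut: 2,
  MspaCoveredTransaction: 2,
};
const OPTED_OUT = { ...NOTICE_SHOWN, SaleOptOut: 1, SharingOptOut: 1, TargetedAdvertisingOptOut: 1 };
const PARTIAL = { ...NOTICE_SHOWN, SaleOptOut: 1 };
const TRUNCATED = { SaleOptOut: 2 };

for (const [label, sample] of Object.entries({ NOTICE_SHOWN, OPTED_OUT, PARTIAL, TRUNCATED })) {
  const r = auditUsNat(sample);
  console.log(label, r.state, "restrict:", r.restrictProcessing, r.problems);
}
```

A signal in the "inconsistent" state is worth logging with the partner or CMP that produced it, since it indicates the opt-out may not be reaching every demand source.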

CPRA requirements and automatic updates

The California Privacy Rights Act is now in effect, meaning users can opt out of the sale and sharing of their personal information. Google automatically updated messages for publishers using default text in their CCPA messaging to read "Do Not Sell or Share My Personal Information." Publishers who previously set custom CCPA messages should revise their US state regulations message text to address CPRA requirements, according to the announcement.

The CPRA expanded upon the California Consumer Privacy Act framework that took effect in 2020. The updated law adds specific requirements around the "sharing" of personal information, distinct from its sale, and provides consumers with enhanced rights to control how businesses use their data for cross-context behavioral advertising.

California's evolving privacy landscape has prompted significant enforcement actions. Healthline settled for $1.55 million in July 2025, marking the largest monetary penalty under CCPA to date. The California Attorney General discovered that the health information website continued sharing personal data with advertisers even after users opted out of targeted advertising through multiple consent mechanisms including Global Privacy Control signals.

Industry context and compliance challenges

The advertising technology industry faces an increasingly complex privacy compliance landscape. Fourteen US state privacy laws were enforceable at the start of 2025, with six more expected throughout the year. Each state's legislation contains distinct requirements for consent collection, data sale opt-outs, and targeted advertising restrictions.

Google expanded privacy controls to eight additional states on June 30, 2025, implementing Universal Opt-Out Mechanism provisions across Connecticut, Montana, Nebraska, New Hampshire, Texas, Minnesota, New Jersey and Maryland. The update brought these states into Google's Global Privacy Control framework, requiring the platform to honor browser-based opt-out signals.

Publishers operating across multiple states must navigate varying effective dates, distinct legal definitions of "sale" and "sharing" of personal information, and different technical requirements for consent collection and storage. The IAB Tech Lab's Global Privacy Platform provides standardized mechanisms for transmitting privacy preferences across jurisdictions, but implementation complexity remains substantial.

Six additional states were added to the Global Privacy Platform in August 2024, including Delaware, Iowa, Nebraska, New Hampshire, New Jersey, and Tennessee. The IAB Tech Lab's expansion demonstrated the ongoing adaptation required as state legislatures continue enacting comprehensive consumer privacy legislation.

The technical specifications for GPP strings enable consent management platforms to encode user preferences and transmit those signals throughout the programmatic advertising supply chain. Publishers using GPP can communicate user opt-out choices to demand-side platforms, supply-side platforms, and other advertising technology vendors in a standardized format that reduces implementation overhead compared to custom integration approaches.

Revenue implications and publisher considerations

Restricted Data Processing mode typically reduces the value of advertising inventory due to limited targeting capabilities and reduced data collection. Publishers in states with privacy laws may experience decreased ad revenue as platforms shift to serving non-personalized advertisements to users who have activated privacy controls. Non-personalized ads generally command lower prices in programmatic auctions compared to their personalized counterparts.

Google's unification of first-party cookie controls in November 2024 maintained compatibility with existing privacy frameworks including CCPA and CPRA requirements. The update consolidated two previously separate controls into a unified mechanism while expanding data sharing capabilities with Authorized Buyers for publishers already implementing first-party cookies for personalization.

Publishers must balance compliance requirements against revenue optimization. The automatic targeting feature for "All current and future supported US States" reduces operational overhead but means publishers automatically opt into compliance messaging for states as Google adds support, potentially before publishers have fully assessed the revenue impact in those specific markets.

Content creators should monitor performance metrics to understand how privacy control adoption rates affect overall monetization. Alternative revenue streams become increasingly important as privacy regulations expand across additional states and user awareness of opt-out rights increases.

California's ongoing privacy legislation development

California privacy law updates taking effect January 1, 2026 bring new consumer data protection requirements for businesses selling or sharing personal information. Assembly Bills 137 and 566 modified the landmark privacy legislation, expanding requirements around consumer consent particularly for businesses that collect and transfer personal information to third parties.

Companies must now enter into agreements with any third party, service provider, or contractor receiving consumer data. These contracts must specify that information transfers occur only for limited purposes and obligate recipients to provide equivalent privacy protections required under the statute.

The California Privacy Protection Agency holds authority to adopt regulations further defining business purposes for which service providers and contractors may use consumer information. Administrative and civil enforcement of provisions added or amended by CPRA began July 1, 2023, applying only to violations occurring on or after that date.

California Governor Gavin Newsom vetoed Assembly Bill 3048 in September 2024, which would have required internet browsers and mobile operating systems to include privacy opt-out settings. The governor expressed concerns about placing mandates on operating system developers, preferring that design questions be addressed by developers rather than regulators.

Multi-state privacy agreement and certification

AdSense certification under IAB Privacy's Multi-State Privacy Agreement Certified Partner Program means the platform can process MSPA Covered Transactions without publishers needing to sign the MSPA. Publishers maintain the option to use GPP without being contractually required to do so by Google.

The MSPA framework addresses a critical challenge in the advertising ecosystem: how to enable data sharing and advertising transactions in compliance with multiple state privacy laws without requiring custom contractual arrangements for each state jurisdiction. The certification program provides a standardized approach that reduces legal and operational complexity.

Google announced updates on October 20, 2024 to help publishers using AdSense, AdMob, and Ad Manager comply with privacy laws taking effect in Iowa, Delaware, New Jersey, Nebraska, and New Hampshire in January 2025. The company supplemented its existing Google Ads Data Processing Terms and Google Ads Controller-Controller Data Protection Terms to accommodate these state laws.

Restricted Data Processing mode represents one of Google's key features for publisher compliance. When activated, the system limits personalized advertising and restricts certain data processing activities. Publishers can enable RDP through IAB Tech Lab's Global Privacy Platform for applicable states, through Privacy & messaging settings in AdSense interfaces, or via account-level configurations that apply automatically to traffic from designated states.

Industry standardization efforts and technical frameworks

The IAB Tech Lab has maintained active development of privacy frameworks throughout 2024 and 2025. GPP Extensions were unveiled in May 2024 to address state-specific privacy laws in the United States, enabling transmission of consent signals specific to individual state requirements.

The organization launched a public comment period in October 2025 for Global Privacy Platform updates adding Maryland, Indiana, Kentucky, and Rhode Island. The updates address a technical gap in how downstream vendors identify which GPP sections a consent management platform supports and has determined applicable for a given user.

IAB Tech Lab's Accountability Platform sets standards for privacy signal monitoring, focusing on ensuring accurate transmission of user preference signals throughout the digital advertising supply chain. The platform represents a collaborative effort developed through the Rearc Accountability Working Group with input from over 750 global companies.

The organization also launched a Privacy Taxonomy to standardize data management across the industry. The framework provides a common language for defining, classifying, and communicating personal data, supporting better enforcement of regulatory consent requirements and streamlined privacy request handling.

Google's privacy framework for AdSense operates alongside broader industry standards while maintaining platform-specific implementation details. Publishers must understand both the technical specifications of frameworks like GPP and the specific requirements Google implements for its advertising systems.

Delaware and Oregon privacy controls via GPC signals were activated on November 17, 2025, with Google automatically triggering Restricted Data Processing mode for users transmitting Global Privacy Control signals from those states. The GPC specification gained regulatory endorsement when California's attorney general stated the Department of Justice was "encouraged to see the technology community developing a global privacy control in furtherance of the CCPA and consumer privacy rights."

Consent Management Platforms face technical requirements to support publisher compliance across the expanding privacy landscape. Google's mandate for TCF v2.3 migration by February 28, 2026 establishes a hard deadline for implementing IAB Europe's updated framework for European users.

The distinction between European GDPR compliance frameworks and US state privacy law frameworks creates separate technical implementation paths. AdSense uses IAB Europe's Transparency and Consent Framework for European Economic Area and UK users, while relying on the Global Privacy Platform US National section for state privacy law compliance in the United States.

CMPs must maintain support for multiple framework versions during transition periods, handle both disclosed vendor segments and Additional Consent Mode, and ensure accurate transmission of privacy signals across different jurisdictions. The technical complexity extends beyond simple consent collection to encompass proper signal formatting, transmission reliability, and downstream vendor compatibility.

Publishers selecting consent management platforms should evaluate their support for current and planned privacy framework versions, geographic coverage for relevant markets, technical integration requirements, and vendor compliance records. The IAB Europe TCF Vendor Compliance Programme identified and enforced against non-compliant vendor implementations throughout 2024, with over 400 enforcement procedures resulting in temporary suspension of more than 20 entities.

State privacy law implementation timeline

The three states joining Google's privacy messaging framework on December 11, 2025 follow a broader pattern of staggered implementation dates across US jurisdictions. Virginia's Consumer Data Protection Act took effect in 2023, followed by Colorado, Connecticut, and Utah legislation. California's CPRA enforcement began in mid-2023 for violations occurring on or after that date.

The January 1, 2026 effective date for Indiana, Kentucky, and Rhode Island legislation aligns with a wave of state privacy laws becoming enforceable at the start of the new year. This clustering of effective dates creates operational challenges for publishers who must simultaneously implement compliance measures across multiple jurisdictions.

Publishers operating national advertising inventory face the complexity of determining user location, applying appropriate privacy notices based on that location, honoring opt-out requests according to each state's specific requirements, and maintaining compliant data processing practices across varying legal definitions and technical specifications.

The automatic targeting feature Google introduced with this update acknowledges the operational burden publishers face. By enabling publishers to opt into automatic coverage for future states, Google reduces the manual intervention required each time new states are added to the privacy messaging framework. However, this convenience comes with the trade-off of reduced granular control over when to activate privacy measures in specific markets.

State legislatures continue drafting and enacting comprehensive consumer privacy legislation. The pattern established by California's CCPA and CPRA has influenced privacy law structure across multiple states, creating some commonality in consumer rights around data access, deletion, opt-out of sales and sharing, and limits on sensitive data processing. However, significant variations remain in definitions, scope, enforcement mechanisms, and technical requirements.

Publisher implementation requirements

Publishers must take several steps to ensure compliance with the expanded state coverage. For those with existing US state regulations messages, editing the message in Privacy & messaging to adjust targeting settings represents the primary action item. The Geography selector's "select all" option for "All current and future supported US States" provides the most comprehensive coverage with minimal ongoing maintenance.

Publishers creating new US state regulations messages benefit from the default configuration that selects all available states and enables automatic targeting. This default approach reflects Google's recommendation that publishers implement broad geographic coverage rather than selective activation by state.

The responsibility for message content remains with publishers. Google's documentation explicitly states that publishers must ensure their messages meet legal requirements. This includes accurate representation of data practices, clear explanation of opt-out choices, and proper implementation of user preference collection and storage mechanisms.

Publishers should coordinate privacy message implementation with their broader privacy program. Website privacy policies must accurately describe data collection and sharing practices, consent mechanisms must function correctly across all user interfaces, and internal data processing systems must honor user opt-out choices throughout the advertising technology stack.

Legal counsel should review privacy message content, particularly for publishers operating in multiple states with varying legal definitions and requirements. What constitutes a "sale" of personal information under California law may differ from how other states define the term, creating challenges in crafting single messages that accurately describe practices across all jurisdictions.

Technical integration with advertising partners

Publishers must work with advertising partners to understand how they respect GPP signals, according to Google's documentation. This requirement extends beyond Google's own platforms to encompass the full range of demand sources, supply-side platforms, and advertising technology vendors in the publisher's monetization stack.

Not all advertising technology vendors support GPP, and among those that do, implementation quality and signal handling may vary. Publishers should verify that their key advertising partners can receive and properly process GPP signals indicating user opt-out preferences for targeted advertising, data sales, and data sharing.

The complexity increases for publishers using header bidding or other advanced programmatic techniques that involve multiple demand sources. Each demand partner may have different capabilities for processing privacy signals, potentially creating scenarios where some partners honor user preferences while others do not due to technical limitations rather than intentional non-compliance.

Publishers should document their advertising technology vendor ecosystem, verify privacy signal support capabilities with each vendor, monitor compliance through available reporting and audit mechanisms, and maintain fallback procedures for situations where privacy signals are not properly transmitted or honored.

The revenue implications of privacy signal transmission deserve careful attention. Publishers should analyze how opt-out rates correlate with revenue performance across different geographic markets, demand sources, and ad formats. This data informs decisions about optimal privacy configuration, vendor selection, and inventory management strategies.

Future developments and ongoing adaptation

The automatic targeting feature for "All current and future supported US States" signals Google's expectation that additional states will enact privacy legislation requiring similar compliance measures. Several states have proposed comprehensive privacy legislation that has not yet been enacted, while others are in various stages of the legislative process.

Publishers opting into automatic targeting should monitor Google's announcements for information about newly supported states and the characteristics of those state privacy laws. While the automatic feature eliminates manual targeting updates, publishers still need awareness of which states are covered and what requirements apply.

The digital advertising industry's adaptation to privacy regulation continues across multiple dimensions. Technical frameworks evolve to support new requirements, enforcement actions establish boundaries around acceptable practices, consumer awareness of privacy rights increases, and business models adjust to accommodate reduced data availability and targeting precision.

Publishers should maintain flexibility in their privacy compliance approach. What works today may require adjustment as regulations change, enforcement priorities shift, technical capabilities advance, or consumer expectations evolve. The automatic targeting feature provides operational efficiency but should not eliminate ongoing review of privacy practices and message effectiveness.

Summary

Who: Google AdSense platform implementing privacy compliance messaging affecting publishers with audiences in Indiana, Kentucky, and Rhode Island, along with users in these states who will gain rights to opt out of targeted advertising and data sharing under new privacy legislation. The update also impacts consent management platform providers and advertising technology vendors who must properly process privacy signals.

What: Implementation of US state regulations messages supporting compliance with three state privacy laws taking effect January 1, 2026. Google introduced automatic targeting functionality allowing publishers to opt into privacy messaging for "All current and future supported US States," eliminating manual updates as additional states are added to the framework. The system uses the IAB Global Privacy Platform to store and transmit user opt-out choices across the advertising technology ecosystem.

When: Announced December 11, 2025, with state privacy laws taking effect January 1, 2026. Publishers with existing US state regulations messages must manually edit targeting to include the three new states, while new messages will have all states selected by default. The automatic targeting feature activates immediately for publishers who enable it.

Where: Indiana, Kentucky, and Rhode Island join 22 other states with enforceable comprehensive privacy legislation as of early 2025. The expansion affects publishers operating advertising inventory reaching users in these jurisdictions. Google's privacy framework now covers 25 states through the US state regulations messaging system, with the IAB Tech Lab's Global Privacy Platform supporting standardized signal transmission across these markets.

Why: State privacy legislation mandates consumer rights including the ability to opt out of targeted advertising, data sales, and sharing of personal information. Indiana's Consumer Data Protection Law, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Act all create legal requirements for businesses to provide clear mechanisms for users to exercise these rights. Publishers face potential enforcement actions and penalties for non-compliance, as demonstrated by California's $1.55 million settlement with Healthline in July 2025. The automatic targeting feature addresses operational complexity as the number of states with privacy laws continues expanding.