
US State Privacy Laws — A Growing Patchwork

A quick overview of the US state privacy laws that matter for cookie consent and website compliance.

The United States has no federal privacy law. Instead, individual states are passing their own. As of 2025, more than a dozen states have comprehensive privacy laws on the books, and more are coming every year.

Here’s what you actually need to know.

The big four (that set the pattern)

California: CCPA / CPRA

The first, the biggest, and still the most important. Applies to for-profit businesses meeting at least one threshold (100K consumers, $26.6M revenue, or 50% revenue from data sales). Opt-out model for adults. Strongest consumer rights in the US. Enforced by the CPPA. See the full CCPA guide for the details, including the Global Privacy Control signal requirement.

Virginia: VCDPA

Effective January 2023. Applies to businesses processing data of 100K+ consumers (or 25K+ if deriving 50%+ revenue from data sales). Similar to CCPA but narrower. Enforced by the Attorney General only, with no private right of action. The VCDPA guide walks through the obligations.

Colorado: CPA

Effective July 2023. Opt-out model with consumer rights similar to CCPA. Applies to businesses processing data of 100K+ consumers or deriving revenue from data sales of 25K+ consumers. Requires data protection assessments.

Connecticut: CTDPA

Effective July 2023. Similar thresholds to Colorado. Includes protections for children’s data (under 16) and requires data protection assessments. Enforced by the AG.

The second wave (newer states)

| State | Law | Effective |
|---|---|---|
| Utah | UCPA | December 2023 |
| Texas | TDPSA | July 2024 |
| Oregon | OCPA | July 2024 |
| Tennessee | TIPA | July 2025 |
| Montana | MCDPA | October 2024 |
| Iowa | ICDPA | January 2025 |
| Delaware | DPDPA | January 2025 |
| New Jersey | NJDPA | January 2025 |
| New Hampshire | NHDPA | January 2025 |
| Kentucky | KCDPA | January 2026 |
| Maryland | MODPA | October 2025 |
| Nebraska | NDPA | January 2025 |
| Minnesota | MCDPA | July 2025 |
| Indiana | ICDPA | January 2026 |
| Rhode Island | RIDPA | January 2026 |

Trends: thresholds are dropping and enforcement is getting real.

Common threads

Across all these state laws, you’ll find:

  • Consumer rights to access, delete, correct, and opt out of data sales
  • “Personal data” definitions that include cookies, IP addresses, and device identifiers
  • Opt-out models (not opt-in), except for sensitive data, which requires explicit consent
  • No private right of action in most states (California and a few others excepted)
  • Attorney General enforcement as the primary mechanism

What this means for your website

If you have US visitors, you are subject to some combination of these laws. The most practical approach:

  1. Default to the highest standard. GDPR-style consent covers all US state laws and then some.
  2. Offer clear opt-outs. Even where consent isn’t required, a visible “Do Not Sell or Share” mechanism keeps you compliant everywhere.
  3. Geo-target your consent experience. Serve opt-in banners in the EU, opt-out in the US, and notification-only where appropriate.
  4. Document everything. Every state law wants records. Keep them.

How Zest handles it

Zest geo-detects your visitors and serves the right consent experience for each jurisdiction. CCPA opt-out mode for California. GDPR consent mode for the EU. Hybrid mode for states in between. One script configures it all.

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.