US State Privacy Laws — A Growing Patchwork
A quick overview of the US state privacy laws that matter for cookie consent and website compliance.
The United States has no federal privacy law. Instead, individual states are passing their own. As of 2025, more than a dozen states have comprehensive privacy laws on the books, and more are coming every year.
Here’s what you actually need to know.
The big four (that set the pattern)
California: CCPA / CPRA
The first, the biggest, and still the most important. Applies to for-profit businesses meeting at least one threshold (100K consumers, $26.6M revenue, or 50% revenue from data sales). Opt-out model for adults. Strongest consumer rights in the US. Enforced by the CPPA. See the full CCPA guide for the details, including the Global Privacy Control signal requirement.
Virginia: VCDPA
Effective January 2023. Applies to businesses processing data of 100K+ consumers (or 25K+ if deriving 50%+ revenue from data sales). Similar to CCPA but narrower. Enforced by the Attorney General only, with no private right of action. The VCDPA guide walks through the obligations.
Colorado: CPA
Effective July 2023. Opt-out model with consumer rights similar to CCPA. Applies to businesses processing data of 100K+ consumers, or deriving revenue from selling the data of 25K+ consumers. Requires data protection assessments.
Connecticut: CTDPA
Effective July 2023. Similar thresholds to Colorado. Includes protections for children’s data (under 16) and requires data protection assessments. Enforced by the AG.
The second wave (newer states)
| State | Law | Effective |
|---|---|---|
| Utah | UCPA | December 2023 |
| Texas | TDPSA | July 2024 |
| Oregon | OCPA | July 2024 |
| Tennessee | TIPA | July 2025 |
| Montana | MCDPA | October 2024 |
| Iowa | ICDPA | January 2025 |
| Delaware | DPDPA | January 2025 |
| New Jersey | NJDPA | January 2025 |
| New Hampshire | NHDPA | January 2025 |
| Kentucky | KCDPA | January 2026 |
| Maryland | MODPA | October 2025 |
| Nebraska | NDPA | January 2025 |
| Minnesota | MCDPA | July 2025 |
| Indiana | ICDPA | January 2026 |
| Rhode Island | RIDPA | January 2026 |
Trends: thresholds are dropping and enforcement is getting real.
Common threads
Across all these state laws, you’ll find:
- Consumer rights to access, delete, correct, and opt out of data sales
- “Personal data” definitions that include cookies, IP addresses, and device identifiers
- Opt-out models (not opt-in), except for sensitive data, which requires explicit consent
- No private right of action in most states (California and a few others excepted)
- Attorney General enforcement as the primary mechanism
What this means for your website
If you have US visitors, you are subject to some combination of these laws. The most practical approach:
- Default to the highest standard. GDPR-style consent covers all US state laws and then some.
- Offer clear opt-outs. Even where consent isn’t required, a visible “Do Not Sell or Share” mechanism keeps you compliant everywhere.
- Geo-target your consent experience. Serve opt-in banners in the EU, opt-out in the US, and notification-only where appropriate.
- Document everything. Every state law wants records. Keep them.
How Zest handles it
Zest geo-detects your visitors and serves the right consent experience for each jurisdiction. CCPA opt-out mode for California. GDPR consent mode for the EU. Hybrid mode for states in between. One script configures it all.