US Cookie Laws: State-by-State Guide (2026)
The United States has no federal law governing cookies or requiring cookie consent. Instead, a growing number of states have enacted comprehensive privacy laws that regulate the collection, use, and sharing of personal information through cookies and tracking technologies. These laws do not require the EU-style opt-in consent banners seen across European websites. Instead, they give consumers the right to opt out of certain data practices, including targeted advertising and the sale of personal information.
As of March 2026, twenty states have enacted comprehensive privacy laws, with most taking effect between 2023 and 2026. This guide covers each state's requirements as they relate to cookies and online tracking, the key distinctions between their approaches, and practical compliance guidance for businesses operating across multiple states.
How US State Privacy Laws Affect Cookies
US state privacy laws do not directly regulate cookies as a technology. Instead, they regulate the personal information that cookies collect and how that information is used, sold, or shared. The connection to cookies comes through three main activities:
Targeted advertising. When a website uses advertising cookies to build a profile of a visitor and serve personalized ads, most state privacy laws require that the consumer be able to opt out of this practice.
Sale of personal information. When cookie data (browsing history, device identifiers, geolocation) is transferred to third parties in exchange for money or other valuable consideration, state laws classify this as a "sale" that consumers can refuse.
Sharing for cross-context behavioral advertising. California's CPRA introduced this concept, covering the transfer of personal information to third parties for advertising purposes even when no money changes hands. This captures most advertising cookie arrangements.
State-by-State Requirements
California: CCPA/CPRA
California's Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive US state privacy law. It took effect January 1, 2020, with the CPRA amendments effective January 1, 2023.
Cookie-related requirements:
- Businesses must display a "Do Not Sell or Share My Personal Information" link on their homepage
- Must display a "Limit the Use of My Sensitive Personal Information" link if applicable
- Must honor the Global Privacy Control (GPC) browser signal as a valid opt-out
- Must provide a privacy policy that discloses categories of personal information collected, sold, and shared
- Opt-in consent required before selling personal information of consumers under 16
Applies to: Businesses with gross annual revenue over $25 million, or that buy/sell/share the personal information of 100,000+ California residents, or that derive 50%+ of annual revenue from selling/sharing California residents' personal information.
Enforcement: California Privacy Protection Agency (CPPA) and the California Attorney General. Penalties: $2,500 per unintentional violation, $7,500 per intentional violation. The AG has specifically pursued enforcement against businesses failing to honor GPC.
Colorado: Colorado Privacy Act (CPA)
Colorado's Privacy Act (CPA) took effect July 1, 2023.
Cookie-related requirements:
- Consumers can opt out of targeted advertising and the sale of personal data
- Must honor universal opt-out mechanisms (including GPC) as of July 1, 2024
- Must conduct data protection assessments for targeted advertising activities
- Must provide clear opt-out mechanisms "in a manner that is clearly conspicuous"
Applies to: Businesses that control or process personal data of 100,000+ Colorado residents annually, or 25,000+ residents while deriving revenue from selling personal data.
Enforcement: Colorado Attorney General. The AG issued technical specifications for universal opt-out mechanisms in 2024.
Connecticut: Connecticut Data Privacy Act (CTDPA)
Connecticut's Data Privacy Act took effect July 1, 2023.
Cookie-related requirements:
- Opt-out rights for targeted advertising, sale of personal data, and profiling
- Must honor universal opt-out mechanisms (including GPC) as of January 1, 2025
- Must provide a "clear and conspicuous" link for opt-out mechanisms
- Data protection assessments required for targeted advertising
Applies to: Businesses that control or process personal data of 100,000+ Connecticut residents, or 25,000+ while deriving over 25% of gross revenue from personal data sales.
Enforcement: Connecticut Attorney General.
Virginia: Virginia Consumer Data Protection Act (VCDPA)
Virginia's Consumer Data Protection Act (VCDPA) took effect January 1, 2023.
Cookie-related requirements:
- Consumers can opt out of targeted advertising and the sale of personal data
- Must provide a "reasonably accessible, clear, and meaningful" opt-out mechanism
- Does NOT require recognition of universal opt-out mechanisms like GPC
- Data protection assessments required for targeted advertising activities
Applies to: Businesses that control or process personal data of 100,000+ Virginia residents, or 25,000+ while deriving over 50% of gross revenue from personal data sales.
Enforcement: Virginia Attorney General exclusively. No private right of action.
Texas: Texas Data Privacy and Security Act (TDPSA)
Texas's Data Privacy and Security Act took effect July 1, 2024.
Cookie-related requirements:
- Opt-out rights for targeted advertising, sale of personal data, and profiling
- Must honor universal opt-out mechanisms beginning January 1, 2025
- Must provide "one or more secure and reliable means" for consumers to submit opt-out requests
- Small business exception does NOT apply to the sale of sensitive personal data
Applies to: Businesses that conduct business in Texas or produce products/services consumed by Texas residents AND process or sell personal data (but are NOT small businesses as defined by the SBA, unless selling sensitive data).
Enforcement: Texas Attorney General. Civil penalties up to $25,000 per violation.
Oregon: Oregon Consumer Privacy Act (OCPA)
Oregon's Consumer Privacy Act took effect July 1, 2024.
Cookie-related requirements:
- Opt-out rights for targeted advertising, sale of personal data, and profiling
- Must honor universal opt-out mechanisms (including GPC) as of January 1, 2025
- Nonprofit organizations are included (unlike most other state laws)
- Must provide a "clear and conspicuous" method for exercising opt-out rights
Applies to: Businesses that control or process personal data of 100,000+ Oregon residents, or 25,000+ while deriving 25%+ of gross revenue from selling personal data.
Enforcement: Oregon Attorney General.
Montana: Montana Consumer Data Privacy Act (MCDPA)
Montana's privacy law took effect October 1, 2024.
Cookie-related requirements:
- Opt-out rights for targeted advertising and sale of personal data
- Must honor universal opt-out mechanisms as of January 1, 2025
- Low applicability thresholds given Montana's small population
Applies to: Businesses that control or process personal data of 50,000+ Montana residents (excluding payment transaction data), or any number of residents while deriving 25%+ of gross revenue from data sales.
Enforcement: Montana Attorney General.
Additional States with Cookie-Related Privacy Laws
Several additional states have enacted privacy laws taking effect in 2025 and 2026.
Delaware (effective January 1, 2025): Applies to businesses processing data of 35,000+ residents (or 10,000+ while selling data). Requires recognition of universal opt-out mechanisms.
New Hampshire (effective January 1, 2025): Applies to businesses processing data of 35,000+ residents. Requires recognition of universal opt-out mechanisms.
New Jersey (effective January 15, 2025): Applies to businesses processing data of 100,000+ residents (or 25,000+ while selling data). Requires recognition of universal opt-out mechanisms.
Nebraska (effective January 1, 2025): Applies broadly to businesses processing personal data, with no minimum threshold. Requires recognition of universal opt-out mechanisms.
Iowa (effective January 1, 2025): Applies to businesses processing data of 100,000+ residents. Does NOT require universal opt-out recognition.
Tennessee (effective July 1, 2025): Applies to businesses with $25 million+ revenue processing data of 175,000+ residents. Does NOT require universal opt-out recognition.
Indiana (effective January 1, 2026): Applies to businesses processing data of 100,000+ residents. Does NOT require universal opt-out recognition.
Kentucky (effective January 1, 2026): Applies to businesses processing data of 100,000+ residents. Universal opt-out recognition to be determined by regulations.
Maryland (effective October 1, 2025): Notably stronger than most states. Minimization principle requires that data collection be limited to what is "reasonably necessary." Restricts targeted advertising to minors entirely.
Minnesota (effective July 31, 2025): Includes targeted advertising opt-out rights. Requires data protection assessments.
State-by-State Comparison Table
| State | Effective | GPC/Universal Opt-Out Required | Sale Opt-Out | Targeted Ad Opt-Out | Threshold |
|---|---|---|---|---|---|
| California | Jan 2020 / Jan 2023 | Yes | Yes | Yes | $25M rev or 100K consumers |
| Virginia | Jan 2023 | No | Yes | Yes | 100K residents |
| Colorado | Jul 2023 | Yes (Jul 2024) | Yes | Yes | 100K residents |
| Connecticut | Jul 2023 | Yes (Jan 2025) | Yes | Yes | 100K residents |
| Utah | Dec 2023 | No | Yes | Yes | $25M rev + 100K residents |
| Texas | Jul 2024 | Yes (Jan 2025) | Yes | Yes | Non-SBA small business |
| Oregon | Jul 2024 | Yes (Jan 2025) | Yes | Yes | 100K residents |
| Montana | Oct 2024 | Yes (Jan 2025) | Yes | Yes | 50K residents |
| Delaware | Jan 2025 | Yes | Yes | Yes | 35K residents |
| New Hampshire | Jan 2025 | Yes | Yes | Yes | 35K residents |
| New Jersey | Jan 2025 | Yes | Yes | Yes | 100K residents |
| Nebraska | Jan 2025 | Yes | Yes | Yes | No threshold |
| Iowa | Jan 2025 | No | Yes | Yes | 100K residents |
| Maryland | Oct 2025 | TBD | Yes | Yes | 35K residents |
| Minnesota | Jul 2025 | TBD | Yes | Yes | 100K residents |
| Tennessee | Jul 2025 | No | Yes | Yes | 175K residents |
| Indiana | Jan 2026 | No | Yes | Yes | 100K residents |
| Kentucky | Jan 2026 | TBD | Yes | Yes | 100K residents |
Universal Opt-Out Mechanisms and GPC
The Global Privacy Control (GPC) is a browser-level signal specified at globalprivacycontrol.org. When enabled, GPC sends a technical signal (the Sec-GPC: 1 HTTP header) with every web request, communicating the user's preference to opt out of the sale or sharing of their personal information.
Which States Require GPC Recognition?
As of March 2026, nine states explicitly require businesses to honor universal opt-out mechanisms: California, Colorado, Connecticut, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, and Nebraska. Additional states (Maryland, Minnesota, Kentucky) have provisions for universal opt-out that will be clarified through rulemaking.
How GPC Works Technically
When a user enables GPC in their browser (built into Firefox, Brave, and DuckDuckGo; available as an extension for Chrome and other browsers), the browser sends a Sec-GPC: 1 header with every HTTP request and sets navigator.globalPrivacyControl = true in the JavaScript environment.
Websites must detect this signal and suppress data practices covered by the applicable state laws (sale, sharing, targeted advertising) without requiring any additional action from the user. The opt-out should be applied automatically, without displaying a banner asking the user to confirm.
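One way to implement the detection described above, as an added example (not code from this guide or from the GPC specification): a framework-neutral JavaScript helper that reads the Sec-GPC request header or navigator.globalPrivacyControl and decides which cookie categories may load. The function names and category names are hypothetical, and treating analytics as first-party (not a sale or sharing) is an assumption.

```javascript
// Added example: function and category names are hypothetical.
// Categories of tags/cookies a consent layer might gate.
const CATEGORIES = ['essential', 'analytics', 'targeted_ads', 'third_party_sharing'];

// Practices to suppress when an opt-out applies (sale, sharing, targeted
// advertising). Assumption: analytics here is first-party and not a sale.
const OPT_OUT_SUPPRESSES = new Set(['targeted_ads', 'third_party_sharing']);

// Server side: true only when the request carries Sec-GPC: 1.
// Header names are case-insensitive; Node lowercases them, raw maps may not.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const values = Array.isArray(value) ? value : [value];
    // Any value other than "1" is treated as "no signal".
    return values.some((v) => String(v).trim() === '1');
  }
  return false;
}

// Client side: pass `navigator` when running in the browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Combine the signal with a stored opt-out (for example, one recorded from a
// "Do Not Sell or Share" link). The opt-out is applied automatically, with no
// confirmation prompt in the path.
function allowedCategories({ headers, nav, storedOptOut = false }) {
  const optedOut = storedOptOut || gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const allowed = CATEGORIES.filter((c) => !(optedOut && OPT_OUT_SUPPRESSES.has(c)));
  return { optedOut, allowed };
}

// Constructed sample requests.
const withGpc = { 'Sec-GPC': '1', 'user-agent': 'constructed' };
const withoutGpc = { 'user-agent': 'constructed' };
console.log(allowedCategories({ headers: withGpc }));
console.log(allowedCategories({ headers: withoutGpc }));
```

Running the check on the server as well as in the browser keeps third-party tags out of the initial HTML response instead of relying on client-side script to block them after load.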
GPC vs. Do Not Track (DNT)
GPC differs from the older Do Not Track (DNT) signal in a critical way: GPC has legal backing. The CCPA/CPRA and other state laws require businesses to honor GPC. DNT was a voluntary standard with no legal enforcement mechanism, and the advertising industry broadly ignored it. The FTC has signaled support for GPC in enforcement actions, further establishing its legal weight.
Opt-In vs. Opt-Out: Understanding the US Approach
The fundamental difference between US and EU cookie law is the default setting. In the EU, tracking is off until the user turns it on (opt-in). In the US, tracking is on until the user turns it off (opt-out).
Why the US Uses Opt-Out
The US approach reflects a different legal philosophy. US privacy law traditionally treats personal information collection as permissible unless restricted, placing the burden on the consumer to object. The EU approach treats personal data as belonging to the individual, requiring justification for any collection.
Exceptions: When US Law Requires Opt-In
There are narrow exceptions to the US opt-out model:
- Children's data under COPPA: The federal Children's Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting personal information from children under 13
- California minors (13-15): The CCPA/CPRA requires opt-in consent before selling personal information of consumers between 13 and 15
- Sensitive data in some states: Maryland and other states with stronger laws may require opt-in for certain sensitive data categories
Practical Compliance for Multi-State Operations
Option 1: Universal Opt-Out (Recommended)
The simplest approach for businesses operating nationwide is to implement a single opt-out mechanism that honors requests from all visitors regardless of state. This avoids the complexity of geolocation and state-specific logic.
A universal approach includes:
- A "Do Not Sell or Share My Personal Information" link in the footer and privacy policy
- GPC auto-detection that suppresses targeted advertising and data sharing when the signal is present
- A privacy preference center where users can manage their data choices
- Automatic honoring of opt-out requests for targeted advertising, data sales, and data sharing
Option 2: State-Specific Geolocation
Organizations that want to maximize data collection in states without privacy laws can implement geolocation-based compliance. This approach uses IP geolocation to determine the visitor's state and displays opt-out mechanisms only where legally required.
The drawbacks of this approach include implementation complexity, risk of misidentification (VPNs, mobile users crossing state lines), and the reputational risk of appearing to respect privacy only where legally compelled.
Option 3: National Baseline + California Extras
A middle-ground approach provides basic opt-out mechanisms nationwide (satisfying most state laws) while adding California-specific elements (the "Do Not Sell or Share" and "Limit Sensitive Information" links, GPC recognition, and age-gating for minors) for California visitors.
Federal Privacy Legislation: Still Pending
As of March 2026, Congress has not passed a comprehensive federal privacy law. See our US state privacy laws comparison for the current landscape. The American Privacy Rights Act (APRA) advanced through committee in 2024 but did not receive a full vote. If a federal law is enacted, it could preempt the state-by-state patchwork and establish uniform national requirements for cookies and tracking technologies.
Until federal legislation passes, businesses must navigate the growing number of state laws independently.
This is general legal information, not legal advice. State privacy laws are evolving rapidly, with new laws taking effect and existing laws being amended through regulation. Consult a privacy attorney for advice specific to your business operations and the states where you operate.
Sources and References
- California CCPA/CPRA (oag.ca.gov)
- CPPA Regulations (cppa.ca.gov)
- Colorado Privacy Act (coag.gov)
- Connecticut Data Privacy Act (portal.ct.gov)
- Virginia VCDPA (law.lis.virginia.gov)
- Texas HB 4 (TDPSA) (capitol.texas.gov)
- Oregon Consumer Privacy Act (oregonlegislature.gov)
- Global Privacy Control (globalprivacycontrol.org)
- FTC COPPA Rule (ftc.gov)
- FTC Flo Health Enforcement (ftc.gov)