What states require cookie consent? 20 active laws in 2026
Knowing which states require cookie consent is essential for businesses navigating the complex landscape of regional data protections. Failure to address these evolving requirements creates significant legal exposure and financial liability. Understanding these standards helps organizations avoid the risks of non-compliance.
Which US States Have Active Cookie Consent and Privacy Laws in 2026?
As of 2026, there is still no single federal law in the United States governing cookie consent, but the landscape has shifted dramatically at the state level. Over 18 states with comprehensive privacy laws have now implemented requirements that websites provide clear notice about data collection and offer users the ability to opt out of tracking - particularly when cookies are used for targeted advertising or data sales. While California remains the most stringent, many other states have joined the ranks with their own unique requirements.
In my experience helping small businesses navigate these rules, the biggest hurdle isn't just knowing the names of the states, but understanding if your business actually triggers the legal requirements. I remember spending a frantic weekend in 2024 trying to figure out if a client's e-commerce shop needed a specialized banner just because they had ten customers in Virginia. It turned out we were overthinking the revenue threshold, but the anxiety was real. Most of these laws only apply to businesses that reach specific sizes or handle large volumes of data. However, the list of states is growing fast.
A List of States with Active Privacy Requirements
The following states currently have active comprehensive privacy laws that impact how you use cookies and trackers:
- California (CCPA/CPRA): The pioneer. Requires a 'Do Not Sell or Share My Personal Information' link and strict disclosure of all tracking technologies.
- Virginia (VCDPA): Focuses heavily on the right to opt out of targeted advertising and profiling.
- Colorado (CPA): Notable for requiring websites to honor Universal Opt-Out Mechanisms (like Global Privacy Control) by 2024.
- Connecticut (CTDPA): Similar to Virginia but with stricter protections for children's data and sensitive information.
- Utah (UCPA): Generally seen as more business-friendly but still mandates clear notices and opt-out rights.
- Texas (TDPSA) & Oregon (OCPA): Both laws went into full effect recently, with Texas applying to almost any business that isn't a small business as defined by the SBA.
- Montana, Delaware, and Iowa: These states have implemented tiered rollouts throughout 2024 and 2025.
Opt-In vs. Opt-Out: The Critical Difference in US Compliance
One of the most frequent points of confusion for website owners is why US cookie banners look so different from European ones. When comparing opt-out and opt-in cookie consent models, the standard in America is almost entirely opt-out. This means you can often fire non-sensitive cookies immediately, provided you have a clear notice and a way for the user to say 'Stop'. It sounds simpler. But it's actually a bit of a trap.
While the US leans toward opt-out, the adoption of privacy-enhancing technologies has skyrocketed. Many users now prefer using automated tools to manage their privacy rather than clicking through individual banners. [1]
This is why many state laws now mandate that your website must automatically recognize signals like Global Privacy Control (GPC). If a user has a 'do not track' setting enabled in their browser, and your site ignores it, you are likely in violation in states like California and Colorado. I've seen developers spend weeks building custom banners only to realize they forgot to wire up the GPC listener - a mistake that makes the whole banner legally insufficient.
Thresholds: Does Your Website Actually Need to Comply?
Not every blog or local bakery needs a complex cookie management system. Most state laws are designed to target larger data brokers or high-revenue companies. However, the thresholds are becoming more inclusive. Determining exactly what states require cookie consent for your operations is key; for instance, in many states, if you process the personal data of at least 100,000 consumers, the law applies regardless of your revenue. In California, the threshold is often met if you derive 50% or more of your annual revenue from selling or sharing personal information.
Typical compliance thresholds for state privacy laws across most states involve either a gross revenue of $25 million or the processing of 25,000 to 100,000 individual records. If you are a small business only collecting basic analytics, you might be exempt. But wait - there is a catch. If you use third-party cookies for retargeting ads (like Meta or Google Ads), many states classify this as 'sharing' or 'selling' data. This triggers the requirement for an opt-out mechanism even if you never see a dime of data sale money. It's a nuance that catches many off guard.
Handling Sensitive Data and Minors' Privacy
There is one major exception to the US opt-out rule: sensitive data. Almost all modern state privacy laws - including those in Connecticut and Oregon - require opt-in consent before you can process sensitive information. Understanding cookie consent requirements by state is crucial here. Sensitive information includes precise geolocation, health data, or race and ethnicity. If your cookies are used to track a user's exact location within a 1,750-foot radius, you can't just provide an opt-out link; you need a proactive 'Yes' from the user.
The rules for children are even tighter. Under many state frameworks, if you have actual knowledge that a user is between the ages of 13 and 16, you must obtain their affirmative consent before selling or sharing their data.
For children under 13, the federal COPPA rules still apply, requiring parental consent. I once worked on a project where we inadvertently tracked the location of users for a local event app. We didn't realize that by capturing that data, we had crossed into the sensitive category. We had to scrap the entire database and start over because we hadn't asked for permission first. It was a painful, expensive lesson in checking your data definitions early.
US State Privacy Law Threshold Comparison
Understanding whether these laws apply to your business depends on specific triggers. While they vary, most follow a similar pattern based on revenue or data volume.
California (CCPA/CPRA)
- Buys, sells, or shares data of 100,000 or more households or residents
- Includes a private right of action for data breaches
- Applies if gross annual revenue exceeds $25 million
Virginia (VCDPA)
- Processes data of 100,000 consumers or 25,000 if 50% revenue is from data sales [3]
- Mandatory Data Protection Assessments for high-risk processing
- No specific revenue floor if data volume is met
Texas (TDPSA)
- Broadest application; essentially covers most mid-to-large entities in the state
- Specific 'Selling of Personal Data' notice required if applicable
- Applies to any business that is not a 'small business' under SBA rules
For most mid-sized businesses, the 100,000 consumer threshold is the most common trigger. Texas is the notable outlier, using the SBA's small business definition rather than a flat revenue or data count, making it one of the most broadly applicable laws in the country.
The Geo-Fencing Struggle: A Retailer's Lesson
Minh, owner of a growing outdoor gear brand in Austin, Texas, wanted to personalize his website for customers in different states. He implemented a new analytics tool in late 2025 to track user behavior and offer local discounts, assuming his business was too small for 'big' privacy laws.
First attempt: He launched the tool without a banner, thinking Texas laws were only for tech giants. Within two months, he received a notice regarding his use of targeted advertising cookies without an opt-out option. He panicked, thinking he would face an immediate six-figure fine.
He realized that under the TDPSA, even smaller entities must provide notice if they 'share' data with third-party ad networks. He spent a week manually trying to code a 'Do Not Sell' link but realized it didn't actually stop the cookies from firing.
The breakthrough came when he switched to a dedicated consent manager that auto-blocked scripts until the signal was honored. By early 2026, Minh had zero compliance warnings and actually saw a 12% increase in customer trust scores on his annual survey.
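The two technical points above, recognizing the GPC signal and making an opt-out actually stop tags from loading, can be expressed as one gate that every tag passes through before injection. This is an added example, not code from the article or from any consent product; the tag names, categories and the `state` fields are hypothetical, and treating first-party analytics as outside 'sale or share' is an assumption. GPC itself is sent as the `Sec-GPC: 1` request header and exposed to scripts as `navigator.globalPrivacyControl`.

```javascript
// Hypothetical tag inventory; categories follow the article's distinctions.
const TAGS = [
  { name: "session", category: "necessary" },
  { name: "site-analytics", category: "analytics" },
  { name: "ad-retargeting-pixel", category: "targeted_ads" },
  { name: "store-locator-precise-geo", category: "sensitive" },
];

// Read the opt-out signal from either side of the connection:
// the Sec-GPC request header (server) or navigator.globalPrivacyControl (browser).
function gpcEnabled({ headers = {}, navigatorObj = {} } = {}) {
  const header = Object.entries(headers)
    .find(([key]) => key.toLowerCase() === "sec-gpc");
  const viaHeader = header !== undefined && String(header[1]).trim() === "1";
  return viaHeader || navigatorObj.globalPrivacyControl === true;
}

// Return the names of the tags that may be injected for this visitor.
// state.optedOut       : stored 'Do Not Sell or Share' choice (hypothetical field)
// state.sensitiveOptIn : explicit 'Yes' for sensitive data (hypothetical field)
function allowedTags(signals, state = {}, tags = TAGS) {
  const optedOut = gpcEnabled(signals) || state.optedOut === true;
  return tags.filter((tag) => {
    switch (tag.category) {
      case "necessary": return true;
      case "analytics": return true;           // opt-out model: on by default with notice
      case "targeted_ads": return !optedOut;   // blocked once GPC or the link opts out
      case "sensitive": return state.sensitiveOptIn === true; // opt-in only
      default: return false;                   // unknown category: fail closed
    }
  }).map((tag) => tag.name);
}

// Constructed sample visitor: a browser sending GPC, no stored choices.
const sampleVisitor = { headers: { "Sec-GPC": "1" } };
console.log(allowedTags(sampleVisitor));
```

The tag loader should inject only the names this function returns; recording the opt-out without gating injection is the failure described in the story above, where the link existed but the cookies still fired.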
Further Reading Guide
Does my small business need a cookie banner?
It depends on your revenue and how many people's data you handle. In states like Texas, most businesses that aren't officially classified as 'small' by the SBA need a banner if they use cookies for targeted ads. If you only use basic, necessary cookies for your site to function, you likely won't need a complex banner.
Can I just use one banner for all US states?
Yes, many businesses use a single 'multi-state' banner that satisfies the strictest requirements (usually California's). This involves having a clear link to a privacy policy, a 'Do Not Sell or Share' option, and a way for users to manage their preferences easily.
What happens if I don't comply with state cookie laws?
Fines can be steep, often ranging from $2,500 to $7,500 per violation. In states like California, this can add up quickly if the violation affects thousands of users. Most states provide a 'cure period' where you have 30 days to fix the issue before the fine is finalized.
Most Important Things
US uses an Opt-Out model
Unlike the EU, most US states allow cookies to fire by default as long as you provide a clear and easy way for users to opt out later.
Targeted ads trigger compliance
Using cookies for Google or Meta ads is often legally defined as 'selling' or 'sharing' data, which requires an opt-out link in nearly all regulated states.
Watch for the 100,000 threshold
Regardless of revenue, processing data for 100,000 or more residents in a single state almost always brings you under that state's privacy jurisdiction.
This article offers general legal information, not legal advice for your specific situation. Privacy laws are evolving rapidly at the state level. Consult a licensed attorney or a certified privacy professional for guidance on your particular business circumstances before taking action.