Skip to main content

US Opt-Out — CCPA/CPRA, done right

How Passiro handles US state privacy laws — automatically, and free on every plan

More than 19 US states now have comprehensive privacy laws — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Texas, Oregon, Montana, and more. Unlike the EU, none of them require an opt-in cookie wall. They follow an opt-out model: you may process data, but visitors must be able to say "Do Not Sell or Share My Personal Information" — and automated signals like Global Privacy Control must be respected.

The law follows your visitor — not your address

A common misconception is that a shop in California only needs to follow California law, and a shop in Texas only Texas law. US state privacy laws work the other way around: they protect residents of that state, wherever the business is located. A Texas store with enough California customers owes those visitors CCPA rights. A California store's Florida visitors are covered by Florida's law — not California's.

That is why Passiro decides per visitor: the visitor's region is detected at the network edge, and the correct notice is shown automatically. Whether each law applies to your business at all depends on thresholds (revenue, number of state residents, share of revenue from data sales) — that part is a question for your counsel. The safe, industry-standard default is simpler: give every US visitor the opt-out.

How it works

  1. One tag. You add the same single Passiro script tag used for your EU banner — nothing US-specific to install.
  2. Edge geo-detection. The visitor's country (and US state) is detected on Cloudflare's edge network — no IP lookups on your servers, no latency added.
  3. The right banner. US visitors see a notice with a "Do Not Sell or Share My Personal Information" choice. No consent wall, and no scripts are blocked before the choice — exactly the model US laws expect. EU visitors still get your GDPR opt-in banner.
  4. Signals & records. Every choice is broadcast to the ad ecosystem in the formats vendors read, and stored in your consent records with the banner, regime, and signals that applied.

The signals Passiro emits

Global Privacy Control (GPC)

If a visitor's browser sends the GPC signal, Passiro treats it as an automatic opt-out — no banner interaction needed — and records it. Honoring GPC is legally mandatory in California, Colorado, Connecticut, Texas, and a growing list of states; Passiro honors it for all US visitors.

IAB GPP — US National v2

Passiro emits IAB Global Privacy Platform strings (US National v2 section) via the standard __gpp JavaScript API and __gppLocator frame — the format Google and modern ad platforms read, verified byte-for-byte against IAB's reference implementation.

Legacy US Privacy signals

For vendors still on the older IAB US Privacy framework, Passiro also provides the __uspapi API and usprivacy cookie — so every generation of ad tech gets a signal it understands.

What differs between states — and what Passiro covers

The state laws share the same opt-out core. The practical differences, and how they are handled:

Difference States Handled by Passiro
GPC must be honored CA, CO, CT, TX, MT, OR, DE, NJ + more Yes — honored for all US visitors
"Do Not Sell or Share" wording California (CPRA); others require an opt-out mechanism Yes — the notice satisfies both
Signal format ad platforms accept GPP US National + CA/CO/CT/FL/VA sections (Google) Yes — US National v2, Google's recommended path
Opt-in required for sensitive data VA, CO, CT and others Notice covered; what you collect is a data-layer decision on your side
Scope limited to very large companies Florida ($1B+ revenue) Covered conservatively by the US-wide notice

One US banner — or one per state

The recommended default is a single US-wide opt-out banner: you cannot fail compliance by granting rights, and the IAB designed the GPP US National section for exactly this. Pick the "United States" region (or the US compliance profile) in the banner designer and you are done.

Prefer finer control? Target individual states (e.g. US-CA, US-CO) with their own banners — state targeting beats country targeting automatically. Geo-targeting, multiple banners, and the US opt-out regime are free on every plan, including the free one.

Works alongside your EU banner

US opt-out and EU GDPR are different regimes, and Passiro keeps them strictly separate: EU visitors get the opt-in banner (optionally with IAB TCF v2.3 and Google Consent Mode v2), US visitors get the opt-out notice — from the same tag, with the right texts in 25 languages.

Set up your US banner — free

This page explains how Passiro works and is not legal advice. Whether specific state laws apply to your business depends on statutory thresholds — consult your counsel.