CCPA, CPRA & US Privacy Laws: Cookie Compliance Beyond Europe
The United States takes a fundamentally different approach to cookie privacy than Europe. There is no federal cookie law, no universal consent requirement, and no single data protection authority. Instead, a growing patchwork of state-level privacy laws creates an increasingly complex landscape for website operators. Understanding the US approach — and how it differs from the GDPR — is essential for any business with visitors from both sides of the Atlantic.
The US Privacy Landscape: An Overview
The most important distinction between US and EU cookie law is the regulatory model:
- EU model: Opt-in. You must obtain consent before setting non-essential cookies. The default is no tracking.
- US model: Opt-out. You may collect and share personal information by default, but you must give consumers the ability to opt out. The default is tracking, with an off switch.
This difference in philosophy is reflected in every aspect of cookie regulation. In the EU, a cookie banner asks for permission. In the US, a cookie banner (if present at all) typically informs users of their right to opt out.
As of early 2026, comprehensive state privacy laws have been enacted in at least 15 states, with more under active consideration. However, only a handful have specific implications for cookie compliance.
California: CCPA and CPRA
California is the most significant US state for privacy regulation. The California Consumer Privacy Act (CCPA), effective 1 January 2020, was the first comprehensive state privacy law. It was substantially amended by the California Privacy Rights Act (CPRA), which came into full effect on 1 January 2023, with enforcement by the California Privacy Protection Agency (CPPA) beginning 1 July 2023.
How Cookies Relate to the CCPA/CPRA
The CCPA/CPRA does not regulate cookies directly. Instead, it regulates the collection, sale, and sharing of personal information, which includes data collected through cookies. The key concepts are:
- "Personal information" under the CCPA/CPRA includes online identifiers, IP addresses, browsing history, and information about a consumer's interaction with a website — all of which are commonly collected through cookies.
- "Sale" is broadly defined as making personal information available to a third party for monetary or other valuable consideration. If third-party advertising cookies on your site share visitor data with ad networks, this may constitute a "sale" under the CCPA.
- "Sharing" (added by the CPRA) covers making personal information available to third parties for cross-context behavioral advertising, regardless of whether money changes hands. This explicitly brings advertising cookies into scope.
Key Requirements
- "Do Not Sell or Share My Personal Information" link: If your website sells or shares personal information (which includes most advertising cookie scenarios), you must provide a clearly labeled link on your homepage allowing consumers to opt out. This is the US equivalent of a cookie consent mechanism, though it operates on an opt-out rather than opt-in basis.
- Global Privacy Control (GPC): Under the CPRA regulations finalized by the CPPA, businesses must treat GPC signals sent by a user's browser as a valid opt-out request. GPC is a browser-level signal (similar in concept to the old Do Not Track, but legally binding under the CCPA/CPRA). If a user's browser sends a GPC signal, you must stop selling or sharing their personal information — which means disabling advertising and tracking cookies for that user.
- Privacy policy disclosure: Your privacy policy must disclose the categories of personal information collected, the purposes of collection, the categories of third parties with whom information is shared, and whether information is sold or shared.
- Sensitive personal information: The CPRA introduces a "Limit the Use of My Sensitive Personal Information" right. If cookies collect sensitive information (such as precise geolocation), consumers must be able to limit its use.
- Minors: For consumers under 16, the CCPA/CPRA shifts to an opt-in model. You may not sell or share the personal information of a consumer you know to be under 16 without affirmative consent (from the consumer if 13-15, from a parent/guardian if under 13).
Who Must Comply
The CCPA/CPRA applies to for-profit businesses that do business in California and meet any of the following thresholds: annual gross revenue exceeding $25 million; buying, selling, or sharing the personal information of 100,000 or more consumers or households; or deriving 50% or more of annual revenue from selling or sharing consumers' personal information.
Other US State Privacy Laws
Several other states have enacted comprehensive privacy laws with implications for cookie compliance. While none are as detailed as the CCPA/CPRA, they establish consistent themes around opt-out rights and data transparency.
Colorado Privacy Act (CPA)
Effective: 1 July 2023. Enforced by: Colorado Attorney General.
Requires opt-out rights for targeted advertising and the sale of personal data. Businesses must honor universal opt-out mechanisms (like GPC). Colorado's rules specifically require a "clear and conspicuous" opt-out method and recognize universal opt-out signals, making GPC compliance effectively mandatory for covered businesses.
Connecticut Data Privacy Act (CTDPA)
Effective: 1 July 2023. Enforced by: Connecticut Attorney General.
Similar to Colorado's law. Requires opt-out for targeted advertising, sale of personal data, and profiling. Requires recognition of universal opt-out mechanisms starting 1 January 2025. Provides specific protections for sensitive data requiring opt-in consent.
Virginia Consumer Data Protection Act (VCDPA)
Effective: 1 January 2023. Enforced by: Virginia Attorney General.
Provides opt-out rights for targeted advertising and sale of personal data. Does not require recognition of universal opt-out signals (unlike California, Colorado, and Connecticut). Requires consent for processing sensitive data.
Texas Data Privacy and Security Act (TDPSA)
Effective: 1 July 2024. Enforced by: Texas Attorney General.
Notably broad in scope with no revenue threshold — it applies to any entity conducting business in Texas that processes personal data and is not a small business as defined by the SBA. Requires opt-out for targeted advertising and data sales. Requires recognition of universal opt-out mechanisms.
Oregon Consumer Privacy Act (OCPA)
Effective: 1 July 2024. Enforced by: Oregon Attorney General.
Applies to businesses controlling or processing the data of 100,000+ Oregon consumers, or 25,000+ consumers if deriving 25%+ of revenue from data sales. Provides standard opt-out rights and gives businesses a 30-day cure period to remedy violations.
Comparison: US States vs. GDPR
| Requirement | GDPR/ePrivacy | CCPA/CPRA | Other US States |
|---|---|---|---|
| Consent model | Opt-in (prior consent) | Opt-out | Opt-out |
| Cookie consent required before setting | Yes | No | No |
| Cookie banner required | Effectively yes | No (opt-out link required) | No |
| Granular consent by category | Yes | No | No |
| Right to opt out of tracking | Yes (by not consenting) | Yes ("Do Not Sell/Share") | Yes (targeted ads/data sale) |
| GPC/universal opt-out required | Not specified | Yes | Varies (CA, CO, CT, TX: yes) |
| Privacy policy required | Yes | Yes | Yes |
| Sensitive data: opt-in required | Yes (explicit consent) | Right to limit use | Varies (most: opt-in) |
| Enforcement | DPAs + private action (limited) | CPPA + AG + private right of action (data breaches) | Attorney General only |
| Maximum fines | 4% global turnover / €20M | $2,500/violation; $7,500/intentional | Varies; typically $7,500-$10,000 |
Practical Approach: GDPR Compliance Covers Most US Requirements
If your website already complies with the GDPR, you are well-positioned for US compliance. The GDPR's opt-in model is stricter than any US state's opt-out model. However, there are specific US requirements that the GDPR does not address:
- "Do Not Sell or Share" link: The GDPR requires consent management, but not a specific "Do Not Sell or Share" link. If you have California visitors and meet the CCPA thresholds, you need this link.
- GPC signal recognition: While the GDPR does not require recognition of browser signals, several US states mandate it. Implementing GPC recognition is straightforward and demonstrates respect for user preferences.
- Specific privacy policy disclosures: The CCPA/CPRA requires disclosures formatted in specific ways (categories of information collected in the preceding 12 months, categories of sources, etc.) that differ from GDPR privacy notice requirements.
- "Do Not Track" vs. GPC: The old Do Not Track (DNT) browser signal was never legally binding. GPC is its successor and is legally binding under the CCPA/CPRA and several other state laws. Ensure your consent management platform recognizes and acts on GPC signals.
The Prospect of a Federal US Privacy Law
The American Data Privacy and Protection Act (ADPPA) came closer to passage than any previous federal privacy bill when it advanced through the House Energy and Commerce Committee in July 2022, but it ultimately stalled. Subsequent sessions of Congress have seen renewed proposals, but as of early 2026, no federal privacy law has been enacted.
The main obstacles remain:
- Preemption: Whether a federal law should override state laws (California opposes preemption that would weaken the CCPA/CPRA).
- Private right of action: Whether individuals should be able to sue companies directly for privacy violations.
- Opt-in vs. opt-out: Whether the federal standard should adopt an opt-in model for sensitive data or maintain the opt-out approach.
Until a federal law is enacted, businesses must navigate the state-by-state patchwork. The practical advice remains: build a consent management system that can handle the most restrictive requirements (GDPR opt-in), and layer on US-specific features (opt-out links, GPC support) as needed.
Recommendations for Global Compliance
For websites serving both EU and US visitors, the most efficient approach is:
- Implement GDPR-compliant consent management as your baseline. This gives you the strictest model, which inherently satisfies less strict requirements.
- Add a "Do Not Sell or Share" mechanism if you meet CCPA thresholds or have significant California traffic.
- Implement GPC signal recognition for all visitors. It is a simple technical implementation with significant legal benefits.
- Use geolocation to serve appropriate consent experiences. EU visitors see an opt-in banner; US visitors see a less intrusive notice with opt-out options. This balances compliance with user experience.
- Maintain comprehensive privacy disclosures that satisfy both GDPR and CCPA/CPRA requirements.
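The GPC recognition recommended above (and in the "GPC signal recognition" point earlier) reduces to a small decision routine. The following is an added example, not code from the original article: it reads the signal the way browsers actually send it (the `Sec-GPC: 1` request header, or `navigator.globalPrivacyControl` in page script) and combines it with the visitor's jurisdiction and saved choice to decide whether advertising cookies may run. The region codes, the request shape and the stored-choice values are illustrative assumptions.

```javascript
// Added example (not from the original article). Turns the Global Privacy
// Control signal plus the visitor's jurisdiction into a single answer:
// may non-essential (advertising/tracking) cookies be set for this visitor?

// GPC arrives server-side as the request header "Sec-GPC: 1"; in the browser
// the same signal is exposed as navigator.globalPrivacyControl === true.
function gpcFromHeaders(headers) {
  const v = headers['sec-gpc'];
  return typeof v === 'string' && v.trim() === '1';
}

function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Jurisdictions using the opt-in model (assumed set, for illustration only).
const OPT_IN_REGIONS = new Set(['EU', 'EEA', 'UK']);

// Decide whether advertising/tracking cookies may be set.
//   region:       e.g. 'EU' or 'US', from geolocation (assumed codes)
//   gpc:          boolean from gpcFromHeaders / gpcFromNavigator
//   storedChoice: 'accept' | 'reject' | 'opt-out' | null (visitor's saved choice)
//   knownUnder16: true when the business knows the consumer is under 16
function decideTracking({ region, gpc, storedChoice, knownUnder16 = false }) {
  // Opt-in model: nothing non-essential runs until the visitor accepts.
  if (OPT_IN_REGIONS.has(region)) {
    return { advertising: storedChoice === 'accept', model: 'opt-in' };
  }
  // CCPA/CPRA: consumers known to be under 16 are opt-in, not opt-out.
  if (knownUnder16) {
    return { advertising: storedChoice === 'accept', model: 'opt-in' };
  }
  // Opt-out model: GPC is a valid opt-out request and wins over an earlier
  // "accept", so it is checked before the stored choice.
  if (gpc) {
    return { advertising: false, model: 'opt-out', reason: 'gpc' };
  }
  if (storedChoice === 'opt-out' || storedChoice === 'reject') {
    return { advertising: false, model: 'opt-out', reason: 'stored' };
  }
  // Default under the opt-out model: tracking on, with the opt-out link shown.
  return { advertising: true, model: 'opt-out' };
}
```

A server that branches on the header this way should also send `Vary: Sec-GPC`, otherwise a cached tracking-enabled page can be served to a visitor whose browser sends GPC.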
The global trend is unmistakably toward greater privacy protection and user control over tracking technologies. Building robust consent management now is an investment that will pay dividends as new regulations continue to emerge.