Compliance Guides | March 29, 2026 | 11 min read

Cookie Consent Requirements Under US State Privacy Laws: What You Actually Need in 2026

Do US State Privacy Laws Require Cookie Consent?

If you’ve spent time researching cookie consent compliance, you’ve probably encountered advice designed for GDPR — the European Union’s privacy regulation that requires explicit opt-in consent before placing any non-essential cookies on a user’s device. That approach has created a global expectation that every website needs a cookie consent banner.

But US state privacy laws take a fundamentally different approach. The short answer: most US state privacy laws do not require cookie consent banners. Instead, they require you to give consumers the right to opt out of certain data practices — including the sale of personal information, sharing for targeted advertising, and profiling. Cookies are relevant only insofar as they enable these activities.

This distinction matters because blindly applying a GDPR-style cookie consent framework to your US website can create a worse user experience without actually achieving compliance with the laws that apply to you. This guide explains what US state privacy laws actually require when it comes to cookies, consent, and tracking technologies.

How US Cookie Requirements Differ from GDPR

The fundamental difference between GDPR and US state privacy laws on cookies comes down to consent model:

| Requirement | GDPR (EU/EEA) | CCPA/CPRA (California) | Other US State Laws |
|---|---|---|---|
| Consent model | Opt-in (prior consent required) | Opt-out (no prior consent, but must honor opt-out) | Opt-out (similar to California) |
| Cookie banner required? | Yes — must get consent before non-essential cookies | No — but must provide opt-out mechanism | No — but must provide opt-out mechanism |
| Tracking cookies restricted? | Yes — blocked until consent given | Only if they enable "sale" or "sharing" of PI | Only if they enable sale/targeted advertising |
| GPC/universal opt-out | Not specifically required | Required — must honor GPC signal | Required in CO, CT, MT, TX, DE, OR; varies elsewhere |
| Sensitive data via cookies | Explicit consent required | Opt-out of sale; opt-in for some uses | Generally requires opt-in consent |
| Analytics cookies | Consent required (unless strictly necessary) | Generally permitted (first-party analytics) | Generally permitted (first-party analytics) |
| Enforcement | Data Protection Authorities | CA AG + CPPA | State Attorneys General |

The practical takeaway: if your business only operates in the United States and does not target EU consumers, you likely do not need a GDPR-style opt-in cookie banner. But you absolutely need robust opt-out mechanisms. See our state comparison tool for a detailed breakdown of each state’s requirements.

CCPA/CPRA Cookie Consent Requirements

California’s CCPA (as amended by the CPRA) does not explicitly regulate cookies as a technology. Instead, it regulates the activities that cookies often enable:

  • Sale of personal information — If third-party cookies on your site transmit personal information to an advertising network or data broker in exchange for monetary or other valuable consideration, that constitutes a "sale" under the CCPA.
  • Sharing for cross-context behavioral advertising — If cookies enable sharing personal information with third parties for targeted advertising (even without direct payment), that’s "sharing" under the CPRA.
  • Targeted advertising — Using cookies to build profiles for behavioral advertising falls under consumers’ right to opt out.

What California Actually Requires

Instead of a cookie consent banner, California requires:

  1. "Do Not Sell or Share My Personal Information" link — A clear, conspicuous link on your homepage (and in your privacy policy) that allows consumers to opt out of the sale and sharing of their personal information. See our guide on "Do Not Sell" link compliance.
  2. Honor Global Privacy Control (GPC) — You must treat GPC browser signals as a valid opt-out request. When a user’s browser sends a GPC signal, you must stop selling or sharing their personal information via cookies and other tracking technologies. Use our GPC Compliance Checker to determine your obligations.
  3. Disclose tracking in your privacy policy — Your privacy policy must describe the categories of personal information collected, the purposes, and whether you sell or share it. This includes data collected via cookies.
  4. Process opt-out requests within 15 business days — When a consumer opts out, you must stop selling/sharing their data within 15 business days and ensure third-party cookies that enable these activities are suppressed.

The Disney CCPA settlement ($2.75 million in February 2026) demonstrates why this matters: Disney offered multiple opt-out mechanisms, but they didn’t work consistently across all services and devices. Partial compliance is not compliance. See our analysis of the Disney settlement.

State-by-State Cookie Consent Comparison

Here’s how the major US state privacy laws handle cookie-related requirements:

| State | Consent Model | Cookie Banner Required? | GPC/Universal Opt-Out Required? | Sensitive Data Cookies Need Consent? |
|---|---|---|---|---|
| California | Opt-out | No | Yes — must honor GPC | Yes — opt-out for sale/sharing; opt-in for some sensitive uses |
| Virginia | Opt-out | No | Not required (no universal opt-out mandate) | Yes — opt-in consent required |
| Colorado | Opt-out | No | Yes — must honor universal opt-out | Yes — opt-in consent required |
| Connecticut | Opt-out | No | Yes — must honor universal opt-out | Yes — opt-in consent required |
| Texas | Opt-out | No | Yes — must honor universal opt-out | Yes — opt-in consent required |
| Maryland | Opt-out (stricter) | No | Not explicitly required yet | Yes — sale of sensitive data prohibited entirely |
| Oregon | Opt-out | No | Yes — must honor universal opt-out | Yes — opt-in consent required |
| Indiana | Opt-out | No | Not required | Yes — opt-in consent required |

Notice the pattern: no US state requires a cookie consent banner. The requirement is always about providing opt-out mechanisms for data sale, sharing, and targeted advertising. The cookie itself is not regulated — the data practice it enables is.

When DO You Need Cookie Consent Under US Law?

While US state privacy laws generally follow an opt-out model, there are specific situations where prior consent (opt-in) IS required:

1. Sensitive Data Processing

If cookies collect or process sensitive personal information — such as precise geolocation, health data, biometric data, or data revealing racial or ethnic origin — most state laws require opt-in consent before processing. This means if your website uses cookies that collect sensitive categories, you may need consent before those specific cookies activate. See our guide on sensitive data under state privacy laws.

2. Children’s Data (COPPA)

The federal Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent before collecting personal information from children under 13, including through cookies and tracking technologies. This applies regardless of state law. See our COPPA compliance guide.

3. Known Minors (Ages 13-15 in California)

Under the CCPA, businesses that have actual knowledge that a consumer is between 13 and 16 years old must obtain opt-in consent before selling or sharing their personal information. Cookies that enable sale/sharing of a known minor’s data require prior consent.

4. Maryland’s Stricter Approach

Maryland’s MODPA (effective with enforcement starting April 1, 2026) goes further than other states by prohibiting the sale of sensitive data entirely and imposing stricter data minimization requirements. If your cookies collect data beyond what is "reasonably necessary" for the service the consumer requested, Maryland’s law may require you to stop that collection. See our Maryland MODPA enforcement guide.

Global Privacy Control: The US Alternative to Cookie Banners

Instead of cookie consent banners, the US privacy landscape has converged on Global Privacy Control (GPC) as the primary mechanism for consumers to exercise their opt-out rights. GPC is a browser-level signal (sent as an HTTP header: Sec-GPC: 1) that communicates a user’s preference to opt out of data sale and sharing.

Which States Require Honoring GPC?

As of 2026, the following states require businesses to honor universal opt-out mechanisms like GPC:

  • California — Required since 2023 (CPRA regulations)
  • Colorado — Required since July 2024
  • Connecticut — Required since January 2025
  • Montana — Required since October 2024
  • Texas — Required since January 2025
  • Delaware — Required since January 2026
  • Oregon — Required since January 2026
  • Nebraska — Required since January 2026

For a complete breakdown, see our Universal Opt-Out Mechanism Compliance Guide.

How GPC Affects Cookies

When your website detects a GPC signal, you must suppress any cookies that enable data sale or sharing. In practice, this means:

  • Third-party advertising cookies should not load or should be restricted
  • Cross-site tracking pixels should be suppressed
  • Data shared with advertising partners via cookies should stop
  • First-party analytics cookies are generally still permitted (they don’t typically constitute "sale" or "sharing")

Use our GPC Compliance Checker to determine whether your business needs to honor GPC based on the states where you operate.

5 Common Cookie Consent Mistakes Under US Privacy Laws

1. Copying a GDPR Cookie Banner for US Users

Many businesses deploy the same cookie consent banner they use for EU visitors to US visitors. While this isn’t illegal, it creates unnecessary friction without achieving compliance. US users are not required to consent before cookies load — they need the ability to opt out. A GDPR-style "Accept/Reject" banner is not a substitute for a proper "Do Not Sell or Share" mechanism and GPC detection.

2. Ignoring Global Privacy Control

GPC is not optional in states that require it. The $2.75 million Disney settlement and the multi-state GPC enforcement sweep in 2024-2025 demonstrate that regulators actively check for GPC compliance. If you honor "Do Not Sell" clicks but ignore GPC browser signals, you are not fully compliant.

3. Assuming "Cookie Banner = Compliant"

A cookie consent management platform (CMP) alone does not make you compliant with US state privacy laws. The CMP handles cookie loading, but US laws require broader opt-out mechanisms that extend beyond cookies — including opt-out of data sale through any mechanism, not just cookie-based tracking.

4. Not Applying Opt-Outs Across All Services

If a consumer opts out on one part of your platform, that opt-out must apply to all of your services connected to their account. The Disney settlement specifically targeted the practice of siloing opt-out requests to individual apps or devices rather than applying them account-wide.

5. Failing to Disclose Cookie Practices in Your Privacy Policy

Every state privacy law requires you to disclose what personal information you collect and how you use it. This includes data collected via cookies. Many businesses have detailed cookie policies for GDPR but fail to adequately describe cookie-based data collection in the privacy policy section that addresses state law requirements. See our privacy policy requirements guide.

Cookie Consent Compliance Checklist for US Businesses

Use this checklist to ensure your cookie practices comply with US state privacy laws:

  1. Audit your cookies — Identify all first-party and third-party cookies on your site. Classify which ones enable data sale, sharing, or targeted advertising.
  2. Implement GPC detection — Add JavaScript to detect the navigator.globalPrivacyControl signal and suppress sale/sharing cookies when detected.
  3. Add a "Do Not Sell or Share" link — Place a clear, conspicuous link on your homepage footer that allows consumers to opt out (required in California and recommended everywhere).
  4. Apply opt-outs universally — When a consumer opts out (via GPC, toggle, or form), ensure the opt-out applies across all services, devices, and third-party data-sharing arrangements linked to their account.
  5. Update your privacy policy — Disclose the categories of personal information collected via cookies, the purposes of collection, and any third parties with whom data is shared.
  6. Handle sensitive data cookies separately — If any cookies collect sensitive personal information, implement opt-in consent for those specific cookies.
  7. Document your compliance — Maintain records of your cookie audit, opt-out mechanism implementation, and GPC testing results.
  8. Test regularly — Verify that opt-out mechanisms and GPC detection work correctly across browsers, devices, and all parts of your website. Use our Privacy Law Calculator to confirm which state laws apply to your business.
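
The GPC handling described under "How GPC Affects Cookies" and in checklist steps 1, 2, 4 and 6, as an added example (not PrivacyLawMap's code): it reads the signal from the Sec-GPC header or navigator.globalPrivacyControl, folds in an account-wide opt-out, and decides which classified tags may load. The tag inventory, purpose labels and function names are constructed for illustration.

```javascript
// Added example: the tag inventory, purpose labels and function names are constructed.
const TAGS = [
  { name: "ad-network-pixel", party: "third", purpose: "sale_or_sharing" },
  { name: "retargeting-cookie", party: "third", purpose: "sale_or_sharing" },
  { name: "site-analytics", party: "first", purpose: "analytics" },
  { name: "precise-geo-cookie", party: "first", purpose: "sensitive" },
  { name: "session", party: "first", purpose: "essential" },
];

// Server side: Node lower-cases header names; only the exact value "1" is a signal.
function gpcFromHeaders(headers) {
  return String(headers["sec-gpc"] ?? "").trim() === "1";
}

// Browser side: navigator.globalPrivacyControl is true when the user enabled GPC.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Any one of: GPC header, GPC browser property, or an opt-out stored on the
// account (so a choice made on one service or device applies everywhere).
function isOptedOut({ headers = {}, nav = null, accountOptOut = false }) {
  return accountOptOut || gpcFromHeaders(headers) || gpcFromNavigator(nav);
}

// Sale/sharing tags load unless the visitor opted out (opt-out model);
// sensitive-data tags load only after explicit opt-in; the rest always load.
function tagsToLoad(tags, visitor) {
  const optedOut = isOptedOut(visitor);
  return tags
    .filter((t) => {
      if (t.purpose === "sale_or_sharing") return !optedOut;
      if (t.purpose === "sensitive") return visitor.sensitiveOptIn === true;
      return true;
    })
    .map((t) => t.name);
}
```

Making the same decision on the server, before third-party tags are emitted, and again in the browser keeps the two paths from disagreeing.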

Frequently Asked Questions

Do I need a cookie consent banner for CCPA compliance?

No. The CCPA does not require a cookie consent banner. Instead, you need a "Do Not Sell or Share My Personal Information" link that allows consumers to opt out, and you must honor Global Privacy Control (GPC) browser signals. The focus is on providing opt-out mechanisms, not obtaining prior consent for cookies. However, if you also serve EU customers, you may still need a GDPR-compliant cookie banner for those users.

Does the CCPA require opt-in consent for cookies?

Generally, no. The CCPA follows an opt-out model, not an opt-in model. However, there are exceptions: opt-in consent is required before selling or sharing the personal information of consumers you know to be under 16, and stricter rules apply to sensitive personal information. For most business-to-adult-consumer interactions, the CCPA only requires that you provide the ability to opt out.

What is Global Privacy Control and do I have to honor it?

Global Privacy Control (GPC) is a browser-level signal that communicates a consumer’s intent to opt out of data sale and sharing. It is sent as an HTTP header (Sec-GPC: 1) with every web request. As of 2026, California, Colorado, Connecticut, Montana, Texas, Delaware, Oregon, and Nebraska all require businesses to honor GPC signals. Failing to do so can result in significant fines — as demonstrated by California’s $2.75 million settlement with Disney.

Are tracking cookies considered personal information under state privacy laws?

Yes, in most cases. State privacy laws define personal information broadly to include online identifiers, device identifiers, IP addresses, and browsing activity — all of which are commonly collected via cookies. If a cookie can be linked to an identified or identifiable individual (directly or indirectly), the data it collects is personal information under these laws.

How does CPRA differ from CCPA on cookie consent?

The CPRA (which amended the CCPA in 2023) added several requirements relevant to cookies: it introduced the concept of "sharing" personal information for cross-context behavioral advertising (separate from "sale"), required businesses to honor opt-out preference signals like GPC, created the CPPA as a dedicated enforcement agency, and added new requirements around sensitive personal information. For cookie practices, the most significant change is the mandatory GPC compliance and the expanded definition of "sharing" that covers many advertising cookie use cases that were ambiguous under the original CCPA. See our CCPA compliance checklist for the full list of requirements.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.