Cookie Consent Requirements in the United States: Explained

By Safna December 16, 2025

In Europe, cookie use is regulated by the ePrivacy Directive and the General Data Protection Regulation (GDPR). Across the Atlantic, things look a little different. The United States doesn’t have a single, comprehensive cookie law or a central Data Protection Authority. Instead, privacy is governed by a patchwork of sector-specific federal laws and state-level consumer privacy regulations.

These laws generally follow an opt‑out model, where users can ask businesses to stop selling or using their data for targeted advertising, rather than the opt‑in model of the European Union. Read on to learn how US websites should handle cookie consent.

Do cookies count as personal data in the US?

Yes. Most US state privacy laws consider cookies as personal data.

While there is no federal law that explicitly classifies cookies as personal data, several state laws do. The clearest example is the California Consumer Privacy Act (CCPA) and its amendment, the CPRA. It defines personal information broadly to include any data that can be linked, directly or indirectly, to a consumer or household.

Within that definition, California expressly lists unique identifiers, which include:

  • Device identifiers
  • IP addresses
  • Online identifiers
  • Cookies, beacons, pixel tags, and similar technology

Because cookies can persist over time and track a user or device across websites or services, they meet the definition of a unique personal identifier.

This means that, under laws like the CCPA/CPRA, cookies are treated as personal information when they can reasonably be linked to a specific consumer, household, or device.

Is cookie consent required in the USA?

No. The state privacy laws in the United States, such as in California, Colorado, Utah, and Texas, assume cookie consent until the user asks to opt out of tracking. 

Therefore, instead of an opt-in cookie consent, your website must give visitors the option to opt out of cookies. This is the purpose of a “Do Not Sell or Share Personal Information” link.

An opt-out icon/link must be displayed in conspicuous places on your website, such as in the footer, settings, and cookie banner. 

Do not sell my personal information link as seen on Semrush’s website footer
Bank of America displays an opt-out icon on its website footer instead of the “Do Not Sell” link.

You should also record and maintain logs of cookie consent for regulatory reviews or compliance verification.

Is it necessary to show a cookie banner in the US?

Technically, no American state law requires you to show a cookie banner. But if your website uses cookies for targeted advertising, cross-site tracking, or data sales, you’re still on the hook for transparency and user rights.

State privacy laws like the California Privacy Rights Act (CPRA), Connecticut Transparency and Data Privacy Act (CTDPA) and others in Virginia, Utah, Texas, and Florida require clear and conspicuous notice containing a “Do Not Sell or Share My Personal Information” link when personal data is being sold or used for targeted ads. 

Example: Under the CTDPA, if a controller sells personal data to third parties or engages in targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.

So, while a cookie banner isn’t mandatory, it’s often the easiest and most user-friendly way to:

  • Notify visitors about the use of cookies
  • Explain how data is collected and shared
  • Give users a way to opt out of tracking and data sales

However, not just any banner will do. If you use one, it must be honest, accessible, and must not obscure the option to say no. Regulators are watching for dark patterns, like banners that make rejecting cookies harder than accepting them.

What happened to the American Privacy Rights Act? 

The absence of a national privacy law prompted federal lawmakers to draft the American Privacy Rights Act (APRA) in April 2024. 

The bipartisan proposal would limit the data companies can collect, require processes for users to access or delete their data, and allow users to opt out of data sales.

It would have superseded many state laws, but the bill underwent controversial revisions in June 2024 that removed key consumer protections, leading to the cancellation of a committee markup and a stall in progress.

At present, the APRA has not been enacted, so state laws remain the primary source of cookie obligations.

Overview of state privacy laws in the US

The US state‑level privacy landscape is dynamic. By mid‑2025, more than a dozen states had enacted comprehensive privacy statutes. The following subsections outline key provisions of six influential laws: California CCPA/CPRA, Texas TDPSA, Utah UCPA, Virginia VCDPA, Florida FDBR, and Minnesota MCDPA.

California Consumer Privacy Act (CCPA)

Applicability:

For‑profit entities doing business in the state that meet any of these thresholds: 

  • Annual gross revenue over roughly USD 25 million
  • Buying or selling personal information of at least 100,000 consumers or households
  • Deriving at least half of annual revenue from selling or sharing personal information.

Consent model and cookies:

Consumers may opt out of the sale or sharing of their personal data. Cookies are considered unique identifiers and therefore qualify as personal information. Any banner or tool used to manage cookie preferences should offer an easy opt-out option (“Do not sell/share” link).

Consent is required to sell or share the data of children under 16.

Fines and enforcement:

The California Privacy Protection Agency and the Attorney General enforce the CCPA/CPRA. Civil penalties can reach about USD 2,500 per unintentional violation and USD 7,500 per intentional violation. 

Texas Data Privacy and Security Act (TDPSA)

Applicability:

Entities conducting business in Texas and providing products or services consumed by state residents. There is no revenue threshold, although small businesses are exempt unless they sell sensitive data.

Consent model and cookies:

Consumers have the right to opt out of targeted advertising and the sale of personal data. Explicit consent is required before processing sensitive data and the data of children. 

The opt-out mechanism must be clearly specified.

Fines and enforcement:

The Texas Attorney General enforces the TDPSA and may impose civil penalties up to USD 7,500 per violation.

Utah Consumer Privacy Act (UCPA)

Applicability:

Controllers or processors with at least USD 25 million in revenue and either: 

  • Control or process personal data of 100,000 or more consumers; or
  • Derive 50 % of revenue from selling data of 25,000 or more consumers.

Consent model and cookies:

Consumers may opt out of targeted advertising and the sale of personal data. Consent is required for processing sensitive data and the personal data of children. An opt‑out mechanism is mandatory.

Fines and enforcement:

Enforcement lies with the Utah Attorney General and the Division of Consumer Protection. Violations can lead to penalties of up to USD 7,500 per violation.

Virginia Consumer Data Protection Act (VCDPA)

Applicability:

The VCDPA applies to businesses that control or process:

  • personal data of at least 100,000 Virginia residents during a calendar year; or
  • 25,000 residents and derive at least half of their revenue from selling personal data.

Consent model and cookies:

Consumers have the right to opt out of targeted advertising, the sale of personal data and certain profiling. Controllers must obtain consent before processing sensitive data. There is no specific cookie banner requirement, but websites should provide a clear opt-out choice.

Fines and enforcement:

The Virginia Attorney General enforces the VCDPA. Penalties can reach USD 7,500 per violation.

Minnesota Consumer Data Privacy Act (MCDPA)

Applicability:

Minnesota’s law, effective 31 July 2025, applies to controllers that process personal data of at least 100,000 consumers or 25,000 consumers when at least 25 % of revenue comes from selling data.

Consent model and cookies:

Consumers may opt out of targeted advertising, the sale of personal data and profiling. Consent is required for processing sensitive data and for targeted advertising of minors aged 13–16. The law recognises universal opt‑out signals and uniquely allows consumers to question profiling results. It does not expressly require cookie banners, but controllers must provide opt‑out mechanisms.

Fines and enforcement:

Enforcement is handled by the Minnesota Attorney General. Civil penalties can reach USD 7,500 per violation, and a 30‑day cure period applies until 31 January 2026.

Cookie banner requirements and best practices for US websites

Websites that use cookie banners for US visitors should ensure the following:

Transparency

Inform consumers that your website uses cookies and why you use them. Specify whether any third-party cookies are used and how they can opt out of them. Also, provide a link to your detailed cookie information. This can be within your privacy policy or as a separate cookie policy. US laws do not explicitly require a standalone cookie policy.

Easy opt‑out mechanisms

Include a link or button that allows consumers to exercise their right to opt out of the sale or sharing of personal data. For California, this must be labelled “Do Not Sell or Share My Personal Information”. Alternatively, you can provide a uniform opt-out icon.

The goal is to make opt-out as easy and convenient as possible, so that users do not have to struggle to find it.

Symmetrical choices

You do not need consent for cookies in the United States. However, if your website uses an opt-in cookie banner globally, ensure that rejecting third-party or advertising cookies is as easy as accepting them. 

This means both the Accept All and Reject All buttons on your cookie banner should be equally prominent in the first layer of the banner. Hiding the reject button in a secondary layer, behind the customise button, or similar is a dark pattern and can be penalised.

Global privacy control/Universal Opt-out Mechanism

Implement mechanisms to honour universal opt‑out signals, as required under laws like the CPRA, TDPSA, UCPA, VCDPA and MCDPA.

Users who have enabled a global privacy control should be automatically opted out of data sales or targeted advertising.
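One way to honour the signal on the server and produce a consent-log record at the same time, as an added example that is not CookieYes code. It relies on the `Sec-GPC: 1` request header defined by the Global Privacy Control specification; the function names, the `optout` cookie and the log fields are assumptions made for illustration.

```javascript
// Added example: honouring Global Privacy Control (GPC) on the server.
// Hypothetical names: decideTracking, the "optout" cookie, the log fields.

// Browsers with GPC enabled send the request header "Sec-GPC: 1".
// Any other value, or no header, means no signal was sent.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Minimal Cookie header parser: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header = '') {
  const jar = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Decide whether sale/sharing and targeted-advertising tags may load, and
// build the record to append to the consent log.
function decideTracking(headers, now = new Date()) {
  const gpc = hasGpcSignal(headers);
  const manual = parseCookies(headers.cookie || headers.Cookie).optout === '1';
  const optedOut = gpc || manual;
  return {
    sellOrShare: !optedOut,
    logEntry: {
      timestamp: now.toISOString(),
      optedOut,
      source: gpc ? 'gpc' : manual ? 'opt-out-link' : 'default',
    },
  };
}

// Constructed sample requests.
const samples = [
  { 'sec-gpc': '1' },
  { cookie: 'theme=dark; optout=1' },
  { 'sec-gpc': '0', cookie: 'theme=dark' },
];
for (const h of samples) console.log(JSON.stringify(decideTracking(h).logEntry));
```

The GPC signal is checked before the stored opt-out cookie, so a first-time visitor with the signal enabled is opted out without clicking anything.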

No dark patterns

One lesson from recent enforcement actions by US state Attorneys General is their strict adherence to the no-dark-patterns principle.

Therefore, avoid designs that nudge users into accepting tracking. Regulators consider asymmetrical button placements and confusing language as potential violations of consumer‑protection laws.

A good practice is to present options in a neutral tone without using manipulative design or colours.

Cookie policy vs privacy policy

US privacy laws do not require a separate cookie policy. A cookie policy is a document that explains what cookies a website uses, why they are used, which third parties set them, and how long they persist.

This information can be integrated into a broader privacy policy, provided it is not buried within the policy and is easy to find. If the privacy policy includes detailed cookie information, a separate cookie policy is not mandatory.

A privacy policy is mandatory under Federal law like CalOPPA and US state privacy laws.

Businesses should ensure their privacy notices describe the types of personal data collected (including through cookies) and provide clear instructions for exercising opt‑out rights.

Concluding cookie guidance for US websites

Because the United States lacks a dedicated cookie law, cookie compliance hinges on understanding state privacy statutes and the general prohibition against deceptive practices. 

A compliant approach should include:

  • Clear privacy notice
  • Conspicuous mechanism to opt out of third-party cookies
  • Consent log for accountability

Businesses operating across multiple jurisdictions often choose to implement EU‑style consent banners to provide a consistent user experience, but they must adjust those banners to comply with US opt‑out requirements and avoid dark patterns.

Finally, organisations should monitor legislative developments; the American Privacy Rights Act remains stalled, but state privacy statutes continue to proliferate, and enforcement agencies are increasingly focused on cookie practices.

FAQ on US cookie consent requirements

Are US websites legally required to display a cookie banner?

There is no federal cookie law in the US. But state privacy laws like CCPA in California require notices and opt-out mechanisms when cookies are used for selling or sharing personal information. Therefore, most US websites should use opt-out cookie banners to meet these compliance requirements.

However, if you target residents of countries with opt-in laws, like in the EU or UK, you need to display an opt-in cookie banner.

How do selling or sharing personal information relate to cookies under the CPRA?

If tracking cookies allow third parties like ad networks to access user data for cross-context behavioural advertising, this may count as Selling or Sharing of personal data. In such cases, you must provide a Do Not Sell or Share My Personal Information link and honour Global Privacy Control (GPC) signals.

What is the major difference between US and European requirements for cookie banners?

European laws (GDPR and ePrivacy Directive) require explicit opt-in consent before using non-essential cookies. In contrast, US laws generally follow a notice-and-opt-out model, allowing cookies to load by default while requiring clear disclosure and an option to opt out of data selling or sharing.

Safna

Safna is the resident data privacy writer at CookieYes, where she breaks down privacy laws into actionable insights for businesses. The rest of her time is a mix of music, movies, and hot chocolate.
