US Privacy

We have already helped more than 25,000 websites comply with GDPR, TDDDG & ePrivacy

Our clients include some of the biggest websites and best known brands in the world.

… and many more.

NEED FOR US PRIVACY COMPLIANCE

… but I’m not processing any data at all!?

One response we hear a lot from US customers is that they don’t actually process any data and therefore data protection laws don’t apply to them.

• It is important to note here that website and app operators are responsible for the data that is processed on their website or in their app . Therefore, the data protection laws apply in particular to companies if they meet one of the following conditions:

• 1. If data is processed for our own purposes , for example via tracking tools such as Google Analytics, Matomo, Hotjar or similar

• 2. Sharing data with third parties is also a processing step. Data is shared, for example, by integrating a third-party plugin into the website or app. This applies to YouTube videos, Facebook plugins, Google Maps, chat programs or payment providers such as PayPal

• 3. Whenever advertising is integrated into the website or app, data is automatically transmitted to the advertiser . The transmission is understood as a step in data processing.

• While states differ a bit on when consent to data processing must be given, virtually all data protection laws require opt-out. In the case of CCPA/CPRA, this must be implemented explicitly by means of a link that says “Do not sell or share my personal information”.

The new Standard IAB GPP

Make the website secure with new standards: IAB GPP

In order to transparently signal the opt-in or opt-out within the website or app to all integrated tools, plugins and advertising providers, the so-called IAB GPP Standard was developed by the IAB.

• GPP stands for Global Privacy Platform and defines various methods and interfaces such as a CMP (Consent Management Provider, also known as “Cookie Banner” or “Privacy Notice”) that record and communicate consent/opt-in or rejection/opt-out can. The Standard is largely based on the IAB TCF Standard , which has been used successfully in Europe for years and has become a must for publishers and advertisers.
• The consentmanager team played a key role in the development of the GPP standard, and so it is not surprising that consentmanager is the first provider to offer the productive use of IAB GPP.
  You can also find out more about GPP in our blog .
• Important: Most data protection laws also require that website operators and app operators be able to respond to “browser signals”. One of these signals is the GPC or “Global Privacy Control” required in California. With consentmanager websites and apps don’t have to worry about luck: the consentmanager solution automatically responds to browser signals and implements the opt-out automatically.
• Use GPP and GPC now

Why become compliant for US privacy laws now?

Only pay for what you use

Our flexible pricing model

The consentmanager CMP is affordable and available with a flexible model: you only pay for what you use!

Overview:

When did data protection laws come into force in the United States?

These are the important US privacy norms

What data protection laws are there in the US?

Companies that are located in, do business or provide services in, or otherwise deal with U.S. residents are most likely covered by one of the many data protection laws.

• Unlike in many other countries, data protection laws in the USA are regulated at the state level – until there is a national data protection law. Companies should therefore check whether or which federal laws apply to them. In detail these could be:

• CCPA / CPRA – California

  CCPA stands for California Consumer Privacy Act and was enacted in 2019. It applies especially in California or in relation to California residents. The “update” to CCPA is CPRA or California Privacy Rights Act. Under the CPRA, some regulations are specified and tightened.

• Nevada – NPICICA

  Nevada’s privacy law, the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA), went into effect on October 1, 2019, and underscores consumers’ rights to control their personal information collected online. Amendments such as Senate Bill 220 (SB-220) and Senate Bill 260 (SB-260) expanded these rights by requiring website operators to provide mechanisms that allow consumers to opt out of the sale of their data. While Nevada’s data privacy laws are not as comprehensive as those in other states such as California, they still provide penalties for violations, with the Nevada Attorney General imposing fines of up to $5,000 per violation. Companies must disclose certain information in their privacy policies and provide mechanisms that allow consumers to opt out of the sale of data.

• VCDPA—Virginia

  VCDPA stands for Virginia Consumer Data Protection Act and refers to companies that do business in the state of Virginia or target citizens from this state. The VCDPA entered into force on January 1, 2023.

• CPA—Colorado

  CPA or Colorado Privacy Act is the privacy law of the state of Colorado. This law took effect on July 1, 2023, and must be implemented by companies based in Colorado or processing data of residents of the state. The law imposes a requirement on websites, the universal opt-out mechanism, which requires websites to provide their users with a single opt-out button for the marketing and analytics services used by the website.

• UCPA-Utah

  The US data protection law for the state of Utah in the western USA is called UCPA or Utah Consumer Privacy Act. Unlike the two aforementioned laws, the UCPA does not come into effect until December 31, 2023. This law also affects all companies that process a certain amount of data (here 100,000 per year) of state residents.

• CAPDP—Connecticut

  CTDPA stands for Connecticut Data Privacy Act (also known as the Connecticut Act Concerning Personal Data Privacy and Online Monitoring) and is the federal data protection law in the state of Connecticut. The law went into effect on July 1, 2023 and affects companies that are based in, conduct business in, or process data from residents of the state.

• TDPSA – Texas

  The Texas Data Privacy and Security Act (TDPSA), which will take effect on July 1, 2024, applies to companies that operate in Texas or provide services to Texas residents.

• OCDPA-Oregon

  The Oregon Consumer Data Privacy Act (OCDPA), effective July 1, 2024, applies to companies that operate in the state or provide services to its residents. It includes GDPR-like roles for data controllers and processors, requires detailed data protection notices and requires data protection assessments for high-risk activities.

• MTCDPA – Montana

  The Montana Consumer Data Privacy Act (MTCDPA), which takes effect October 1, 2024, applies to companies doing business in Montana or targeting Montana residents and sets thresholds for applicability based on the amount of personal data processed and the revenue generated from the sale of personal data, exempting certain companies and types of data.

• CDPA-Iowa

  The Iowa Consumer Data Protection Act, effective January 1, 2025, targets data controllers and data processors that process significant amounts of personal information of Iowa residents or derive significant revenue from the sale of such information.

• DPDPA-Delaware

  The Delaware Personal Data Privacy Act, effective January 1, 2025, establishes Delaware’s position on protecting consumer data, consistent with general trends in the United States, but is notable in that it does not exempt most nonprofit organizations and institutions of higher education.

• TIPA-Tennessee

  The Tennessee Information Protection Act (TIPA), effective July 1, 2025, sets strict criteria for how companies must handle the personal information of Tennessee residents. The TIPA sets restrictive applicability thresholds based on turnover and volume of data processing and defines detailed consumer rights, including access, rectification, deletion, data portability and objection to certain data uses.

• CDPA-Indiana

  The Indiana Data Protection Act, effective January 1, 2026, addresses both “data controllers” and “data processors” operating in Indiana or targeting Indiana residents. The law sets certain thresholds for applicability and exempts various entities such as government agencies and HIPAA covered entities.

• MHMD – Washington

  Washington State’s My Health My Data Act (MHMD), which took effect on March 31, 2024, imposes strict requirements on companies that collect, share or process health data. The MHMD requires prior consent for the collection of health data and additional consent for its sharing to protect the privacy of healthcare consumers. The law sets out detailed data security requirements and restricts geofencing near healthcare providers.

• MODPA – Maryland

  Maryland lawmakers have passed the Maryland Online Data Privacy Act (MODPA), a data privacy law that will take effect on October 1, 2025, once passed. Key provisions of the MODPA include a ban on the sale of sensitive data, stricter data minimization requirements, mandatory privacy assessments, unique targeted advertising requirements, and opt-out rights with updated privacy notices. Failure to comply may result in fines of up to $10,000 per violation.

• FDBR – Florida

  The Florida Digital Bill of Rights (FDBR) was signed on June 6, 2023 and will take effect on July 1, 2024. This law introduces a number of measures to protect consumer privacy. It applies primarily to large companies with gross annual revenues of more than $1 billion, with certain thresholds applying to companies that are heavily involved in digital advertising or operate large digital platforms. The FDBR provides extensive opt-out rights for data collection through voice and facial recognition technologies, sets strict restrictions on the collection of surveillance data without the active consent of the user, and requires clear notices for the sale of sensitive and biometric data. In addition, the law provides special protection for children’s data and prohibits government agencies from moderating content on social media, although some exceptions are provided.

• NDPA-Nebraska

  The Governor of Nebraska signed the Nebraska Data Privacy Act on April 17, 2024, which will take effect on January 1, 2025. The law imposes obligations on companies that process personal information in Nebraska and grants consumers rights such as confirmation of data processing, correction of inaccuracies, deletion of personal information, and opt-out of certain data processing activities. The law requires data controllers to provide clear privacy notices, restrict data collection, implement data security procedures and conduct data protection assessments. The Nebraska Attorney General can sanction violators with fines of up to $7,500 per violation.

• SB 255 – New Hampshire

  The Governor of New Hampshire signed Senate Bill 255 on March 6, 2024, which will take effect on January 1, 2025. The law applies to companies operating in New Hampshire that process personal data and establishes obligations for data minimization, purpose limitation and privacy, as well as consumer rights such as access, rectification, erasure, portability and opt-out. Enforcement of the law is the sole responsibility of the New Hampshire Attorney General, who has 60 days to correct any deficiencies.

• NJPA – New Jersey

  At the On January 16, 2024, the Governor of New Jersey signed the New Jersey Privacy Act (NJPA), which will go into effect on January 15, 2025. The NJPA requires companies to take similar measures as other state privacy laws, such as data minimization, data security, and data subject rights, with particular attention to sensitive data and the protection of children. Data controllers and processors must comply with the provisions regarding consumer requests, data security and data breach notification. The law is enforced exclusively by the Attorney General of New Jersey and contains provisions for regulation and redress for consumers.

• KCDPA – Kentucky

  Kentucky passed the Kentucky Consumer Data Privacy Act (KCDPA) on April 4, 2024, which will take effect on January 1, 2026. The law regulates the processing of personal data, establishes consumer rights, and authorizes the Kentucky Attorney General to enforce the law. The law applies to controllers that process data of Kentucky residents, with exemptions for various entities and types of data, including financial and health data. Data controllers must provide clear privacy notices, limit data collection, ensure security and respect consumers’ rights, with an emphasis on not processing sensitive data without explicit consent. Enforcement is the responsibility of the Kentucky Attorney General, who provides a 30-day deadline to correct violations and possible civil penalties.