
US Privacy

IAB GPP: Implement US data protection laws in a legally compliant manner

Make your website or app compliant with the legal requirements for the new US data protection laws.

  • Easy to integrate
  • Supports CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), UCPA (Utah), CAPDP (Connecticut), US National Privacy, among others
  • Official support of the new IAB GPP Standard
  • Including “Do not sell”, GPC and other functions
  • Opt In or Opt Out
  • Customizable design
  • Cookie crawler already integrated
  • Extensive reporting

We have already helped more than 25,000 websites to comply with GDPR, TTDSG & ePrivacy

Our clients include some of the biggest websites and best known brands in the world.


How do I make my website or app compliant with the new US privacy laws?

If your business falls under one of the many privacy laws (see the Laws section), you must comply with those laws. In most states this means:

  • Website visitors/app users must be informed about the type, purpose and content of the data processing
  • Website visitors/app users must have the right to object to data processing (opt-out)
  • In certain cases, consent must be obtained prior to data processing (opt-in)
  • Various basic rules apply to how data may be processed, such as the principle of data minimization, security, transparency or the handling of sensitive data

Specifically, this means in most cases: An opt-out solution must be installed on the website or app in order to provide users with the necessary information and enable the opt-out.


NEED FOR US PRIVACY COMPLIANCE

… but I’m not processing any data at all!?

One response we hear a lot from US customers is that they don’t actually process any data and therefore data protection laws don’t apply to them.

  • It is important to note here that website and app operators are responsible for the data that is processed on their website or in their app. Therefore, the data protection laws apply in particular to companies if they meet one of the following conditions:

  • 1. If data is processed for the operator's own purposes, for example via tracking tools such as Google Analytics, Matomo, Hotjar or similar

  • 2. Sharing data with third parties is also a processing step. Data is shared, for example, by integrating a third-party plugin into the website or app. This applies to YouTube videos, Facebook plugins, Google Maps, chat programs or payment providers such as PayPal

  • 3. Whenever advertising is integrated into the website or app, data is automatically transmitted to the advertiser. The transmission is understood as a step in data processing.

  • While states differ a bit on when consent to data processing must be given, virtually all data protection laws require opt-out. In the case of CCPA/CPRA, this must be implemented explicitly by means of a link that says “Do not sell or share my personal information”.

Become compliant in 5 steps

With consentmanager you can easily become compliant with various US data protection laws:

  • 1. Register now for free and activate your consentmanager account
  • 2. Integrate the consentmanager code into your website using copy and paste
  • 3. Adapt the opt-out design to your wishes
  • 4. Create & integrate the “Do not sell or share my personal information” link
  • 5. Stay compliant thanks to automatic updates

Recommended by lawyers and data protection officers

The new Standard IAB GPP

Make the website secure with new standards: IAB GPP

In order to transparently signal the opt-in or opt-out within the website or app to all integrated tools, plugins and advertising providers, the so-called IAB GPP Standard was developed by the IAB.

  • GPP stands for Global Privacy Platform and defines various methods and interfaces, such as a CMP (Consent Management Provider, also known as “Cookie Banner” or “Privacy Notice”), that can record and communicate consent/opt-in or rejection/opt-out. The Standard is largely based on the IAB TCF Standard, which has been used successfully in Europe for years and has become a must for publishers and advertisers.
  • The consentmanager team played a key role in the development of the GPP standard, and so it is not surprising that consentmanager is the first provider to offer the productive use of IAB GPP.
    You can also find out more about GPP in our blog.
  • Important: Most data protection laws also require that website operators and app operators be able to respond to “browser signals”. One of these signals is the GPC or “Global Privacy Control” required in California. With consentmanager, websites and apps don’t have to leave this to chance: the consentmanager solution automatically responds to browser signals and implements the opt-out automatically.

Why become compliant for US privacy laws now?

Protection for your business

CCPA, VCDPA, CAPDP etc. will be effective from 2023 and must be implemented. The Federal Attorneys General can now impose fines on the basis of these laws – in many cases this has already happened. Don’t hesitate any longer and make your website or app compliant now!

Protection for your earnings

Advertising companies will rely on the new IAB GPP standard in 2023. In Europe, hardly any advertising is sold without the European standard – in the USA the trend is going in the same direction. If you don’t support the IAB GPP standard, you’re missing out on advertising revenue!

Protection for your customers

Customers are becoming more critical and are increasingly questioning how companies handle data. Companies that do not respect their privacy lose credibility, customers and sales. Show your customers that you really care about them!

Only pay for what you use

Our flexible pricing model

The consentmanager CMP is affordable and available with a flexible model: you only pay for what you use!

Basic

0
Permanently free for
a website
  • 5,000 views / month incl.
  • GDPR Compliant
  • Premade Designs
  • 1 crawl/week
  • Support: tickets
  • additional Views bookable
  • IAB TCF compatible CMP
  • IAB GPP standard
  • A/B testing & optimization
  • additional user accounts

Beginner

19
Monthly for
a website
  • 100,000 views / month incl.
  • additional Views: 0.1 / 1000
  • GDPR Compliant
  • Customizable designs
  • 3 crawls/day
  • Support: tickets
  • A/B testing & optimization
  • IAB TCF compatible CMP
  • IAB GPP standard
  • additional user accounts
Very popular

Standard

49
Monthly for up to
3 websites or apps
  • 1 million views / month incl.
  • additional Views: 0.05 / 1000
  • GDPR Compliant
  • IAB TCF compatible CMP
  • IAB GPP standard
  • Customizable designs
  • A/B testing & optimization
  • 10 crawls/day
  • Support: Ticket & Email
  • additional user accounts

Agency

195
Monthly for up to
20 websites or apps
  • 10 million views / month incl.
  • additional Views: 0.02 / 1000
  • GDPR Compliant
  • IAB TCF compatible CMP
  • IAB GPP standard
  • Customizable designs
  • A/B testing & optimization
  • 100 crawls/day
  • 10 additional user accounts
  • Support: Ticket, email & phone
  • Personal account manager

Enterprise

On demand
Monthly price by individual agreement
  • Any Views / Month
  • additional Views: 0.02 / 1000
  • GDPR Compliant
  • IAB TCF compatible CMP
  • IAB GPP standard
  • Customizable designs
  • A/B testing & optimization
  • Any crawls/day
  • any add. user accounts
  • Support: Ticket, email & phone
  • Personal account manager

These are the important US privacy norms

What data protection laws are there in the US?

Companies that are located in, do business or provide services in, or otherwise deal with U.S. residents are most likely covered by one of the many data protection laws.

  • Unlike in many other countries, data protection laws in the USA are regulated at the state level – until there is a national data protection law. Companies should therefore check whether or which federal laws apply to them. In detail these could be:
  • CCPA / CPRA – California

    CCPA stands for California Consumer Privacy Act and was enacted in 2019. It applies especially in California or in relation to California residents. The “update” to CCPA is CPRA or California Privacy Rights Act. Under the CPRA, some regulations are specified and tightened.

  • VCDPA – Virginia

    VCDPA stands for Virginia Consumer Data Protection Act and refers to companies that do business in the state of Virginia or target citizens from this state. The VCDPA entered into force on January 1, 2023.

  • CPA – Colorado

    CPA or Colorado Privacy Act is the privacy law of the state of Colorado. Like Virginia’s VCDPA, this law went into effect on January 1, 2023 and must be implemented by companies located in Colorado or processing data from residents of the state. The law imposes a requirement on websites, the universal opt-out mechanism, which requires websites to provide their users with a single opt-out button for the marketing and analytics services used by the website.

  • UCPA – Utah

    The US data protection law for the state of Utah in the western USA is called UCPA or Utah Consumer Privacy Act. Unlike the two aforementioned laws, the UCPA does not come into effect until December 31, 2023. This law also affects all companies that process a certain amount of data (here 100,000 per year) of state residents.

  • CAPDP – Connecticut

    CTDPA stands for Connecticut Data Privacy Act (also known as the Connecticut Act Concerning Personal Data Privacy and Online Monitoring) and is the federal data protection law in the state of Connecticut. The law went into effect on July 1, 2023 and affects companies that are based in, conduct business in, or process data from residents of the state.

  • TXDPSA – Texas

    The Texas Data Privacy and Security Act (TXDPSA), effective July 1, 2024, applies to companies that operate in Texas or provide services to Texas residents.

  • OCDPA – Oregon

    The Oregon Consumer Data Privacy Act (OCDPA), effective July 1, 2024, applies to companies that operate in the state or provide services to its residents. It includes GDPR-like roles for data controllers and processors, requires detailed data protection notices and requires data protection assessments for high-risk activities.

  • MCDPA – Montana

    The Montana Consumer Data Privacy Act (MCDPA), effective October 1, 2024, applies to companies doing business in Montana or targeting Montana residents and establishes applicability thresholds based on the amount of personal data processed and the revenue generated from the sale of personal data, excluding certain companies and types of data.

  • CDPA – Iowa

    The Iowa Consumer Data Protection Act, effective January 1, 2025, targets data controllers and data processors that process significant amounts of personal information of Iowa residents or derive significant revenue from the sale of such information.

  • DPDPA – Delaware

    The Delaware Personal Data Privacy Act, effective January 1, 2025, establishes Delaware’s position on protecting consumer data, consistent with general trends in the United States, but is notable in that it does not exempt most nonprofit organizations and institutions of higher education.

  • TIPA – Tennessee

    The Tennessee Information Protection Act (TIPA), effective July 1, 2025, sets strict criteria for how companies must handle the personal information of Tennessee residents. The TIPA sets restrictive applicability thresholds based on turnover and volume of data processing and defines detailed consumer rights, including access, rectification, deletion, data portability and objection to certain data uses.

  • CDPA – Indiana

    The Indiana Data Protection Act, effective January 1, 2026, addresses both “data controllers” and “data processors” operating in Indiana or targeting Indiana residents. The law sets certain thresholds for applicability and exempts various entities such as government agencies and HIPAA covered entities.

Frequently asked questions

Not sure if you need a CMP?

To help you with things like GDPR, CMP and consent, we’ve rounded up the most common questions here.

The law comes into force on July 1, 2023

CAPDP (sometimes also CTPDP) stands for Connecticut Act Concerning Personal Data Privacy.

UCPA will become effective on December 31, 2023.

Utah Consumer Privacy Act.

CPA is effective from January 01, 2023.

Colorado Privacy Act.

VCDPA effective January 01, 2023.

VCDPA stands for Virginia Consumer Data Protection Act.

Yes. The federal prosecutor is already diligently handing out fines. The most prominent case so far is that of Sephora with a fine of USD 1.2 million.

The laws have already come into force.

California Privacy Rights Act

California Consumer Privacy Act

Please note that we cannot provide legal advice. Some points of this FAQ may also change over time or be interpreted differently by courts. That’s why you should always consult your lawyer!