
US Privacy

IAB GPP: Implement US data protection laws in a legally compliant manner

Make your website or app compliant with the legal requirements for the new US data protection laws.

  • Easy to integrate
  • Supports CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), UCPA (Utah), CAPDP (Connecticut), US National Privacy, among others
  • Official support of the new IAB GPP Standard
  • Including “Do not sell”, GPC and other functions
  • Opt In or Opt Out
  • Customizable design
  • Cookie crawler already integrated
  • Extensive reporting

We have already helped more than 25,000 websites to comply with GDPR, TTDSG & ePrivacy

Our clients include some of the biggest websites and best known brands in the world.

… and many more.

How do I make my website or app compliant with the new US privacy laws?

If your business falls under one of the many privacy laws (see the Laws section), you must comply with those laws. In most states this means:

  • Website visitors/app users must be informed about the type, purpose and content of the data processing
  • Website visitors/app users must have the right to object to data processing (opt-out)
  • In certain cases, consent must be obtained prior to data processing (opt-in)
  • Various basic rules apply to how data may be processed, such as the principle of data minimization, security, transparency or the handling of sensitive data

Specifically, this means in most cases: An opt-out solution must be installed on the website or app in order to provide users with the necessary information and enable the opt-out.


NEED FOR US PRIVACY COMPLIANCE

… but I’m not processing any data at all!?

One response we hear a lot from US customers is that they don’t actually process any data and therefore data protection laws don’t apply to them.

It is important to note here that website and app operators are responsible for the data that is processed on their website or in their app. Therefore, the data protection laws apply in particular to companies if they meet one of the following conditions:

  1. Data is processed for your own purposes, for example via tracking tools such as Google Analytics, Matomo, Hotjar or similar.
  2. Sharing data with third parties is also a processing step. Data is shared, for example, by integrating a third-party plugin into the website or app. This applies to YouTube videos, Facebook plugins, Google Maps, chat programs or payment providers such as PayPal.
  3. Whenever advertising is integrated into the website or app, data is automatically transmitted to the advertiser. The transmission is understood as a step in data processing.

While states differ a bit on when consent to data processing must be given, virtually all data protection laws require opt-out. In the case of CCPA/CPRA, this must be implemented explicitly by means of a link that says “Do not sell or share my personal information”.

Become compliant in 5 steps

With consentmanager you can easily become compliant with various US data protection laws:

  1. Register now for free and activate your consentmanager account
  2. Integrate the consentmanager code into your website using copy and paste
  3. Adapt the opt-out design to your wishes
  4. Create & integrate the “Do not sell or share my personal information” link
  5. Stay compliant thanks to automatic updates

Recommended by lawyers and data protection officers

The new Standard IAB GPP

Make the website secure with new standards: IAB GPP

In order to transparently signal the opt-in or opt-out within the website or app to all integrated tools, plugins and advertising providers, the so-called IAB GPP Standard was developed by the IAB.

  • GPP stands for Global Privacy Platform and defines various methods and interfaces, such as a CMP (Consent Management Provider, also known as “Cookie Banner” or “Privacy Notice”), that can record and communicate consent/opt-in or rejection/opt-out. The Standard is largely based on the IAB TCF Standard, which has been used successfully in Europe for years and has become a must for publishers and advertisers.
  • The consentmanager team played a key role in the development of the GPP standard, and so it is not surprising that consentmanager is the first provider to offer the productive use of IAB GPP.
    You can also find out more about GPP in our blog.
  • Important: Most data protection laws also require that website operators and app operators be able to respond to “browser signals”. One of these signals is the GPC or “Global Privacy Control” required in California. With consentmanager, websites and apps don’t have to leave this to chance: the consentmanager solution automatically responds to browser signals and implements the opt-out automatically.

Why become compliant for US privacy laws now?

Protection for your business

CCPA, VCDPA, CAPDP etc. will be effective from 2023 and must be implemented. The Federal Attorneys General can now impose fines on the basis of laws – in many cases this has already happened. Don’t hesitate any longer and make your website or app compliant now!

Protection for your earnings

Advertising companies will rely on the new IAB GPP standard in 2023. In Europe, hardly any advertising is sold without the European standard – in the USA the trend is going in the same direction. If you don’t support the IAB GPP standard, you’re missing out on advertising revenue!

Protection for your customers

Customers are becoming more critical and are increasingly questioning how companies handle data. Companies that do not respect their privacy lose credibility, customers and sales. Show your customers that you really care about them!

Only pay for what you use

Our flexible pricing model

The consentmanager CMP is affordable and available with a flexible model: you only pay for what you use!

Basic

0
Permanently free for a website
  • 5,000 views / month incl.
  • GDPR Compliant
  • Premade Designs
  • 1 crawl/week
  • Support: tickets
  • additional Views bookable
  • IAB TCF compatible CMP
  • IAB GPP standard
  • A/B testing & optimization
  • additional user accounts

Beginner

19
Monthly for a website
  • 100,000 views / month incl.
  • additional views: 0.1 / 1000
  • GDPR Compliant
  • Customizable designs
  • 3 crawls/day
  • Support: tickets
  • A/B testing & optimization
  • IAB TCF compatible CMP
  • IAB GPP standard
  • additional user accounts
Very popular

Standard

49
Monthly for up to 3 websites or apps
  • 1 million views / month incl.
  • additional views: 0.05 / 1000
  • GDPR Compliant
  • IAB TCF compatible CMP
  • IAB GPP standard
  • Customizable designs
  • A/B testing & optimization
  • 10 crawls/day
  • Support: Ticket & Email
  • additional user accounts

Agency

195
Monthly for up to 20 websites or apps
  • 10 million views / month incl.
  • additional views: 0.02 / 1000
  • GDPR Compliant
  • IAB TCF compatible CMP
  • IAB GPP standard
  • Customizable designs
  • A/B testing & optimization
  • 100 crawls/day
  • 10 additional user accounts
  • Support: Ticket, email & phone
  • Personal account manager

Enterprise

On demand
Monthly price by individual agreement
  • Any Views / Month
  • additional views: 0.02 / 1000
  • GDPR Compliant
  • IAB TCF compatible CMP
  • IAB GPP standard
  • Customizable designs
  • A/B testing & optimization
  • Any crawls/day
  • any add. user accounts
  • Support: Ticket, email & phone
  • Personal account manager

Overview:

When did data protection laws come into force in the United States?

  • The Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) came into effect on October 1, 2019, and was further amended in 2019 and 2021 by Senate Bills 220 and 260.
  • CCPA stands for California Consumer Privacy Act and was passed in 2020. It applies in California or with respect to Californian citizens.
  • The “update” to the CCPA is the CPRA or California Privacy Rights Act, which was introduced on July 1, 2021. Under CPRA, some regulations are specified and tightened.
  • VCDPA stands for Virginia Consumer Data Protection Act and applies to companies doing business in the state of Virginia. The VCDPA entered into force on 1 January 2023.
  • CPA or Colorado Privacy Act is the privacy law of the state of Colorado. This law took effect on July 1, 2023 and must be implemented by companies based in Colorado.
  • CTDPA stands for Connecticut Data Privacy Act and is the federal data protection law in the state of Connecticut. The law came into force on 1 July 2023.
  • UCPA or Utah Consumer Privacy Act does not take effect until December 31, 2023. This law also affects all companies that process a certain amount of data from citizens of the state.
  • Washington State’s My Health My Data Act (MHMD) has been in effect since March 31, 2024, and sets strict requirements for organizations that collect, share, or process health data.
  • The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, applies to companies that operate in Texas or serve Texas residents.
  • The Oregon Consumer Data Privacy Act (OCDPA), which takes effect on July 1, 2024, establishes Oregon as a state that provides comprehensive protections for consumers and applies to companies operating in the state.
  • The Florida Digital Bill of Rights (FDBR) was signed on June 6, 2023 and will take effect on July 1, 2024. This law introduces a number of measures to protect consumer privacy.
  • The Montana Consumer Data Privacy Act (MTCDPA), which takes effect on October 1, 2024, applies to companies that do business in Montana or target Montana residents.
  • The Iowa Consumer Data Protection Act, effective January 1, 2025, is aimed at data controllers and data processors that process significant amounts of personal information of Iowa residents or derive significant revenue from the sale of such information.
  • On March 6, 2024, Senate Bill 255 was signed by the Governor of New Hampshire and will take effect on January 1, 2025. The Attorney General of New Hampshire is responsible for enforcing the law.
  • On April 17, 2024, the Governor of Nebraska signed the Nebraska Data Privacy Act, which will take effect on January 1, 2025. The law imposes obligations on companies that process personal data in Nebraska and grants consumers rights such as confirmation, correction, deletion and revocation of data processing activities.
  • The Delaware Personal Data Privacy Act, effective January 1, 2025, establishes Delaware’s position on consumer data protection, consistent with general trends in the United States.
  • On January 16, 2024, the Governor of New Jersey signed the New Jersey Privacy Act (NJPA), which will go into effect on January 15, 2025. The law sets out obligations focusing on data economy, security and personal rights, as well as special protection measures for sensitive data and children.
  • The Tennessee Information Protection Act (TIPA), which takes effect on July 1, 2025, sets strict criteria for how companies must handle the personal information of Tennessee residents.
  • The Maryland Online Data Privacy Act (MODPA) takes effect on October 1, 2025. It prohibits the sale of sensitive data and tightens data minimization requirements. Violations can result in fines of up to $10,000 per violation.
  • The Indiana Privacy Act, effective January 1, 2026, is directed at both “data controllers” and “data processors” operating in Indiana or targeting Indiana residents.
  • Kentucky passed the Kentucky Consumer Data Privacy Act (KCDPA) on April 4, 2024, which will take effect on January 1, 2026. The law regulates the processing of personal data and applies to data controllers in Kentucky, with exceptions for various institutions and types of data.

These are the important US privacy norms

What data protection laws are there in the US?

Companies that are located in, do business or provide services in, or otherwise deal with U.S. residents are most likely covered by one of the many data protection laws.

Unlike in many other countries, data protection laws in the USA are regulated at the state level – until there is a national data protection law. Companies should therefore check whether or which federal laws apply to them. In detail these could be:

  • CCPA / CPRA – California

    CCPA stands for California Consumer Privacy Act and was enacted in 2019. It applies especially in California or in relation to California residents. The “update” to CCPA is CPRA or California Privacy Rights Act. Under the CPRA, some regulations are specified and tightened.

  • Nevada – NPICICA

    Nevada’s privacy law, the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA), went into effect on October 1, 2019, and underscores consumers’ rights to control their personal information collected online. Amendments such as Senate Bill 220 (SB-220) and Senate Bill 260 (SB-260) expanded these rights by requiring website operators to provide mechanisms that allow consumers to opt out of the sale of their data. While Nevada’s data privacy laws are not as comprehensive as those in other states such as California, they still provide penalties for violations, with the Nevada Attorney General imposing fines of up to $5,000 per violation. Companies must disclose certain information in their privacy policies and provide mechanisms that allow consumers to opt out of the sale of data.

  • VCDPA – Virginia

    VCDPA stands for Virginia Consumer Data Protection Act and refers to companies that do business in the state of Virginia or target citizens from this state. The VCDPA entered into force on January 1, 2023.

  • CPA – Colorado

    CPA or Colorado Privacy Act is the privacy law of the state of Colorado. This law took effect on July 1, 2023, and must be implemented by companies based in Colorado or processing data of residents of the state. The law imposes a requirement on websites, the universal opt-out mechanism, which requires websites to provide their users with a single opt-out button for the marketing and analytics services used by the website.

  • UCPA – Utah

    The US data protection law for the state of Utah in the western USA is called UCPA or Utah Consumer Privacy Act. Unlike the two aforementioned laws, the UCPA does not come into effect until December 31, 2023. This law also affects all companies that process a certain amount of data (here 100,000 per year) of state residents.

  • CAPDP – Connecticut

    CTDPA stands for Connecticut Data Privacy Act (also known as the Connecticut Act Concerning Personal Data Privacy and Online Monitoring) and is the federal data protection law in the state of Connecticut. The law went into effect on July 1, 2023 and affects companies that are based in, conduct business in, or process data from residents of the state.

  • TDPSA – Texas

    The Texas Data Privacy and Security Act (TDPSA), which will take effect on July 1, 2024, applies to companies that operate in Texas or provide services to Texas residents.

  • OCDPA – Oregon

    The Oregon Consumer Data Privacy Act (OCDPA), effective July 1, 2024, applies to companies that operate in the state or provide services to its residents. It includes GDPR-like roles for data controllers and processors, requires detailed data protection notices and requires data protection assessments for high-risk activities.

  • MTCDPA – Montana

    The Montana Consumer Data Privacy Act (MTCDPA), which takes effect October 1, 2024, applies to companies doing business in Montana or targeting Montana residents and sets thresholds for applicability based on the amount of personal data processed and the revenue generated from the sale of personal data, exempting certain companies and types of data.

  • CDPA – Iowa

    The Iowa Consumer Data Protection Act, effective January 1, 2025, targets data controllers and data processors that process significant amounts of personal information of Iowa residents or derive significant revenue from the sale of such information.

  • DPDPA – Delaware

    The Delaware Personal Data Privacy Act, effective January 1, 2025, establishes Delaware’s position on protecting consumer data, consistent with general trends in the United States, but is notable in that it does not exempt most nonprofit organizations and institutions of higher education.

  • TIPA – Tennessee

    The Tennessee Information Protection Act (TIPA), effective July 1, 2025, sets strict criteria for how companies must handle the personal information of Tennessee residents. The TIPA sets restrictive applicability thresholds based on turnover and volume of data processing and defines detailed consumer rights, including access, rectification, deletion, data portability and objection to certain data uses.

  • CDPA – Indiana

    The Indiana Data Protection Act, effective January 1, 2026, addresses both “data controllers” and “data processors” operating in Indiana or targeting Indiana residents. The law sets certain thresholds for applicability and exempts various entities such as government agencies and HIPAA covered entities.

  • MHMD – Washington

    Washington State’s My Health My Data Act (MHMD), which took effect on March 31, 2024, imposes strict requirements on companies that collect, share or process health data. The MHMD requires prior consent for the collection of health data and additional consent for its sharing to protect the privacy of healthcare consumers. The law sets out detailed data security requirements and restricts geofencing near healthcare providers.

  • MODPA – Maryland

    Maryland lawmakers have passed the Maryland Online Data Privacy Act (MODPA), a data privacy law that will take effect on October 1, 2025, once passed. Key provisions of the MODPA include a ban on the sale of sensitive data, stricter data minimization requirements, mandatory privacy assessments, unique targeted advertising requirements, and opt-out rights with updated privacy notices. Failure to comply may result in fines of up to $10,000 per violation.

  • FDBR – Florida

    The Florida Digital Bill of Rights (FDBR) was signed on June 6, 2023 and will take effect on July 1, 2024. This law introduces a number of measures to protect consumer privacy. It applies primarily to large companies with gross annual revenues of more than $1 billion, with certain thresholds applying to companies that are heavily involved in digital advertising or operate large digital platforms. The FDBR provides extensive opt-out rights for data collection through voice and facial recognition technologies, sets strict restrictions on the collection of surveillance data without the active consent of the user, and requires clear notices for the sale of sensitive and biometric data. In addition, the law provides special protection for children’s data and prohibits government agencies from moderating content on social media, although some exceptions are provided.

  • NDPA – Nebraska

    The Governor of Nebraska signed the Nebraska Data Privacy Act on April 17, 2024, which will take effect on January 1, 2025. The law imposes obligations on companies that process personal information in Nebraska and grants consumers rights such as confirmation of data processing, correction of inaccuracies, deletion of personal information, and opt-out of certain data processing activities. The law requires data controllers to provide clear privacy notices, restrict data collection, implement data security procedures and conduct data protection assessments. The Nebraska Attorney General can sanction violators with fines of up to $7,500 per violation.

  • SB 255 – New Hampshire

    The Governor of New Hampshire signed Senate Bill 255 on March 6, 2024, which will take effect on January 1, 2025. The law applies to companies operating in New Hampshire that process personal data and establishes obligations for data minimization, purpose limitation and privacy, as well as consumer rights such as access, rectification, erasure, portability and opt-out. Enforcement of the law is the sole responsibility of the New Hampshire Attorney General, who has 60 days to correct any deficiencies.

  • NJPA – New Jersey

    On January 16, 2024, the Governor of New Jersey signed the New Jersey Privacy Act (NJPA), which will go into effect on January 15, 2025. The NJPA requires companies to take similar measures as other state privacy laws, such as data minimization, data security, and data subject rights, with particular attention to sensitive data and the protection of children. Data controllers and processors must comply with the provisions regarding consumer requests, data security and data breach notification. The law is enforced exclusively by the Attorney General of New Jersey and contains provisions for regulation and redress for consumers.

  • KCDPA – Kentucky

    Kentucky passed the Kentucky Consumer Data Privacy Act (KCDPA) on April 4, 2024, which will take effect on January 1, 2026. The law regulates the processing of personal data, establishes consumer rights, and authorizes the Kentucky Attorney General to enforce the law. The law applies to controllers that process data of Kentucky residents, with exemptions for various entities and types of data, including financial and health data. Data controllers must provide clear privacy notices, limit data collection, ensure security and respect consumers’ rights, with an emphasis on not processing sensitive data without explicit consent. Enforcement is the responsibility of the Kentucky Attorney General, who provides a 30-day deadline to correct violations and possible civil penalties.

Frequently asked questions

Not sure if you need a CMP?

To help you with things like GDPR, CMP and consent, we’ve rounded up the most common questions here.

The law came into force on July 1, 2023.

CAPDP (sometimes also CTPDP) stands for Connecticut Act Concerning Personal Data Privacy.

The UCPA came into force on December 31, 2023.

Utah Consumer Privacy Act.

The CPA came into force on January 1, 2023.

Colorado Privacy Act.

The VCDPA came into force on January 1, 2023.

VCDPA stands for Virginia Consumer Data Protection Act.

Yes. The federal prosecutor is already diligently handing out fines. The most prominent case so far is that of Sephora with a fine of USD 1.2 million.

The laws have already come into force.

California Privacy Rights Act

California Consumer Privacy Act

Please note that we cannot provide legal advice. Some points of this FAQ may also change over time or be interpreted differently by courts. That’s why you should always consult your lawyer!