The Direct Answer
No US federal or state law requires the kind of cookie consent popup you see on European websites. If you run a website that only serves American visitors and you do not sell or share personal data, you can skip the popup.
But that is rarely the full picture.
If you run Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, or any advertising tracker, you are almost certainly collecting personal information under the definitions used by California and a growing list of other states. And those states have requirements: opt-out links, privacy notices, Global Privacy Control support, and rules against deceptive consent interfaces.
The practical reality in 2026: most commercial US websites need some form of consent management. Not because a law says "show a cookie popup," but because the combination of 20 state privacy laws, GPC mandates, dark pattern prohibitions, and CIPA litigation risk makes a consent tool operationally necessary.
Disclaimer: This article is general information, not legal advice. Requirements vary by state, business size, data practices, and the specific tools on your website.
Related guides
- GDPR Cookie Consent Requirements for websites subject to European law
- Does Google Analytics Require Consent? covering GA4 under GDPR and US law
- Does Meta Pixel Require Consent? covering Facebook Pixel compliance
- Best Cookiebot Alternative with US compliance comparison
- Free Cookie Scanner to see what trackers are on your website
US vs EU: Two Different Consent Models
Before diving into US rules, it helps to understand why cookie banners exist in the first place.
European law (GDPR and the ePrivacy Directive) follows an opt-in model. Non-essential cookies are blocked until the visitor clicks "Accept." If they never interact with the banner, those cookies never load. That is why every European website shows a cookie popup. The law requires it.
US law follows an opt-out model. Cookies and tracking can start when the page loads. The visitor has the right to stop them afterward. Instead of a popup asking for permission upfront, US law requires things like a "Do Not Sell or Share My Personal Information" link, a functioning opt-out mechanism, and support for browser-based opt-out signals like Global Privacy Control.
These are fundamentally different philosophies:
| EU (GDPR / ePrivacy) | US (CCPA / State Laws) | |
|---|---|---|
| Default | Cookies blocked until consent | Cookies allowed by default |
| Model | Opt-in | Opt-out |
| Banner required? | Yes, by law | Not explicitly |
| Key obligation | Get consent before tracking | Let visitors stop tracking |
| Signal | Consent banner interaction | Do Not Sell link, GPC |
This distinction is why a European cookie popup feels wrong for a US-only website. The compliance mechanism is different. But "no popup required" does not mean "no obligations."
The US Privacy Landscape in 2026
The United States has no federal privacy law. Congress tried twice. The American Data Privacy and Protection Act (ADPPA) passed committee in 2022 but never got a full vote. The American Privacy Rights Act (APRA) was introduced in April 2024 and died at the end of the 118th Congress in January 2025. Neither has been reintroduced.
What the US has instead is a patchwork. As of mid-2026, 19 states have comprehensive privacy laws in effect, with at least two more (Oklahoma and Alabama) signed and scheduled for 2027.
Every one of these state laws follows the opt-out model. None of them require a European-style cookie popup. But all of them impose obligations on how websites handle personal information, including data collected through cookies, pixels, and tracking scripts.
The pace is accelerating. In 2023, four states had active privacy laws. By 2025, the count was fourteen. In 2026, nineteen. The direction is clear: comprehensive privacy regulation is becoming the default across the country, not the exception.
When You Actually Need a Cookie Banner
There are specific scenarios where a US website genuinely needs some form of consent interface:
1. You serve visitors from the EU or UK
If any portion of your traffic comes from Europe or the United Kingdom, GDPR and UK PECR require opt-in consent before non-essential cookies. You need a banner for those visitors. There is no threshold or exemption based on how small your European traffic is.
2. You sell or share personal information
Under CCPA and most state privacy laws, if you "sell" or "share" personal information, you must give visitors a way to opt out. The definitions of "sell" and "share" are broad. Using Google Analytics with Google Ads linking, running Meta Pixel for retargeting, or loading third-party advertising cookies all qualify as "sharing" personal information under California law.
3. You use targeted advertising
Most state privacy laws give consumers the right to opt out of targeted advertising. If you run any ad-tech on your website, visitors from covered states have the right to stop it. A consent management tool with an opt-out mechanism is the standard approach.
4. You want to reduce CIPA litigation risk
A growing wave of lawsuits under the California Invasion of Privacy Act targets websites that load tracking scripts without disclosure. A consent banner that explains what scripts load and gives visitors control is one of the strongest defenses. More on this below.
5. You process sensitive data
Several state laws (including Connecticut, Colorado, Oregon, and Maryland) require opt-in consent for processing sensitive personal information. Health data, precise geolocation, and biometric data fall into this category. If your website collects anything in this zone, you may need affirmative consent before the relevant trackers fire.
What Every US Website Must Have
Even without a cookie popup, US websites that collect personal information through cookies or tracking technologies must have these elements:
Do Not Sell or Share Link
California requires a "Do Not Sell or Share My Personal Information" link on every page if you sell or share personal data. Colorado, Connecticut, Virginia, and others have similar requirements using different language ("opt out of targeted advertising" or "opt out of sale of personal data").
Privacy Policy with Cookie Disclosure
Your privacy policy must disclose what cookies and tracking technologies your website uses, what categories of personal information they collect, the purposes for collection, and whether you share data with third parties. Nearly every state law requires this.
Global Privacy Control Support
Twelve states now legally require businesses to honor GPC signals. If a visitor's browser sends a GPC signal, your website must treat it as a valid opt-out request. This is not optional in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.
Functioning Opt-Out Mechanism
The opt-out must actually work. It is not enough to have a link that opens a form. The mechanism must stop the sale or sharing of personal information when activated. That means your website needs the technical ability to suppress specific cookies and scripts when a visitor opts out.
No Dark Patterns
California, Connecticut, Colorado, and other states explicitly prohibit dark patterns in consent and opt-out interfaces. Accept and decline options must have equal visual weight. You cannot use confusing language, hidden opt-outs, or extra steps to discourage people from exercising their rights.
State-by-State Privacy Law Reference
The table below covers all US states with comprehensive privacy laws in effect or signed as of mid-2026. Each follows the opt-out model, but the specifics differ.
| State | Law | Effective | GPC Required | Opt-Out Rights |
|---|---|---|---|---|
| California | CPRA | Jan 2023 | Yes | Sale, sharing, targeted ads, profiling |
| Virginia | VCDPA | Jan 2023 | No | Sale, targeted ads, profiling |
| Colorado | CPA | Jul 2023 | Yes | Sale, targeted ads, profiling |
| Connecticut | CTDPA | Jul 2023 | Yes | Sale, targeted ads, profiling |
| Utah | UCPA | Dec 2023 | No | Sale, targeted ads |
| Texas | TDPSA | Jul 2024 | Yes | Sale, targeted ads, profiling |
| Oregon | OCPA | Jul 2024 | Yes | Sale, targeted ads, profiling |
| Montana | MTCDPA | Oct 2024 | Yes | Sale, targeted ads, profiling |
| Delaware | DPDPA | Jan 2025 | Yes | Sale, targeted ads, profiling |
| Iowa | ICDPA | Jan 2025 | No | Sale, targeted ads |
| Nebraska | NDPA | Jan 2025 | Yes | Sale, targeted ads, profiling |
| New Hampshire | NHPA | Jan 2025 | Yes | Sale, targeted ads, profiling |
| New Jersey | NJDPA | Jan 2025 | Yes | Sale, targeted ads, profiling |
| Tennessee | TIPA | Jul 2025 | No | Sale, targeted ads, profiling |
| Minnesota | MCDPA | Jul 2025 | Yes | Sale, targeted ads, profiling |
| Maryland | MODPA | Oct 2025 | Yes | Sale, targeted ads, profiling, sensitive data opt-in |
| Indiana | INCDPA | Jan 2026 | No | Sale, targeted ads, profiling |
| Kentucky | KCDPA | Jan 2026 | No | Sale, targeted ads, profiling |
| Rhode Island | RIDTPPA | Jan 2026 | No | Sale, targeted ads, profiling |
| Oklahoma | OCDPA | Jan 2027 | No | Sale, targeted ads, profiling |
| Alabama | APDPA | May 2027 | No | Sale, targeted ads, profiling |
The trend is unmistakable. More than half of these laws took effect in 2024 or later. If your website has visitors from multiple states, you cannot realistically track which rules apply to each visitor without automated tooling.
Global Privacy Control: The Signal You Cannot Ignore
Global Privacy Control is a browser-level signal. When enabled, it tells every website the visitor loads that they want to opt out of data selling and sharing. Major browsers including Firefox, Brave, and DuckDuckGo support it natively, and extensions add support to Chrome and Safari.
What makes GPC different from older signals like Do Not Track is that GPC has legal teeth. Twelve US states require businesses to honor it. In California, the requirement is explicit in CPRA regulations. Since January 2026, California businesses must also display a visible "Opt-Out Request Honored" message when a GPC signal is processed.
Ignoring GPC is not a gray area. The $1.55 million Healthline settlement in July 2025, the largest CCPA settlement to date, centered partly on failure to properly honor GPC signals. Healthline's opt-out tool was misconfigured, and personal information continued flowing to advertisers after consumers opted out.
For website owners, this means your website needs the technical ability to detect a GPC signal and suppress data sharing when it is present. A consent management platform handles this automatically. Doing it manually across every tracking script and advertising pixel is fragile and error-prone.
The CIPA Litigation Wave
Perhaps the most surprising force pushing US websites toward cookie consent tools has nothing to do with privacy legislation. It comes from a 1967 California wiretapping statute.
The California Invasion of Privacy Act (CIPA) was written to prevent telephone wiretapping. Plaintiff attorneys have repurposed it to target modern website tracking. The legal theory: cookies, tracking pixels, session replay tools, and chat widgets constitute "wiretapping" or "pen register" activity when they record visitor interactions without adequate disclosure.
The numbers tell the story:
- 2022: 54 CIPA filings targeting website tracking
- 2024: 675 filings
- 2026 (projected): 3,500+ filings
Since June 2022, over 1,641 digital wiretapping lawsuits have been filed across 28 states. 83% of them were filed in California.
What makes CIPA dangerous for website owners is the damages. CIPA allows statutory damages of up to $5,000 per violation with no requirement to prove actual harm. Compare that to CCPA's maximum of $7,500 per intentional violation, which requires the state AG to bring the case. CIPA claims can be filed as private class actions.
The targets are ordinary marketing tools: Meta Pixel, Google Analytics, Hotjar, FullStory, Microsoft Clarity, chat widgets, and session replay software. If your website loads any of these without clearly disclosing what they do and giving visitors control, you are exposed.
A proposed safe harbor bill (SB 690) that would have exempted CCPA-regulated activities from CIPA claims was shelved in 2025. A 2026 version passed the Assembly Appropriations Committee, but the legislative deadline is August 31, 2026, and the outcome is uncertain. Even if it passes, protections would not take effect until January 1, 2027.
In the meantime, a cookie consent banner that discloses what scripts load and offers visitors control is one of the strongest defenses against CIPA claims.
Enforcement Actions and Real Fines
US enforcement against cookie and tracking violations has escalated sharply since 2024. These are not theoretical risks:
State Attorney General Actions
- Healthline, $1.55M (July 2025): Largest CCPA settlement to date. Healthline shared health-related browsing data with advertising partners and failed to properly honor GPC opt-out signals.
- Honda, $632,500 (March 2025): California fined Honda for an asymmetrical cookie consent interface. The accept button was prominent; the decline option was buried. This was specifically cited as a dark pattern violation.
- Roku (April 2025): Michigan sued Roku for hiding advertising opt-out mechanisms, making it unreasonably difficult for users to exercise their rights.
- General Motors, Allstate, Google (2025): Texas brought enforcement actions for improper consent on location and biometric data sharing.
Multi-State Enforcement
In late 2025, seven states (California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon) formed the Consortium of Privacy Regulators, specifically targeting GPC non-compliance. This consortium has announced coordinated enforcement sweeps, meaning a violation in one state can trigger scrutiny from six others.
FTC Enforcement
The Federal Trade Commission has pursued enforcement actions against companies for deceptive tracking practices under Section 5 of the FTC Act. The Gravy Analytics/Venntel case targeted the sale of billions of location data points harvested through cookies and SDKs. The FTC has also published guidance explicitly calling out dark patterns in cookie consent interfaces.
Common Tools and Their US Compliance Risks
Most websites use at least some of these tools. Each one creates specific obligations under US state privacy laws:
| Tool | US Compliance Risk | Key Issue |
|---|---|---|
| Google Analytics (GA4) | Medium to High | Linking GA4 with Google Ads constitutes "sharing" under CCPA. Data flows to Google for ad measurement. |
| Meta Pixel | High | Sends browsing data to Meta for cross-context behavioral advertising. Clearly "sharing" under CCPA. |
| TikTok Pixel | High | Similar to Meta Pixel. Data sent to TikTok for ad targeting and measurement. |
| Hotjar | Medium | Session recordings capture visitor interactions. CIPA litigation risk for recording without disclosure. |
| Microsoft Clarity | Medium | Session replay tool. Same CIPA concerns as Hotjar. Records clicks, scrolls, and page interactions. |
| LinkedIn Insight Tag | Medium to High | Enables retargeting and demographic reporting. Data shared with LinkedIn for advertising. |
If your website runs any combination of these tools, you have obligations under multiple state privacy laws. The question is not whether you need to comply, but how.
Run a free scan on your website to see exactly which cookies and trackers are active.
If You Serve Both US and EU Visitors
Many websites serve visitors from both sides of the Atlantic. This creates a practical problem: EU law requires opt-in consent (block cookies first, ask permission), while US law allows opt-out (cookies run, visitors can stop them later).
There are two ways to handle this:
Option 1: Apply EU rules to everyone
Show an opt-in cookie banner to all visitors regardless of location. This is the simplest approach but it comes with a cost: blocking analytics and advertising scripts for US visitors until they click "Accept" means you lose data on every visitor who ignores the banner. For US-focused websites, this can reduce analytics coverage by 30-50%.
Option 2: Geo-aware consent policies
Use a consent management platform that applies different rules based on visitor location. EU visitors see an opt-in banner with script blocking. US visitors see an opt-out mechanism with a Do Not Sell link. This preserves analytics coverage for US traffic while meeting EU requirements for European traffic.
The second approach is what most commercial websites choose, and it is what Concentio supports out of the box.
How Concentio Helps
Concentio is built to handle both US and EU consent requirements without forcing you to choose one model for everyone:
- Geo-aware consent policies: Different consent rules apply based on visitor location. GDPR opt-in for EU traffic, opt-out with Do Not Sell for US traffic.
- GPC signal detection: Concentio automatically detects Global Privacy Control signals and honors opt-out requests across all 12 states that require it.
- Automated cookie scanning: The built-in scanner detects cookies, tracking pixels, and third-party scripts on your website so you know exactly what is running.
- Script blocking: Non-essential scripts are blocked before consent for EU visitors and suppressed when US visitors opt out.
- Google Consent Mode v2: Full support for both Basic and Advanced modes, sending the correct consent signals to Google tags.
- Dark pattern compliance: Consent interfaces are designed with equal visual weight for accept and decline options, meeting California and Connecticut dark pattern requirements.
- Consent proof: Every consent interaction is stored as a verifiable record, giving you documentation for both regulatory inquiries and CIPA defense.
Start free with Concentio and scan your first website in under two minutes.
US Cookie Compliance Checklist
Use this checklist to evaluate your website's current compliance posture:
Compliance checklist
- Privacy policy: Does it disclose all cookies, tracking technologies, categories of data collected, and purposes?
- Do Not Sell link: If you sell or share personal data, is there a clear "Do Not Sell or Share My Personal Information" link on every page?
- GPC support: Does your website detect and honor Global Privacy Control signals? This is legally required in 12 states.
- Opt-out mechanism: When a visitor opts out, do tracking scripts actually stop? Or does data continue flowing?
- Dark patterns: Are your accept and decline options equally prominent? No extra steps, confusing language, or buried opt-outs?
- Cookie inventory: Do you know every cookie and third-party script on your website? Run a free scan to find out.
- Vendor data flows: Do you know which vendors receive personal data from your website and for what purposes?
- CIPA exposure: If you serve California visitors, are session replay tools, chat widgets, and tracking pixels disclosed?
- Minor visitors: If your website may attract visitors under 16, do you have opt-in consent for data collection?
- Consent records: Can you produce documentation of consent interactions if a regulator or plaintiff asks?
FAQ
The bottom line: US cookie consent is not about a popup. It is about giving visitors real control over their data, meeting the specific requirements of whichever state laws apply, and protecting your business against a rapidly expanding enforcement and litigation landscape.
Concentio handles all of this with geo-aware policies, automated scanning, GPC support, and consent proof storage.