Concentio
US Privacy Law

Do You Need a Cookie Banner in the US? (2026)

No US law requires a European-style cookie popup. But between CCPA, 20 state privacy laws, GPC mandates, and a wave of CIPA lawsuits, the practical answer is more complicated than a simple no.

Concentio July 6, 2026 18 min read

The Direct Answer

No US federal or state law requires the kind of cookie consent popup you see on European websites. If you run a website that only serves American visitors and you do not sell or share personal data, you can skip the popup.

But that is rarely the full picture.

If you run Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, or any advertising tracker, you are almost certainly collecting personal information under the definitions used by California and a growing list of other states. And those states have requirements: opt-out links, privacy notices, Global Privacy Control support, and rules against deceptive consent interfaces.

The practical reality in 2026: most commercial US websites need some form of consent management. Not because a law says "show a cookie popup," but because the combination of 20 state privacy laws, GPC mandates, dark pattern prohibitions, and CIPA litigation risk makes a consent tool operationally necessary.

Disclaimer: This article is general information, not legal advice. Requirements vary by state, business size, data practices, and the specific tools on your website.

Related guides

US vs EU: Two Different Consent Models

Before diving into US rules, it helps to understand why cookie banners exist in the first place.

European law (GDPR and the ePrivacy Directive) follows an opt-in model. Non-essential cookies are blocked until the visitor clicks "Accept." If they never interact with the banner, those cookies never load. That is why every European website shows a cookie popup. The law requires it.

US law follows an opt-out model. Cookies and tracking can start when the page loads. The visitor has the right to stop them afterward. Instead of a popup asking for permission upfront, US law requires things like a "Do Not Sell or Share My Personal Information" link, a functioning opt-out mechanism, and support for browser-based opt-out signals like Global Privacy Control.

These are fundamentally different philosophies:

EU (GDPR / ePrivacy) US (CCPA / State Laws)
Default Cookies blocked until consent Cookies allowed by default
Model Opt-in Opt-out
Banner required? Yes, by law Not explicitly
Key obligation Get consent before tracking Let visitors stop tracking
Signal Consent banner interaction Do Not Sell link, GPC

This distinction is why a European cookie popup feels wrong for a US-only website. The compliance mechanism is different. But "no popup required" does not mean "no obligations."

The US Privacy Landscape in 2026

The United States has no federal privacy law. Congress tried twice. The American Data Privacy and Protection Act (ADPPA) passed committee in 2022 but never got a full vote. The American Privacy Rights Act (APRA) was introduced in April 2024 and died at the end of the 118th Congress in January 2025. Neither has been reintroduced.

What the US has instead is a patchwork. As of mid-2026, 19 states have comprehensive privacy laws in effect, with at least two more (Oklahoma and Alabama) signed and scheduled for 2027.

Every one of these state laws follows the opt-out model. None of them require a European-style cookie popup. But all of them impose obligations on how websites handle personal information, including data collected through cookies, pixels, and tracking scripts.

The pace is accelerating. In 2023, four states had active privacy laws. By 2025, the count was fourteen. In 2026, nineteen. The direction is clear: comprehensive privacy regulation is becoming the default across the country, not the exception.

When You Actually Need a Cookie Banner

There are specific scenarios where a US website genuinely needs some form of consent interface:

1. You serve visitors from the EU or UK

If any portion of your traffic comes from Europe or the United Kingdom, GDPR and UK PECR require opt-in consent before non-essential cookies. You need a banner for those visitors. There is no threshold or exemption based on how small your European traffic is.

2. You sell or share personal information

Under CCPA and most state privacy laws, if you "sell" or "share" personal information, you must give visitors a way to opt out. The definitions of "sell" and "share" are broad. Using Google Analytics with Google Ads linking, running Meta Pixel for retargeting, or loading third-party advertising cookies all qualify as "sharing" personal information under California law.

3. You use targeted advertising

Most state privacy laws give consumers the right to opt out of targeted advertising. If you run any ad-tech on your website, visitors from covered states have the right to stop it. A consent management tool with an opt-out mechanism is the standard approach.

4. You want to reduce CIPA litigation risk

A growing wave of lawsuits under the California Invasion of Privacy Act targets websites that load tracking scripts without disclosure. A consent banner that explains what scripts load and gives visitors control is one of the strongest defenses. More on this below.

5. You process sensitive data

Several state laws (including Connecticut, Colorado, Oregon, and Maryland) require opt-in consent for processing sensitive personal information. Health data, precise geolocation, and biometric data fall into this category. If your website collects anything in this zone, you may need affirmative consent before the relevant trackers fire.

What Every US Website Must Have

Even without a cookie popup, US websites that collect personal information through cookies or tracking technologies must have these elements:

Do Not Sell or Share Link

California requires a "Do Not Sell or Share My Personal Information" link on every page if you sell or share personal data. Colorado, Connecticut, Virginia, and others have similar requirements using different language ("opt out of targeted advertising" or "opt out of sale of personal data").

Privacy Policy with Cookie Disclosure

Your privacy policy must disclose what cookies and tracking technologies your website uses, what categories of personal information they collect, the purposes for collection, and whether you share data with third parties. Nearly every state law requires this.

Global Privacy Control Support

Twelve states now legally require businesses to honor GPC signals. If a visitor's browser sends a GPC signal, your website must treat it as a valid opt-out request. This is not optional in California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas.

Functioning Opt-Out Mechanism

The opt-out must actually work. It is not enough to have a link that opens a form. The mechanism must stop the sale or sharing of personal information when activated. That means your website needs the technical ability to suppress specific cookies and scripts when a visitor opts out.

No Dark Patterns

California, Connecticut, Colorado, and other states explicitly prohibit dark patterns in consent and opt-out interfaces. Accept and decline options must have equal visual weight. You cannot use confusing language, hidden opt-outs, or extra steps to discourage people from exercising their rights.

State-by-State Privacy Law Reference

The table below covers all US states with comprehensive privacy laws in effect or signed as of mid-2026. Each follows the opt-out model, but the specifics differ.

State Law Effective GPC Required Opt-Out Rights
California CPRA Jan 2023 Yes Sale, sharing, targeted ads, profiling
Virginia VCDPA Jan 2023 No Sale, targeted ads, profiling
Colorado CPA Jul 2023 Yes Sale, targeted ads, profiling
Connecticut CTDPA Jul 2023 Yes Sale, targeted ads, profiling
Utah UCPA Dec 2023 No Sale, targeted ads
Texas TDPSA Jul 2024 Yes Sale, targeted ads, profiling
Oregon OCPA Jul 2024 Yes Sale, targeted ads, profiling
Montana MTCDPA Oct 2024 Yes Sale, targeted ads, profiling
Delaware DPDPA Jan 2025 Yes Sale, targeted ads, profiling
Iowa ICDPA Jan 2025 No Sale, targeted ads
Nebraska NDPA Jan 2025 Yes Sale, targeted ads, profiling
New Hampshire NHPA Jan 2025 Yes Sale, targeted ads, profiling
New Jersey NJDPA Jan 2025 Yes Sale, targeted ads, profiling
Tennessee TIPA Jul 2025 No Sale, targeted ads, profiling
Minnesota MCDPA Jul 2025 Yes Sale, targeted ads, profiling
Maryland MODPA Oct 2025 Yes Sale, targeted ads, profiling, sensitive data opt-in
Indiana INCDPA Jan 2026 No Sale, targeted ads, profiling
Kentucky KCDPA Jan 2026 No Sale, targeted ads, profiling
Rhode Island RIDTPPA Jan 2026 No Sale, targeted ads, profiling
Oklahoma OCDPA Jan 2027 No Sale, targeted ads, profiling
Alabama APDPA May 2027 No Sale, targeted ads, profiling

The trend is unmistakable. More than half of these laws took effect in 2024 or later. If your website has visitors from multiple states, you cannot realistically track which rules apply to each visitor without automated tooling.

Global Privacy Control: The Signal You Cannot Ignore

Global Privacy Control is a browser-level signal. When enabled, it tells every website the visitor loads that they want to opt out of data selling and sharing. Major browsers including Firefox, Brave, and DuckDuckGo support it natively, and extensions add support to Chrome and Safari.

What makes GPC different from older signals like Do Not Track is that GPC has legal teeth. Twelve US states require businesses to honor it. In California, the requirement is explicit in CPRA regulations. Since January 2026, California businesses must also display a visible "Opt-Out Request Honored" message when a GPC signal is processed.

Ignoring GPC is not a gray area. The $1.55 million Healthline settlement in July 2025, the largest CCPA settlement to date, centered partly on failure to properly honor GPC signals. Healthline's opt-out tool was misconfigured, and personal information continued flowing to advertisers after consumers opted out.

For website owners, this means your website needs the technical ability to detect a GPC signal and suppress data sharing when it is present. A consent management platform handles this automatically. Doing it manually across every tracking script and advertising pixel is fragile and error-prone.

The CIPA Litigation Wave

Perhaps the most surprising force pushing US websites toward cookie consent tools has nothing to do with privacy legislation. It comes from a 1967 California wiretapping statute.

The California Invasion of Privacy Act (CIPA) was written to prevent telephone wiretapping. Plaintiff attorneys have repurposed it to target modern website tracking. The legal theory: cookies, tracking pixels, session replay tools, and chat widgets constitute "wiretapping" or "pen register" activity when they record visitor interactions without adequate disclosure.

The numbers tell the story:

  • 2022: 54 CIPA filings targeting website tracking
  • 2024: 675 filings
  • 2026 (projected): 3,500+ filings

Since June 2022, over 1,641 digital wiretapping lawsuits have been filed across 28 states. 83% of them were filed in California.

What makes CIPA dangerous for website owners is the damages. CIPA allows statutory damages of up to $5,000 per violation with no requirement to prove actual harm. Compare that to CCPA's maximum of $7,500 per intentional violation, which requires the state AG to bring the case. CIPA claims can be filed as private class actions.

The targets are ordinary marketing tools: Meta Pixel, Google Analytics, Hotjar, FullStory, Microsoft Clarity, chat widgets, and session replay software. If your website loads any of these without clearly disclosing what they do and giving visitors control, you are exposed.

A proposed safe harbor bill (SB 690) that would have exempted CCPA-regulated activities from CIPA claims was shelved in 2025. A 2026 version passed the Assembly Appropriations Committee, but the legislative deadline is August 31, 2026, and the outcome is uncertain. Even if it passes, protections would not take effect until January 1, 2027.

In the meantime, a cookie consent banner that discloses what scripts load and offers visitors control is one of the strongest defenses against CIPA claims.

Enforcement Actions and Real Fines

US enforcement against cookie and tracking violations has escalated sharply since 2024. These are not theoretical risks:

State Attorney General Actions

  • Healthline, $1.55M (July 2025): Largest CCPA settlement to date. Healthline shared health-related browsing data with advertising partners and failed to properly honor GPC opt-out signals.
  • Honda, $632,500 (March 2025): California fined Honda for an asymmetrical cookie consent interface. The accept button was prominent; the decline option was buried. This was specifically cited as a dark pattern violation.
  • Roku (April 2025): Michigan sued Roku for hiding advertising opt-out mechanisms, making it unreasonably difficult for users to exercise their rights.
  • General Motors, Allstate, Google (2025): Texas brought enforcement actions for improper consent on location and biometric data sharing.

Multi-State Enforcement

In late 2025, seven states (California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon) formed the Consortium of Privacy Regulators, specifically targeting GPC non-compliance. This consortium has announced coordinated enforcement sweeps, meaning a violation in one state can trigger scrutiny from six others.

FTC Enforcement

The Federal Trade Commission has pursued enforcement actions against companies for deceptive tracking practices under Section 5 of the FTC Act. The Gravy Analytics/Venntel case targeted the sale of billions of location data points harvested through cookies and SDKs. The FTC has also published guidance explicitly calling out dark patterns in cookie consent interfaces.

Common Tools and Their US Compliance Risks

Most websites use at least some of these tools. Each one creates specific obligations under US state privacy laws:

Tool US Compliance Risk Key Issue
Google Analytics (GA4) Medium to High Linking GA4 with Google Ads constitutes "sharing" under CCPA. Data flows to Google for ad measurement.
Meta Pixel High Sends browsing data to Meta for cross-context behavioral advertising. Clearly "sharing" under CCPA.
TikTok Pixel High Similar to Meta Pixel. Data sent to TikTok for ad targeting and measurement.
Hotjar Medium Session recordings capture visitor interactions. CIPA litigation risk for recording without disclosure.
Microsoft Clarity Medium Session replay tool. Same CIPA concerns as Hotjar. Records clicks, scrolls, and page interactions.
LinkedIn Insight Tag Medium to High Enables retargeting and demographic reporting. Data shared with LinkedIn for advertising.

If your website runs any combination of these tools, you have obligations under multiple state privacy laws. The question is not whether you need to comply, but how.

Run a free scan on your website to see exactly which cookies and trackers are active.

If You Serve Both US and EU Visitors

Many websites serve visitors from both sides of the Atlantic. This creates a practical problem: EU law requires opt-in consent (block cookies first, ask permission), while US law allows opt-out (cookies run, visitors can stop them later).

There are two ways to handle this:

Option 1: Apply EU rules to everyone

Show an opt-in cookie banner to all visitors regardless of location. This is the simplest approach but it comes with a cost: blocking analytics and advertising scripts for US visitors until they click "Accept" means you lose data on every visitor who ignores the banner. For US-focused websites, this can reduce analytics coverage by 30-50%.

Option 2: Geo-aware consent policies

Use a consent management platform that applies different rules based on visitor location. EU visitors see an opt-in banner with script blocking. US visitors see an opt-out mechanism with a Do Not Sell link. This preserves analytics coverage for US traffic while meeting EU requirements for European traffic.

The second approach is what most commercial websites choose, and it is what Concentio supports out of the box.

How Concentio Helps

Concentio is built to handle both US and EU consent requirements without forcing you to choose one model for everyone:

  • Geo-aware consent policies: Different consent rules apply based on visitor location. GDPR opt-in for EU traffic, opt-out with Do Not Sell for US traffic.
  • GPC signal detection: Concentio automatically detects Global Privacy Control signals and honors opt-out requests across all 12 states that require it.
  • Automated cookie scanning: The built-in scanner detects cookies, tracking pixels, and third-party scripts on your website so you know exactly what is running.
  • Script blocking: Non-essential scripts are blocked before consent for EU visitors and suppressed when US visitors opt out.
  • Google Consent Mode v2: Full support for both Basic and Advanced modes, sending the correct consent signals to Google tags.
  • Dark pattern compliance: Consent interfaces are designed with equal visual weight for accept and decline options, meeting California and Connecticut dark pattern requirements.
  • Consent proof: Every consent interaction is stored as a verifiable record, giving you documentation for both regulatory inquiries and CIPA defense.

Start free with Concentio and scan your first website in under two minutes.

US Cookie Compliance Checklist

Use this checklist to evaluate your website's current compliance posture:

Compliance checklist

  • Privacy policy: Does it disclose all cookies, tracking technologies, categories of data collected, and purposes?
  • Do Not Sell link: If you sell or share personal data, is there a clear "Do Not Sell or Share My Personal Information" link on every page?
  • GPC support: Does your website detect and honor Global Privacy Control signals? This is legally required in 12 states.
  • Opt-out mechanism: When a visitor opts out, do tracking scripts actually stop? Or does data continue flowing?
  • Dark patterns: Are your accept and decline options equally prominent? No extra steps, confusing language, or buried opt-outs?
  • Cookie inventory: Do you know every cookie and third-party script on your website? Run a free scan to find out.
  • Vendor data flows: Do you know which vendors receive personal data from your website and for what purposes?
  • CIPA exposure: If you serve California visitors, are session replay tools, chat widgets, and tracking pixels disclosed?
  • Minor visitors: If your website may attract visitors under 16, do you have opt-in consent for data collection?
  • Consent records: Can you produce documentation of consent interactions if a regulator or plaintiff asks?

FAQ

No US law requires an EU-style opt-in cookie popup. However, CCPA and 20 other state privacy laws require opt-out mechanisms, Do Not Sell links, and GPC signal support. A consent management tool is the most practical way to meet these requirements.

CCPA does not require opt-in consent before placing cookies for most visitors. It requires a Do Not Sell or Share My Personal Information link, honoring Global Privacy Control signals, and opt-in consent for visitors under 16.

Global Privacy Control (GPC) is a browser signal that tells websites the visitor wants to opt out of data selling or sharing. Twelve US states legally require businesses to honor GPC signals, including California, Colorado, Connecticut, and Texas.

As of mid-2026, 19 US states have comprehensive privacy laws in effect, with at least 2 more signed and scheduled for 2027. All follow an opt-out model rather than the EU opt-in model.

The California Invasion of Privacy Act (CIPA) is a 1967 wiretapping law now used to target website tracking. Plaintiffs claim cookies and pixels are wiretapping. Filings grew from 54 in 2022 to 675 in 2024, with projections exceeding 3,500 in 2026. Statutory damages reach $5,000 per violation.

If you use advertising cookies, analytics, or tracking pixels and your visitors include people from states with privacy laws, you need opt-out mechanisms. A consent management tool makes this operationally feasible across 20 different state requirements.

Opt-in consent (used in the EU under GDPR) blocks non-essential cookies until the visitor agrees. Opt-out consent (used in the US) allows cookies by default but gives visitors the right to stop them. US websites need opt-out mechanisms, not opt-in popups.

No. As of mid-2026, there is no comprehensive federal privacy law in the United States. The ADPPA and APRA both failed in Congress. Privacy regulation remains a state-by-state patchwork.

Risks include state attorney general enforcement actions, CIPA class action lawsuits with up to $5,000 per violation in damages, and FTC enforcement for deceptive practices. Fines have reached $1.55 million in recent CCPA settlements.

Yes. Concentio uses geo-aware consent policies to show opt-in banners to EU visitors and opt-out mechanisms to US visitors. It supports GPC signal detection, Do Not Sell links, script blocking, and Google Consent Mode v2.

The bottom line: US cookie consent is not about a popup. It is about giving visitors real control over their data, meeting the specific requirements of whichever state laws apply, and protecting your business against a rapidly expanding enforcement and litigation landscape.

Concentio handles all of this with geo-aware policies, automated scanning, GPC support, and consent proof storage.

Start free with Concentio →

Ready to Handle US Cookie Compliance?

Concentio detects trackers, supports GPC signals, applies geo-aware consent policies, and stores consent proof. Start free with unlimited domains.

Start free with Concentio