With the rise of state-level data privacy laws in the US, website owners must now adapt to a fragmented legal landscape. Cookie banners—which inform users about tracking technologies and request consent—are regulated differently depending on the state. While some states require opt-out links or consent prompts, others emphasize fairness in design or respect for browser-based privacy signals like Global Privacy Control (GPC).
In this guide, we break down the requirements of the most influential states and emerging jurisdictions, with accessible tables and plain-language explanations to help you build a compliant and user-friendly cookie experience.
California – CCPA / CPRA
(🌉 California, the most privacy-forward state)
California continues to lead the way in consumer data protection through the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). Websites that meet the revenue or data-processing thresholds must display a cookie banner that clearly informs users about the collection and sharing of personal data.
Key requirements include the presence of a prominent "Do Not Sell or Share My Personal Information" link, easy-to-use accept and reject buttons (with equal prominence), and the honoring of browser-based privacy preferences such as the Global Privacy Control (GPC). For minors under 16, explicit opt-in is required.
The banner must explain what cookies are used, what personal information is collected, and include links to a privacy or cookie policy. Misleading designs—commonly known as "dark patterns"—are explicitly prohibited.
California Cookie Banner Requirements
| Feature | Status | Description |
|---|---|---|
| "Accept All" button | ✅ Required | Must be prominently displayed on first visit |
| "Do Not Sell/Share" link | ✅ Required | Separate, visible opt-out mechanism |
| Granular customization | 🟡 Recommended | Optional "Customize" link for specific cookie categories |
| Equal prominence for accept/reject | ✅ Required | Buttons must have the same visual weight and clarity |
| Global Privacy Control (GPC) | ✅ Required | Sites must respect GPC browser signals for opt-out |
| Opt-in for minors under 16 | ✅ Required | Requires affirmative consent |
| No dark patterns | ✅ Required | Interface must not mislead or manipulate users |
| Link to privacy/cookie policy | ✅ Required | Banner or page must clearly explain what's collected and why |
Colorado – CPA
(⛰️ Colorado emphasizes targeted advertising opt-outs)
Under the Colorado Privacy Act (CPA), websites must allow users to opt out of targeted advertising and the sale of personal data. Cookie banners must include an "Opt Out of Targeted Advertising" option and respect sensitive data handling rules.
Colorado also mandates honoring GPC signals and encourages transparent user interfaces. While granular customization is not legally required, it's a best practice.
Colorado Cookie Banner Requirements
| Feature | Status | Description |
|---|---|---|
| "Accept All" button | ✅ Required | Must be clearly visible on first load |
| "Opt Out of Targeted Advertising" | ✅ Required | Separate option must be prominent |
| Granular cookie controls | 🟡 Recommended | Encouraged for transparency and UX |
| Global Privacy Control (GPC) | ✅ Required | Websites must act on browser-level opt-outs |
| Consent for sensitive data | ✅ Required | Affirmative opt-in required before processing sensitive info |
| Policy explanation and links | ✅ Required | Include purposes, rights, and how to opt out |
| Equal visibility for all choices | ✅ Required | Avoid highlighting only the "Accept" button |
Connecticut – CTDPA
(🌲 Connecticut enforces fairness in consent design)
Connecticut's privacy law prioritizes consent "symmetry"—meaning users must be able to accept or reject cookies just as easily. The cookie banner must not mislead users or obscure the reject option. Like other states, it requires honoring browser signals such as GPC.
Banners should also support granular cookie choices and remember a user's previous selections.
Connecticut Cookie Banner Requirements
| Feature | Status | Description |
|---|---|---|
| "Accept All" and "Reject All" symmetry | ✅ Required | Buttons must be equally accessible and visible |
| Granular customization | 🟡 Recommended | Offer detailed controls by cookie type |
| GPC signal support | ✅ Required | Browser-level privacy settings must be respected |
| Persistence of prior consent | ✅ Required | Cannot silently override previous choices |
| Transparent opt-out mechanisms | ✅ Required | Links or tools must clearly explain how to opt out |
Virginia – VCDPA
(📜 Virginia takes a notice-based approach)
Virginia's privacy law is more flexible and less design-prescriptive. However, it still requires businesses to inform users of their right to opt out of targeted ads and the sale of personal data.
While not legally mandated, best practice includes showing clear "Accept All" and "Opt Out" options and avoiding any layout that prioritizes one over the other.
Virginia Cookie Banner Requirements
| Feature | Status | Description |
|---|---|---|
| "Accept All" button | ✅ Required | Recommended as part of clear notice |
| "Opt Out" or "Do Not Sell" link | ✅ Required | Clear path to exercise rights |
| Equal prominence (symmetry) | 🟡 Recommended | Not required but strongly advised |
| Granular controls | 🟡 Recommended | Transparency and trust-building |
| Respect for GPC | ✅ Required | Required under state law |
| Link to privacy policy | ✅ Required | Must explain data collection and rights clearly |
Utah, Oregon, Indiana, Delaware, New Jersey
(🧭 States with similar laws emerging in 2025)
These states follow similar patterns, requiring clear opt-outs when data is sold or shared and emphasizing transparency in design. Although legal requirements vary slightly, businesses should prepare cookie banners that disclose tracking practices and offer intuitive opt-out paths.
Summary for Emerging States
| Feature | Status | Description |
|---|---|---|
| Opt-out mechanism | ✅ Required | "Do Not Sell" or similar if applicable |
| Disclosure of cookies and purposes | ✅ Required | Must explain what's used and why |
| "Accept All" and opt-out buttons | ✅ Required | Both options should be clear |
| Symmetry in button design | 🟡 Recommended | Avoid deceptive emphasis |
| Support for GPC signals | 🟡 Recommended | Becoming a common requirement |
| Privacy policy link | ✅ Required | Always accessible and up to date |
New York – No Comprehensive Law, But Strict Guidance
(🏙️ New York enforces design fairness through AG actions)
Although New York lacks a formal consumer privacy law, its Attorney General has issued firm guidance against deceptive banner designs. Any cookie banner used in New York must offer clearly labeled and equally prominent "Accept" and "Decline" buttons.
Misuse of ambiguous icons (e.g., an "X" to imply rejection) or misclassification of non-essential cookies may be treated as a deceptive practice under general consumer protection law.
New York Cookie Banner Expectations
| Feature | Status | Description |
|---|---|---|
| Clearly labeled accept/reject options | ✅ Required | No hiding under "X" or unclear labels |
| Equal prominence in layout | ✅ Required | Must not mislead or trick users |
| Avoid dark patterns | ✅ Required | Transparent consent only |
| Cookie categorization accuracy | 🟡 Recommended | Ensure non-essential cookies aren't misrepresented |
Texas, Florida, and Other States Without Privacy Laws
(🚩 No cookie banner mandate—yet)
States like Texas and Florida currently lack comprehensive privacy legislation. However, it's still advisable to implement a transparent, well-structured cookie banner to prepare for future regulation and meet user expectations.
Providing clear cookie information, links to privacy policies, and optional preference settings can help build user trust—even if it's not legally required.
Summary for Non-Regulated States
| Feature | Status | Description |
|---|---|---|
| "Accept All" button | 🟡 Recommended | Supports user transparency |
| Opt-out or customization options | 🟡 Recommended | Future-proof your compliance |
| Link to privacy/cookie policy | ✅ Recommended | Best practice even without a mandate |
| Avoid misleading designs | 🟡 Recommended | Could still trigger consumer complaints |
Final Thoughts: What Should Your Cookie Banner Include?
If your website operates across multiple US states, the simplest and safest approach is to comply with the strictest applicable requirements. That means:
- Offering both "Accept" and "Reject" (or "Opt Out") choices with equal visibility
- Respecting browser signals like the Global Privacy Control (GPC)
- Explaining what cookies are used, and why
- Avoiding any interface that manipulates or misleads the user
A compliant cookie banner is more than a legal checkbox—it's an opportunity to demonstrate transparency, build trust, and future-proof your business.