CookieChimp Logo
Get Started

What Are the US State Privacy Laws Cookie Consent Requirements?

Everything you need to know about US State Privacy Laws cookie consent compliance in 2026. Complete guide covering opt-out requirements, cookie banner elements, consent records, and technical implementation for United States - Multiple States.

Opt-out Children's Privacy Rules

Summary

This guide provides comprehensive technical implementation requirements for Other US States - Opt-Out (IA, IN, KY, RI, FL). Iowa (ICDPA), Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), and Florida (FDBR): opt-out rights for sale and (in most) targeted advertising. These states do NOT mandate universal opt-out (GPC) recognition.

This jurisdiction follows an opt-out consent model, meaning websites can place certain cookies initially but must provide clear mechanisms for users to opt-out of non-essential tracking. Users must be informed about cookies and given easy options to refuse them.

Additional requirements for this jurisdiction include: special protections and consent mechanisms for children's personal data.

Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.

Key Requirements Overview

Consent Model
Opt-out
Default State
Mixed
Cookie Walls
Discouraged

Technical Requirements

Prior consent for non-essential cookies
Purpose granularity required
Equal prominence for accept/reject buttons
No pre-checked boxes allowed
Dark patterns prohibited
Proof of consent required
Local storage covered by regulation

Implementation Guidance

Iowa (effective Jan 1, 2025), Indiana (Jan 1, 2026), Kentucky (Jan 1, 2026), Rhode Island (Jan 1, 2026), and Florida's Digital Bill of Rights (July 1, 2024) follow an opt-out model but do NOT require honoring universal opt-out mechanisms such as GPC. Iowa's law is the weakest of the group — it has no standalone right to opt out of targeted advertising and recognizes no UOOM. Florida's FDBR applies only to very large for-profit companies (generally over $1B in global gross revenue meeting additional criteria), so most businesses are out of scope there. Provide a clear opt-out of sale and targeted advertising via your privacy page or preference center; honoring GPC is still recommended as a forward-looking best practice.

Special Protections

Children's Privacy

Opt-in consent generally required to process the data of known children under 13 (COPPA-aligned); some of these states extend heightened protections to teens.

Sensitive Data

Opt-in consent (or, in Iowa, the right to opt out) required for sensitive data processing.

Record Keeping Requirements

Required Consent Record Fields

For each consent action, you must maintain records containing:

  • Timestamp ISO
  • Opt Out Status
  • Policy Version
Re-consent Trigger: Not Required Generally

CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Learn more about our consent management

Frequently Asked Questions About US State Privacy Laws Cookie Consent

Other US States - Opt-Out (IA, IN, KY, RI, FL) is a privacy regulation applicable in United States - Multiple States. Iowa (ICDPA), Indiana (INCDPA), Kentucky (KCDPA), Rhode Island (RIDTPPA), and Florida (FDBR): opt-out rights for sale and (in most) targeted advertising. These states do NOT mandate universal opt-out (GPC) recognition. It requires websites to provide clear mechanisms for users to refuse non-essential cookies (opt-out model).

Yes. Under US State Privacy Laws, websites must display a cookie consent banner that includes: link privacy policy, manage preferences button. The banner must be shown to inform users about cookie usage and provide opt-out options.

US State Privacy Laws follows an opt-out consent model. This means websites may place certain cookies but must provide clear and easy ways for users to opt out of non-essential tracking.

Opt-in consent generally required to process the data of known children under 13 (COPPA-aligned); some of these states extend heightened protections to teens.

US State Privacy Laws requires maintaining consent records that include: timestamp iso, opt out status, policy version.

Legal Disclaimer: For engineering implementation guidance only. Not legal advice. This guide provides technical implementation guidance only and should not be considered legal advice. Privacy laws are complex and frequently updated. We recommend consulting with qualified legal counsel to ensure full compliance with applicable regulations.

Found an issue or have feedback on this page?

Explore Other Jurisdictions

View All

California (CPRA/CCPA Regs)

United States - California

Opt-out GPC

Covers 'sharing' for cross-context behavioral advertising.

Learn more

Colorado (CPA)

United States - Colorado

Opt-out GPC

Targeted advertising and sale require easy opt-out.

Learn more

Virginia (CDPA)

United States - Virginia

Opt-out

Opt-out rights for targeted ads and sale; no mandatory GPC recognition.

Learn more

Connecticut (CTDPA)

United States - Connecticut

Opt-out GPC

Opt-out for targeted ads and sales; GPC recognition required from Jan 2025.

Learn more

Utah (UCPA)

United States - Utah

Opt-out

Opt-out for sale and targeted advertising; no GPC requirement.

Learn more

Texas (TDPSA)

United States - Texas

Opt-out GPC

Opt-out for sale and targeted ads; must honor UOOMs like GPC.

Learn more