US State Laws
The CCPA was the first comprehensive consumer privacy law in the United States, giving California residents the right to know what personal information businesses collect and to opt out of its sale. It established the opt-out consent model that most subsequent US state privacy laws adopted.
The CPRA is the most comprehensive US state privacy law with a dedicated enforcement agency (CPPA). Cross-context behavioral advertising via cookies constitutes sharing personal information, triggering opt-out obligations. GPC signals must be honored as valid opt-out requests.
The TDPSA is the broadest US state privacy law: it has no revenue thresholds and no minimum consumer data volume thresholds. It applies to any non-small-business processing personal data of Texas residents. Businesses have had to honor GPC signals since January 2025. This breadth means far more businesses are captured than under any other state law.
The most restrictive US state privacy law. Sensitive data may only be processed when strictly necessary to deliver a requested service — and sale of sensitive data is completely prohibited even with consent. Under-18 sale and targeted advertising are prohibited regardless of consent. Strictest data minimization in the US.
Colorado's CPA features the highest per-violation penalties among US state privacy laws at $20,000. Businesses have had to honor GPC signals since July 2024. Colorado participated in a joint GPC enforcement sweep with California and Connecticut in September 2025. The cure period was eliminated in January 2025.
Virginia was the second US state to enact a comprehensive privacy law and became the template for most subsequent state laws. Follows an opt-out model with opt-in for sensitive data. A permanent 30-day cure period distinguishes it from newer laws that sunset cure periods.
Connecticut's CTDPA features a unique consent revocation mechanism for sensitive data and some of the strongest children's data protections. The cure period was eliminated January 2025. The 2025 amendments prohibit sale of children's data or use for targeted advertising even with consent.
Oregon is the first US state to extend comprehensive privacy law coverage to nonprofit organizations. Features the broadest sensitive data definition among US states, uniquely including transgender/nonbinary status and crime victim status. The cure period sunsets January 2026 when GPC signal honoring becomes mandatory.
Montana has the lowest applicability thresholds among US state privacy laws (25,000/15,000 consumers after SB 297). The October 2025 amendments eliminated the cure period, added GPC signal honoring, and introduced a unique duty of reasonable care for minors. Sale of data of 13-17-year-olds is prohibited.
Delaware features lower applicability thresholds and the broadest children's age protection among US states — under 18 for sale and targeted advertising. The cure period sunsets December 2025. Must honor universal opt-out mechanisms. The AG can also seek restitution and disgorgement.
New Jersey's NJDPA features a unique 15-day opt-out processing requirement (shortest among US states) and explicitly requires that universal opt-out mechanisms must NOT default to opt-in. Covers opt-out of profiling for decisions with legal or similarly significant effects — broader than most states.
Minnesota introduces several first-of-their-kind requirements: mandatory Chief Privacy Officer designation, required data inventory maintenance, and the right to challenge profiling decisions. The sensitive data definition is expanded to include SSN, government IDs, financial accounts, and passwords.
The most business-friendly US state privacy law, requiring both a revenue threshold ($25M+) and data volume threshold — the highest dual threshold among US states. Does not include a right to correct data or opt out of profiling.
Florida's FDBR has the narrowest applicability among US states, targeting only very large technology companies with a $1 billion revenue threshold. However, it has the highest base penalty ($50,000) and treble damages for violations involving children ($150,000). Smart speaker surveillance restrictions apply.
New Hampshire's privacy law includes both civil penalties ($10,000) and criminal penalties for intentional noncompliance ($100,000) — unusual among US state privacy laws. The discretionary cure period uses a multi-factor assessment. Children aged 13-16 are protected from sale and targeted advertising.
Nebraska's NDPA has no revenue or data processing minimums, making it applicable to businesses of all sizes except SBA-defined small businesses. Defines precise geolocation uniquely as within a 1,750-foot (533.4m) radius. Must honor GPC/UOOM signals.
Rhode Island's RIDTPPA has no cure period and applies broadly by also covering commercial websites and ISPs with Rhode Island customers, even without meeting numerical thresholds. Under-18 data is classified as sensitive. Additional per-disclosure penalties apply for intentional unauthorized disclosure.
Tennessee's TIPA has the highest consumer threshold among US state laws (175,000) and a first-of-its-kind NIST safe harbor provision. Controllers maintaining a written privacy program conforming to the NIST framework can assert an affirmative defense. Treble damages apply for willful violations.
Iowa's privacy law has the longest cure period among US states at 90 days and is unique in requiring only notice and opt-out for sensitive data rather than opt-in consent. It does not grant the right to correct data or opt out of profiling or targeted advertising.
Indiana's INCDPA closely follows the Virginia VCDPA template with a permanent 30-day cure period and data protection assessments for high-risk processing. Features a narrower health data definition compared to some other states. Takes effect January 1, 2026.
Kentucky's KCDPA closely follows the Virginia VCDPA template with a permanent 30-day cure period. Does not require honoring GPC/UOOM signals. Data protection impact assessments apply to processing from June 2026. HB 473 (March 2025) refined healthcare and DPIA provisions.
North America
Asia Pacific
Singapore's PDPA takes a less prescriptive approach to cookies than EU/GDPR-style laws — no specific cookie consent mandate exists. However, cookies collecting personal data are subject to the PDPA's consent, notification, and purpose limitation obligations. The 2021 amendments introduced 10% turnover penalties and deemed consent provisions.
New Zealand's Privacy Act does not require opt-in cookie consent — transparency and opt-out mechanisms are the primary requirements. Organizations must be transparent about cookie use and provide opt-out options. Consent is required for targeted advertising. Penalties are low by international standards. New Zealand holds an EU adequacy decision.