Comply with US state privacy laws
If your site serves users in the United States, you may need to comply with state-level privacy laws such as the California Privacy Rights Act (CPRA), Colorado Privacy Act (CPA), and similar regulations.
These laws generally require you to:
- Display a clear cookie notice
- Provide a “Do Not Sell or Share My Personal Information” option
- Allow users to opt out of data sales or targeted advertising
- Respect browser-based opt-out signals like Global Privacy Control (GPC)
Supported US state laws
CookieHub supports compliance with the following active state laws:
| State | Law | Opt-out required? |
|---|---|---|
| California | CPRA | ✅ Yes |
| Colorado | CPA | ✅ Yes |
| Connecticut | CTDPA | ✅ Yes |
| Utah | UCPA | ✅ Yes |
| Virginia | VCDPA | ✅ Yes |
| Florida | FDBR | ✅ Yes (limited) |
| Oregon | OCPA | ✅ Yes |
| Texas | TDPSA | ✅ Yes |
| Montana | MTCDPA | ✅ Yes |
| Nevada | SB 220 | ✅ Yes (limited) |
Recommended configuration
New domains
Select the Geo-targeted with CCPA/CPRA opt-out template when creating your domain. This template:
- Enables IAB GPP for users in the US
- Displays the “Do Not Sell or Share My Personal Information” link
- Applies opt-in behavior for other regulated regions
- Respects GPC signals
- Uses a compact bottom banner layout for US users
Existing domains
- Go to Dashboard → Domain list
Select your domain and click Settings
Under Regional settings, ensure:
- United States or specific states are added as regions
The framework is set to IAB GPP
Click Customize for the region → open the Preference Center tab:
- Enable Show personal data tab
- (Optional) Configure automatic opt-out for categories (e.g., Marketing, Analytics) when users opt out via the “Do Not Sell or Share” link or GPC signal
How CookieHub ensures compliance
CookieHub uses frameworks, interface elements, and automation to meet US privacy obligations:
🔹 IAB Global Privacy Platform (GPP)
- Sends the standardized GPP consent string for US privacy laws
- Includes the legacy US Privacy (USP) string for compatibility
- Activated when IAB GPP is enabled for a region
- Supported by Google, Meta (partial), and IAB-compliant vendors
🔹 “Do Not Sell or Share” link
- Shown to US users when applicable
- Lets users opt out of data sale or sharing
- Can trigger cookie category opt-outs
🔹 Global Privacy Control (GPC)
- Automatically detected and respected
- Opts users out of sale/sharing when GPC is received
- Updates GPP and USP strings accordingly
🔹 Cookie categories
- CookieHub Choices controls local service behavior
- Categories (e.g., Marketing, Analytics) can be disabled automatically when users opt out
Vendor support
Not all vendors support IAB GPP or US Privacy signals.
Commonly supported platforms include:
- Meta (partial)
- Other IAB-registered ad tech vendors
For unsupported vendors:
- CookieHub blocks scripts using category assignment
- Additional consent logic can be applied if needed ([see additional consent setup])
Summary of features
| Feature | CookieHub support |
|---|---|
| Show “Do Not Sell or Share” link | ✅ Yes |
| Respect US opt-out laws | ✅ Yes |
| Send IAB GPP and US Privacy strings | ✅ Yes |
| Detect and act on GPC signals | ✅ Yes |
| Disable services via category opt-out | ✅ Yes |
| Support per-state customization | ✅ Yes |