Developing a privacy strategy meeting the requirements of countless unique international regulations is a daunting task for even the most seasoned privacy professionals. Cookie and other tracking consent policies can be especially challenging to develop since some privacy laws provide different rules for how and when consent must be acquired. Brands want to be compliant across all states and beyond, but keeping up with what constitutes compliance is a job in and of itself.
As Kyle Comstock, a privacy expert at Seamless.AI® explains, “the industry continues to see increasing amounts of litigation in the realm of cookies, scripts, pixels, and web beacons. A successful consent strategy supports privacy compliance while also driving the business forward; these are not mutually exclusive pursuits.”
The best and most efficient strategy is to offer as proactive, comprehensive, and transparent a consent model as possible. This can be a challenge to execute: brands rely on cookies and tracking scripts to create a smooth web experience and to track and optimize marketing spend.
We’ve examined each state privacy law closely and grouped them into three basic categories of compliance requirements. Brands that hope to maintain cookie and tracking script reliance for most users can ensure their consent approach is compliant by supporting all three policies outlined below. If your brand is open to a little less cookie reliance, you can simplify, stay compliant, and build more consumer trust using just two of the policies listed.
These recommendations are based on best practices, but are not legal advice. We recommend you work with an attorney to ensure you are fully protected. For example, your brand may be exempt from certain privacy laws mentioned here depending on the nature and size of your business. This guide will assume you are not exempt.
The opt-in notice
For users protected under the General Data Protection Regulation (GDPR), a notice inviting the user to opt in to tracking or cookie usage must appear immediately upon site load and before any tracking begins. The notice should offer clear and distinct choices for different types of tracking, such as by distinguishing between marketing cookies and functional cookies. Users must also be able to withdraw consent later, for example through an easily discoverable privacy policy.
Opt-in notices ahead of any tracking or cookie usage are required for:
- The European Union
- The United Kingdom
- Brazil
- South Africa
- Thailand
- Quebec
Opt-in notices may be required in some additional regions when the data is used for automated decision-making or the data processed is considered sensitive. Sensitive data could include:
- Any personal data concerning children
- Any health, medical, or financial data
As we learned from the 2025 Healthline Settlement, even cookies that could imply health status or other sensitive data may be sufficient to trigger advanced handling requirements.
If your organization processes sensitive data or uses automated decision-making, consider implementing a relevant opt-in notice for:
- Colorado
- Connecticut
- Florida
- Indiana
- Montana
- Tennessee
- Virginia
- Canada
Many privacy laws exempt certain organizations depending on business size and existing compliance requirements. Confirm your compliance requirements with legal counsel.
Opt-out models
Every state with a comprehensive privacy law requires businesses to offer users an opt-out of certain forms of tracking. Even regions that require an opt-in notice for processing sensitive data (listed above) also require businesses to offer an opt-out of targeted advertising based on other, non-sensitive types of personal data.
In these “opt-out” regions, you can set cookies and other trackers by default, but you must give people a way to opt out. For most states, this now includes honoring universal opt-out mechanisms (UOOMs) such as Global Privacy Control (GPC) signals. California, Colorado, and Connecticut have launched coordinated enforcement sweeps targeting GPC noncompliance, so plan to respect these signals for any user covered by this policy.
State regulations vary in their specific expectations for how and when an opt-out from tracking is presented to the user. For the highest support of cookies and other tracking while staying compliant, use the “basic” approach below when possible and the “advanced” approach when necessary.
For a simpler solution, apply the “Advanced” model to all states in both categories. Communicating transparently with customers builds trust. Additionally, privacy laws are constantly evolving, and opt-out experience expectations are only getting stricter. The best way to protect your business is to be proactively transparent and ensure you have a tracked consent decision for each user.
Basic opt-out
For most states with an opt-out requirement, a privacy policy linked in the footer of the website is sufficient, as long as this policy also explains how the user can opt out of tracking if desired.
This approach may be sufficient for:
- Delaware
- Iowa
- Kentucky
- New Hampshire
- New Jersey
- Oregon
- Rhode Island
- Texas
- Utah
If the company does not process any sensitive data, the basic opt-out approach may also be sufficient for:
- Colorado
- Connecticut
- Indiana
- Maryland
- Minnesota
- Tennessee
- Washington
Advanced opt-out
A few regions have stricter opt-out compliance expectations. Inspired by laws such as the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), many brands now allow users to control their privacy via an opt-out banner on their first site visit. This banner is presented in addition to a privacy policy in the footer, so that a user may change their decision at any later date.
While these laws don’t necessarily require a banner or pop-up, they do often require that certain tracking opt-outs be “clear and conspicuous,” and the banner has become a broadly adopted best practice for achieving this description. This approach is especially important if your business participates in any selling or sharing of data.
As a best practice when using this model, transparently identify cookie categories, and specifically call out any processing of sensitive data or use of automated decision-making. In California, businesses must also visibly confirm when a user’s opt-out preference signal has been recognized.
In addition to California, this approach is recommended for the following states:
- Colorado
- Connecticut
- Indiana
- Maryland
- Minnesota
- Tennessee
- Washington
While not yet enforced, other states such as New York have similarly proposed much stricter opt-out notice requirements.
No policy
Many states have not yet enacted any law regulating online tracking or requiring businesses to get consent or offer an opt-out. However, legislators are constantly working on new privacy regulations. You can future-proof your business by offering at least the “Basic opt-out” approach to these regions.
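As an added example that is not part of this article or of DataGrail’s product, the JavaScript below turns the three models above (opt-in, basic opt-out, advanced opt-out) plus GPC handling into one tracker-gating decision that runs before any marketing script loads. The region codes, the “site processes sensitive data” flag, and the shape of the stored consent choice are assumptions of this example; the conservative choices it makes (GPC wins over a stored opt-in, “no policy” states get the basic opt-out) follow the article’s recommendations.

```javascript
// Added example: consent-gating decision for the three models in this article.
// Region codes (e.g. "US-CO", "CA-QC") are an assumed input from a geolocation layer.
const OPT_IN_REGIONS = new Set(["EU", "UK", "BR", "ZA", "TH", "CA-QC"]);
// Regions where sensitive data or automated decision-making triggers an opt-in notice.
const SENSITIVE_OPT_IN_REGIONS = new Set([
  "US-CO", "US-CT", "US-FL", "US-IN", "US-MT", "US-TN", "US-VA", "CA",
]);
// California plus the states the article recommends for the advanced banner.
const ADVANCED_OPT_OUT_REGIONS = new Set([
  "US-CA", "US-CO", "US-CT", "US-IN", "US-MD", "US-MN", "US-TN", "US-WA",
]);
const BASIC_OPT_OUT_REGIONS = new Set([
  "US-DE", "US-IA", "US-KY", "US-NH", "US-NJ", "US-OR", "US-RI", "US-TX", "US-UT",
]);

// Pick which consent model governs this visit.
function selectPolicy(region, processesSensitiveData) {
  if (OPT_IN_REGIONS.has(region)) return "opt-in";
  if (processesSensitiveData && SENSITIVE_OPT_IN_REGIONS.has(region)) return "opt-in";
  if (ADVANCED_OPT_OUT_REGIONS.has(region)) return "advanced-opt-out";
  if (BASIC_OPT_OUT_REGIONS.has(region)) return "basic-opt-out";
  return "basic-opt-out"; // "no policy" states: future-proof with the basic model
}

// Read a GPC signal from either the browser (navigator.globalPrivacyControl)
// or a server-side request object exposing lowercase headers (Sec-GPC: 1).
function readGpcSignal(source) {
  if (!source) return false;
  if (source.globalPrivacyControl === true) return true;
  return !!(source.headers && source.headers["sec-gpc"] === "1");
}

// Decide what may run right now. Functional cookies are always allowed; marketing
// trackers load only when the applicable model and the visitor's signals permit.
// storedChoice is the visitor's recorded decision ({ marketing: bool }) or null.
function evaluateTrackers(policy, storedChoice, gpcSignal) {
  const d = { functional: true, marketing: false, showBanner: false, gpcHonored: false };
  if (gpcSignal) {            // universal opt-out: treated as an opt-out everywhere
    d.gpcHonored = true;      // advanced model: surface this confirmation to the user
    return d;
  }
  if (storedChoice) {         // an explicit recorded decision is reused as-is
    d.marketing = storedChoice.marketing === true;
    return d;
  }
  if (policy === "opt-in") {  // nothing until the visitor affirmatively opts in
    d.showBanner = true;
    return d;
  }
  d.marketing = true;         // opt-out regions: trackers may be set by default
  d.showBanner = policy === "advanced-opt-out";
  return d;
}
```

A Colorado visitor on a site with no sensitive data falls under the advanced model and, with GPC on, gets no marketing trackers and a “signal honored” confirmation.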
By supporting just a few consent models, you can simplify 15+ unique state privacy laws to a manageable and standardized consent program. DataGrail Consent is designed to set you up within best practices quickly, and our team will work with you to achieve the best combination of consent policies to meet your business goals while ensuring compliance.
Final thoughts
While your approach to gaining consent can be covered by these models, be sure to take some time specifying what kinds of tracking users are consenting to. In many states, such as California and Delaware, users must consent separately to selling and sharing data. Often, automated decision making must also be consented to separately. Be specific with each type of consent you request.
Lastly, remember that many state privacy laws also require that users be able to access, modify, and/or delete all of their data with you, not just web browsing data. Leverage DataGrail Request Manager to facilitate these requests.