US state privacy laws overview
In the absence of a single federal privacy statute, several US states have enacted comprehensive consumer privacy laws with overlapping but non-identical rules. Most grant access, deletion, and correction rights and require opt-outs for targeted advertising and 'sale'. This page gives an educational overview of the common pattern and how it touches analytics.
The common pattern
Most US comprehensive state laws share a structure modelled loosely on Virginia's: they apply above certain processing thresholds, grant consumers rights to access, delete, correct, and port data, and require opt-outs for the 'sale' of personal data and for 'targeted advertising' and profiling. Many require recognising universal opt-out signals. The definitions and thresholds, however, differ state by state.
- Access, deletion, correction, portability rights
- Opt-out of sale and targeted advertising/profiling
- Thresholds and definitions vary by state
Where analytics fits
Purely first-party measurement for your own site is usually low-risk under these laws, but the moment analytics or ad tags disclose identifiers to a third party for cross-context or targeted advertising, the opt-out obligations can attach. Because the laws differ, the safe operating posture is to map each tag's data flow and check it against every state statute that covers your users rather than assuming one state's rules generalise.
How it appears in analytics and logs
If your analytics or ad tags disclose identifiers for targeted advertising, several state laws may require an opt-out path — a missing one is a likely compliance gap.
Diagnostic use case
Get oriented to the shared structure of US state privacy laws before mapping your analytics data flows against the specific state statutes that apply to you.
What WebmasterID can help detect
WebmasterID's first-party, no-cross-context-advertising model keeps you clear of the data flows most state opt-outs target.
Common mistakes
- Assuming all state laws are identical to one another.
- Treating first-party measurement and ad-tag sharing as the same risk.
- Ignoring universal opt-out signal requirements.
Privacy and accuracy notes
This page is educational and not legal advice. Each state law has its own thresholds, definitions, and exemptions; consult counsel and the official statute for your situation.
Related pages
- CPRA: California's privacy framework
The California Privacy Rights Act (CPRA) amended and expanded the CCPA, adding a right to limit sensitive personal information, a 'sharing' opt-out for cross-context behavioural advertising, data-minimisation and retention duties, and a dedicated regulator, the California Privacy Protection Agency. This page explains, educationally, what the CPRA changed for analytics.
- Virginia VCDPA and analytics
Virginia's Consumer Data Protection Act (VCDPA) was an early comprehensive US state privacy law and a template many others followed. It uses controller and processor roles, grants access/deletion/correction/portability rights, and requires opt-outs for targeted advertising, sale, and certain profiling. This page explains, educationally, how it intersects with analytics.
- Colorado Privacy Act and opt-out signals
The Colorado Privacy Act (CPA) is a comprehensive US state law granting access, deletion, correction, and portability rights and opt-outs for targeted advertising, sale, and profiling. It is notable for requiring controllers to honour a universal opt-out mechanism. This page explains, educationally, how that affects analytics and ad tags.
- Privacy-first analytics
First-party measurement built for the US state-law patchwork.
Sources and verification notes
- IAPP — US State Privacy Legislation Tracker. Reference tracker of enacted comprehensive state laws.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.