US State Data Privacy Laws (CCPA/CPRA, VCDPA, etc.)
The patchwork of US state privacy laws, led by California, regulating consumer data rights.
What Is USDP?
In the absence of a comprehensive federal privacy law, the United States has developed a patchwork of state-level data privacy laws. This began with the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), and has expanded to dozens of states including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA).
While each state law has its nuances, they generally grant consumers the right to know what data is collected, the right to delete that data, the right to opt-out of the 'sale' or 'sharing' of their data for cross-context behavioral advertising, and the right to limit the use of sensitive personal information.
Compliance requires building scalable mechanisms to honor these consumer rights across your digital properties, updating privacy notices, and executing specialized Data Processing Agreements with your vendors to ensure they act strictly as Service Providers rather than Third Parties.
Does USDP Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
B2C Companies Targeting US Consumers
If you sell to or target consumers in states with active privacy laws (especially California), compliance is mandatory.
Marketing and AdTech Platforms
Companies that rely on third-party cookies, tracking pixels, or cross-site data sharing are the primary targets of these regulations.
B2B SaaS with California Revenue
If you meet the revenue threshold ($50M+ gross) or data processing thresholds (e.g., 100k+ consumers/households), CCPA/CPRA applies to you, including B2B and employee data.
- Small B2B startups that do not meet the revenue thresholds ($50M in CA) or data volume thresholds for applicability.
- Entities fully regulated by sectoral laws like HIPAA or GLBA, where exemptions for covered data may apply (though exemptions vary by state).
Why USDP Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
Aggressive State Enforcement
California's Privacy Protection Agency (CPPA) is actively enforcing the law, famously fining Sephora $1.2M for failing to honor Global Privacy Control (GPC) signals.
B2B and Employee Data Now In Scope
As of 2023, CPRA exemptions for HR and B2B data expired. Your employees and B2B contacts now have the same rights as consumers in California.
The Domino Effect of State Laws
With over a dozen states passing laws, managing compliance state-by-state is impossible. Companies must adopt a unified, highest-common-denominator approach now.
The Requirements
The core security controls and evidence parameters audited for USDP.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for USDP.
Data Discovery & Applicability
Determine which state thresholds you meet. Map your data flows, specifically identifying where data is 'sold' or 'shared' (e.g., Meta Pixel, Google Analytics).
Website & Consent Updates
Deploy a CMP that supports GPC. Update your external Privacy Policy with state-specific disclosures and the 'Do Not Sell/Share' link.
Vendor & Operations Overhaul
Renegotiate vendor contracts to include CPRA Service Provider addendums. Train staff on handling consumer rights requests.
With Existing Certifications
4-6 weeks: If you are already GDPR compliant, you have the data mapping and DSR workflows. Focus purely on the 'Do Not Sell/Share' mechanisms, GPC integration, and US-specific vendor addendums.
Starting from Scratch
3-4 months: Building a data inventory, evaluating ad-tech data flows, and implementing automated consent management from scratch requires significant engineering resources.
The Mistakes That Delay Most USDP Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Misunderstanding 'Sale' of Data
Under CCPA, 'sale' isn't just exchanging data for money. It includes exchanging data for *any valuable consideration*. Using a Facebook Pixel for retargeting is considered a 'sale' or 'sharing'.
Treat all third-party marketing, analytics, and advertising cookies as 'sharing' under CPRA and allow users to opt-out.
Ignoring the Global Privacy Control (GPC)
Many companies deploy a cookie banner but fail to configure their site to listen for the GPC browser signal, which is a massive enforcement priority for California regulators.
Ensure your CMP is explicitly configured to listen for and honor GPC signals automatically.
Using GDPR cookie banners in the US
GDPR requires 'opt-in' consent before dropping cookies. US laws generally operate on an 'opt-out' model (except for sensitive data). Using a strict GDPR banner in the US unnecessarily hurts your analytics.
Use geo-targeted consent. Show strict opt-in for EU users, and the required opt-out links for US users.
Rishabh's Take on USDP
Practitioner Voice“The US privacy landscape is a mess right now. If you try to comply with California, Virginia, and Colorado separately, you will lose your mind. The only scalable strategy is the 'highest common denominator' approach: build your program to meet CPRA (the strictest), deploy a CMP that handles GPC, treat all ad-tech pixels as a 'sale/share', and apply those rights to all US consumers regardless of their state. Don't play the game of trying to verify if a user is from Utah or California—just honor the request.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
USDP Insights
Read practical security, engineering, and audit management playbooks from the GRC hub.
USDP Checklist
Assess your baseline control posture against USDP criteria in 10 minutes.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about USDP compliance and certification processes.