USDP
Getting Started Guide

US State Data Privacy Laws (CCPA/CPRA, VCDPA, etc.)

The patchwork of US state privacy laws, led by California, regulating consumer data rights.

Audit Effort2–4 months for program setup
Key FactNo single federal privacy law; compliance requires navigating state-by-state nuances

What Is USDP?

In the absence of a comprehensive federal privacy law, the United States has developed a patchwork of state-level data privacy laws. This began with the California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), and has expanded to dozens of states including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and Utah (UCPA).

While each state law has its nuances, they generally grant consumers the right to know what data is collected, the right to delete that data, the right to opt-out of the 'sale' or 'sharing' of their data for cross-context behavioral advertising, and the right to limit the use of sensitive personal information.

Compliance requires building scalable mechanisms to honor these consumer rights across your digital properties, updating privacy notices, and executing specialized Data Processing Agreements with your vendors to ensure they act strictly as Service Providers rather than Third Parties.

Does USDP Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

B2C Companies Targeting US Consumers

If you sell to or target consumers in states with active privacy laws (especially California), compliance is mandatory.

Mandatory

Marketing and AdTech Platforms

Companies that rely on third-party cookies, tracking pixels, or cross-site data sharing are the primary targets of these regulations.

Mandatory

B2B SaaS with California Revenue

If you meet the revenue threshold ($50M+ gross) or data processing thresholds (e.g., 100k+ consumers/households), CCPA/CPRA applies to you, including B2B and employee data.

Likely applies
You probably don't need USDP if:
  • Small B2B startups that do not meet the revenue thresholds ($50M in CA) or data volume thresholds for applicability.
  • Entities fully regulated by sectoral laws like HIPAA or GLBA, where exemptions for covered data may apply (though exemptions vary by state).

Why USDP Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

Aggressive State Enforcement

California's Privacy Protection Agency (CPPA) is actively enforcing the law, famously fining Sephora $1.2M for failing to honor Global Privacy Control (GPC) signals.

B2B and Employee Data Now In Scope

As of 2023, CPRA exemptions for HR and B2B data expired. Your employees and B2B contacts now have the same rights as consumers in California.

The Domino Effect of State Laws

With over a dozen states passing laws, managing compliance state-by-state is impossible. Companies must adopt a unified, highest-common-denominator approach now.

The Requirements

The core security controls and evidence parameters audited for USDP.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for USDP.

1
Weeks 1-3

Data Discovery & Applicability

Determine which state thresholds you meet. Map your data flows, specifically identifying where data is 'sold' or 'shared' (e.g., Meta Pixel, Google Analytics).

Key Deliverable:Data Inventory, Applicability Matrix
2
Weeks 4-7

Website & Consent Updates

Deploy a CMP that supports GPC. Update your external Privacy Policy with state-specific disclosures and the 'Do Not Sell/Share' link.

Key Deliverable:Updated Privacy Policy, Configured CMP
3
Weeks 8-12

Vendor & Operations Overhaul

Renegotiate vendor contracts to include CPRA Service Provider addendums. Train staff on handling consumer rights requests.

Key Deliverable:Updated Vendor Contracts, DSR Handling SOPs
With Existing Certifications

4-6 weeks: If you are already GDPR compliant, you have the data mapping and DSR workflows. Focus purely on the 'Do Not Sell/Share' mechanisms, GPC integration, and US-specific vendor addendums.

Starting from Scratch

3-4 months: Building a data inventory, evaluating ad-tech data flows, and implementing automated consent management from scratch requires significant engineering resources.

The Mistakes That Delay Most USDP Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Misunderstanding 'Sale' of Data

Why it happens:

Under CCPA, 'sale' isn't just exchanging data for money. It includes exchanging data for *any valuable consideration*. Using a Facebook Pixel for retargeting is considered a 'sale' or 'sharing'.

How to avoid it:

Treat all third-party marketing, analytics, and advertising cookies as 'sharing' under CPRA and allow users to opt-out.

Ignoring the Global Privacy Control (GPC)

Why it happens:

Many companies deploy a cookie banner but fail to configure their site to listen for the GPC browser signal, which is a massive enforcement priority for California regulators.

How to avoid it:

Ensure your CMP is explicitly configured to listen for and honor GPC signals automatically.

Using GDPR cookie banners in the US

Why it happens:

GDPR requires 'opt-in' consent before dropping cookies. US laws generally operate on an 'opt-out' model (except for sensitive data). Using a strict GDPR banner in the US unnecessarily hurts your analytics.

How to avoid it:

Use geo-targeted consent. Show strict opt-in for EU users, and the required opt-out links for US users.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

USDP Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

USDP Checklist

Assess your baseline control posture against USDP criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about USDP compliance and certification processes.