How to comply with US state privacy laws using iubenda

US state privacy laws, for example the CCPA/CPRA and VCDPA, are placing new requirements on businesses, and, as a result, new legal and technical burdens as well.

These US state privacy laws provide customers more control over their personal information by granting additional rights and requiring businesses to be transparent about their privacy practices. There are, however, significant differences in scope, consumers’ rights, and enforcement. See our US privacy cheatsheet for more information.

Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting.

With iubenda, you can meet these new legal requirements.

US state privacy laws require you, among other things, to provide your users with an up-to-date Privacy Policy that includes specific information, such as US users’ privacy rights and a description of your personal information processing practices.

🔎 For an in-depth look into what should be in a privacy policy, take a look at our dedicated privacy policy check-lists:

With our Privacy and Cookie Policy Generator, you can now enable, with a single US toggle, a compliance solution for all US state privacy laws that we currently support and ALL upcoming US state legislation that we will support in the future.

👉 Generate your US Privacy Policy or update your existing policy by clicking “Enable disclosures for users residing in the United States” to activate the new US-specific sections and clauses.


You can find the switch here:

  • log into your privacy policy admin area
  • open your privacy policy for editing: go to the Dashboard, click on your policy, then go to Edit from the privacy policy section
  • under the heading “Enable disclosures for users residing in the United States” choose Enable

This allows you to consider your specific case and react to where your users/clients are based and choose accordingly.

Once you have enabled it, you will see the links to the state-specific sections of your privacy policy have been added to your Privacy Policy.

📌 New options available for US state privacy laws 

When you enable “Enable disclosures for users residing in the United States” in the legislation-specific standards, various US-related options will appear on all services you add to your Privacy and Cookie Policy:

  • Consider as a sale of personal data according to the CCPA (California)
  • Consider as a sale of personal data according to the VCDPA (Virginia)
  • Consider as sharing of personal information according to the CCPA (California)
  • Consider as targeted advertising according to the VCDPA (Virginia)
  • Mark as a third-party service

We have introduced an automated services mapping feature that displays the checkboxes as pre-selected according to the definitions of sale, sharing and targeted advertising set by applicable laws.

For custom services (those added from “Create custom service”), all checkboxes will be presented as unchecked, and you can make the proper selections.

When marking the processing by a service as falling within the categories listed above, the related wording will be automatically added or removed in the privacy policy section dedicated to the relevant US state we cover.

Any predefined setup can be freely overwritten and you should customize it according to your specific case.


💡 Since the definitions of targeted advertising, sale and sharing, as well as the exceptions to these legal concepts, may vary from state to state, we strongly suggest that you check them in depth, for example with the help of our US privacy cheatsheet – Comparison table.

📌 Sensitive Personal Data types 

When you enable “Enable disclosures for users residing in the United States” in legislation-specific standards, for some services, where applicable, you will see a new field at the service level called “Sensitive Personal Data”.

And for such a service, you can select one or multiple sensitive personal data types, as shown below:

Sensitive Personal Data types

The definition of sensitive personal data may vary according to the applicable US state law. When you select specific sensitive data here, it will be displayed in the privacy policy as sensitive data processed by you (only in the section of the policy with disclosures pertaining to the relevant US state).

💡 Consult our comparison table on the definition of sensitive data across the US state laws we cover.

📌 Addition of new US-specific clauses 

Our Privacy and Cookie Policy Generator offers additional clauses related to specific processing activities, as required by some US state privacy laws. This includes, among others, clauses related to the processing of children’s personal information (in relation to both California and Virginia) and to the processing of personal data of Virginia consumers for the purpose of profiling activities.

These additional clauses can be of great help but they contain broad and generic descriptions since we do not know exactly how you process your users’ personal information. Therefore, we highly recommend that you check if they apply to your case and if needed describe your processing activities in more detail by adding custom clauses.


💡 For more information on privacy policies click here.

Privacy Controls and Cookie Solution →

📌 US privacy controls 

If you process consumers’ personal information for certain purposes, including but not limited to targeted advertising, sale or sharing, some US state privacy laws, such as the CPRA (CCPA amendment) and VCDPA, require you to:

  • clearly inform users about this processing and their right to opt out;
  • provide your users with easily accessible privacy controls to exercise their right to opt out at any time and respect their choices.

Our Privacy Controls and Cookie Solution helps you comply with these requirements.

How do I comply?

Once you have completed the activation of the new US-specific clauses within the Privacy and Cookie Policy Generator, make sure the “US State Laws” within the Privacy Controls and Cookie Solution are enabled: the solution will auto-configure to help you meet the new US requirements allowing your users to exercise their right to opt out.

👉 Simply select the regions where you’re based while configuring the Privacy Controls and Cookie Solution, and the solution will do the rest!

Haven’t generated a Privacy Policy with us, or simply want to customize things yourself?

Within the Privacy Controls and Cookie Solution Generator simply enable the US State Laws option and the support to manage users’ opt-out preferences (if applicable).

To do this, make sure you toggle on US State Laws and click on the Edit button.

Next, click on Manual configuration and select the options that apply to your case:

  • Allow users to opt out of the sale of their personal information (CCPA/CPRA and VCDPA)
  • Allow users to opt out of the sharing of their personal information (CCPA/CPRA)
  • Allow users to opt out of targeted advertising (VCDPA)

🚀 We thought this would be a good time to mention that support for Global Privacy Control signals (a universal opt-out signal) and IAB Global Privacy Platform (GPP) is included!

Short answer: no, you don’t need one.

Under the US state privacy laws, a privacy “banner” does not represent a specific requirement, as legislators have generally followed an opt-out approach (certain exceptions apply, see our dedicated guide on the processing of sensitive data, for example). This means that, in most cases, you may perform processing activities, without obtaining users’ prior consent, up until the moment in which users decide to actively deny their consent to such processing.

That’s why you don’t necessarily need a privacy “banner”. If, however, you would like to display an informative banner on your website/app that simply contains the links to the privacy policy and to the US privacy controls (if applicable), our Privacy Controls and Cookie Solution has a dedicated option for this.

Inside the US State Laws tile, under Manual configuration, select the option “Display an informative banner on the user’s first visit”.

The Privacy Controls must be easily accessible, in order to allow your users to freely exercise their privacy preferences at any time. Furthermore, some US state laws, such as the CCPA, as amended by the CPRA, set a mandatory predefined format (the white and blue icon shown below) and label (“Your privacy choices”) for the link to the Privacy Controls.

Your privacy choices link

How do I comply?

Our Privacy widget helps you to comply with all these requirements in the easiest way possible: a small, unobtrusive widget, with a predefined format and label, will be displayed on every page of your website after your user has set their preferences.


To do this, under the Style & Text section, click Edit on the Privacy widget box, then simply choose the option to add it Manually.

If you choose to add the link manually, remember to place it on your website/app in an easily accessible spot, for example, the footer or the application settings.

📌 Direct link to the Notice at Collection for California consumers 

The CCPA, as updated by the CPRA, requires you to make the Notice at Collection readily available where consumers will encounter it at or before the point of collection of any personal information, including sensitive personal information (if applicable). For example, by posting a conspicuous link to the notice on the introductory page of your website or in the settings menu of your app and on all web pages where personal information is collected.

The purpose of the Notice at Collection is to provide consumers with a timely notice about the categories of personal information, including sensitive personal information, to be collected from them, the purposes for which such information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over your use of their personal information.

To learn more about what should be included in the Notice at Collection, read our guide.

How do I comply?

Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution, helps you to comply with this CCPA/CPRA requirement.

To do so:

  1. Make sure you have set the Enable disclosures for users residing in the United States as ENABLED in the legislation-specific standards inside the Privacy and Cookie Policy generator;
  2. Make sure you have enabled the US State Laws option in the Privacy Controls and Cookie Solution;
  3. Under the Style & Text section, click Edit on the Privacy widget box, then simply choose whether you want to automatically add the widget or manually embed the link to the Notice at Collection.

📌 Sensitive personal information 

Under certain US state laws, in order to process sensitive personal information of users residing in the US, you need to obtain their prior consent.

That’s why you should provide a choice mechanism on your website/app that allows users to freely give (or withdraw) their consent to the processing of their sensitive personal information.

How do I comply?

Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution, helps you to comply with this requirement. To find out how, and to learn more about the definition of sensitive personal information according to the different US state privacy laws, read our dedicated guide.

We dramatically increased the complexity of our solution to meet current US state-level laws, including what comes next.

  • The Privacy Controls and Cookie Solution now allows you to tag scripts to handle US opt-out requests.
  • iubenda is now among the few providers compatible with GPP & GPC, making it easier to honor opt-out requests without tagging scripts.
  • The solution now adds a footer widget to your site allowing US users to opt out of the processing of their personal information for the purpose of targeted advertising, sale or sharing.
  • A Consent Banner will also display to collect an opt-in if you are processing sensitive personal information (such as geolocation data, bank account numbers, etc.). This banner provides the ability to consent to or reject the use of this personal information.

For further information on US state privacy laws: