Iubenda logo
Start generating

Documentation

Table of Contents

How to comply with US state privacy laws using iubenda

US state privacy laws, for example the CCPA/CPRA and VCDPA, CPA, CTDPA and UCPA are imposing new requirements on businesses with significant new legal and technical implications.

These US state privacy laws provide customers more control over their personal information by granting additional rights and requiring businesses to be transparent about their privacy practices. There are, however, significant differences in scope, consumers’ rights, and enforcement. See our US privacy cheatsheet for more information.

Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting.

With iubenda, you can meet these new legal requirements.

US state privacy laws require you, among others, to provide your users with an up-to-date Privacy Policy, including specific information, such as US users’ privacy rights and a description of your personal information processing practices.

🔎 For an in-depth look into what should be in a privacy policy, check our dedicated privacy policy check-lists:

With our Privacy and Cookie Policy Generator, you can now enable, with a single US toggle, a compliance solution for all US state privacy laws that we currently support and ALL upcoming US state legislations that we will support in the future.

👉 Generate your US Privacy Policy or update your existing policy by clicking “Enable disclosures for users residing in the United States” to activate the new US-specific sections and clauses.

Us laws privacy cookie policy

You can find the switch here:

  • log into your privacy policy admin area;
  • enter the editing of your privacy policy, which can be found via our Dashboard, then click on your policy and go to Edit from the privacy policy section;
  • under the heading “Enable disclosures for users residing in the United States” choose Enable.

This allows you to consider your specific case and react to where your users/clients are based and choose accordingly.

Once you have enabled it, you will see the links to the state-specific sections of your privacy policy have been added to your Privacy Policy.

📌 New options available for US state privacy laws 

When you enable “Enable disclosures for users residing in the United States” in the legislation-specific standards, various US-related options will appear on all services you add to your Privacy and Cookie Policy:

  • Consider as a sale of personal information according to the CCPA (California)
  • Consider as a sale of personal data according to the VCDPA (Virginia)
  • Consider as sale of personal information according to the CPA (Colorado)
  • Consider as sale of personal information according to the CTDPA (Connecticut)
  • Consider as sale of personal information according to the UCPA (Utah)
  • Consider as sharing of personal information according to the CCPA (California)
  • Consider as targeted advertising according to the VCDPA (Virginia)
  • Consider as targeted advertising according to the CPA (Colorado)
  • Consider as targeted advertising according to the CTDPA (Connecticut)
  • Consider as targeted advertising according to the UCPA (Utah)
  • Mark as a third-party service

We introduced an automated services mapping feature that displays the checkboxes as pre-selected according to the definitions of sale, sharing and targeted advertising set by applicable laws.

For custom services {those added from “Create custom service”} all checkboxes will be presented as unchecked, and you could make the proper selections.

When marking the processing by a service as falling within the categories listed above, the related wording will be automatically added or removed in the privacy policy section dedicate to the relevant US state we cover.

Any predefined setup can be freely overwritten and you should customize it according to your specific case.

new options for US

💡 Since the definition of targeted advertising, sale and sharing may vary from state to state, as well as the exceptions to such legal concepts, we strongly suggest you to check these concepts in depth, for example with the help of our US privacy cheatsheet – Comparison table.

📌 Sensitive Personal Data types 

When you enable “Enable disclosures for users residing in the United States”in legislation-specific standards, for some services, where applicable, you will see a new field at the service level called “Sensitive Personal Data”.

For each service, you can select one or multiple sensitive personal data types, as shown below:

Sensitive Personal Data types

The definition of sensitive data may vary according to the applicable US state law. When you select specific sensitive data here, it will be displayed in the privacy policy as sensitive data processed by you (only in the section of the policy with disclosures pertaining to the relevant US state).

💡 Consult our comparison table on the definition of sensitive data across the US state laws we cover.

📌 Addition of new US-specific clauses 

Our Privacy and Cookie Policy Generator offers additional clauses related to specific processing activities, as required by some US state privacy laws. This includes, among others, clauses related to the processing of children’s personal information (in relation to California, Virginia, Colorado, Connecticut, and Utah) and to the processing of personal data of Virginia, Colorado, and Connecticut consumers for the purpose of profiling activities.

These additional clauses can be of great help, but they contain broad and generic descriptions since we do not know exactly how you process your users’ personal information. Therefore, we highly recommend that you check if they apply to your case and, if needed, describe your processing activities in more detail by adding custom clauses.

New clauses specific processing activities

💡 For more information on privacy policies click here.

Privacy Controls and Cookie Solution →

📌 US privacy controls 

If you process consumers’ personal information for certain purposes, including but not limited to, targeted advertising, sale or sharing, some of the US state privacy laws such as the CPRA (CCPA amendment), VCDPA, CPA, CTDPA and UCPA, require you to:

  • clearly inform users about this processing and their right to opt out;
  • provide your users with easily accessible privacy controls to exercise their right to opt out at any time and respect their choices.

Our Privacy Controls and Cookie Solution helps you comply with these requirements.

How do I comply?

Once you have completed the activation of the new US-specific clauses within the Privacy and Cookie Policy Generator, make sure the “US State Laws” within the Privacy Controls and Cookie Solution are enabled: the solution will auto-configure to help you meet the new US requirements allowing your users to exercise their right to opt out.

👉 Simply select where you and your users are based while configuring the Privacy Controls and Cookie Solution, and the solution will do the rest!

Haven’t generated a Privacy Policy with us, or simply want to customize things yourself?

Within the Privacy Controls and Cookie Solution Generator simply enable the US State Laws option and the support to manage users’ opt-out preferences (if applicable).

To do this, make sure you toggle on US State Laws and click on the Edit button.

Next, click on Manual configuration and select the options that apply to your case:

  • Allow users to opt out of the sale of their personal information (CCPA/CPRA, VCDPA, CPA, CTDPA and UCPA)
  • Allow users to opt out of the sharing of their personal information (CCPA/CPRA)
  • Allow users to opt out of targeted advertising (VCDPA, CPA, CTDPA and UCPA)
US Cookie Solution toggle

Important Update on US Privacy Signal Deprecation and Transition to Global Privacy Platform (GPP)


The U.S. Privacy Signal (USP) served as the CCPA Compliance Mechanism, acting as an API facilitating the communication of U.S. privacy signals. This API enabled websites and apps to communicate with third parties and vendors, contributing to the compliance process. However, this signal, last revised in 2020, has been officially deprecated as of January 31, 2024. In its place, the Global Privacy Platform (GPP) actively provides a more comprehensive solution, actively addressing advertising-related privacy considerations across the United States, actively offering broader coverage.

🚀 iubenda has been ahead of the curve, adopting the GPP signal in alignment with the standards for US state laws since December 2022 but also providing support for the new GPP v1.1 from September 23, 2023. If you have not updated your configuration since this change, it is crucial to address this immediately.

  • When you access the Privacy Controls and Cookie Solution Configurator with an outdated CCPA configuration, the solution will automatically shift to the new US state laws and implement the GPP signal.
  • Once you’ve updated your configuration, if you’re using specific API calls, please remember to replace the old __uspapi with the new __gpp, as outlined in the CMP API Specification.
  • After you update the configuration, remember to re-embed your code in your website.

This update can enhance your alignment with broader advertising and privacy considerations in the U.S.

Update to the Global Privacy Platform now to keep your compliance up-to-date and protect your business

Make the switch to GPP now!

Learn more about the Global Privacy Platform

Short answer: no, you don’t need one.

Under the US state privacy laws, a privacy “banner” does not represent a specific requirement, as legislators have generally followed an opt-out approach (certain exceptions apply, see our dedicated guide on the processing of sensitive data, for example). This means that, in most cases, you may perform processing activities, without obtaining users’ prior consent, up until the moment in which users decide to actively deny their consent to such processing.

That’s why you don’t necessarely need a privacy “banner”. If, anyway, you would like to display an informative banner on your website/app that simply contains the links to the privacy policy and to the US privacy controls (if applicable) our Privacy Controls and Cookie Solution has a dedicated option for this.

Inside the US State Laws tile, under the Manual configuration select the option “Display an informative banner on the user’s first visit”

The Privacy Controls must be easily accessible, in order to allow your users to freely exercise their privacy preferences at any time. Furthermore, some US state laws, such as the CCPA, as amended by the CPRA, set a mandatory predefined format (the white and blue icon shown below) and label (“Your privacy choices”) for the link to the Privacy Controls.

Your privacy choices link

How do I comply?

Our Privacy widget helps you to comply with all these requirements in the easiest way possible: a small, unobtrusive widget, with a predefined format and label, will be displayed on every page of your website after your user has set their preferences.

Sensitive Personal Data types

To do this, under the Style & Text section, click Edit on the Privacy widget box, then simply choose the option to add it Manually.

If you choose to add the link manually, remember to place it on your website/app in an easily accessible spot, for example, the footer or the application settings.

📌 Direct link to the Notice at Collection for California consumers 

The CCPA, as updated by the CPRA, requires you to make the Notice at Collection readily available where consumers will encounter it at or before the point of collection of any personal information, including sensitive personal information (if applicable). For example, by posting a conspicuous link to the notice on the introductory page of your website or in the settings menu of your app and on all web pages where personal information is collected.

The purpose of the Notice at Collection is to provide consumers with a timely notice about the categories of personal information, including sensitive personal information, to be collected from them, the purposes for which such information is collected or used, and whether that information is sold or shared, so that consumers have a tool to exercise meaningful control over your use of their personal information.

To learn more about what should be included in the Notice at Collection, read our guide.

How do I comply?

Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution helps you to comply with this CCPA/CPRA requirement.

To do so:

  1. Make sure you have set the Enable disclosures for users residing in the United States as ENABLED in the legislation-specific standards inside the Privacy and Cookie Policy generator;
  2. Make sure you have enabled the US State Laws option in the Privacy Controls and Cookie Solution;
  3. Under the Style & Text section, click Edit on the Privacy widget box, then simply choose whether you want to automatically add the widget or manually embed the link to the Notice at Collection.
Sensitive Personal Data types

📌 Sensitive personal information 

Under certain US state laws, in order to process consumers’ sensitive personal information, you need to obtain their prior consent.

That’s why you should provide a choice mechanism on your website/app that allows users to freely give (or withdraw) their consent to the processing of their sensitive personal information.

How do I comply?

Our Privacy and Cookie Policy Generator, together with our Privacy Controls and Cookie Solution helps you to comply with this requirement. To know how and learn more about the definition of sensitive personal information according to the different US state privacy laws, read our dedicated guide.

📌 How to make sure that “Do Not Sell” is honored

If the user expresses the choice to opt-out of the sale of their data, this choice must be honored. There are three ways to make sure of this.

1. If the sale is performed by a service/vendor that adheres to the IAB Global Privacy Platform (GPP) and CCPA/CPRA Compliance Framework

In this case, our integration with the IAB Global Privacy Platform (GPP) and CCPA/CPRA Compliance Framework will take care of notifying the vendors that an opt-out from sale has occurred.

2. If the sale is performed by a service/vendor that provides a specific configuration to signal that the user has opted out from sale

This is, for instance, the case with Google, which allows you to send a specific signal whenever an opt-out has occurred. The instructions are provided in this article and apply to Google Ads and Google Analytics.

Other vendors may provide similar instructions.

3. If the sale is performed by a service/vendor that does not adhere to the IAB Global Privacy Platform (GPP) and CCPA Compliance Framework nor provides a way to communicate the opt-out

In this case, you’ll have to apply the class _iub_cs_activate to the script tag of each of these services, change the type attribute from text/javascript to text/plain and add the applicable data-iub-purposes="..." attribute comma separated IDs: e.g. data-iub-purposes="s,sh,adv,sd8"

This is the list of purposes handled by the Privacy Controls and Cookie Solution:

  • s → selling of personal info
  • sh → sharing of personal info
  • adv → targeted advertising
  • sd8 → sensitive Data, Precise Geolocation Data
<script class="_iub_cs_activate" type="text/plain" data-iub-purposes="..." src="...">
...
</script>

This can be done manually or via a tag manager like Google Tag Manager.

We dramatically increased the complexity of our solution to meet current US state laws’ requirements, including what comes next.

  • The Privacy Controls and Cookie Solution now allows you to tag scripts to handle consumers’ opt-out requests.
  • iubenda is now among the few providers compatible with GPP & GPC. Our Privacy Controls and Cookie Solution automatically detects and respects the GPC signal, eliminating the need for users to tag scripts and allowing them to honor opt-out requests effortlessly.
  • The solution now adds a footer widget to your site allowing consumers to opt out of the processing of their personal information for the purpose of targeted advertising, sale or sharing.
  • A Consent Banner will also display to collect an opt-in if you are processing sensitive personal information (such as geolocation data, bank account numbers, etc.). This banner provides the ability to consent or reject to the use of this personal information.

For further information on US state privacy laws: