Iubenda logo
Start generating

US privacy law
compliance for your site, app and business

State laws are placing new requirements on businesses, and, as a result, new legal and technical burdens as well. Compliance can be complicated. Our solutions take the guesswork out of compliance by doing the heavy technical and legal lifting so that you can focus on growing your business.

Learn more about the legal requirements here

Get started with US Compliance

Which laws apply to me?

In general, US state privacy laws like the CPRA (CCPA amendment) and VCDPA may apply to you if you target users based in those states and simultaneously meet any of the requirements outlined below.

CPRA target shield icon


The California Privacy Rights Act (CPRA) builds on the CCPA’s existing provisions, enriches consumer rights, and adds new requirements for companies that process personal data from California residents.

It applies to legal entities doing business in California for profit, that process consumers' personal information and that meet any one or more of the following requirements:

  • annual gross revenues in excess of $25M;
  • annually buys, sells, or shares the personal information of 100,000 or more consumers or households; or
  • derives 50% or more of its annual revenues from selling, or sharing* consumers' personal information.

* Can include third-party integrations on your website.

Not sure if the CPRA applies to you? Do this 1 min quiz

VCDPA target shield icon


The Virginia Consumer Data Protection Act (VCDPA) was signed into law in March 2021, and Virginia became the second state in the United States to enact a comprehensive data privacy law after California. The VCDPA goes into effect on January 1, 2023.

It applies to persons that conduct business in Virginia or provide products or services that are targeted to residents of Virginia and that:

  • during a calendar year, control or process personal data of at least 100,000 consumers; or
  • control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.

See it in action

What's required to comply with laws in the US?

As regulations differ slightly from state to state, keeping up with every scenario can be a tiresome job. iubenda’s smart solutions apply the most robust standards to help you comply with minimum effort. Simply select US State Laws in your generator to comply with the main regulations across the US.

CCPA world

Detailed disclosures via Privacy Policy

US Requirement

Businesses must include specific disclosures in their privacy policies. These disclosures include descriptions of consumer rights, processing partners, purposes, sources and more. This information must be complete, up-to-date and easily accessible throughout your website/app.

Policies are invalid if they're missing the right information

In order to be compliant, your policy must at the very least contain:

Invalid document icon

Your Privacy Policy under the CPRA (CCPA amendment):

  • Include the categories of personal information that your business has sold or shared with third parties in the last 12 months, a list of relevant third parties, and your business purpose. You also need to disclose if you have not sold or shared users’ personal information within the last 12 months.
  • Add a statement regarding whether or not your business knowingly sells or shares the personal information of users under the age of 16.
  • Include the categories of personal information that your business has disclosed (for business purposes) to third parties in the last 12 months, a list of relevant third parties, and your business’s purpose. You shall also disclose if you have not disclosed consumers’ personal information in the preceding 12 months.
  • State whether or not your business uses or discloses sensitive personal information for purposes other than those specified in the act.
  • Provide any links to online request forms or portals so your users can make requests regarding their personal information being collected, disclosed, or sold.

Here is the full checklist of information that you must include in your privacy policy according to the CPRA requirements.

Your Privacy Policy under the VCDPA:

  • Include the categories of personal data processed by your organization.
  • Include your organization’s purpose for processing personal data.
  • Inform your users of how they may exercise their rights (see below), including how they can appeal a decision on their requests. You must provide one or more methods for users to submit a request.
  • Include the categories of personal data that your organization shares with third parties, if any.
  • Include the categories of third parties, if any, with whom your organization shares personal data.
Privacy and Cookie Policy icon

Privacy and Cookie Policy Generator

Create your privacy and cookie policy in minutes.

Customizable from 1700+ clauses, available in 10 languages and automatically updated if the law changes, our generator allows you to create a legal document in minutes and seamlessly integrate it with your website or app.

Display notice and allow Opt-out

Desktop cookie banner icon
CPRA requirement

The CPRA (CCPA amendment) requires you to display a notice at or before the point of collection which informs consumers of which categories of personal information will be collected and the purposes for the collection. Consumers must also be allowed to opt-out of this processing. As a business you are therefore responsible for informing consumers of this option and providing the actual means for opt-out.

In particular, you must:

  • Detect whether or not a consumer is California-based and whether or not they’ve visited your website before
  • Facilitate opt-out requests via a DNSMPI link
  • Instruct relevant third-parties to cease processing the consumer's information when an opt-out request is received.
  • Serve them a notice at first site visit containing the necessary disclosures
VCDPA requirement

Please be informed that under the VCDPA, there are no indications that opt-out links enabling users to opt-out of the processing of personal data for certain purposes are required.

The provisions of the VCDPA, in fact, treat users’ opt-out rights in the same manner as any other users’ rights granted under the Act.

Your business needs to comply with users’ requests as follows:

  • You need to comply with the request within 45 days. The response period may be extended one time by 45 additional days when reasonably necessary, as long as you inform your user of any extension within the initial 45-day response period, together with the reason for the extension;
  • If you decline to take action regarding your users’ request, inform the user of such rejection within 45 days, indicating the relevant justification and instructions on how to appeal the decision;
  • If you are unable to authenticate a request using commercially reasonable efforts, you are not required to comply with the request, and you may ask for additional information, which is reasonably necessary to authenticate the user and its request.
Cookie solution icon

Privacy Controls and Cookie Solution for CPRA and VCDPA

Notify consumers and manage opt-out. IAB CCPA (CPRA) Compliance Framework integrated.

Our solution lets you:

Display banner icon

Display a consent banner to inform users

Profiling cookie icon

Display a "Do Not Sell My Personal Information" (DNSMPI) link in the notice and elsewhere on your site/app thereby supporting opt-out from sale

Detect location icon

Automatically detect and apply the correct standards (including multiple standards) based on location. Our solution allows you to apply both CPRA (CCPA amendment) and GDPR standards to the same users when legally required

Opt out icon

Easily register and automatically pass user preferences (like opt-out) to ad vendors who support the IAB CCPA (CPRA) Compliance Framework (like Google and AdRoll)

Opt out preferences icon

iubenda’s Cookie Solution supports Opt-out Preference Signals like the GPC and GPP as required under the CPRA

Pointed world icon

Keep up-to-date records for manual opt-out

US Requirement

As mentioned above, similary to the CPRA (CCPA amendment), most of these state laws grant users the right to opt out. In cases where the processing is somewhat manual (i.e not related to onsite scripts such as in the case of Direct email marketing) businesses may need to manually implement the opt-out request.

Furthermore, laws like the CPRA mandates that users may not be contacted for a minimum of 12 months after the request. For this reason it's prudent to keep records of opt out details such as the particular user, the date, and sub-contractors to be notified in the case of requests.

Consent Solution icon

Consent Database

Our Consent Database hooks onto your web-forms to let you automatically pass consumer preference details like opt-out via API to a centrally managed visual dashboard. You can record all relevant details including date and time of opt-out, privacy policy version available to the user at the time of opt-out, User-Id, email and even IP address to aid in request verification.
Internal Privacy Management icon

Internal Privacy Management

Our Internal Privacy Management Solution lets you accurately record relevant details necessary for fulfilling Consumer requests with precision.

The Solution records:

  • security details such as which members of your organization has access to user data;
  • any registered sub-contractors processing on your behalf;
  • manually added purposes for the processing;
  • data collection methods and more.

Penalties and fines for non-compliance

California icon

Civil penalty of
$2,500 per violation or;
$7,500 per violation if it is intentional or involves the personal information of a child.

Virginia icon

Civil penalty of
up to $7,500 for each violation.

While these fines might not seem like a lot when compared to other privacy laws, do consider that these fines apply per individual violation and per consumer. For a business with even just a few customers, these fines can add up to a hefty sum.

Overall, what are the main requirements for websites and app owners?

Display banner icon

Sharing and profiling

If you have users from the US, then you may need to comply with laws like the CPRA & VCDPA when it comes to profiling or sharing user information. This means that you must inform users that you’re processing their data this way and give them the ability to stop sharing (opt out).

Store consent proof icon

Consent Records

Some regions like Europe and Brazil require you to keep consent proofs (also known as records of consent). In many cases, without these records, the consents you collect may be considered invalid — placing you in violation of the law.

Cross-region icon

Cross-region requirements

If you have users from various regions (e.g Europe and the US) then you may need to simultaneously comply with laws from multiple regions like California’s CPRA or Europe’s GDPR. This means having region-specific disclosures available in your privacy documents and more.

Trusted by over 90,000 clients in 100+ countries

Armani hotel Milano logo
Last Minute logo
MaxMara logo
Huffpost logo
Arduino logo
Opengov logo
Obey logo
Martini logo
Mit logo
Goethe logo
Jobtome logo
Newyorkcode logo
Honda logo
The Spectator logo
Ustwo logo
Siemens logo
Neals Yard Remedies logo
Capterra rating

“If you, like me, are part of a smart team and hate updating your privacy policy every time you add some code to your site, then iubenda is for you. It's ridiculously affordable, and super easy to use.”

Get started with US Compliance


2379446 self-updating documents already generated


How to prepare for CPRA?

The CPRA becomes law on January 1, 2023, and will be enforced as of July 1, 2023.

At iubenda, we always keep an eye on the latest updates and ensure that all of our documents and products are adjusted in time to help you stay compliant.

If you already have CCPA procedures in place, it might be a good idea for you to start reviewing your processes and taking note of a few things:

More about the CCPA 2.0 and
how it affects you

What you need to do to prepare for the VCDPA

The United States gains another data privacy regulation through Virginia’s Data Protection Act (VCDPA).

The VCDPA takes effect on January 1, 2023.

If your organization falls under the scope of the VCDPA, you should begin looking into compliance solutions that are well-trusted and drafted by lawyers.

So, if you haven’t got one already, start to set up all that you need today, and we’ll inform you when the clauses are available!

More about Consumer Data
Protection Act (VCDPA)

All our products are WCAG Level AAA Compliant

Level AAA conformance, W3C WAI Web Content Accessibility Guidelines 2.1

A 360° solution to make your sites and apps compliant with the law

Compliance for websites and apps

Privacy and Cookie Policy icon

Privacy and Cookie Policy Generator

Create your privacy and cookie policy in minutes.

Customizable from 1700+ clauses, available in 10 languages and automatically updated if the law changes, our generator allows you to create a legal document in minutes and seamlessly integrate it with your website or app.

Cookie Solution icon

Privacy Controls and Cookie Solution

Manage consent preferences for the ePrivacy, GDPR, CPRA (CCPA amendment) and LGPD. Integrated with the IAB TCF and CCPA Compliance Framework.

Our solution allows you to display a fully customizable cookie banner/consent banner, collect cookie consent, implement prior blocking, set advertising preferences, and more.


Compliance for your organization

Consent Solution icon

Consent Database

Collect GDPR & LGPD consent, document opt-ins and CPRA (CCPA amendment) opt-outs via your web forms.

Our solution smoothly integrates with your consent collection forms, syncs with your legal documents and includes a user-friendly dashboard for reviewing consent records of your activities.

Internal Privacy Management icon

Internal Privacy Management

Document all the data processing activity within your organization.

To comply with privacy laws, and particularly the GDPR, companies need to record how they store and use the data they collect from their users. Our solution allows you to easily document all the data processing activities within your organization.