In general, yes.
Cookies can be placed without opt-in consent. Unlike other jurisdictions, the United States does not have specific cookie-related laws in effect at the federal or state levels.
However, there are nine U.S. states that have enacted consumer privacy laws that are currently in effect or will take effect by the end of 2023. These laws generally consider unique persistent identifiers such as cookies to be regulated as personal data and impose corresponding obligations on businesses with respect to personal data. The states are California, Colorado, Connecticut, Florida, Montana, Oregon, Texas, Utah and Virginia.
Although consent is not required to place cookies under these state laws, businesses must provide a privacy notice at the point of data collection describing the categories of personal data collected, the purposes for which the information is collected or used, and whether that information is sold or shared (among other disclosures). The laws also generally require businesses to allow consumers to opt out of the sale of personal data or the sharing of personal data for purposes of online targeted advertising. These opt-outs must be applied to cookies that are used to facilitate the sale or sharing of data. Certain states also require businesses to allow consumers to opt-out of the sale or sharing of personal data for the purposes of targeted advertising through certain recognized universal opt-out mechanisms
In sum, for cookie identifiers that constitute personal data under U.S. state privacy laws, businesses have obligations that include providing notice and an opportunity to opt-out of any sales or sharing of data.
An emerging body of state privacy laws impose obligations on businesses for the collection, use, and disclosure of personal data defined to include unique persistent identifiers such as cookies.
Nine state privacy laws are currently in effect or will be in effect by the end of 2024:
These state privacy laws apply only to entities doing business in the state when certain thresholds are met and only to personal data about residents of each state.
While there is no specific cookie-related law or regulation in force in the state of California, businesses subject to the CCPA must provide a notice at the point of data collection and allow consumers to opt out of the sale or sharing of personal data, which this law calls “personal information.”
“Personal information” generally means information that identifies or is reasonably capable of being associated with a particular consumer or household. This definition encompasses “unique identifiers,” which are persistent identifiers such as cookies that can be used to recognize a consumer, or a device that is linked to a consumer, over time and across different services. When processing personal information such as cookies, businesses must provide a notice at collection describing the categories of personal information collected, the purposes for which the information is collected or used, and whether that information is sold or shared (among other disclosures).
Under the CCPA, businesses are also required to provide consumers with the ability to opt-out of the sale or sharing of personal information. A “sale” generally means the disclosure of personal information to a third party for monetary or other valuable consideration, and regulators have interpreted this to include allowing third parties to collect data via cookies. “Sharing” means making personal information available to a third party for purposes of cross context-behavioral advertising, whether or not for monetary or other valuable consideration.
In sum, businesses that intend to place cookies regulated by the CCPA do not need to obtain consent for the use of cookies, but must provide notice to consumers and the opportunity to opt out of the sale or sharing of personal information facilitated by cookies.
Colorado, Connecticut, Florida, Montana, Oregon, Texas, Utah, and Virginia
As in California, there are no specific cookie-related laws or regulations in force in the states of Colorado, Connecticut, Florida, Montana, Oregon, Texas, Utah, and Virginia. However, businesses subject to these states’ laws similarly must provide a notice at collection and allow consumers to opt-out of the processing of personal data about them for purposes of targeted advertising or sales.
While the definition differs slightly among jurisdictions, “personal data” generally means information that is reasonably linkable to an identifiable individual. Cookies are therefore considered personal data to the extent they are reasonably linkable to a particular individual.
When processing personal data such as cookies under these laws, businesses must provide a privacy notice similar to the notice required in California. In practice, a single privacy notice can be used nationwide. Businesses are also required to provide consumers with an ability to opt out of the processing of personal data for targeted advertising or sales. “Targeted advertising” generally means displaying an advertisement to a consumer that is selected based on personal data obtained or inferred from the consumer’s activities over time and across non-affiliated websites or online applications to predict that consumer’s preferences or interests. A “sale” generally means the exchange of personal data for monetary or other valuable consideration.
Businesses that intend to place cookies that will collect personal data regulated by the Colorado, Connecticut, Florida, Montana, Oregon, Texas, , or Utah, or Virginia laws do not need to obtain consent for the use of cookies, but must give notice to consumers and provide the opportunity to opt out of cookies that facilitate targeted advertising and the sale of personal data.
California, Colorado, Connecticut, Montana, Texas, and Oregon Universal Opt-Out Mechanisms
While specific requirements vary among states, California, Colorado, Connecticut, Montana, Texas, and Oregon each require businesses subject to their state privacy law to allow consumers to opt out of the sale of personal data or the use of personal data for targeted advertising through preference signals, commonly called a Universal Opt-Out Mechanism (UOOM). California (according to regulatory guidance) /currently requires businesses to honor the Global Privacy Control, and Colorado will require businesses to recognize UOOM signals beginning July 1, 2024. Connecticut, Montana, and Texas will require businesses to honor UOOMs in 2025, with Oregon following in 2026.
Businesses that intend to place cookies that collect personal data regulated by these laws to facilitate targeted advertising and the sale of personal data must implement tools to recognize and honor UOOMs as required by the appropriate state deadline.
Yes.
Although there are no laws in the United States specific to cookies, state privacy law requirements are followed and enforced in practice.
N/A
Opt-in consent is not required before placing cookies.
Yes, as long as businesses provide notice of these practices and enable individuals to opt out of data sales and online targeted advertising facilitated by cookies.
Yes.
Opt-in consent is not required before placing cookies.
No.
There are no U.S. federal or state laws explicitly requiring a separate cookie notice. However, the personal data practices associated with cookies must be addressed in the privacy notices described above.
Yes, but some companies choose to use cookie banners to fulfil certain privacy notice and/or opt-out requirements.
Yes.
There are no specific U.S. federal or state laws prohibiting use of cookie walls.
There are no enforcement decisions specifically relating to breach of cookie rules because there are no such rules in the United States. However, enforcement of privacy and data security laws more generally has been a priority for U.S. regulators.
For example, the Federal Trade Commission (“FTC”), the primary federal agency on privacy policy and enforcement, recently announced the conclusion of two enforcement actions implicating the use of cookies or similar technologies. In 2023, the FTC settled two separate cases resolving certain allegations (among others) that businesses misrepresented or inadequately disclosed to consumers that certain personal data collected through cookies, web beacons, or other similar technologies would be shared with advertising partners or other third parties. As part of the settlements, the companies agreed to monetary and injunctive relief.
At the state level, the California Attorney General has been active in enforcing the state’s consumer privacy law since it became effective in January 2020. For example, in 2022, the Attorney General settled a case—the first public enforcement action under the state’s privacy law—with a large retailer for $1.2 million. The case was based in part on allegations that the business’s use of third-party tracking technologies on its website constituted sales.
No such consultations have been announced.
There are currently no specific rules on cookies in the United States.
As noted, the above states have passed laws that regulate personal data, generally defined to include unique identifiers such as cookies, and this trend is likely to continue in the absence of a comprehensive U.S. federal privacy law. The restrictions on sales and sharing under these state laws are driving increased scrutiny on cookie use in business partnerships and contract negotiations. While some organizations are willing to allow cookies on their digital properties that require an opt-out choice, other organizations are unwilling to allow such cookies.
While the U.S. Congress is considering privacy legislation and the Federal Trade Commission is considering a privacy rulemaking, either or both of which could impact cookies, there are no anticipated changes in the near future.
