
US State Laws (CCPA & More)

Opt-out signals and “Do Not Sell/Share” support by state.

What are US State Privacy Laws?

The United States does not have a single federal privacy law. Instead, privacy is regulated at the state level, with multiple states introducing their own legislation.

The most well-known is California’s CCPA/CPRA, but many other states now enforce similar laws. These regulations focus primarily on:

  • Giving users the right to opt out of data selling or sharing
  • Increasing transparency around data collection
  • Allowing users to access or delete their personal data

For Shopify merchants, these laws apply if you:

  • Sell to customers in the United States
  • Use advertising, analytics, or tracking technologies
  • Share data with third parties (e.g. Meta, Google)

Unlike GDPR, most US laws follow an opt-out model, meaning tracking can be enabled by default—but users must be able to opt out easily.

Current US State Privacy Laws (20 as of 2026)

As of now, the following US state privacy laws are either active or enacted:

  • California – CCPA / CPRA
  • Virginia – VCDPA
  • Colorado – CPA
  • Connecticut – CTDPA
  • Utah – UCPA
  • Texas – TDPSA
  • Oregon – OCPA
  • Montana – MCDPA
  • Iowa – ICDPA
  • Indiana – INCDPA
  • Tennessee – TIPA
  • Florida – FDBR
  • Delaware – DPDPA
  • New Jersey – NJDPA
  • New Hampshire – NHPA
  • Nebraska – NDPA
  • Kentucky – KCDPA
  • Rhode Island – RIDTPA
  • Maryland – MODPA
  • Minnesota – MCDPA (MN)

While details vary, most laws share similar principles and requirements.

Key Requirements for Shopify Merchants

US privacy laws are centered around consumer rights and transparency. The most important obligations include:

  • “Do Not Sell or Share My Personal Information”
    Users must be able to opt out of data selling or sharing, especially for advertising purposes.
  • Opt-Out Mechanisms
    Merchants must provide clear and accessible ways for users to opt out of tracking or data sharing.
  • Global Privacy Control (GPC) Signals
    Some states (especially California) require honoring browser-based opt-out signals automatically.
  • Data Access and Deletion Rights
    Users can request access to or deletion of their personal data.
  • Transparency Requirements
    Businesses must clearly disclose what data is collected and how it is used.
  • Non-Discrimination
    Users who opt out must not be penalized (e.g. worse pricing or service).

Risk of Non-Compliance

Enforcement of US privacy laws is increasing, with states actively monitoring compliance—especially around advertising and tracking.

Potential consequences include:

  • Fines up to $7,500 per violation (California and similar states)
  • Investigations by state authorities
  • Lawsuits or consumer complaints
  • Reduced effectiveness or suspension of advertising accounts due to improper consent handling

Non-compliance is especially risky for Shopify stores relying on Meta Ads, Google Ads, and remarketing.

How Consentmo Helps Shopify Merchants Stay Compliant

Consentmo provides a flexible, region-aware solution that adapts to different US state requirements automatically.

  • Built-in “Do Not Sell/Share” Mechanism
    Enables compliant opt-out functionality required under CCPA/CPRA and similar laws.
  • Opt-Out Consent Model for US Visitors
    Automatically applies opt-out logic instead of opt-in, aligning with US regulations.
  • Global Privacy Control (GPC) Support
    Detects and honors browser-level opt-out signals where required.
  • State-Level Smart Geotargeting
    Applies different rules depending on the visitor’s state (e.g. stricter handling for California).
  • Consent-Based Script Control
    Adjusts tracking behavior based on user preferences and opt-out status.
  • Privacy Request Pages
    Allows users to request access or deletion of their data.
  • Consent Logging and Audit Trail
    Stores user preferences and actions for compliance verification.

US Compliance for Shopify: What to Keep in Mind

US privacy laws are evolving quickly, with new states introducing regulations each year. While the model is generally opt-out, expectations around transparency and user control are increasing.

To stay compliant, merchants should ensure that:

  • Users can easily opt out of data selling or sharing
  • Opt-out signals (such as GPC) are respected
  • Privacy policies reflect actual data practices
  • All tracking tools are disclosed clearly
  • State-specific requirements are applied correctly

Managing this manually across multiple states can quickly become complex.

Summary

US state privacy laws require Shopify merchants to provide clear opt-out mechanisms, transparent disclosures, and user data rights across multiple jurisdictions.

To comply, merchants must:

  • Offer a “Do Not Sell or Share” option
  • Enable user opt-outs for tracking and data sharing
  • Respect GPC signals where required
  • Provide access and deletion rights
  • Maintain clear privacy disclosures

Consentmo simplifies compliance by combining opt-out management, geotargeting, consent controls, and privacy tools into one Shopify-native solution that adapts to each state automatically.

Handle All Compliance Laws At Once With Smart Geotargeting

Managing global privacy laws shouldn’t slow you down. Consentmo automatically detects your visitors’ location and applies the correct consent rules in real time — so your Shopify store stays compliant everywhere you sell.