US State Targeting for CPRA, VCDPA, and State Privacy Laws

US state-level targeting enables compliance with the patchwork of privacy laws emerging across the United States. Unlike the EU’s unified GDPR, the US has state-specific privacy legislation like California’s CPRA, Virginia’s VCDPA, Colorado’s CPA, Connecticut’s CTDPA, and Utah’s UCPA—each with unique requirements. DigiConsent Pro’s state targeting lets you show different consent banners to residents of different states, ensuring compliance where required without unnecessary restrictions elsewhere.

This guide covers how to configure state-specific targeting for US privacy law compliance.

Understanding US State Privacy Laws

The United States lacks comprehensive federal privacy legislation comparable to GDPR. Instead, individual states have enacted their own privacy laws, creating a complex compliance landscape for websites serving US visitors.

Current State Privacy Laws

As of 2025, several US states have comprehensive consumer privacy laws in effect or pending:

California – CPRA (California Privacy Rights Act)

  • Most comprehensive US privacy law
  • Effective: January 1, 2023
  • Key requirements: Right to opt-out of sale/sharing, sensitive personal information handling, Do Not Sell My Personal Information mechanism
  • Applies to: Businesses meeting revenue or data volume thresholds serving California residents

Virginia – VCDPA (Virginia Consumer Data Protection Act)

  • Second state to enact comprehensive privacy law
  • Effective: January 1, 2023
  • Key requirements: Opt-out of targeted advertising and data sales, consent for sensitive data processing
  • Applies to: Businesses meeting data volume thresholds serving Virginia residents

Colorado – CPA (Colorado Privacy Act)

  • Effective: July 1, 2023
  • Key requirements: Similar to Virginia—opt-out rights, sensitive data consent, universal opt-out mechanism support
  • Applies to: Businesses meeting revenue or data volume thresholds serving Colorado residents

Connecticut – CTDPA (Connecticut Data Privacy Act)

  • Effective: July 1, 2023
  • Key requirements: Opt-out rights for data sales and targeted advertising, consent for sensitive data
  • Applies to: Businesses meeting data volume thresholds serving Connecticut residents

Utah – UCPA (Utah Consumer Privacy Act)

  • Effective: December 31, 2023
  • Key requirements: More business-friendly, opt-out of data sales and targeted advertising
  • Applies to: Businesses meeting revenue and data volume thresholds serving Utah residents

Additional states including Montana, Oregon, Texas, Delaware, Iowa, Indiana, Tennessee, and Florida have enacted or are considering similar legislation, making state-level targeting increasingly important.

Key Differences from GDPR

US state privacy laws differ significantly from GDPR:

  • Opt-out vs Opt-in: Most US laws allow opt-out models rather than requiring opt-in consent for non-essential cookies (California’s CPRA being a partial exception)
  • Do Not Sell Focus: US laws emphasize preventing data “sales” (broadly defined) rather than comprehensive consent for all data processing
  • Targeted Advertising: Specific focus on opt-out from targeted/personalized advertising
  • Applicability thresholds: US laws typically exempt smaller businesses based on revenue or data volume, unlike GDPR’s broader application
  • Sensitive data: Additional protections for sensitive personal information with opt-in requirements

When to Use State Targeting

State targeting is valuable when:

  • Your business meets applicability thresholds for state privacy laws (revenue, data volume)
  • You want to show privacy notices only where legally required, avoiding unnecessary restrictions in non-regulated states
  • You need different consent mechanisms for different states (CPRA vs VCDPA requirements differ slightly)
  • You want to optimize user experience by minimizing privacy interruptions where not legally required
  • You’re expanding into states with new or pending privacy legislation and need scalable compliance

If your business doesn’t meet state law thresholds, you may not need state-specific targeting at all. However, implementing privacy best practices voluntarily can build trust and prepare for future growth.

Setting Up California (CPRA) Targeting

California’s CPRA is the most comprehensive US state privacy law. This walkthrough creates a CPRA-compliant configuration for California residents.

Step 1: Create California State Rule

  1. Navigate to Settings > DigiConsent > Geolocation
  2. Click Add New Location Rule
  3. In Targeting Type, select US State
  4. In the State dropdown, select California
  5. Name your rule “California – CPRA Compliance”

Step 2: Configure Banner for CPRA

Banner Message:

CPRA emphasizes transparency and opt-out rights. Example banner text:

"We use cookies and similar technologies to improve your experience, analyze traffic, and personalize content and advertising. California residents have the right to opt out of the sale or sharing of their personal information. Click 'Do Not Sell My Info' to opt out, or 'Accept' to continue with all cookies enabled."

Button Configuration:

  • Accept Button: “Accept” or “Accept All”
  • Do Not Sell Button: “Do Not Sell My Personal Information” or “Do Not Sell My Info” (CPRA specifically requires clear opt-out of sales/sharing)
  • Settings Button: “Cookie Preferences” or “Manage Cookies” for granular control

The “Do Not Sell” button is critical for CPRA compliance—it must be prominently displayed and clearly labeled.

Step 3: Configure Cookie Categories for CPRA

CPRA focuses on data sales and targeted advertising. Configure categories to address these specifically:

Essential Cookies

  • Description: “Necessary for website functionality and security”
  • Status: Always enabled, cannot be disabled
  • Examples: Session cookies, security tokens

Analytics/Performance Cookies

  • Description: “Help us understand how visitors use our website”
  • Status: Enabled by default, can be disabled
  • Examples: Google Analytics (without data sharing)

Advertising/Targeting Cookies (Involves “Sale/Sharing”)

  • Description: “Used to deliver personalized advertisements and may involve sharing your information with third parties”
  • Status: Disabled if “Do Not Sell” is clicked, enabled by default otherwise
  • Examples: Google Ads, Facebook Pixel, retargeting networks

CPRA allows cookies by default with opt-out, so categories can be pre-enabled except when users click “Do Not Sell My Info.”

Step 4: Set Consent Type

For CPRA, use Opt-out consent type:

  • Cookies can load by default (unlike GDPR)
  • Visitors can opt out via “Do Not Sell” button
  • When opting out, advertising/targeting cookies are blocked
  • Analytics cookies typically continue unless visitor specifically disables them

Configure the “Do Not Sell” button to disable only the Advertising/Targeting category while leaving Essential and Analytics enabled.

Step 5: Add “Do Not Sell” Link

CPRA requires a clear, conspicuous “Do Not Sell My Personal Information” link. Implement this in multiple locations:

  1. Cookie Banner: Prominent “Do Not Sell” button as configured above
  2. Website Footer: Permanent “Do Not Sell My Personal Information” link
  3. Floating Manage Button: Enable DigiConsent Pro’s floating button for ongoing access
  4. Privacy Policy: Explain rights and how to exercise them

Step 6: Configure Display Settings

    For California visitors, balance compliance with user experience:

    • Display Delay: Optional 1-2 second delay to reduce immediate interruption
    • Scroll Trigger: Can use moderate scroll trigger (20-30%) since opt-out model allows initial cookie usage
    • Page Lock: Generally not necessary for CPRA (opt-out model), but can use if you prefer strict approach
    • Exit Intent: Useful to catch departing visitors who haven’t made preference choices

    Step 7: Save and Test

    1. Save configuration
    2. Clear all caches
    3. Use VPN or proxy set to California
    4. Verify CPRA-compliant banner appears
    5. Test “Do Not Sell” functionality blocks advertising cookies
    6. Test “Accept” allows all cookies
    7. Verify floating manage button provides ongoing access

    Setting Up Virginia (VCDPA) Targeting

    Virginia’s approach is similar to California but with some differences.

    VCDPA Key Differences from CPRA

    • Focuses on opt-out of “targeted advertising” and “data sales”
    • Requires consent (opt-in) for processing sensitive personal information
    • Businesses must honor universal opt-out mechanisms (like Global Privacy Control)

    Configuration Steps

    1. Create Virginia state rule similar to California
    2. Banner text emphasizes opt-out of “targeted advertising” rather than “sale”:
      • Example: “We use cookies for analytics and targeted advertising. Virginia residents can opt out of targeted advertising and data sales. Click ‘Opt Out’ to disable targeted advertising or ‘Accept’ to continue.”
    3. Configure button: “Opt Out of Targeted Advertising” instead of “Do Not Sell”
    4. Use opt-out consent type (cookies enabled by default, opt-out available)
    5. Ensure advertising/targeting cookies are disabled when opt-out is selected
    6. Consider implementing Global Privacy Control (GPC) support to automatically honor browser-level opt-out signals

    Setting Up Colorado, Connecticut, and Utah Targeting

    Colorado, Connecticut, and Utah have similar frameworks to Virginia. You can create nearly identical rules for each state with minor variations.

    Efficient Multi-State Setup

    1. Create and fully configure Virginia rule (as above)
    2. Use the Clone Rule function to duplicate it
    3. Change target state to Colorado
    4. Update rule name to “Colorado – CPA Compliance”
    5. Make minor adjustments if needed (generally configuration can be identical)
    6. Repeat for Connecticut and Utah

    All four states (Virginia, Colorado, Connecticut, Utah) can generally use the same consent approach: opt-out model with clear opt-out mechanism for targeted advertising and data sales.

    Managing Multiple State Rules

    As more states enact privacy laws, you’ll accumulate multiple state rules. Effective management is crucial.

    Grouping Similar States

    Most state privacy laws fall into two categories:

    Group 1: California (CPRA)

    • Most comprehensive requirements
    • “Do Not Sell” terminology
    • Slightly stricter than other states

    Group 2: Virginia-Model States (VCDPA, CPA, CTDPA, UCPA)

    • Similar requirements across states
    • “Targeted advertising opt-out” terminology
    • Can use nearly identical configurations

    Create one carefully configured rule for each group, then clone and adjust for individual states.

    Default Rule for Non-Regulated States

    States without comprehensive privacy laws (currently the majority) see your default configuration. Common approaches:

    Option 1: No Banner for Non-Regulated States

    • Show banners only in states with privacy laws
    • Visitors from other states see no consent interface
    • Minimizes interruption but may reduce transparency

    Option 2: Simple Notice for Non-Regulated States

    • Show informational banner explaining cookie usage
    • No consent required, just acknowledgment
    • Builds trust and transparency even where not legally required

    Option 3: Voluntary Opt-Out for Non-Regulated States

    • Offer same privacy protections to all US visitors voluntarily
    • Competitive differentiator and builds brand trust
    • Simplifies implementation (same experience everywhere)

    Global Privacy Control (GPC) Support

    Several state laws (Colorado, Connecticut, California) require honoring universal opt-out mechanisms like Global Privacy Control.

    What is GPC

    Global Privacy Control is a browser-level signal indicating user preference to opt out of data sales and targeted advertising. It’s sent via HTTP header (Sec-GPC: 1) or JavaScript API.

    Implementing GPC with DigiConsent Pro

    Check if DigiConsent Pro includes built-in GPC detection. If available:

    1. Enable GPC support in settings
    2. Configure which states honor GPC (Colorado, Connecticut, California as minimum)
    3. When GPC signal detected from those states, automatically disable advertising/targeting cookies
    4. Display notice that GPC preference was honored

    GPC compliance is increasingly important as browsers and privacy tools adopt the standard.
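
The opt-out model and the GPC handling described above can be expressed as a small decision function. This is an added example, not DigiConsent Pro's code: the function names, the category keys and the choice that a GPC signal overrides an earlier "Accept" click are assumptions.

```javascript
// Added illustration: names below are hypothetical, not DigiConsent Pro's API.

// States configured to honor GPC (the minimum set named in the steps above).
const GPC_STATES = new Set(['CA', 'CO', 'CT']);

// Server side: true only for the request header `Sec-GPC: 1`.
// Header names are case-insensitive; any value other than "1" is no signal.
function hasGpcHeader(headers) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1'
  );
}

// Browser side: the JavaScript API exposes the same preference as a boolean.
// `nav` is passed in so the check also runs outside a browser.
function hasGpcProperty(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Opt-out model: every category starts enabled. Advertising is switched off
// by an explicit opt-out click or by a GPC signal from a configured state.
// choice: null (no interaction yet), 'accept' or 'opt_out'.
// Assumption: a GPC signal wins over an earlier 'accept' click.
function resolveCategories({ headers = {}, nav = null, state = null, choice = null }) {
  const categories = { essential: true, analytics: true, advertising: true };
  const signal = hasGpcHeader(headers) || hasGpcProperty(nav);
  const gpcHonored = signal && GPC_STATES.has(state);
  if (choice === 'opt_out' || gpcHonored) categories.advertising = false;
  return { categories, gpcHonored }; // gpcHonored drives the "preference honored" notice
}

// Constructed sample requests.
const samples = [
  { headers: { 'Sec-GPC': '1' }, state: 'CO' },    // honored
  { headers: { 'sec-gpc': '1' }, state: 'UT' },    // state not configured
  { headers: { 'Sec-GPC': '0' }, state: 'CA' },    // not a valid signal
  { headers: {}, state: 'CA', choice: 'opt_out' }, // "Do Not Sell" click
];
for (const s of samples) {
  console.log(s.state, JSON.stringify(resolveCategories(s)));
}
```

In a browser, pass `navigator` as `nav`; on the server, pass the request's header map.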

    Testing State-Specific Rules

    State-level geolocation is less precise than country-level (80-90% accuracy vs 95-99%), making thorough testing important.

    Testing Methods

    VPN Testing:

    1. Use VPN service with US city-specific servers
    2. Connect to server in Los Angeles (California), Richmond (Virginia), Denver (Colorado), etc.
    3. Clear browser cookies and cache
    4. Visit site in incognito mode
    5. Verify appropriate state banner appears

    Proxy Services:

    • Use residential proxy services that provide real IP addresses from specific US states
    • More accurate than some VPNs for state-level detection

    Real Device Testing:

    • If possible, test from actual devices in target states
    • Ask colleagues, friends, or testers in those states to verify

    Handling Detection Errors

    State-level geolocation occasionally misidentifies visitor location. Best practices:

    • Accept detection limitations: 80-90% accuracy is industry standard for state detection
    • Err on side of showing banner: Better to show California banner to non-California visitor than miss actual California resident
    • Provide manual override: Let visitors manually select their state if detection is wrong
    • Document good faith efforts: Courts and regulators recognize IP geolocation limitations; demonstrating reasonable efforts toward compliance is typically sufficient

    Preparing for Future State Laws

    Many additional states are considering or enacting privacy legislation. Prepare your configuration for scalability.

    Monitoring Emerging Legislation

    Track privacy law developments in:

    • Texas (pending comprehensive law)
    • Florida (enacted but narrow scope)
    • Montana, Oregon (enacted, implementation pending)
    • Massachusetts, New York, Pennsylvania (proposed legislation)

    When new laws pass, create state rules using the cloning approach from existing similar-state configurations.

    Scalable Configuration Strategy

    1. Maintain “master” configurations for California and Virginia models
    2. As new states enact similar laws, clone appropriate master and adjust
    3. Document which states follow which model for quick reference
    4. Set calendar reminders to review state law changes quarterly

    Combining State Targeting with Other Rules

      State rules work alongside country and EU rules. Remember the hierarchy:

      1. US State Rules (highest priority, most specific)
      2. Country Rules
      3. EU Rules
      4. Default Rule (lowest priority, least specific)

      Example Combined Configuration:

      • California state rule: CPRA compliance
      • Virginia state rule: VCDPA compliance
      • Colorado, Connecticut, Utah state rules: Similar to Virginia
      • EU rule: GDPR compliance
      • US country rule: Simple notice for non-regulated US states
      • Default rule: No banner for rest of world

      This configuration ensures precise compliance across all major jurisdictions with tailored approaches for each.
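
The hierarchy above amounts to a most-specific-match lookup. The following added example is not DigiConsent Pro's code; the rule shape, the banner identifiers and the partial EU country list are assumptions made for illustration. It resolves the example configuration for a detected location:

```javascript
// Added illustration: the rule shape and names are hypothetical, not the
// plugin's storage format.

// Constructed subset of EU member states, enough for the sample lookups.
const EU_COUNTRIES = new Set(['DE', 'FR', 'IE', 'IT', 'ES', 'NL']);

// The example combined configuration above, written as data (any order).
const RULES = [
  { type: 'default', banner: 'none' },
  { type: 'eu', banner: 'gdpr-opt-in' },
  { type: 'country', match: 'US', banner: 'simple-notice' },
  { type: 'state', match: 'CA', banner: 'cpra-do-not-sell' },
  ...['VA', 'CO', 'CT', 'UT'].map((s) => (
    { type: 'state', match: s, banner: 'targeted-ads-opt-out' })),
];

// Most specific rule type first, as in the hierarchy above.
const PRIORITY = ['state', 'country', 'eu', 'default'];

function ruleMatches(rule, loc) {
  switch (rule.type) {
    // State codes only mean something inside the US: country "CA" is Canada.
    case 'state': return loc.country === 'US' && loc.state === rule.match;
    case 'country': return loc.country === rule.match;
    case 'eu': return EU_COUNTRIES.has(loc.country);
    case 'default': return true;
    default: return false;
  }
}

// loc: { country, state } from geolocation; state may be null when
// state-level detection fails, in which case the country rule applies.
function resolveRule(loc, rules = RULES) {
  for (const type of PRIORITY) {
    const hit = rules.find((r) => r.type === type && ruleMatches(r, loc));
    if (hit) return hit;
  }
  return null; // only when no default rule is configured
}

// Constructed sample lookups.
for (const loc of [
  { country: 'US', state: 'CA' }, { country: 'US', state: 'TX' },
  { country: 'US', state: null }, { country: 'DE' }, { country: 'CA' },
]) {
  console.log(JSON.stringify(loc), '->', resolveRule(loc).banner);
}
```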

      Next Steps

      With US state targeting configured, explore related Pro features:

      • Location-Based Rules: Advanced strategies for managing complex multi-location scenarios
      • Display Delay and Triggers: Optimize when banners appear for better user experience
      • Floating Manage Button: Provide persistent access to cookie preferences for easy opt-out
      • Iframe Blocker Setup: Block third-party content that may involve data sales or targeted advertising

      US state targeting gives you surgical precision for compliance with the complex and evolving landscape of American privacy legislation, ensuring you meet state-specific requirements without over-restricting visitors from unregulated jurisdictions.