Once trailing behind Europe on data protection, the United States is now rapidly catching up. The turning point came with the California Consumer Privacy Act (CCPA), which set a new standard for how personal data is handled across the country. Since then, a wave of state-level privacy laws has reshaped the digital experience — for both companies and users.
In this new edition of Compliance Check-Up, we map out this evolving legal landscape: from California’s early lead and the cultural contrasts with the GDPR, to the rise of shared mechanisms like the Global Privacy Control (GPC) across the U.S.
CCPA: A Pioneering Law That Set the Tone
Enacted in 2020, the California Consumer Privacy Act (CCPA) was one of the first U.S. laws to regulate how personal data is collected and/or used. It quickly became a reference point for other states.
This legal framework applies to businesses that collect and/or use the data of California residents—even if those businesses are located outside the U.S.—provided they meet certain revenue or data processing thresholds.
The CCPA grants consumers a range of new rights, many inspired by the GDPR but rooted in a distinctly American legal culture, including:
- The right to know what personal information is being collected, used, shared, or sold.
- The right to access this data—free of charge, twice a year, covering a 12-month period.
- The right to request deletion of personal data, with some exceptions (e.g., legal obligations, security needs).
- The right to correct inaccurate personal information.
- The right to limit the use and disclosure of sensitive personal data (like geolocation, biometric data, etc.).
- And crucially, the right to opt out of the sale or sharing of personal information.
This last point represents a paradigm shift: under the CCPA, businesses must provide a clear and visible mechanism for users to exercise their opt-out rights. That can take the form of a CCPA-compliant Consent Management Platform (CMP), a “Do Not Sell My Personal Information” footer link leading to a Data Subject Access Request (DSAR) form, or technologies that honor opt-out signals—such as the Global Privacy Control (GPC), which we’ll dive into shortly.
While the CCPA, like the GDPR, includes penalties (including fines) for non-compliance, it differs sharply in its interpretation of consent. This cultural divergence is central—and worth unpacking in more detail.
CCPA vs. GDPR: Two Consent Philosophies
Unlike the GDPR, which mandates prior consent (opt-in) before any tracking or data collection can occur, the CCPA takes the opposite approach.
Under California law, cookies related to the sale or sharing of personal data may be placed as soon as the user lands on the website, without explicit prior consent. However, this is only allowed if several key conditions are met:
- A clearly visible opt-out mechanism must be provided, such as a “Do Not Sell or Share My Personal Information” link or a consent banner managed via a CMP, as discussed earlier;
- The privacy policy must clearly explain the categories of personal data being processed and the third parties involved;
- And the user must have the right to opt out of the sale or sharing of their data at any time.
This distinction has significant implications for how businesses design their consent interfaces. At Axeptio, we support this evolution with three display options that let you choose whether the widget appears immediately or later in the session. While all three options are legally compliant, we recommend using Option 2 or 3 (both of which display a banner on first visit) to ensure users are informed from the start and to enhance the perceived transparency of your brand.
In short, two frameworks, two cultures, but one shared goal: enabling users to regain control over their personal data. And this movement is no longer limited to California.
A Domino Effect Across U.S. States
Since the CCPA came into force, 13 additional U.S. states have enacted their own data privacy laws, including Colorado, Connecticut, Delaware, Florida, Iowa, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Utah, and Virginia.
Looking ahead, six more states have announced upcoming legislation set to take effect in 2025 or 2026:
- Tennessee (July 1, 2025)
- Minnesota (July 31, 2025)
- Maryland (October 1, 2025)
- Indiana (January 1, 2026)
- Kentucky (January 1, 2026)
- Rhode Island (January 1, 2026)
"Despite the patchwork nature of these regulations, most share similar foundations. That said, the CCPA still stands out for its detailed definitions and robust requirements. It often serves as a template for others, even if some states introduce their own nuances. For example, certain laws exclude data collected in a professional context—whereas California includes employee and B2B contact data," says Eunice Amisi, Business and Data Lawyer at Axeptio.
For companies operating across jurisdictions, this legal mosaic poses a real compliance challenge. That’s why flexible, scalable consent solutions are gaining traction, just like Axeptio for Brands, which supports key frameworks such as the CCPA, GDPR, Switzerland’s nFADP, and Quebec’s Law 25.
GPC: A Universal Opt-Out Signal for the U.S.?
While U.S. privacy laws still vary widely from state to state, some early signs of convergence are beginning to emerge. One of the clearest examples is the Global Privacy Control (GPC), a browser-based opt-out mechanism designed to standardize how users can exercise their rights across the web.
As mentioned earlier in this article, GPC works by sending a signal from the user’s browser to websites, indicating that they wish to opt out of the sale or sharing of their personal data. In practice, it acts as a persistent anti-tracking setting that applies globally: once enabled, users no longer need to manually search for and click “Do Not Sell My Personal Information” on every site they visit.
The CCPA officially recognizes GPC as a valid opt-out mechanism, and other states, like Colorado and Connecticut, have followed suit. Its growing acceptance points to the possibility of a more harmonized approach to privacy rights, even within the current patchwork of U.S. legislation.
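To make the signal concrete, here is an added example (not Axeptio's code) of a server-side check that combines the GPC signal with the opt-in and opt-out consent models contrasted earlier. It assumes the `Sec-GPC: 1` request header from the GPC specification; the regime names, `userChoice` values, tag list and the rule that the browser signal always wins are assumptions of this sketch.

```javascript
// Added example: regime names, the userChoice values and the tag list are
// illustrative assumptions, not any CMP's API.
const REGIME = { OPT_IN: 'opt-in', OPT_OUT: 'opt-out' };

// The GPC specification carries the preference in the Sec-GPC request header;
// only the exact value "1" expresses it. Header names are case-insensitive.
function hasGpcSignal(headers) {
  return Object.entries(headers).some(
    ([name, value]) => name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1'
  );
}

// userChoice is what the visitor picked in the site's own banner or footer
// link: 'granted', 'denied', or undefined when no choice has been made yet.
function maySellOrShare({ regime, headers, userChoice }) {
  if (userChoice === 'denied') return { allowed: false, reason: 'site-opt-out' };
  // Conservative choice in this sketch: the browser signal always wins.
  if (hasGpcSignal(headers)) return { allowed: false, reason: 'gpc-signal' };
  if (regime === REGIME.OPT_IN) {
    return userChoice === 'granted'
      ? { allowed: true, reason: 'consent-given' }
      : { allowed: false, reason: 'no-prior-consent' };
  }
  // Opt-out model: permitted from the first page view until the user objects.
  return { allowed: true, reason: 'no-opt-out-received' };
}

// Drop every tag that sells or shares personal data when the decision is "no".
function tagsToLoad(tags, decision) {
  return tags.filter((t) => decision.allowed || !t.sellsOrShares).map((t) => t.name);
}

// Constructed sample data.
const TAGS = [
  { name: 'session-cookie', sellsOrShares: false },
  { name: 'ad-exchange-pixel', sellsOrShares: true },
];
const firstVisit = { regime: REGIME.OPT_OUT, headers: {}, userChoice: undefined };
const gpcVisit = { ...firstVisit, headers: { 'Sec-GPC': '1' } };
console.log(tagsToLoad(TAGS, maySellOrShare(firstVisit)));
console.log(tagsToLoad(TAGS, maySellOrShare(gpcVisit)));
```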
That said, GPC also raises an important question: how can we balance automated choices with the need to provide clear, accessible explanations of how data is used?
This is precisely where a Consent Management Platform (CMP) becomes essential—not just as a technical tool to process a signal, but as a user-facing layer that supports informed decision-making. Especially in a market like the U.S., where most users are still unfamiliar with the concept of consent management, the CMP plays a key educational and onboarding role.
At Axeptio, we’re closely monitoring these developments and adapting accordingly. GPC compatibility will be available in our CMP very soon… so stay tuned!