It's one of the most common questions US site owners ask: do I legally need a cookie banner? The honest answer is that the popup you've seen all over European sites, the one that blocks the page until you click "Accept," is generally not required in the United States. But that's not the same as "you can do nothing." US law asks for different things, and skipping them is where companies get fined.
This guide separates the myth from the actual obligations, state by state.
Opt-out, not opt-in
The core reason US and EU requirements feel so different is the consent model. Under the EU's GDPR and ePrivacy rules, you generally need opt-in consent before setting non-essential cookies, which is why the blocking banner exists. US state laws, led by California, use an opt-out model: you can set cookies and share data by default, but you must tell people you're doing it and give them a way to say no. That's why a US-focused site typically needs a notice and an opt-out link rather than a consent wall.
Sensitive data is the exception, and it flips the model. As covered in our sensitive data guide, most states require opt-in consent before you process health, precise location, or other sensitive categories.
What you actually need for US compliance
For a business in scope of the state privacy laws, the real checklist looks like this:
- A privacy notice and notice at collection. You must disclose what you collect, why, and what rights people have, at or before the point of collection.
- An opt-out of sale and sharing if you let ad tech vendors read cookies or otherwise share data for advertising. In California that means a "Do Not Sell or Share My Personal Information" link, or a combined "Your Privacy Choices" link. Our guide to building that link has the specifics.
- Honoring Global Privacy Control in the roughly dozen states that require it. Technically, GPC is a browser setting that reaches you as a "Sec-GPC: 1" request header and, in script, as navigator.globalPrivacyControl; where the statute applies, you must treat it as a valid opt-out of sale and sharing without the visitor clicking anything. This is non-negotiable in California, Colorado, Connecticut, Texas, and others. See our universal opt-out mechanisms guide.
- Opt-in for sensitive data in most states, plus a right to limit sensitive personal information in California.
- A way to handle rights requests such as access and deletion. See our guide on handling data subject requests.
Notice that a blocking banner is nowhere on this list. A privacy notice, a footer opt-out link, and correct GPC signal handling satisfy most US requirements.
Do the laws even apply to you?
Most of the broad state privacy laws only kick in above certain thresholds. A typical one covers businesses that process the data of 100,000 or more state residents a year, or a smaller number (often 25,000) if they make a meaningful share of revenue from selling data. Smaller sites can fall below every one of those thresholds.
Two cautions before you decide you're exempt. First, California's thresholds also trigger on gross revenue (currently about $26.6 million, adjusted for inflation periodically), so a high-revenue company is covered even with modest data volumes. Second, some laws have no threshold at all: Washington's My Health My Data Act can apply to a small business that handles consumer health data. Being small doesn't automatically put you out of reach.
The copy-a-GDPR-banner trap
A tempting shortcut is to grab a European-style opt-in banner and slap it on a US site. It usually backfires. Blocking analytics until a US visitor clicks "Accept" isn't required, and it quietly degrades your measurement data, because many visitors never interact with the banner at all. Worse, it can create a false impression: a banner that says "we use cookies, click accept" doesn't satisfy the actual California duties, which are to disclose selling/sharing, post an opt-out, and honor GPC. You can end up with a worse analytics picture and a compliance gap at the same time.
The reverse mistake is just as common: assuming that because you're US-only, you owe nothing. If you run advertising pixels and you're over the thresholds, you owe notice, an opt-out, and GPC handling in the states that require it. The right answer is rarely "GDPR banner" or "nothing." It's a US-appropriate opt-out layer.
When a banner still makes sense
Even though US law rarely mandates a blocking banner, there are good reasons to run one:
- You have EU or UK traffic. If any of your visitors are in Europe, GDPR-style opt-in applies to them, and a geo-aware banner lets you show opt-in in Europe and opt-out controls in the US. See the UK's PECR rules for that side.
- You use Google's advertising and analytics tools. Google Consent Mode reads a consent state (granted or denied for storage and ad-data parameters) that has to be set before the tags load, and a banner or consent layer is the cleanest way to produce it. Our guide on whether Google Analytics is compliant covers this.
- You want a single, auditable record of choices. A consent tool logs what each visitor chose, which is exactly the evidence regulators asked for in the California enforcement cases.
The practical setup
The cleanest approach for a US or mixed-audience site is geo-aware: detect where each visitor is (typically from IP geolocation at the edge or on the server), then show the right experience. A European visitor gets an opt-in banner. A California visitor gets notice plus opt-out controls and a "Your Privacy Choices" link. A visitor from a state with no broad privacy law still gets your privacy notice. And a Global Privacy Control signal is honored automatically in the states that require it, no matter what the banner shows, which means the decision about which tags to load has to be made before any advertising tag runs.
Done this way, "do I need a banner?" stops being a yes/no question. You deploy one flexible consent layer that adapts to each visitor's jurisdiction, so you're covered whether the rule is opt-in, opt-out, or nothing at all. For the full statutory map, see the complete US state privacy laws guide.
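As an added illustration of the geo-aware layer described above (example code written for this page, not a consent vendor's SDK or anything from the linked guides), the snippet below detects the GPC signal on both the server and client side, decides per visitor whether the rule is opt-in, opt-out, or notice only, and maps the result to Google Consent Mode defaults. The region and state codes, the field names, and the lists of states are illustrative assumptions; a real deployment takes the region from its own geolocation step and checks the state lists against the current statutes.

```javascript
// Added example, not code from the page: a geo-aware consent decision for a
// US/EU mixed-audience site, plus GPC detection and a Google Consent Mode mapping.
// The region/state codes and the state lists below are illustrative assumptions;
// verify them against the current statutes before relying on them.

// US states assumed here to require honoring the Global Privacy Control signal.
const GPC_STATES = new Set(["CA", "CO", "CT", "TX", "OR", "MT", "DE", "NJ", "NH", "NE", "MN", "MD"]);

// US states assumed here to have a broad opt-out privacy law: the GPC states plus
// a few whose statutes do not mandate the signal. Illustrative, not exhaustive.
const OPT_OUT_STATES = new Set([...GPC_STATES, "VA", "UT", "IA", "IN", "TN", "KY"]);

// Server side: a browser with GPC enabled sends "Sec-GPC: 1" on every request.
// Header names are matched case-insensitively; any value other than "1" is ignored.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Client side: the same signal is exposed as navigator.globalPrivacyControl === true.
// The navigator object is a parameter so the function can run outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Decide what to load for one visitor.
//   region:       "US" or anything else (EU, UK, unknown)
//   state:        two-letter US state code, or null
//   gpc:          boolean, whether the visitor's browser sent the GPC signal
//   storedChoice: null (never interacted), "accept", or "reject"
function decideConsent({ region, state, gpc, storedChoice }) {
  if (region !== "US") {
    // EU/UK, and any unknown region as the conservative default: opt-in.
    // Nothing non-essential runs until the visitor explicitly accepts.
    const accepted = storedChoice === "accept";
    return { mode: "opt-in", showBanner: storedChoice === null, allowAdTech: accepted, allowAnalytics: accepted };
  }
  if (OPT_OUT_STATES.has(state)) {
    // US state with an opt-out law: ad tech (sale/sharing) runs by default unless the
    // visitor opted out, or sent GPC from a state that mandates honoring it. GPC is
    // given precedence over a stored "accept" here as the conservative choice.
    const optedOut = storedChoice === "reject" || (gpc && GPC_STATES.has(state));
    // First-party analytics is treated as not a sale/share; adjust to your own data flows.
    return { mode: "opt-out", showBanner: false, allowAdTech: !optedOut, allowAnalytics: true };
  }
  // US state with no broad privacy law: notice only. Honoring GPC here anyway is
  // operationally simpler and defensible; this example follows the statute map and does not.
  return { mode: "notice-only", showBanner: false, allowAdTech: true, allowAnalytics: true };
}

// Map a decision to Google Consent Mode v2 defaults ("granted"/"denied"). These are the
// real parameter names, meant to be passed via gtag("consent", "default", ...) before
// any tag loads.
function consentModeDefaults(decision) {
  const ads = decision.allowAdTech ? "granted" : "denied";
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: decision.allowAnalytics ? "granted" : "denied",
  };
}

// Constructed sample visitors (not real traffic).
const SAMPLE_VISITORS = [
  { label: "Germany, first visit", region: "DE", state: null, gpc: false, storedChoice: null },
  { label: "California, GPC on, earlier clicked accept", region: "US", state: "CA", gpc: true, storedChoice: "accept" },
  { label: "Virginia, GPC on", region: "US", state: "VA", gpc: true, storedChoice: null },
  { label: "Ohio, no broad law", region: "US", state: "OH", gpc: true, storedChoice: null },
];

for (const v of SAMPLE_VISITORS) {
  const d = decideConsent(v);
  console.log(v.label, "=>", d.mode, consentModeDefaults(d));
}
```

The point of the two GPC helpers is that the signal can be read before the page's script runs at all: an edge function or origin server can key the decision off the Sec-GPC header and emit the correct Consent Mode defaults inline, so no advertising tag fires before the opt-out has been applied.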