Four newer state privacy laws clustered around 2025, and lumping them together is a mistake, because they diverge on the one thing cookie compliance turns on: whether you have to honor a universal opt-out signal. Montana, Delaware, and Nebraska say yes. Iowa says no, and it also drops the targeted-advertising opt-out that every other state grants. This guide walks each in turn, then gives you a setup that covers all four.
What they share
All four regulate personal data linked or reasonably linkable to an identifiable individual, so advertising cookies and device identifiers are in scope while functional-only cookies generally aren't. All four use an opt-out model rather than Europe's opt-in: you can set tracking cookies by default, but you owe residents a clear way to opt out. And all four are enforced solely by the state Attorney General (Delaware's Department of Justice), with no private right to sue. The differences are where the compliance work lives.
Montana (MCDPA)
The Montana Consumer Data Privacy Act took effect on October 1, 2024, and its universal opt-out mandate turned on January 1, 2025. Montana honors GPC: a resident's signal is a binding opt-out of sale and targeted advertising. Montana's thresholds are low (it covers processing the data of just 25,000 consumers, half the usual bar), so smaller sites get caught. A 2025 amendment (SB 297, effective October 1, 2025) lowered thresholds further, strengthened the opt-out requirements, and eliminated the cure period ahead of its original 2026 sunset. Sensitive data needs opt-in consent. Penalties run up to $7,500 per violation.
Delaware (DPDPA)
The Delaware Personal Data Privacy Act took effect on January 1, 2025, with its universal opt-out mandate following on January 1, 2026. So as of 2026, Delaware controllers must honor GPC automatically. Delaware sets a low bar too, covering the data of 35,000 consumers, and it drops the minimum-revenue gate. Sensitive data requires opt-in consent. The right to cure expired on December 31, 2025, so the Delaware Department of Justice can now enforce without a fix-it window. Penalties reach up to $10,000 per violation under the state's consumer-fraud statute, the steepest of the four.
Iowa (ICDPA): the outlier
The Iowa Consumer Data Protection Act took effect on January 1, 2025, and it's the weakest broad state privacy law on the books. Two gaps matter for cookies. First, Iowa does not require honoring a universal opt-out mechanism, so there's no GPC mandate. Second, Iowa gives consumers no right to opt out of targeted advertising at all (they can opt out of a sale, but not cross-context targeted ads). Sensitive data gets the lighter treatment as well: instead of opt-in consent, Iowa asks only for notice and an opportunity to opt out. Iowa also grants the longest fix-it window, a 90-day cure period that hasn't sunset. Penalties reach $7,500 per violation. Iowa's statute is Iowa Code Chapter 715D.
Nebraska (NDPA)
The Nebraska Data Privacy Act took effect on January 1, 2025, and it's modeled on Texas rather than the Colorado line. That means no numeric thresholds: it applies to any business operating in Nebraska that processes or sells personal data and isn't a small business under the SBA definition, though even small businesses can't sell sensitive data without consent. Nebraska requires honoring a universal opt-out mechanism, so GPC applies. Sensitive data needs opt-in consent. The AG must give a 30-day cure period that doesn't sunset, and penalties reach $7,500 per violation. Nebraska's guidance lives at the state's data privacy homepage.
The four at a glance
- Honor GPC? Montana yes (Jan 2025), Delaware yes (Jan 2026), Nebraska yes, Iowa no.
- Targeted-ad opt-out? Montana, Delaware, Nebraska yes. Iowa no.
- Sensitive data: opt-in in Montana, Delaware, Nebraska. Notice-and-opt-out in Iowa.
- Cure period: gone in Montana and Delaware. 30 days (permanent) in Nebraska. 90 days (permanent) in Iowa.
- Max penalty: $10,000 in Delaware, $7,500 in the other three.
A setup that covers all four
The simplest safe approach is to build for the strictest common denominator and let the weaker states ride along. Honor GPC everywhere (it satisfies Montana, Delaware, and Nebraska, and does no harm in Iowa). Offer a targeted-advertising opt-out everywhere (required in three, ignored harmlessly in Iowa). Gate sensitive data behind opt-in everywhere (required in three; Iowa's notice-and-opt-out is a subset you'll already satisfy). That single configuration clears all four without per-state banner logic.
CookieBeam's US opt-out states preset does exactly this. GPC honoring is default-on in the runtime, sensitive categories can require opt-in, and the regional consent engine serves the opt-out model to these states while the EU gets opt-in from the same banner. Confirm each state's current statute before you rely on a single configuration; this reflects mid-2026.
The pitfall to avoid
The trap with these four is assuming they move as a group because they arrived together. They don't. If you build only for Iowa (no GPC, no targeted-ad opt-out, notice-only sensitive data), you'll be out of compliance the moment a Montana, Delaware, or Nebraska resident visits. Build for the strict three and Iowa is covered automatically. Always design to the stricter states and let the lenient one inherit. The same logic extends to the two dozen other US state laws now on the books, which is why a per-state banner rarely pays off compared with one strict opt-out configuration that honors GPC everywhere and gates sensitive data behind consent.
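The single strict configuration from "A setup that covers all four" and the Iowa-only pitfall above, as an added example (not CookieBeam's code and not part of the original guide). The state flags restate the at-a-glance list; `STATES`, `uncoveredStates`, `resolveConsent` and the shape of `stored` are hypothetical names, while `Sec-GPC: 1` is the request header defined by the Global Privacy Control specification.

```javascript
// Requirements per state, as summarized in "The four at a glance" on this page.
const STATES = {
  MT: { gpc: true,  adOptOut: true,  sensitiveOptIn: true  },
  DE: { gpc: true,  adOptOut: true,  sensitiveOptIn: true  },
  NE: { gpc: true,  adOptOut: true,  sensitiveOptIn: true  },
  IA: { gpc: false, adOptOut: false, sensitiveOptIn: false },
};

// Two candidate site configurations: build-for-the-strictest vs. build-for-Iowa.
const STRICT    = { gpc: true,  adOptOut: true,  sensitiveOptIn: true  };
const IOWA_ONLY = { gpc: false, adOptOut: false, sensitiveOptIn: false };

// Returns the states whose requirements the configuration fails to meet.
function uncoveredStates(config) {
  return Object.keys(STATES).filter((state) =>
    Object.keys(STATES[state]).some((req) => STATES[state][req] && !config[req]));
}

// A GPC signal is present only when the Sec-GPC header is exactly "1".
// Header names are case-insensitive, so match the name without regard to case.
function hasGpc(headers) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Per-request decision under the STRICT configuration.
// `stored` is the visitor's saved banner choice (hypothetical shape):
//   { optOut: boolean, sensitiveOptIn: boolean }
function resolveConsent(headers, stored = {}) {
  const gpc = hasGpc(headers);
  const optedOut = gpc || stored.optOut === true;
  return {
    functional: true,                          // functional-only cookies stay on
    sale: !optedOut,                           // opt-out model: on until refused
    targetedAds: !optedOut,
    sensitive: stored.sensitiveOptIn === true, // opt-in: off until granted
    reason: gpc ? 'gpc' : stored.optOut === true ? 'user' : 'default',
  };
}
```

`uncoveredStates(IOWA_ONLY)` lists Montana, Delaware and Nebraska, while `uncoveredStates(STRICT)` is empty, which is the "design to the stricter states" rule in executable form.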
Related guides
See universal opt-out mechanisms across US state laws, Global Privacy Control explained, and the complete guide to US state privacy laws. For the states with dedicated deep-dives, read Texas TDPSA (Nebraska's model) and the Colorado Privacy Act.