The cookie consent question is one of the most common things business owners ask. The answer depends on who visits your website, what you are tracking, and which state laws apply to you.
What Triggers the Requirement
Cookie consent requirements are driven by two factors: the laws that apply to you based on your visitors' home states, and what you are actually doing with cookies and tracking technology on your site.
If you only use essential cookies — the kind that make your website function (login sessions, shopping carts, security tokens) — most laws do not require consent for those. The consent requirement activates when you use analytics cookies, advertising pixels, or other tracking that is not strictly necessary for the site to function.
Which States Require Cookie Consent
Several active state privacy laws require businesses to honor opt-out requests for targeted advertising, and some require proactive consent for certain types of tracking. The states where cookie consent is most clearly required or strongly recommended:
- California (CCPA/CPRA): Must honor opt-out requests. If you use tracking for cross-context behavioral advertising, you need a mechanism to honor the Global Privacy Control (GPC) signal.
- Colorado (CPA): Must honor GPC signals as valid opt-out requests.
- Connecticut (CTDPA): Must recognize and process opt-out preference signals.
- Oregon (OCPA): GPC recognition required.
- Texas (TDPSA): Must provide opt-out for targeted advertising.
- Virginia, Montana, Minnesota, and others: Opt-out rights for targeted advertising apply.
What the Global Privacy Control Is
The GPC is a browser signal — users enable it in their browser or through a privacy extension, and it automatically sends an opt-out signal to every website they visit. Several state laws require websites to recognize and honor this signal. If you serve visitors from California, Colorado, Connecticut, or Oregon, your website needs to detect and respond to the GPC signal.
What You Actually Need
For most businesses serving US customers across multiple states, here is the practical minimum:
- A cookie policy that lists what cookies and tracking tools you use and why
- A consent management platform (CMP) that handles cookie categorization and consent records — most start around $10–30/month (OneTrust, Cookiebot, and CookieYes are common options)
- GPC signal detection and response if you have visitors from California, Colorado, Connecticut, or Oregon
- A "Do Not Sell or Share" link if you use advertising pixels that share data with ad platforms
What About Google Analytics?
Google Analytics 4 collects data. Whether that constitutes "selling" or "sharing" personal data under state law depends on how it is configured and what you do with the data. At minimum, your privacy policy should disclose your use of analytics tools and explain how users can opt out. Google provides an opt-out browser add-on and GA4 has data retention controls that help with compliance.
The bottom line: If you have visitors from California, Colorado, Connecticut, Oregon, or Texas — and you use any tracking beyond essential cookies — you need a consent mechanism. The cost of not having one is higher than the cost of setting one up.
Not sure if your tracking practices require consent?
We review your website and tracking setup and tell you exactly what you need.
Book a Free Consultation