The State of Cookie and Tracking Laws: Opt-In, Opt-Out, and What Lies Ahead
For companies operating online, the question of whether to implement opt-in or opt-out cookie notices—especially in California and other states—remains a moving target, shaped by new legislation, regulatory enforcement, and the nuances of sensitive data and minors’ privacy.
Opt-In vs. Opt-Out: What’s Required in California?
California leads privacy regulation in the U.S. with the California Consumer Privacy Act (CCPA), which set the tone for how companies handle consumer data. Under the CCPA, covered businesses are required to provide consumers with a clear and conspicuous way to opt out of the sale or sharing of their personal information, typically seen as a “Do Not Sell or Share My Personal Information” or “Your Privacy Choices” link.
Opt-in consent is also required in specific circumstances:
- Sensitive Personal Information: If your business collects sensitive data (e.g., Social Security numbers, precise geolocation, genetic data), you may be required to get opt-in consent and provide a mechanism for consumers to limit the use or disclosure of that information.
- Minors: For those under 16, explicit opt-in consent is required before selling or sharing personal information under certain laws. Other laws require opt-in consent for minors under age 13.
- Where Consumers Reside: The rules that apply depend on where your users are located, not just where your business is based. If you have users in California or other states with privacy laws, you must comply with those states’ requirements as applicable to you.
A well-designed cookie banner can help meet notice requirements, but it must be more than a formality. Regulators have made it clear that banners must offer “symmetry of choice”: it should be just as easy to reject tracking as to accept it, with no dark patterns or hidden options. Businesses should also be aware that other laws may require opt-in consent, such as laws for certain industries or practices, including financial services and biometric data.
Other States Follow Suit
About two dozen states, including Connecticut, Texas, and Colorado, have now enacted their own privacy laws, many of which echo California’s approach but with their own requirements. Enforcement is ramping up, and regulators are increasingly focused on ensuring that cookie consent mechanisms are clear, direct, and not misleading.
Even in states without comprehensive privacy laws, consumer protection statutes are being used to hold companies accountable for opaque or deceptive tracking practices. Transparency and user control are now baseline expectations, and each law has its own nuances.
Legislative Update: CIPA, Tracking Pixels, and Pending Reform
Cookie notices are also helpful in defending against the wave of class action lawsuits under the California Invasion of Privacy Act (CIPA) and similar laws targeting companies for using tracking pixels, cookies, and similar technologies without consumer consent. While lawsuits, arbitrations, and demand letters have been prevalent in this area, the California Senate is considering SB 690, a bill that would carve out an exemption for tracking technologies used for “commercial business purposes,” potentially shutting down key plaintiff arguments in these lawsuits. Despite recent rulings and legislative changes, CIPA claims remain viable, and plaintiffs and claimants continue to send demands under CIPA and similar state laws.
The California Opt Me Out Act: One-Click Privacy
Another major development is the California Opt Me Out Act (AB 566), which would require browsers to include a built-in opt-out preference signal (OOPS). This would allow consumers to set their privacy preferences once, and have them respected across all websites and apps—making it much easier to exercise opt-out rights under the CCPA.
The era of vague cookie banners and passive consent, or even no cookie notice at all, is nearing its end. Regulators and consumers expect clear, user-friendly, and effective privacy controls, especially when sensitive data or minors are involved or data is “sold.” Given the complexity and the stakes of privacy regulations, it’s essential to consult with legal counsel to ensure your practices are up to date and tailored to your risk profile.
Kronenberger Rosenfeld, LLP regularly assists clients with legal reviews to ensure their businesses remain compliant. Contact us today through our submission form.