US state-privacy patchwork
Fingerprinting under the US state laws.
1 US state laws regulate browser and device fingerprinting today, starting with CCPA and the Virginia template that 12 other states have copied with variations. This page compares them at a glance for multi-state controllers. Not legal advice.
How to read this page
California's CCPA stands apart, with broader sale-and-share opt-out, a private right of action for breaches, and the most active regulator. Every other state in the live set follows the Virginia template with named variations: cure-period sunset timing, Universal Opt-Out Mechanism recognition, DPA requirement, profiling opt-out scope, and consumer-count thresholds. Click any state row for the full per-state page.
The 13 live state laws
Sorted by effective date| State | Acronym | Effective | Max penalty | How the law treats fingerprinting | Updated |
|---|---|---|---|---|---|
| California, United States | CCPA | 1 January 2020 (CCPA), CPRA amendments effective 1 January 2023 | $2,500 per violation; $7,500 per intentional violation or violation involving a minor's data | Notice + the ability to opt out of 'sale' and 'sharing' of fingerprints; opt-in only for sensitive data and minors under 16. | 2026-06-06 |
Tooling
One fingerprinting deployment, all 13 states.
Benny the Doorman is fingerprinting that defers to your CMP, supports the Universal Opt-Out Mechanism, and ships with per-state DPA addenda. If your deployment is VCDPA-compliant, it carries through most of the cluster with documented overlays.
