Privacy laws can feel like they were written to confuse you, but for most US websites the practical steps are manageable. This guide explains GDPR and CCPA in plain English and what you actually need to do.
Key Takeaways
- GDPR can reach US sites that serve EU visitors; CCPA covers many California consumers.
- Consent for tracking and a clear cookie banner are central to both.
- A real, accurate privacy policy is the minimum starting point.
- You must be able to handle data access and deletion requests.
In this article
Who These Laws Apply To
The two laws have different footprints. GDPR is European, but it applies to any business that offers goods or services to, or tracks, people in the EU, regardless of where the business is based. So a US company with EU customers or even EU website visitors it profiles can fall under it. CCPA, and its successor the CPRA, protect California residents and apply to businesses that meet certain revenue or data-volume thresholds.
The takeaway for US owners is that geography doesn't shield you. If you sell to Europe, run ads targeting EU users, or do meaningful business with Californians, one or both laws may reach you. And California is not alone anymore; a growing number of US states have passed their own privacy laws with similar ideas.
- GDPR follows EU users, not the business's location
- CCPA covers California residents above set thresholds
- More US states are passing similar laws

Thinking about your next project?

Consent and Cookie Banners
Both laws care a lot about tracking, and that's where cookie banners come in, though the two frameworks treat consent differently. Under GDPR, you generally need opt-in consent before setting non-essential cookies or trackers, so analytics and ad pixels shouldn't fire until the visitor agrees. CCPA leans more toward opt-out, giving consumers the right to say no to the sale or sharing of their data.
A compliant banner is honest and gives real choices. Pre-ticked boxes and 'accept or leave' dark patterns undermine consent under GDPR. The banner should let people accept, reject, or manage categories, and your site must actually honor those choices by not loading blocked trackers. A banner that ignores the user's answer is worse than none.
- GDPR generally requires opt-in before tracking
- CCPA emphasizes the right to opt out
- Banners must give real choices and honor them
Privacy Policies and Data Requests
A privacy policy is the baseline both laws expect, but it has to be true. It should explain what data you collect, why, who you share it with, how long you keep it, and how users can exercise their rights. A generic template that doesn't match what your site actually does can create more liability than protection, so it needs to reflect your real practices.
Both laws also grant individuals rights over their data, and you need a way to honor them. People can request a copy of their data, ask you to delete it, or opt out of certain uses. That means having a channel to receive requests, a process to verify who's asking, and the technical ability to find and remove someone's data across your systems.
- Publish an accurate, specific privacy policy
- Offer a channel for data access and deletion requests
- Be able to verify requesters and locate their data


Practical Compliance Steps
Start by mapping the data you collect and the tools that touch it, since you can't protect or explain what you don't know you have. Then implement a proper consent banner, publish an accurate privacy policy, and set up a simple process for handling data requests. Serve the whole site over HTTPS and minimize the data you collect to only what you truly need.
None of this is one-and-done. Privacy laws keep evolving and new US states keep joining, so revisit your setup periodically. For higher-risk situations, this guide is a starting point, not legal advice, and a privacy attorney is worth the money. But the technical and design work of compliance is very doable for a typical US site.
- Map what data you collect and where it goes
- Add a real consent banner and accurate policy
- Set up a process for handling data requests
How NeoDimensional Helps
NeoDimensional is a US-based UI/UX design and software development agency, founded by Guljar Hosen. We handle the technical side of privacy compliance: proper consent banners that actually block trackers, data-request workflows, and sites built to minimize the data you collect.
If you're unsure whether your site meets GDPR or CCPA expectations, book a free call. We'll review your setup and build the pieces you're missing.
- Consent banners that truly block trackers
- Data-request workflows built in
- Sites designed to minimize data collection






