US privacy basics for SMB marketing: CPRA, consent, and practical tracking choices

US privacy is state-led. The safest SMB posture: tell people what you collect and why, honor opt-outs, minimize data, and secure it—then add state-required disclosures/consents (e.g., California) with your counsel.

What most SMBs should do now (not legal advice)

  • Transparency: Publish a plain-English privacy policy covering categories of data, purposes, sharing, and retention.
  • Opt-outs: Provide clear Do Not Sell/Share links where required (e.g., California) and honor Global Privacy Control (GPC) signals when applicable.
  • Data minimization: Avoid sending PII into analytics/URLs; limit collection to what you actually use.
  • Consent banners: In US states requiring consent or specific disclosures, implement a banner that reflects your practices; don’t gate core site functions.
  • Vendor review: Ensure ad/analytics vendors support your obligations (data processing terms, limited data use settings, consent integration).
  • Documentation and access: Maintain internal records of data flows (what is collected, where it goes, who can see it) and restrict access to that data on a least-privilege basis.

Notes by region (examples; verify applicability)

  • California (CPRA): Expanded consumer rights, “sell/share” definitions, sensitive data, and GPC recognition obligations for certain businesses.
  • Colorado (CPA): Consent for sensitive data processing; universal opt-out mechanism; data protection assessments for higher-risk processing.
  • Virginia (VCDPA) and others: Similar themes—notice, opt-out for targeted ads/sale of personal data, and consumer rights.

Analytics and ads (practical setup)

  • GA4: Keep PII out of event parameters, user properties, and page URLs (a form that puts an email address in the query string leaks it into page_location). GA4 does not log or store IP addresses, so there is no IP-anonymization switch to flip; instead set event data retention to the shortest period you actually use (2 or 14 months for standard properties).
  • Consent mode: If you also serve EEA/UK visitors, implement Consent Mode v2 (ad_storage, analytics_storage, ad_user_data, ad_personalization); for US visitors, drive the same consent flags from your banner choices, GPC signals, and the practices stated in your policy.
  • Ads platforms: Where required, enable the vendor's opt-out mode, for example Google Ads restricted data processing or Meta's limited data use; verify both the contract terms and the actual tag settings.
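The GPC honoring, PII scrubbing, and consent-flag points above all land in the same few lines of client-side code, so here is one worked example (added here; not code from the original page or from any vendor) showing how they fit together. It assumes the standard Google tag snippet is loaded, uses placeholder measurement IDs, and the PII parameter names, the bannerChoice shape, and the "default to allowed under an opt-out regime" posture are assumptions to adjust to your own site and counsel's advice.

```javascript
// Added example (not from the original page). Three pieces:
//  (1) detect the browser's Global Privacy Control signal,
//  (2) strip PII-looking values from the URL before analytics sees it,
//  (3) derive a Consent Mode v2 state from GPC + banner choice and apply it.

// Query-string keys that commonly carry personal data on SMB sites.
// Hypothetical list: build yours from your own forms and email links.
const PII_PARAM_NAMES = ['email', 'phone', 'tel', 'name', 'first_name', 'last_name', 'user_id'];
const EMAIL_TEST = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/;   // non-global: safe for .test()
const EMAIL_ALL = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;   // global: for .replace()
const PHONE_TEST = /\+?\d[\d\s().-]{8,}\d/;

// GPC is exposed to page scripts as navigator.globalPrivacyControl (boolean).
// Taking the navigator as an argument keeps this testable outside a browser.
function gpcEnabled(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Return a copy of `url` with PII-bearing query parameters, any parameter
// value that looks like an email/phone, and emails in the path redacted.
function scrubPiiFromUrl(url) {
  const u = new URL(url);
  for (const [key, value] of [...u.searchParams.entries()]) {
    const namedPii = PII_PARAM_NAMES.includes(key.toLowerCase());
    const looksPii = EMAIL_TEST.test(value) || PHONE_TEST.test(value);
    if (namedPii || looksPii) u.searchParams.set(key, 'REDACTED');
  }
  u.pathname = u.pathname.replace(EMAIL_ALL, 'REDACTED');
  return u.toString();
}

// Build a Consent Mode v2 state. GPC is treated as an opt-out of sale/sharing,
// so every ads-related key is denied whenever the signal is present.
// bannerChoice (assumed shape {analytics: bool, ads: bool}) overrides the
// site defaults; `defaults` encodes the assumed US opt-out posture. If your
// analytics vendor counts as a "share" for your state, treat analytics like ads.
function buildConsentState({ gpc, bannerChoice, defaults = { analytics: true, ads: true } }) {
  const choice = bannerChoice || defaults;
  const adsAllowed = !gpc && choice.ads === true;
  const analyticsAllowed = choice.analytics === true;
  const ads = adsAllowed ? 'granted' : 'denied';
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: analyticsAllowed ? 'granted' : 'denied',
  };
}

// Apply the state through gtag. `win` is the window object (injected so the
// function can run against a fake in tests). Returns the state it applied,
// or null when the Google tag is not loaded.
function applyTrackingConfig(win) {
  const gtag = win.gtag;
  if (typeof gtag !== 'function') return null;
  const gpc = gpcEnabled(win.navigator);
  const state = buildConsentState({ gpc, bannerChoice: win.__bannerChoice || null });
  // Consent defaults must be set before any config/event call.
  gtag('consent', 'default', state);
  // GA4: override page_location with the scrubbed URL. 'G-XXXXXXXXXX' is a placeholder.
  gtag('config', 'G-XXXXXXXXXX', { page_location: scrubPiiFromUrl(win.location.href) });
  // Google Ads: restricted data processing follows the GPC signal. Placeholder ID.
  gtag('config', 'AW-XXXXXXXXX', { restricted_data_processing: gpc });
  return state;
}

if (typeof window !== 'undefined') applyTrackingConfig(window);
```

Load this in place of the `gtag('config', ...)` line in the standard snippet so the consent defaults are set before any hit is sent; if your banner runs later and records a choice, call `gtag('consent', 'update', buildConsentState({...}))` with the new choice.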

Governance cadence

  • Quarterly: Review your policy, vendor list, and banner behavior against current law and practices.
  • Request and incident readiness: Have a basic, written procedure for handling consumer access/deletion/opt-out requests within the statutory deadlines, and a separate response plan for data incidents (who is notified, what is preserved, when counsel is called).

FAQs

  • Do all US businesses need a cookie banner?
    Not always—it depends on state laws and your data uses. Many SMBs still deploy a banner for transparency and to prepare for evolving rules.
  • Can I use Google Analytics 4 in the US?
    Yes, when configured responsibly (no PII, appropriate retention/settings) and aligned to your policy.
  • Do I need to honor Global Privacy Control (GPC)?
    In some states (e.g., California) certain businesses must. Confirm with counsel whether thresholds and rules apply to you.

Summary

If you operate in the US, prioritize transparent notices, opt-out mechanisms, and data minimization; add consent banners where required by state law and avoid storing PII in analytics—consult counsel for specifics.

Author

Peter Mertz
