Since 2020, 20 U.S. states have implemented data privacy laws. That means mobile app publishers don’t just have to worry about data, privacy, and consent when they publish in Europe. They also have to think about it in the U.S.
20 different sets of state regulations mean that app publishers also have to find a way to manage that consent scalably. And given that there are slightly different rules in different countries, publishers need a way to manage privacy and consent scalably both at home and overseas.
I recently chatted with Jerome Perani, CRO of Axeptio, a leading Consent Management Platform (CMP) used by over 70,000 websites worldwide, on the Growth Masterminds podcast.
Adapting your app to align with data privacy laws is a 2-fold challenge:
- Obey the law
- Provide a great user experience
That might seem like a challenge, but according to Perani, both are indeed possible at the same time.
Which U.S. states have data privacy laws?
It’s not just Rhode Island, Maryland, and Nebraska. Some of the biggest states on different sides of the political landscape like Florida and California also have data privacy laws now.
Here are the 20 U.S. states with data privacy laws so far:
- California
- Colorado
- Connecticut
- Delaware
- Florida
- Indiana
- Iowa
- Kentucky
- Maryland
- Minnesota
- Montana
- Nebraska
- New Hampshire
- New Jersey
- Oregon
- Rhode Island
- Tennessee
- Texas
- Utah
- Virginia
Since many app publishers tend to treat the U.S. and Canada as a single market, it’s interesting to note that at least 3 Canadian provinces — BC, Alberta, and Québec — have their own data privacy laws, and that at the federal level, Canada has PIPEDA: the Personal Information Protection and Electronic Documents Act.
Data privacy: 6 things I learned from Jerome Perani
You have to manage your apps with an eye to data privacy laws, but you also have to present a great customer experience as those laws and regulations change over time.
Here are 6 things I learned:
- Consent is a marketing opportunity
Most companies treat data consent as a legal burden rather than a chance to build trust and engage users. Making consent a positive, brand-aligned experience can actually enhance user onboarding.
- GDPR was initially focused on the web; now it’s switching to apps
GDPR has been enforced since 2018, but early efforts focused on websites. Recently, regulators have turned their attention to mobile apps, with increasing enforcement actions. For example, Voodoo was recently fined €3M by France. And no … complying with Apple’s ATT does absolutely nothing in terms of your legal obligations to comply with data privacy laws.
- CMPs help you manage global complexity
With 20 states and hundreds of countries all writing slightly different laws and regulations, a consent management platform is pretty important to ensure compliance scalably across the globe.
- Consent should be part of your onboarding process
Consent collection should be embedded into your onboarding experience, clearly explaining why data is collected. Personalization and engaging, creative messaging improve opt-in rates. Transparency is key — hiding consent settings often leads to a user backlash or even worse, legal action.
- Globally, more and more nations are enacting data privacy laws
The U.S. we know about. Europe too. But most countries are doing something here, with regulations emerging in regions as distinct as Brazil, India, and Saudi Arabia.
- There could be more U.S.-EU tension over privacy
Especially at the federal level, there’s increasing tension between the EU and the USA. The U.S. government, under the Trump administration, looks like it will push back on EU data laws to protect American tech companies … laws which have been used to justify fines to big American tech companies of close to €5 billion in total.
Making consent sexy
Yeah, I know. Consent isn’t sexy at all.
You read about compliance at 11PM when you can’t fall asleep and need to knock yourself out for the night.
But … there’s a potential path to making consent with data privacy laws easy, slightly cool, and maybe even just a tiny bit fun. And by treating consent as part of the user experience, not just a legal formality, marketers can increase opt-in rates, build trust, and create a better, more engaging first impression.
- Integrate consent into your onboarding flow
Make it feel natural, not like a roadblock. Instead of interrupting the user’s experience with a legal notice, explain why you need their data as part of their introduction to the app. Example: “we personalize your experience based on your preferences … here’s how …”
- Make it purdy
Yeah, a legal form isn’t sexy. And a boring pop-up isn’t going to get you what you need. Make it visually appealing and interactive: icons, mini-animations, toggles instead of checkboxes, swiping gestures to indicate consent, and so on. Think like Duolingo, which greets new users like this: “Bonjour! Before we start, tell us what you’re comfortable with.”
- Talk like a human, not a lawyer
Don’t say “we collect your data in compliance with GDPR.” Instead, try “we respect your privacy! Let us know what you’re cool with.”
- Explain the value to THEM, not you
People are more likely to say yes if they see a clear benefit. For example, a streaming app could say “We use your preferences to recommend the best shows: no more endless scrolling!”
- Give people choices (but keep it simple)
Instead of “Accept All” versus “Reject All,” try tiered options so users feel more in control. Think “give me the basics” for minimal tracking, “make it personal” for a more complete customization, and “all the perks” for a fully unique experience.
- Offer small rewards
Everyone likes to get something for free. A little incentive can go a long way, like 100 loyalty points for an airline app when people agree.
- Make consent adjustable later
People change their minds. Make it easy to ramp their consent up or down later on. This builds trust and reduces opt-outs because people know they can always change their minds.
- Use real-world analogies
Digital can be hard and obscure for normal non-techy people. Help users understand what’s happening with familiar examples. Think … “just like a barista remembers your coffee, we remember your preferences.”
Much more in the full podcast
Hey, check out the full episode for all the goodness. You can find Growth Masterminds wherever you get podcasts, or always watch on our YouTube channel.
Here’s what to expect in this episode:
- 00:00 Introduction to Data Protection Regulations
- 00:45 Guest Introduction: Jerome Perani
- 01:41 The Evolution of Data Protection in Europe
- 04:49 Global Data Protection Landscape
- 12:47 Challenges and Solutions for App Developers
- 17:43 Future of Data Protection Regulations
- 27:02 Conclusion and Final Thoughts