Blog

11 US states now have active comprehensive privacy bills

Julie Rubash, Chief Privacy Counsel
January 23, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES


Hawaii and Massachusetts Introduce Comprehensive Privacy Legislation

Massachusetts and Hawaii joined the list of states with active comprehensive privacy bills, bringing the total number of states to 11. 

TAKEAWAY

The Massachusetts Data Privacy Protection Act was introduced in both the House and the Senate and would include some unique elements, including a private right of action and a prohibition on the use of sensitive covered data (defined to include information identifying an individual’s online activities over time and across third-party websites or online services) for targeted advertising.

The Hawaii Consumer Data Protection Act would also include a private right of action but is otherwise more closely aligned with existing privacy laws, including a right to opt out of targeted advertising. 

EUROPE


CNIL Fines VOODOO €3M for Using IDFV for Advertising Without Consent

The French Data Protection Authority (CNIL) announced a €3 million fine against video game developer VOODOO based on allegations the company’s mobile apps would still read a user’s IDFV technical identifier and process the IDFV and browsing habits for advertising purposes, even if the user refused ad tracking through Apple’s ATT request.

The CNIL found this to be in violation of the French Data Protection Act, which implements the GDPR and ePrivacy.

TAKEAWAY

CNIL fines over consent issues are popping up frequently lately, including fines announced earlier this month against TikTok and Apple


EDPB Adopts Cookie Banner Report For Handling NOYB Complaints

The European Data Protection Board (EDPB) announced its adoption of a report created by the Cookie Banner Taskforce reflecting the common denominator agreed by supervisory authorities in their interpretation of applicable provisions of the GDPR and ePrivacy Directive when handling cookie complaints from advocate NOYB.

Among other determinations, the report concludes that:

  1. ePrivacy applies to the placement of cookies, while the GDPR applies to subsequent processing of personal data, even if consent for both is obtained at the same time;
  2. The GDPR’s one-stop-shop mechanism does not apply to ePrivacy issues; for GDPR issues, the competent supervisory authorities will be identified based on factual elements of each case and aren’t necessarily defined based on ability to access a website from each Member State;
  3. Consent to cookies must be expressed by a positive action by the user and (according to most DPAs) must include a refuse/reject/not consent option that is readable and not embedded in a paragraph of text or placed outside the cookie banner (unless there is sufficient visual support to draw the user’s attention to it);
  4. Pre-ticked boxes do not constitute valid consent; (5) the legal basis for the placement/reading of cookies cannot be legitimate interest;
  5. Cookies allowing website owners to retain the preferences expressed by users. regarding a service, should be deemed essential;
  6. No specific withdrawal of consent mechanism is required, but consent should be as easy to withdraw as to give (a small hovering and permanently visible icon and a linked placed in a visilble and standardized place are mentioned as acceptable examples).

TAKEAWAY

The report notes that the positions in the report reflect a minimum threshold to assess the NOYB complaints; however, the positions will have to be combined with national requirements of each Member State and therefore should not be relied upon as a green-light of compliance.

Accordingly, this report reflects a good baseline for companies to determine the minimum requirements for cookie banners, upon which national requirements should be layered, as appropriate.  

EDPB to Finalize Opinion on Draft U.S. Adequacy Decision in “Coming Weeks”

In the same announcement as noted above, the EDPB announced that Commissioner for Justice Didier Reynders had presented the European Commission’s draft adequacy decision for the EU-US Data Privacy Framework and that the board “is currently working on its opinion on the draft decision, which will be finalized in the coming weeks”.

TAKEAWAY

Once the EDPB provides its opinion, the decision will still have to be approved by a committee of Member State representatives, and the European Parliament will have a right of scrutiny, before the European Commission can adopt the final decision. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

FTC and Sensitive Location Data; New Pen Register Class Actions

December 9, 2024

FTC takes action against the sale of sensitive data...

California CPPA Issues Notice of Proposed Rulemaking

November 25, 2024

News out of California this week. The CPPA moved...

Mitigating risk under the Video Privacy Protection Act (VPPA)

November 23, 2024

Because VPPA is just one of many tools being...

Latest White Papers

E-book: Enterprise Guide To Cookie management & Tracker List Curation

July 1, 2024

How to review the tracking tech on your websites...

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]