11 US states now have active comprehensive privacy bills

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.

UNITED STATES

Hawaii and Massachusetts Introduce Comprehensive Privacy Legislation

Massachusetts and Hawaii joined the list of states with active comprehensive privacy bills, bringing the total number of states to 11. 

TAKEAWAY

The Massachusetts Data Privacy Protection Act was introduced in both the House and the Senate and would include some unique elements, including a private right of action and a prohibition on the use of sensitive covered data (defined to include information identifying an individual’s online activities over time and across third-party websites or online services) for targeted advertising.

The Hawaii Consumer Data Protection Act would also include a private right of action but is otherwise more closely aligned with existing privacy laws, including a right to opt out of targeted advertising. 

EUROPE

CNIL Fines VOODOO €3M for Using IDFV for Advertising Without Consent

The French Data Protection Authority (CNIL) announced a €3 million fine against video game developer VOODOO based on allegations the company’s mobile apps would still read a user’s IDFV technical identifier and process the IDFV and browsing habits for advertising purposes, even if the user refused ad tracking through Apple’s ATT request.

The CNIL found this to be in violation of the French Data Protection Act, which implements the GDPR and ePrivacy.

TAKEAWAY

CNIL fines over consent issues are popping up frequently lately, including fines announced earlier this month against TikTok and Apple. 

EDPB Adopts Cookie Banner Report For Handling NOYB Complaints

The European Data Protection Board (EDPB) announced its adoption of a report created by the Cookie Banner Taskforce reflecting the common denominator agreed by supervisory authorities in their interpretation of applicable provisions of the GDPR and ePrivacy Directive when handling cookie complaints from advocate NOYB.

Among other determinations, the report concludes that:

1. ePrivacy applies to the placement of cookies, while the GDPR applies to subsequent processing of personal data, even if consent for both is obtained at the same time;
2. The GDPR’s one-stop-shop mechanism does not apply to ePrivacy issues; for GDPR issues, the competent supervisory authorities will be identified based on factual elements of each case and aren’t necessarily defined based on ability to access a website from each Member State;
3. Consent to cookies must be expressed by a positive action by the user and (according to most DPAs) must include a refuse/reject/not consent option that is readable and not embedded in a paragraph of text or placed outside the cookie banner (unless there is sufficient visual support to draw the user’s attention to it);
4. Pre-ticked boxes do not constitute valid consent; (5) the legal basis for the placement/reading of cookies cannot be legitimate interest;
5. Cookies allowing website owners to retain the preferences expressed by users. regarding a service, should be deemed essential;
6. No specific withdrawal of consent mechanism is required, but consent should be as easy to withdraw as to give (a small hovering and permanently visible icon and a linked placed in a visilble and standardized place are mentioned as acceptable examples).

TAKEAWAY

The report notes that the positions in the report reflect a minimum threshold to assess the NOYB complaints; however, the positions will have to be combined with national requirements of each Member State and therefore should not be relied upon as a green-light of compliance.

Accordingly, this report reflects a good baseline for companies to determine the minimum requirements for cookie banners, upon which national requirements should be layered, as appropriate.  

EDPB to Finalize Opinion on Draft U.S. Adequacy Decision in “Coming Weeks”

In the same announcement as noted above, the EDPB announced that Commissioner for Justice Didier Reynders had presented the European Commission’s draft adequacy decision for the EU-US Data Privacy Framework and that the board “is currently working on its opinion on the draft decision, which will be finalized in the coming weeks”.

TAKEAWAY

Once the EDPB provides its opinion, the decision will still have to be approved by a committee of Member State representatives, and the European Parliament will have a right of scrutiny, before the European Commission can adopt the final decision. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.