11 US states now have active comprehensive privacy bills

Julie Rubash, Chief Privacy Counsel
January 23, 2023



Hawaii and Massachusetts Introduce Comprehensive Privacy Legislation

Massachusetts and Hawaii joined the list of states with active comprehensive privacy bills, bringing the total number of states to 11. 


The Massachusetts Data Privacy Protection Act was introduced in both the House and the Senate and would include some unique elements, including a private right of action and a prohibition on the use of sensitive covered data (defined to include information identifying an individual’s online activities over time and across third-party websites or online services) for targeted advertising.

The Hawaii Consumer Data Protection Act would also include a private right of action but is otherwise more closely aligned with existing privacy laws, including a right to opt out of targeted advertising. 


CNIL Fines VOODOO €3M for Using IDFV for Advertising Without Consent

The French Data Protection Authority (CNIL) announced a €3 million fine against video game developer VOODOO based on allegations the company’s mobile apps would still read a user’s IDFV technical identifier and process the IDFV and browsing habits for advertising purposes, even if the user refused ad tracking through Apple’s ATT request.

The CNIL found this to be in violation of the French Data Protection Act, which implements the GDPR and ePrivacy.


CNIL fines over consent issues are popping up frequently lately, including fines announced earlier this month against TikTok and Apple.

EDPB Adopts Cookie Banner Report For Handling NOYB Complaints

The European Data Protection Board (EDPB) announced its adoption of a report created by the Cookie Banner Taskforce reflecting the common denominator agreed by supervisory authorities in their interpretation of applicable provisions of the GDPR and ePrivacy Directive when handling cookie complaints from advocate NOYB.

Among other determinations, the report concludes that:

  1. ePrivacy applies to the placement of cookies, while the GDPR applies to subsequent processing of personal data, even if consent for both is obtained at the same time;
  2. The GDPR’s one-stop-shop mechanism does not apply to ePrivacy issues; for GDPR issues, the competent supervisory authorities will be identified based on factual elements of each case and aren’t necessarily defined based on ability to access a website from each Member State;
  3. Consent to cookies must be expressed by a positive action by the user and (according to most DPAs) must include a refuse/reject/not consent option that is readable and not embedded in a paragraph of text or placed outside the cookie banner (unless there is sufficient visual support to draw the user’s attention to it);
  4. Pre-ticked boxes do not constitute valid consent;
  5. The legal basis for the placement/reading of cookies cannot be legitimate interest;
  6. Cookies allowing website owners to retain the preferences expressed by users regarding a service should be deemed essential;
  7. No specific withdrawal of consent mechanism is required, but consent should be as easy to withdraw as to give (a small hovering and permanently visible icon and a link placed in a visible and standardized place are mentioned as acceptable examples).


The report notes that the positions in the report reflect a minimum threshold to assess the NOYB complaints; however, the positions will have to be combined with national requirements of each Member State and therefore should not be relied upon as a green-light of compliance.

Accordingly, this report reflects a good baseline for companies to determine the minimum requirements for cookie banners, upon which national requirements should be layered, as appropriate.  

EDPB to Finalize Opinion on Draft U.S. Adequacy Decision in “Coming Weeks”

In the same announcement as noted above, the EDPB announced that Commissioner for Justice Didier Reynders had presented the European Commission’s draft adequacy decision for the EU-US Data Privacy Framework and that the board “is currently working on its opinion on the draft decision, which will be finalized in the coming weeks”.


Once the EDPB provides its opinion, the decision will still have to be approved by a committee of Member State representatives, and the European Parliament will have a right of scrutiny, before the European Commission can adopt the final decision. 


A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.
