California’s CPRA and Virginia’s VCDPA take effect

Julie Rubash, Chief Privacy Counsel
January 9, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


California’s CPRA and Virginia’s VCDPA Take Effect

January 1 marked the effective date of the Virginia Consumer Data Protection Act (VCDPA) and the date that the California Privacy Rights Act (CPRA), amending the California Consumer Privacy Act (CCPA), became fully operative.


The CPRA includes a 6-month grace period, so it will not actually be enforceable until July 1, 2023; however, the underlying CCPA can still be enforced during such period.

The VCDPA does not include an enforcement grace period; however, it does include a 30-day cure period for alleged violations. 

Comprehensive Privacy Bills Introduced in Four States

KentuckyNew YorkOklahoma and Tennessee started the year with fresh comprehensive privacy bills, all modified versions of bills introduced in previous sessions. 

The Oklahoma bill would (like in previous versions) require general explicit opt-in consent for the collection of personal information.

The New York and Tennessee bills largely resemble existing comprehensive privacy laws in Virginia and Colorado, while Kentucky contains some divergent elements, including a right to opt out of “tracking”. 


It is still very early in the year, but the coming weeks should give us an indication of how much of a focus state privacy legislation will take in 2023.

22 states had active comprehensive privacy legislation by the end of January 2022, resulting in the passage of two comprehensive privacy laws, in Utah and Connecticut. 

Google Enters $9.5M Settlement with DC Over Location Tracking

The District of Columbia Attorney General announced that Google will pay $9.5 Million to settle allegations that it deceived and manipulated consumers to gain access to their location data.

In addition to the monetary penalty, Google will be required to implement additional measures to clearly inform users of data collection practices and improve user ability to identify and disable location-related account settings. 


This DC settlement comes after Google entered a $391.5M settlement in November 2022 with 40 other state attorneys general over similar allegations, all on the basis of state laws prohibiting unfair or deceptive acts and practices. 


Irish DPC Fines Meta €390M Based on EDPB Decisions

The Ireland Data Protection Commission (DPC) announced that it fined Meta Ireland €210 million for GDPR violations relating to Facebook and €180 million for violations related to Instagram, both based on reliance by the services on the “contract” legal basis for data processing operations, including for behavioral advertising.

The decisions came after the European Data Protection Board issued determinations in the case, finding that Meta Ireland was not entitled to rely on the “contract” legal basis for its processing of personal data for behavioral advertising.

In addition to paying the monetary fine, Meta Ireland will be required to bring its data processing operations into compliance within three months.


This decision settles the question of whether the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising, at least in the context of the facts and circumstances of Facebook and Instagram. 

CNIL Fines Apple €8M For Reading Personalized Ad IDs Without Consent

The French Data Protection Authority (CNIL) announced an €8 million fine against Apple, based on allegations that identifiers were automatically read on the Apple App Store without consent and used for personalized advertising purposes.

The CNIL found that the identifiers were not strictly necessary and therefore should not be read without prior consent; however, the ad targeting settings in version 14.6 of the iPhone operating system were pre-checked by default, violating the Data Protection Act (France’s local law implementing the EU GDPR and ePrivacy directive).

The CNIL’s announcement noted that the GDPR’s one-stop shop mechanism (requiring cooperation among interested data protection authorities across EU member states) does not apply in this circumstances, because the decision applies provisions of the Data Protection Act transposed from the ePrivacy directive, not the GDPR. 

The fine is higher than the €6 million fine recommended by an advisor to the CNIL in December.


Although the decision notes that Apple’s new iOS 15 no longer uses an identifier for personalized ads before presenting a mechanism to obtain prior valid consent for the reading of the identifier, the corrective measures do not correct the existence of the breach for past facts in Apple’s iOS 14.6.

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]