California’s CPRA and Virginia’s VCDPA take effect
January 9, 2023
UNITED STATES
California’s CPRA and Virginia’s VCDPA Take Effect
January 1 marked the effective date of the Virginia Consumer Data Protection Act (VCDPA) and the date that the California Privacy Rights Act (CPRA), amending the California Consumer Privacy Act (CCPA), became fully operative.
ENFORCEMENT IMPACT
The CPRA includes a 6-month grace period, so it will not actually be enforceable until July 1, 2023; however, the underlying CCPA can still be enforced during that period.
The VCDPA does not include an enforcement grace period; however, it does include a 30-day cure period for alleged violations.
Comprehensive Privacy Bills Introduced in Four States
Kentucky, New York, Oklahoma and Tennessee started the year with fresh comprehensive privacy bills, all modified versions of bills introduced in previous sessions.
The Oklahoma bill would, as in previous versions, require general explicit opt-in consent for the collection of personal information.
The New York and Tennessee bills largely resemble existing comprehensive privacy laws in Virginia and Colorado, while Kentucky’s bill contains some divergent elements, including a right to opt out of “tracking”.
WHY IT MATTERS
It is still very early in the year, but the coming weeks should give us an indication of how much of a focus state privacy legislation will take in 2023.
22 states had active comprehensive privacy legislation by the end of January 2022, resulting in the passage of two comprehensive privacy laws, in Utah and Connecticut.
Google Enters $9.5M Settlement with DC Over Location Tracking
The District of Columbia Attorney General announced that Google will pay $9.5 million to settle allegations that it deceived and manipulated consumers to gain access to their location data.
In addition to the monetary penalty, Google will be required to implement additional measures to clearly inform users of data collection practices and improve user ability to identify and disable location-related account settings.
MORE CONTEXT
This DC settlement comes after Google entered a $391.5M settlement in November 2022 with 40 other state attorneys general over similar allegations, all on the basis of state laws prohibiting unfair or deceptive acts and practices.
EUROPE
Irish DPC Fines Meta €390M Based on EDPB Decisions
The Ireland Data Protection Commission (DPC) announced that it fined Meta Ireland €210 million for GDPR violations relating to Facebook and €180 million for violations related to Instagram, both based on reliance by the services on the “contract” legal basis for data processing operations, including for behavioral advertising.
The decisions came after the European Data Protection Board issued determinations in the case, finding that Meta Ireland was not entitled to rely on the “contract” legal basis for its processing of personal data for behavioral advertising.
In addition to paying the monetary fine, Meta Ireland will be required to bring its data processing operations into compliance within three months.
WHY IT MATTERS
This decision settles the question of whether the processing of personal data for the performance of a contract is a suitable legal basis for behavioral advertising, at least in the context of the facts and circumstances of Facebook and Instagram.
CNIL Fines Apple €8M For Reading Personalized Ad IDs Without Consent
The French Data Protection Authority (CNIL) announced an €8 million fine against Apple, based on allegations that identifiers were automatically read on the Apple App Store without consent and used for personalized advertising purposes.
The CNIL found that the identifiers were not strictly necessary and therefore should not be read without prior consent; however, the ad targeting settings in version 14.6 of the iPhone operating system were pre-checked by default, violating the Data Protection Act (France’s local law implementing the EU GDPR and ePrivacy directive).
The CNIL’s announcement noted that the GDPR’s one-stop shop mechanism (requiring cooperation among interested data protection authorities across EU member states) does not apply in this circumstance, because the decision applies provisions of the Data Protection Act transposed from the ePrivacy directive, not the GDPR.
The fine is higher than the €6 million fine recommended by an advisor to the CNIL in December.
MORE CONTEXT
Although the decision notes that Apple’s new iOS 15 no longer uses an identifier for personalized ads before presenting a mechanism to obtain prior valid consent for the reading of the identifier, the corrective measures do not correct the existence of the breach for past facts in Apple’s iOS 14.6.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.