Iowa sends comprehensive privacy bill to governor

Julie Rubash, Chief Privacy Counsel
March 20, 2023

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Iowa Sends Comprehensive Privacy Bill to Governor

The Iowa legislature passed SF 262, a comprehensive privacy bill, which, if signed by the governor, will make Iowa the sixth U.S. state to pass comprehensive privacy legislation.


If signed, the Iowa law will take effect January 1, 2025. However, other than expanding existing privacy programs into a sixth state, the law, which closely resembles Utah’s privacy law, will not impose any new obligations on covered companies that aren’t already covered under existing privacy laws in other states.

Notably, the ability to opt out of targeted advertising is not listed explicitly in the consumer rights provision. But, an obligation to disclose the manner in which a consumer may exercise the right to opt out is included in the disclosure obligations for controllers, implying that an opt out right may have been intended.

Kentucky Passes Unique Privacy Bill Through One Chamber

The Kentucky Senate passed SB 15, moving the comprehensive privacy legislation to the House.


Unlike the Iowa bill (see above), Kentucky’s bill contains some significant differences from existing U.S. state privacy law.

Notably, the Kentucky bill would introduce the ability to opt out of “tracking” in addition to the separate rights to opt out of targeted advertising or the sale or sharing or personal data.

Interestingly, the definitions of “targeted advertising”, “sharing” and “tracking” contain some overlap, all relating in some way to targeted advertising.

The distinction seems to be whether the controller is displaying targeted advertising, combining first- and third-party data for purposes of targeted advertising, or sharing data for purposes of targeted advertising.

Another notable departure in the Kentucky bill from U.S. privacy laws is the requirement to either obtain consent for the processing of personal data (for a narrowly-defined particular purpose that is not a condition for using the product or service) or ensure that another condition applies (borrowing from the GDPR legal bases for processing, such as legitimate interest, performance of a contract, and compliance with a legal obligation).

The Kentucky session ends March 30, so the legislation will have to move quickly through the House to pass this year. 

Colorado Privacy Act Rules Finalized

The Colorado Attorney General’s Office announced official filing of rules under the Colorado Privacy Act, which will go into effect July 1, 2023.


Among other requirements, the rules include specific requirements for the right to opt out of targeted advertising, including that the opt-out method must be provided either directly or through a link in a clear, conspicuous and readily accessible location outside the privacy notice and that the link text must provide a clear understanding of its purpose. Acceptable examples include “Colorado Opt-Out Rights”, “Personal Data Use Opt-Out”, “Your Opt-Out Rights”, “Your Colorado Privacy Choices”, or “Your Privacy Choices” (which is also approved language under California rules).

The rules also include details on providing and responding to universal opt-out mechanisms (UOOMs), which controllers must recognize starting July 1, 2024 and details on obtaining user consent to processing after receiving a UOOM signal from that user, among other requirements. 


IAB Europe APD Action Plan Implementation Suspended Pending Appeal

 In an update to their press release (scroll to “update 16/03/2023” at the bottom), the Belgium data protection authority (APD) announced that the deadline for IAB Europe to implement changes to its Transparency and Consent Framework (TCF) in response to the APD’s 2022 action under GDPR would be suspended pending a ruling from the Market Court on IAB Europe’s second appeal.

A hearing on the second appeal will take place May 31, 2023.


The underlying action by the APD alleges certain GDPR violations by IAB Europe, at least partially premised on the TCF’s transparency and consent string (TC String) constituting “personal data” under the GDPR and IAB Europe constituting a “controller” under the GDPR of the TC String and other personal data processed by participants using the TCF.

IAB Europe submitted an action plan to address the alleged violations, but, in parallel, IAB Europe submitted an appeal challenging the APD’s interpretations under GDPR.

In response to this first appeal, the Market Court escalated to the CJEU the two questions of whether IAB Europe constitutes a controller and whether the TC String constitutes Personal Data.

Despite these questions still pending, the APD unexpectedly announced, in January 2023, validation of IAB Europe’s action plan and a six-month deadline (until July 2023) to implement the changes.

IAB Europe’s second appeal (as explained in IAB Europe’s press release) challenges the APD’s ability to require changes to the TCF that may need to be rolled back when the CJEU’s response is rendered.

IAB Europe expects a ruling on the second appeal at the end of Q2 or beginning of Q3, after which the implementation period will either resume (pushing the deadline to Q4 2023) if IAB Europe loses the appeal or continue to be on hold pending decisions from the CJEU and Market Court in response to IAB Europe’s first appeal.

Bookmark our FAQ to follow the latest developments in the APD’s decision regarding the IAB TCF.

CNIL To Prioritize Investigation of User Tracking by Mobile Apps

The France data protection authority (CNIL) announced four “Priority Topics for Investigations in 2023

  1. the use of smart cameras by public actors
  2. the use of the personal credit repayment incidents file
  3. access to the electronic patient record in health care institutions
  4. user tracking by mobile applications. 


The CNIL specifically cited the “systemic” use of identifiers that allow users to be tracked for advertising, statistical or technical purposes and noted that checks had already been, and would continue to be, carried out on applications that access such identifiers in the absence of user consent.

The CNIL included in its announcement a link to its guidance on cookies and other tracers issued in October 2020. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]