Why is the new noyb action against websites and data brokers regarding cookie-based authentication important for compliance with the new U.S. privacy laws?
Because they set out to equivocally confirm that if you can identify someone enough for the purpose of targeting them for advertising, you should be able to provide them with the personal data you collect on them.
Per the European Data Protection Board Guidelines on data subject rights, a controller should be able to respond to an access request pertaining to cookie data.
In the case where the data subject “tries to exercise his access right by e-mail or by regular mail, then in this context [the controller] will have no other choice to ask [the data subject] to provide “additional information” (Art. 12(6)) in order to be able to identify the advertising profile associated with [the data subject himself]. In this case, the additional information will be the cookie identifier stored in the terminal equipment of [the data subject].”
Under the CPRA, IP address, electronic identifiers and even probabilistic identifiers are personal information.
Per CPRA and Colorado CPA, you need to provide the individual with access to information you collected about them, including any inferences derived from this.
For more information, read this.