On May 13, 2025, the European Commission issued its draft Guidelines on the protection of minors online under the DSA (“the Guidelines”). The Guidelines aim to support providers of online platforms that are “accessible to minors” with meeting their obligation to ensure “a high level of privacy, safety, and security” for minors under Article 28(1)
Inside Privacy
Updates on developments in data privacy and cybersecurity
NIST Publishes Updated Incident Response Recommendations and Considerations
Earlier in April, the U.S. National Institute of Standards and Technology (“NIST”) published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“NIST SP 800-61”). NIST SP 800-61 Revision 3 (“Revision 3”) is a significant change, as it not only represents the first update of the document since…
FTC Delays Negative Option Rule Compliance Date to July 14
On May 9, 2025, the FTC announced that it is deferring the compliance deadline for the Negative Option Rule by 60 days to July 14. This announcement came five days before the original compliance date for the majority of the Rule’s provisions. All three Commissioners voted in favor of the deferral.…
Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” Models
On April 29, 2025, the Italian data protection authority (“Garante”) launched a public consultation to collect feedback from stakeholders about the so-called “Pay or Ok” model.
“Pay or Ok” refers to the concept of making access to a website’s content or service conditional on the website visitor performing one of two actions: (1) subscribing against…
Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations
Arkansas Advances Children and Teen Privacy Laws
On April 21, 2025, Arkansas Governor Sarah Huckabee Sanders signed three laws expanding privacy protections for children and teens. The Content Creation Protection Act passed the legislature and is pending signature. This blog summarizes the statutes’ key takeaways.…
Montana Passes Amendments to Consumer Data Privacy Act
On April 15, 2025, the Montana legislature unanimously passed Montana SB 297, a bill that would amend the Montana Consumer Data Privacy Act (“MTCDPA”) with provisions expanding online data protections for minors, narrowing the exemptions under the Gramm-Leach-Bliley Act, and removing a controller’s right to cure, among others. We outline some key provisions below.…
Digital Fairness Act Series – Topic 1: Influencer Marketing
The European Commission (“Commission”) is working on a new EU consumer protection law called the Digital Fairness Act (“DFA”) to better protect consumers in the digital space. The DFA is expected to regulate, among other things, influencer marketing.
With EU consumer protection watchdogs starting to bring cases against companies whose products or services are promoted…
French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles
On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French). The Recommendation is open for public consultation until May 20, 2025.…
California Court Holds Plaintiffs’ Consent Defeats Claims Involving Use of Website Pixel
Early this month, a Northern District of California judge dismissed, with prejudice, a putative class action complaint asserting five privacy-related causes of action, concluding the “issue of consent defeat[ed] all of Plaintiffs’ claims.” Lakes v. Ubisoft, Inc., –F. Supp. 3d–, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025). Specifically, the Court dismissed plaintiffs’ claims under…