Updates on developments in data privacy and cybersecurity
On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.
The CNIL held that the GDPR applied to the…
On December 2, Greystar agreed to a $24 million settlement over allegations it misled renters by omitting mandatory fees from advertised monthly rents. This settlement underscores the FTC’s continuing scrutiny of “junk fees” and signals that the FTC may pursue rulemaking requiring greater transparency in rental fee advertising. …
On December 16, 2025, the EU Commission unveiled its proposal for the Biotech Act. The proposal, which is only the first part of a bigger initiative for regulating biotechnologies, focuses primarily on the health sector. The Commission took the opportunity to broadly revise the Clinical Trial Regulation (“CTR”) – see our blog post here…
In December 2025, the Spanish Agency for the Supervision of Artificial Intelligence (AESIA) published a set of detailed guidance documents and templates aimed at helping providers and deployers of high-risk AI systems under the EU AI Act comply with the relevant requirements of the law. All materials are currently available in Spanish only.…
In advance of the Indiana Consumer Data Protection Act’s (“Act”) effective date on January 1, 2026, the Indiana Attorney General released a Data Consumer Bill of Rights (“Bill of Rights”) that summarizes the rights created in the Act.…
On December 2, 2025, the Court of Justice of the European Union (“CJEU”) issued a decision clarifying the obligations of online marketplace operators with regard to content posted on their platform, where such content includes personal data. This blogpost provides an overview of the decision and its key takeaways.…
Since our mid-year recap on minors’ privacy legislation, several significant developments have emerged in the latter half of 2025. We recap the notable developments below.…
On November 12, 2025, the European Commission launched two public consultations that could significantly reshape EU product compliance rules. To participate, stakeholders – including businesses, consumer groups, and industry associations – are invited to complete the Commission’s online questionnaires, available until February 4, 2026.…
On November 19, 2025, the European Commission unveiled its 2030 Consumer Agenda, setting out priorities for EU consumer policy over the next five years. Below is an overview of the six key measures most relevant to industry.…
Last week, the Third Circuit affirmed dismissal of a putative class action asserting that defendant Quest Diagnostics violated the California Invasion of Privacy Act (“CIPA”) and the Confidentiality of Medical Information Act (“CMIA”) by employing a website pixel to track and collect data about their website activity for advertising purposes. See Cole v. Quest Diagnostics…
