On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023.
The Data Advisor
Unique Insights on Privacy and Data Protection Worldwide
CPPA Votes Out Proposed Delete Request and Opt-Out Platform (DROP) Data Broker Regulations
On March 7, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss its proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) and voted to authorize CPPA staff to advance the regulations to formal rulemaking. As mandated by the Delete Act (discussed in a previous alert), the DROP will…
European Privacy Regulators Issue Guidance on Age Assurance
On February 11, 2025, the European Data Protection Board (EDPB) adopted a statement (Statement) on age assurance. The Statement comes at a formative time in the development of age assurance practices, as EU and UK regulatory frameworks increasingly require companies to take steps to identify and protect child users of online services. The Statement outlines…
EU Commission Issues Guidelines on Prohibited AI Practices Under EU AI Act
On February 4, 2025, the European Commission (EC) issued draft guidelines clarifying the AI practices that are prohibited under the European Union’s (EU) Artificial Intelligence (AI) Act. While non-binding, the guidelines offer valuable clarifications and practical examples to help businesses navigate their obligations under the AI Act. The EC has approved the draft guidelines, but…
Upcoming Reporting Obligations Under the EU Digital Services Act
Services subject to the EU’s Digital Services Act (DSA) will be required to publish their annual transparency report by February 16, 2025. This includes providers of hosting services, online platforms, very large online platforms (VLOP), and very large online search engines (VLOSE). The extent of the information required to be disclosed varies depending on the…
Understanding the EU’s Cyber Solidarity Act: Key Takeaways
On February 4, 2025, the European Union’s (EU) Cyber Solidarity Act (CSA) entered into force. The CSA aims to harmonize and strengthen the cooperation between EU authorities to improve their capacity to detect and address large-scale cyber threats.
While the CSA does not impose any obligations on companies, those operating in “highly critical” sectors can…
Consumer Protection Update: With Disruption at the Federal Level, State Attorneys General Are Likely to Loom Large
We are less than a month into the new Trump administration and are seeing an unprecedented wave of activity and major changes at federal agencies. These changes promise to bring significant disruption to the staff and negatively impact the typical activities of numerous agencies, including the nation’s consumer protection watchdog, the Federal Trade Commission (FTC).…
The EU’s AI Act Starts to Apply as of February 2, 2025
On February 2, 2025, the European Union’s (EU) Artificial Intelligence Act (AI Act) will start to apply in phases. This alert summarizes the new obligations that will apply as of February 2, 2025. It also indicates when companies can expect the first enforcement actions, and what the enforcement regime will look like. For more information…
New Federal Children’s Privacy Requirements Are Not Child’s Play: FTC Amends COPPA Rule, Imposing New Obligations on Child-Directed Services
Companies that may have child users, or whose competitors have child users, take note. On January 16, 2025, the Federal Trade Commission (FTC) announced the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). At a high level, the COPPA Rule requires websites or online services to provide notice and obtain verifiable parental…
Ransomware Attacks: UK Government Proposes Ransom Payment Ban and Mandatory Notification Requirements
On January 14, 2025, the UK government unveiled a proposed framework aimed at combating the rise of ransomware attacks by implementing a payment prevention and reporting regime. This would require companies to not only report all ransomware incidents, but also to declare whether they intend to pay a ransom. The government also announced that it…