The Dutch Data Protection Authority recently updated its cookie banner guidance. This comes after the agency, the Autoriteit Persoonsgegevens (or AP), promoted a goal earlier this year to monitor 500 websites a year to ensure their use of cookies complies with GDPR. The Dutch are not the only ones concerned about cookie banners. See, for example, activity from the UK that we wrote about last year. Of note, the Dutch authority stresses in its guide that even if a company uses third-party consent management platforms, the site operator is still responsible for compliance.
Continue Reading: Is Your Website’s Cookie Banner Up to Date? New Guidance from Dutch DPA

A recent settlement with an education service provider and three states – California, Connecticut, and New York – serves as a reminder to deactivate the credentials of departed employees. The case arose following a data breach suffered by Illuminate Education, which provides assessment software to K-12 school systems. As part of its services, the company stores sensitive details like students’ special education and accommodation needs.
Continue Reading: The Ghost of Employees Past: The Data Breach Risks from User-Credential Management

The European Data Protection Supervisor (EDPS) AI guidance for EU institutions has lessons for businesses. This includes when inputting personal information into these tools. The recommendations from the guidance fall into five categories, which businesses can take as potential principles. Namely:
Continue Reading: Protecting Personal Data in the Age of AI: Lessons from the Latest EDPS Guidance

The Southern District of California recently reminded companies that it has concerns about steps to take to make online terms binding. The case arose from a putative class action over alleged false pricing practices brought against Maggy London International Ltd., an online clothing retailer.
Continue Reading: Are Your Online Terms Enforceable?: Lessons from California

The Consortium of Privacy Regulators is growing. Meanwhile, CalPrivacy has announced a new program, a data broker “strike force.”
Continue Reading: State Privacy Action Grows: Consortium Expands, California Launches Data Broker Strike Force

California has set what may be an emerging trend with AB 45, restricting collection and use of personal information collected near family planning facilities. The law was signed recently by Governor Newsom and is set to go into effect January 1, 2027. It provides for penalties of $25,000 per violation.
Continue Reading: Keep Out! California Draws the Privacy Fence Around Health Data

If you thought social media needed a warning label, many state regulators agree. California recently passed a new warning label law, which will take effect on January 1, 2027. That is, unless it is challenged. Meanwhile, Colorado is fighting to keep alive a similar law following a NetChoice challenge. Other states (like Arkansas, California, Florida, Utah, Maryland, Mississippi, Ohio, and Texas) have not been successful, seeing similar laws stopped on First Amendment grounds.
Continue Reading: Warning! States Continue to Worry About Social Media and Teens

Italy became the first EU country to enact a comprehensive national AI law when its AI law (Law No. 132/2025) took effect last month. The law is intended to work with the existing EU AI Act, but with more details and specific obligations. In fact, it mirrors many of the themes that are being implemented in US AI laws (like those in Texas, Virginia (vetoed), and Colorado). This may be one of many similar laws we see coming out of Europe this year, with the potential for a fragmented AI regulatory patchwork in the EU.
Continue Reading: When in Rome—Make Your AI Do As the Regulators Do

California is getting serious about age checks online, and businesses should pay attention. Thanks to the passage of AB 1043, starting January 1, 2027, software makers and app stores will need to know the user’s age (or at least their age bracket) and signal it to apps every time a download or launch happens. For businesses that may be unclear whether COPPA or CCPA’s provisions for teenagers apply to their app, this law is aimed at clarifying that ambiguity.
Continue Reading: “How Old Are You, Anyway?” California’s New Law Makes Apps Ask… And Remember!

California recently passed an amendment accelerating how quickly businesses must notify following a data breach. Previously, the requirement was to notify affected individuals “without unreasonable delay.” Beginning January 1, 2026, the law mandates that businesses notify individuals within 30 calendar days after the discovery or notification of a breach. (New York also shortened its reporting earlier this year.) While some flexibility remains for law enforcement needs or to fully investigate the incident and restore data systems, this change places a clear emphasis on prompt action and accountability. Businesses in California will also face a new requirement when a data breach impacts over 500 residents. The law also calls for a copy of the notice sent to consumers to be submitted to the California Attorney General within 15 days of notifying individuals. Previously, there were no specific deadlines for sending a copy of the notice to the AG office.
Continue Reading: 2026 Data Breach Law Updates – California and Oklahoma