Online Privacy

Subscribe to Online Privacy via RSS

For those operating in the European Union, the list of digital technology laws is becoming daunting. Compliance with GDPR to the AI Act — with stops along the way for the ePrivacy Directive and many more – is a significant undertaking. To simplify this confusion, the European Commission is proposing modifications to many of its data laws. It released the first attempt of these changes in the Digital Omnibus Regulation ProposalContinue Reading Might We See a Streamlining of EU Digital Compliance?

The Dutch Data Protection Authority recently updated its cookie banner guidance. This comes after the agency, the Autoriteit Persoonsgegevens (or AP), promoted a goal earlier this year to monitor 500 websites a year to ensure their use of cookies complies with GDPR. The Dutch are not the only ones concerned about cookie banners. See, for example, activity from the UK that we wrote about last year. Of note, the Dutch authority stresses in its guide that even if a company uses third-party consent management platforms, the site operator is still responsible for compliance.Continue Reading Is Your Website’s Cookie Banner Up to Date? New Guidance from Dutch DPA

California is getting serious about age checks online, and businesses should pay attention. Thanks to the passage of AB 1043, starting January 1, 2027, software makers and app stores will need to know the user’s age (or at least their age bracket) and signal it to apps every time a download or launch happens. For businesses that may be unclear whether COPPA or CCPA’s provisions for teenagers apply to their app, this law is aimed at clarifying that ambiguity.Continue Reading “How Old Are You, Anyway?” California’s New Law Makes Apps Ask… And Remember!

Many courts have held that that information gathered by video-related pixels are not “personal” for purposes of the Video Privacy Protection Act. Nevertheless, plaintiff class action attorneys continue to file these VPPA actions in federal court.Continue Reading Behind the Pixel: Not Always Personal Information Under VPPA

Minnesota has a new law that, beginning a year from now, will require that social media companies warn users of the potential negative mental health effects of social media use each time a user accesses a social media platform. The warning label will need to include specific content, including information about mental health resources (like the national suicide prevention and mental health crisis hotline). The law also specifically prohibits including “extraneous information” in the warning label. It must be on-screen (not in a company’s website terms) and remain on screen until the user either acknowledges and agrees to it, or leaves the site.Continue Reading Minnesota May Be First to Require Social Media Warning Label

Vermont has joined the list of states attempting to regulate the use of children’s information collected online, passing an Age-Appropriate Design Code Act. This law mirrors ones we have seen in other US states as well as the UK, and applies to online services reasonably accessed by minors, that collect personal data. We expect it to be challenged, but if it is not, it would go into effect January 1. Among other things, the law provides the following:Continue Reading Growing List of States Attempting to Regulate Kids’ Online Privacy: Vermont Joins the Group

The Michigan Attorney General has filed a complaint against Roku, a popular TV content platform, alleging, among other things, violations of the Children’s Online Privacy Protection Act and the Video Privacy Protection Act (and a similar Michigan law). As most are aware, COPPA requires prior parental consent before collecting information from children online. It gives standing to both the FTC and to states’ attorneys general, but no private right of action. Most cases brought since COPPA’s passage have been brought by the FTC, however, and not by states. This current Michigan case comes after a group of 43 states, including Michigan, sent a letter to the FTC urging it to strengthen and update its COPPA Rule.Continue Reading Michigan AG Sues Roku Over Alleged Privacy Violations

Virginia’s governor recently signed into law a bill that amends the Virginia Consumer Data Protection Act. As revised, the law will include specific provisions impacting children’s use of social media. Unless contested, the changes will take effect January 1, 2026. Courts have struck down similar laws in other states (see our posts about those in Arkansas, California, and Utah) and thus opposition seems likely here as well. Of note, the social media laws that have been struck down in other states attempted to require parental consent before minors could use social media platforms. This law is different, as it allows account creation without parental consent. Instead, it places restrictions on account use for both minors and social media platforms.Continue Reading Virginia Will Add to Patchwork of Laws Governing Social Media and Children (For Now?) 

In a landmark ruling, the Ninth Circuit expanded the application of specific personal jurisdiction principles to the realm of nationwide e-commerce. On April 21, 2025, an en banc panel issued a 10–1 decision ruling that allegations that Shopify embedded cookies that tracked a California consumer’s location data were sufficient to establish specific personal jurisdiction over Shopify in California (reversing the Court’s prior opinion on this exact issue). In the wake of this decision, businesses may face increased legal challenges in various states. To protect against far-flung lawsuits in unwanted jurisdictions, e-commerce businesses should, if practicable, refrain from collecting location data and engaging in other online activities that may be seen as targeting consumers of a particular state.Continue Reading Ninth Circuit Upends Internet Personal Jurisdiction Law–Briskin v. Shopify

Arkansas’ second attempt at regulating minor’s access to social media – in the form of the Social Media Safety Act (SB 689) – has again been struck down as unconstitutional. The court permanently enjoined the state from enforcing the law. It was a modified version of Arkansas’ 2023 SB 396, that was also blocked. The plaintiff in both challenges was NetChoice, a group familiar to anyone following kids’ social media laws. As a result of NetChoice’s efforts, similar laws have been blocked in California, Utah, Maryland, Mississippi, Ohio, and Texas. Courts in those states, as in Arkansas, found that the laws were unduly burdensome on free speech, with overly broad content restrictions not tailored to prevent harm to minors.Continue Reading Arkansas’ Kids Social Media Law: Another One Bites the Dust

The New York Attorney General recently entered into an assurance of discontinuance with Saturn Technologies, operator of an app used by high school and college students. The app was designed to be a social media platform that assists students with tracking their calendars and events. It also includes connection and social networking features and displayed students’ information to others. This included students’ location and club participation, among other things. According to the NYAG, the company had engaged in a series of acts that violated the state’s unfair and deceptive trade practice laws.Continue Reading New York AG Settles with School App