On 31 March 2026, the UK’s Information Commissioner’s Office (“ICO”) launched a public consultation on draft updated guidance on automated decision-making (“ADM”), including profiling (“Draft Guidance”) and simultaneously published a report on the use of ADM in recruitment (“Recruitment Report”).

The Draft Guidance is the ICO’s first detailed interpretation of the Data (Use and Access) Act’s (“DUAA”) changes to the UK GDPR’s ADM provisions, and the accompanying Recruitment Report is a sector-specific signal of how the ICO expects those rules to operate in practice.

Continue Reading UK ICO Consults on Draft Automated Decision-Making Guidance and Sets Expectations for ADM in Recruitment

As agentic AI systems move from research labs to enterprise workflows, regulators worldwide are grappling with how to address the potential risks these systems may pose (as discussed in prior blog posts here and here).  In January 2026, Singapore’s Infocomm Media Development Authority (“IMDA”) launched a non-binding Model AI Governance Framework for Agentic AI (“Framework”), just a few months after the Cyber Security Agency released a discussion paper titled “Securing Agentic AI” (“Discussion Paper”).

Together, these documents provide organizations with a structured, operational roadmap to consider when navigating some of the potential security and governance challenges posed by agentic AI.  This blog post highlights some of their key points.

Continue Reading Singapore Issues Governance and Security Guidance for Agentic AI

On April 20, 2026, the Spanish Data Protection Agency (AEPD) has published new guidance on how to comply with the GDPR when using AI‑powered voice transcription tools. The guidance builds on earlier AEPD guidance on this topic from January 2026. This blog post sets out the key takeaways of both guidance documents, which are only available in Spanish.

The AEPD’s guidance confirms a risk‑based approach to AI‑powered voice transcription. Organizations using these tools should not treat transcription as a purely technical feature, but as a processing activity that requires continuous governance, clear transparency, and proactive safeguards. Given the widespread and growing use of transcription tools across business functions, this guidance is likely to be relevant well beyond Spain.

Continue Reading Spain’s Supervisory Authority Issues New Guidance on AI‑Based Voice Transcription

On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.

Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific Research

The Federal Trade Commission (FTC) announced a settlement with dating app operator OkCupid and its affiliate Match Group Americas (Match), resolving allegations that the company had violated Section 5 of the FTC Act by sharing users’ personal information with a third party in a manner that was not disclosed in

Continue Reading FTC Alleges OkCupid Data Sharing Amounted to a Deceptive Practice

On April 14, 2026, the Federal Trade Commission (“FTC” or “Commission”) announced an Advanced Notice of Proposed Rulemaking (“ANPRM”) seeking public comment on whether a new rule is needed to address fee practices by online food and grocery delivery platforms that may obscure total pricing or impede consumers’ ability to

Continue Reading FTC Seeks Comment by May 18 on Food Delivery Pricing and Fees

On April 17, 2026, the Governor of Alabama signed HB 351, Alabama Personal Data Protection Act (ALDPA), into law.  The law resembles Connecticut’s data privacy statute, but omits certain requirements, such as a data protection impact assessment.  Alabama follows  Oklahoma as the second state to enact a comprehensive privacy

Continue Reading Alabama Enacts Comprehensive Privacy Law

On April 1, 2026, the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024. This decision limits the potential statutory damages plaintiffs may obtain for pending BIPA cases.

Continue Reading Seventh Circuit Holds that BIPA Amendment Applies Retroactively