On March 21, 2025, the European Commission announced that the Consumer Protection Cooperation Network (“CPC-N”) had initiated enforcement proceedings against an online gaming company, for allegedly violating EU consumer protection laws and engaging in practices that could pose a particular risk to children.  The gaming company now has one month to propose commitments to remedy the consumer law violations identified by the CPC-N.  Concurrently, the CPC-N published guidelines to promote transparency and fairness in the online gaming industry’s use of virtual currencies.Continue Reading Consumer Watchdogs Turn Their Attention to the Online Gaming Industry

Plaintiffs’ lawyers have continued to bring privacy claims targeting businesses that use vendors to help provide beneficial chat features on their website, as we last reported here.  Late last year, a Southern District of California judge dismissed another set of privacy claims challenging the routine use of these vendor services by Tonal, a popular smart home gym company named as the sole defendant in the lawsuit.  Jones v. Tonal Systems, Inc., 751 F. Supp. 3d 1025 (S.D. Cal. 2024).

Plaintiff Julie Jones, a California resident, claimed that she had visited Tonal’s website and used its chat feature to communicate with a Tonal customer service representative.  This chat feature allegedly incorporated an API run by another company to create and store transcripts of website visitors’ chats with Tonal’s customer service representatives.  According to the complaint, this alleged conduct constituted wiretapping, which Tonal purportedly aided and abetted in violation of Sections 631 and 632.7 of the California Invasion of Privacy Act (“CIPA”).  Plaintiff also asserted other privacy claims based on the same alleged conduct, including the California Unfair Competition Law (“UCL”) and the California Constitution’s right to privacy provision.

The Court granted Tonal’s motion to dismiss each of plaintiff’s claims on multiple grounds. Continue Reading Another California Court Rejects Privacy Claims Targeting Online Chat Feature

On March 25, 2025, the French data protection authority (“CNIL”) published a draft recommendation on the use of location data from connected vehicles (the “Recommendation” – see here in French).  The Recommendation is open for public consultation until May 20, 2025.Continue Reading French CNIL Issues Draft Guidance On The Use of Location Data From Connected Vehicles

The European Commission (“Commission”) is working on a new EU consumer protection law called the Digital Fairness Act (“DFA”) to better protect consumers in the digital space.  The DFA is expected to regulate, among other things, influencer marketing. 

With EU consumer protection watchdogs starting to bring cases against companies whose products or services are promoted by influencers (see for example here), the DFA’s provisions may apply not only to influencers, but also to companies that deploy or use influencers, to ensure that advertising practices are fair and transparent.  This blog post explores two key issues that the European Commission is expected to prioritize in its approach to influencer marketing.  It also provides a brief overview of the French legal framework in this area, which some expect to serve as a model for the EU’s forthcoming rules in this area.Continue Reading Digital Fairness Act Series – Topic 1: Influencer Marketing

On April 7, 2025, South Africa’s Information Regulator announced a new requirement for organizations to report data breaches—referred to under local law as “security compromises”—via an online eServices Portal. The announcement marks a significant procedural shift in how companies must comply with the Protection of Personal Information Act, 2013

Continue Reading South Africa Introduces Mandatory e-Portal Reporting for Data Breaches

Early this month, a Northern District of California judge dismissed, with prejudice, a putative class action complaint asserting five privacy-related causes of action, concluding the “issue of consent defeat[ed] all of Plaintiffs’ claims.”  Lakes v. Ubisoft, Inc., –F. Supp. 3d–, 2025 WL 1036639 (N.D. Cal. Apr. 2, 2025).  Specifically, the Court dismissed plaintiffs’ claims under the (1) Video Privacy Protection Act (“VPPA”); (2) Federal Wiretap Act; (3) California Invasion of Privacy Act (“CIPA”) § 631; (4) common law invasion of privacy; and (5) Article I, Section 1 of the California Constitution. Continue Reading California Court Holds Plaintiffs’ Consent Defeats Claims Involving Use of Website Pixel

On March 26, 2025, Utah Governor Spencer Cox signed into law SB 142, the App Store Accountability Act (the “Act”), enacting the country’s first state law that requires app store providers to verify the age of all users and places obligations on app developers. An “app store provider” is defined as “a person that owns, operates, or controls an app store that allows users in [Utah] to download apps onto a mobile device.” A “developer” is defined as “a person that owns or controls an app made available through the app store in the state.”

The law goes into effect on May 7, 2025, and the obligations on app store providers and developers are not effective until May 6, 2026. Some key provisions are outlined below.Continue Reading Utah Enacts App Store Accountability Act

Many businesses use customer support software that may include call recording features to help ensure a better customer service experience.  A California federal court dismissed a wiretapping lawsuit filed against a software company offering this software tool (TalkDesk), holding that TalkDesk’s alleged recording of customers’ conversations with clothing retailers “is simply not private or personal enough to confer [Article III] standing.”  See Lien, et al., v. Talkdesk, Inc., No. 24-CV-06467-VC, 2025 WL 551664 (N.D. Cal. Feb. 19, 2025).Continue Reading Recording of Customer Service Call “Not Private or Personal Enough” to Confer Article III Standing

The “market” for AI contracting terms continues to evolve, and whilst there is no standardised approach (as much will depend on the use cases, technical features and commercial terms), a number of attempts have been made to put forward contracting models. One of the latest being from the EU’s Community of Practice on Public Procurement of AI, which published an updated version of its non-binding EU AI Model Contractual Clauses (“MCC-AI”) on March 5, 2025. The MCC-AI are template contractual clauses intended to be used by public organizations that procure AI systems developed by external suppliers.  An initial draft had been published in September 2023.  This latest version has been updated to align with the EU AI Act, which entered into force on August 1, 2024 but whose terms apply gradually in a staggered manner.  Two templates are available: one for public procurement of “high-risk” AI systems, and another for non-high-risk AI systems. A commentary, which provides guidance on how to use the MCC-AI, is also available.Continue Reading EU’s Community of Practice Publishes Updated AI Model Contractual Clauses

Kenya has released its first National Artificial Intelligence Strategy (2025–2030), a landmark document on the continent that sets out a government-led vision for ethical, inclusive, and innovation-driven AI adoption. Framed as a foundational step in the country’s digital transformation agenda, the strategy articulates policy ambitions that will be of

Continue Reading Kenya’s AI Strategy 2025–2030: Signals for Global Companies Operating in Africa

On March 20, 2025, the Court of Justice of the European Union (“CJEU”) ruled on the fairness, under EU consumer protection law, of a contractual clause allocating a percentage of an athlete’s income to a professional services provider (Case C‑365/23 [Arce]).  This ruling sets an important precedent and strengthens the protection afforded by consumer protection law to minors who enter into professional service contracts, whether in sport or elsewhere.Continue Reading CJEU Rules on Fairness of Remuneration Clause in Sports Contract