States continue to enact laws regulating genetic data. Since our last update, the Connecticut governor has signed SB 4, an omnibus privacy law which contains provisions regulating direct-to-consumer (“DTC”) genetic testing companies. You can read our full analysis of SB 4 here.

Continue Reading Connecticut Enacts Genetic Privacy Law

Earlier this month, the Cybersecurity & Infrastructure Security Agency (CISA), in collaboration with the National Security Agency and other international partners, released guidance for organizations on adopting agentic artificial intelligence systems (i.e., systems composed of one or more agents that fundamentally rely on an AI model, such as an LLM

Continue Reading CISA Releases Guidance on the Careful Adoption of Agentic AI Services

On May 11, 2026, the Department of Justice, acting on notification from the Federal Trade Commission, and the Illinois Attorney General, filed a complaint against “Premium Home Service” and its owner for alleged violations of Section 5 of the FTC Act, the Consumer Reviews Rule, and the Gramm-Leach-Bliley Act (GLB Act).  The Complaint seeks injunctive relief, monetary relief, and civil penalties.  

Continue Reading FTC and DOJ Continue Focus on Consumer Reviews Rule with Complaint Against Premium Home Service

On May 26, 2026, the Cybersecurity & Infrastructure Security Agency (“CISA”), announced a revised schedule of virtual town halls as part of its rulemaking implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  These town halls were initially scheduled for March and April 2026 but were delayed by the lapse in funding for the Department of Homeland Security that ended on April 30, 2026, and are now scheduled to begin on June 15, 2026.  The “specific topics of interest” CISA highlighted in its original announcement remain unchanged.

Continue Reading CISA Announces Revised Schedule of Town Halls for CIRCIA Rulemaking

On May 13, 2026, the Federal Trade Commission (“FTC”) announced that Shutterstock, Inc. had agreed to a $35 million settlement resolving allegations that the company engaged in unfair and deceptive subscription practices. The FTC asserted claims under Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), alleging that Shutterstock charged consumers who did not understand they were enrolling in a subscription, failed to adequately disclose material subscription terms, and made cancellation unnecessarily difficult. The complaint did not seek civil penalties, and the final settlement requires only consumer redress. 

Continue Reading FTC Settles with Shutterstock Over Subscription Practices

On 7 May 2026, negotiators from the Council of the European Union, the European Parliament, and the European Commission reached a provisional agreement on the terms of the Digital Omnibus on AI, marking the first set of amendments to the EU AI Act since its adoption in June 2024. The final package of amendments reflects a mix of pragmatic timeline extensions, focused simplification measures, and a small number of substantive policy changes.

Continue Reading EU AI Act Update: Timeline Relief, Targeted Simplification, and New Prohibitions

On April 28, 2026, Maryland Governor Moore signed HB 895 (the Protection From Predatory Pricing Act) into law, which will impose limitations on the use of personalized pricing in the food retail and grocery delivery context.  The law will go into effect on October 1, 2026.  As we have detailed in prior blog posts, there has been a wave of personalized pricing proposals at the state level, and the FTC is focusing attention on pricing in the grocery sector.

Continue Reading Maryland Enacts Law on Personalized Food Pricing

On April 17, 2026, the Italian data protection authority (the “Garante”) published Provision No. 284 setting out guidelines on the use of “tracking pixels” in emails (the “Guidelines”). This publication closely follows the recommendation issued by the French data protection authority on the same topic, which is discussed in a

Continue Reading Italian DPA Publishes Guidelines on Email Tracking Pixels

The European Commission has set a clear timeline for rolling out age verification across the EU:

  • by June 30, 2026, Member States are encouraged to submit implementation plans; and
  • by December 31, 2026, at least one EU‑compliant age verification solution should be available in each Member State.

This timeline, set

Continue Reading EU Sets the Clock on Age Verification: Rollout Urged by End‑2026
On 29 April 2026, the UK Information Commissioner’s Office (“ICO”) updated its guidance on the use of storage and access technologies (i.e., cookies and other technologies that store or access information stored on users’ devices) under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”). These updates follow on the heels of two public consultations about the clarity of this guidance. We set out details of three of the most relevant updates for private companies below. Perhaps the most interesting element of the updated guidance, however, is an indication that the ICO is intending to follow through on its plan to enable the use of information storage / access technologies for “privacy-preserving” advertising purposes without consent. The ICO has not made explicit changes to its guidance, and the consultation response reiterates that the use of information storage / access technologies for online advertising—including related activities like frequency capping and ad measurement—currently requires consent under Regulation 6 of PECR. However, the ICO states that it will soon submit evidence to the UK Government on advertising-related activities that could be exempt from the PECR consent requirement, which the Government may then use to amend PECR to introduce statutory exemptions. It remains to be seen what the ICO will propose, but this could make it easier to engage in certain ad-related activities in the UK. Continue Reading Three notable changes to the UK ICO’s guidance on cookies, and a hint of a more permissive approach to advertising cookies in the future