On March 21, 2025, the European Commission announced that the Consumer Protection Cooperation Network (“CPC-N”) had initiated enforcement proceedings against an online gaming company, for allegedly violating EU consumer protection laws and engaging in practices that could pose a particular risk to children.  The gaming company now has one month to propose commitments to remedy the consumer law violations identified by the CPC-N.  Concurrently, the CPC-N published guidelines to promote transparency and fairness in the online gaming industry’s use of virtual currencies.Continue Reading Consumer Watchdogs Turn Their Attention to the Online Gaming Industry

On May 13, 2025, the European Commission issued its draft Guidelines on the protection of minors online under the DSA (“the Guidelines”).  The Guidelines aim to support providers of online platforms that are “accessible to minors” with meeting their obligation to ensure “a high level of privacy, safety, and security” for minors under Article 28(1) of the Digital Services Act (“DSA”).

Below we provide an overview of the Guidelines and key takeaways.Continue Reading European Commission Publishes Draft Guidelines on the Protection of Minors under the DSA

Earlier in April, the U.S. National Institute of Standards and Technology (“NIST”) published Special Publication (“SP”) 800-61, Incident Response Recommendations and Considerations for Cybersecurity Risk Management, Revision 3 (“NIST SP 800-61”).  NIST SP 800-61 Revision 3 (“Revision 3”) is a significant change, as it not only represents the first update of the document since 2012, but also now maps the document’s recommendations and considerations for incident response to the six functions outlined in the recently-updated NIST Cybersecurity Framework 2.0—Govern, Identify, Protect, Detect, Respond, and Recover.  As a result, Revision 3 includes significant new recommendations and guidance for incident response, and entities should consider reviewing and updating their incident response plans and procedures to incorporate these recommendations, particularly if an entity has aligned its cybersecurity program with the NIST Cybersecurity Framework or used the prior versions of NIST SP 800-61 as a basis for existing incident response plans or procedures.Continue Reading NIST Publishes Updated Incident Response Recommendations and Considerations

On May 9, 2025, the FTC announced that it is deferring the compliance deadline for the Negative Option Rule by 60 days to July 14.  This announcement came five days before the original compliance date for the majority of the Rule’s provisions.  All three Commissioners voted in favor of the deferral.Continue Reading FTC Delays Negative Option Rule Compliance Date to July 14

On April 29, 2025, the Italian data protection authority (“Garante”) launched a public consultation to collect feedback from stakeholders about the so-called “Pay or Ok” model. 

“Pay or Ok” refers to the concept of making access to a website’s content or service conditional on the website visitor performing one of

Continue Reading Italian Garante Launches Public Consultation on the Implementation of “Pay or Ok” Models

On May 6, 2025, the California Privacy Protection Agency (“CPPA”) announced a decision and $345,178 fine related to allegations that Todd Snyder, Inc. violated the California Consumer Privacy Act (“CCPA”) and requirements to change its business practices.Continue Reading Clothing Retailer, Todd Snyder, Inc., Settles CPPA Allegations Regarding California Consumer Privacy Act Violations

On April 28, the House of Representatives voted 409-2 to pass the Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act (“TAKE IT DOWN Act”), which criminalizes the publication of nonconsensual intimate visual depictions (“NCII”) and requires online platforms to establish a notice and takedown process for NCII. The Act, which previously had been passed by the Senate, now goes to the President’s desk for signature. President Trump has indicated that he intends to sign the bill into law.Continue Reading U.S. Congress Passes Bill Establishing Notice and Takedown Regime for Publication of Nonconsensual Intimate Visual Depictions

On April 21, 2025, Arkansas Governor Sarah Huckabee Sanders signed three laws expanding privacy protections for children and teens. The Content Creation Protection Act passed the legislature and is pending signature. This blog summarizes the statutes’ key takeaways.Continue Reading Arkansas Advances Children and Teen Privacy Laws

On April 15, 2025, the Montana legislature unanimously passed Montana SB 297, a bill that would amend the Montana Consumer Data Privacy Act (“MTCDPA”) with provisions expanding online data protections for minors, narrowing the exemptions under the Gramm-Leach-Bliley Act, and removing a controller’s right to cure, among others.  We outline some key provisions below.Continue Reading Montana Passes Amendments to Consumer Data Privacy Act

Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer?  A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet Carter Gifts) and its marketing partner (NaviStone) accused of collecting data about plaintiff’s website visit in violation of the Pennsylvania Wiretapping and Electronic Surveillance Control Act (“WESCA”).Continue Reading Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim

Plaintiffs’ lawyers have continued to bring privacy claims targeting businesses that use vendors to help provide beneficial chat features on their website, as we last reported here.  Late last year, a Southern District of California judge dismissed another set of privacy claims challenging the routine use of these vendor services by Tonal, a popular smart home gym company named as the sole defendant in the lawsuit.  Jones v. Tonal Systems, Inc., 751 F. Supp. 3d 1025 (S.D. Cal. 2024).

Plaintiff Julie Jones, a California resident, claimed that she had visited Tonal’s website and used its chat feature to communicate with a Tonal customer service representative.  This chat feature allegedly incorporated an API run by another company to create and store transcripts of website visitors’ chats with Tonal’s customer service representatives.  According to the complaint, this alleged conduct constituted wiretapping, which Tonal purportedly aided and abetted in violation of Sections 631 and 632.7 of the California Invasion of Privacy Act (“CIPA”).  Plaintiff also asserted other privacy claims based on the same alleged conduct, including the California Unfair Competition Law (“UCL”) and the California Constitution’s right to privacy provision.

The Court granted Tonal’s motion to dismiss each of plaintiff’s claims on multiple grounds. Continue Reading Another California Court Rejects Privacy Claims Targeting Online Chat Feature