On June 10, 2025, the Finnish Data Protection Ombudsman published a decision (in FI) where it found that the processing of personal data for enforcing parking violations was unlawful because the enforcement mechanism was not described in the parking rental agreement. This recent decision is a striking example of how data protection and consumer protection law are increasingly intertwined. The case demonstrates that the way in which customer services—and any related enforcement mechanisms for non-performance—are described in contracts is not just a matter of consumer transparency, but a legal requirement for the lawful processing of personal data under Article 6(1)(b) of the GDPR (“processing [that] is necessary for the performance of a contract”).Continue Reading Data Protection Meets Consumer Protection: The Crucial Role of Clear Terms in Service Contracts

Dan Cooper
Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.
According to Chambers UK, his "level of expertise is second to none, but it's also equally paired with a keen understanding of our business and direction." It was noted that "he is very good at calibrating and helping to gauge risk."
Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as the IAPP's European Advisory Board, Privacy International and the European security agency, ENISA.
Overview of Key CJEU Rulings on EU Consumer Protection Law of May 2025
In May 2025, the Court of Justice of the EU (“CJEU”) ruled on five cases applying EU consumer protection law. This blog post provides an overview of the decisions.
- Three of these cases relate to the EU Unfair Contract Terms Directive (“UCTD”), which protects consumers from unfair terms in contracts with businesses. It applies to standard terms that have not been individually negotiated and ensures they are transparent, clear, and balanced. If a term is found to be unfair, it is not binding on the consumer—and its use can expose businesses to enforcement actions, including fines, under national laws.
- The fourth case relates to the EU Directive on Misleading and Comparative Advertising (“DMCA”), which aims to protect businesses and consumers by prohibiting advertising that misleads or distorts competition. It also sets out conditions for permitted comparative advertising—comparing one product or service with another—to ensure fairness and accuracy.
- The fifth case concerns the EU Directive on Electronic Commerce (“DEC”), which sets transparency obligations for online commercial communications. Specifically, it requires that online promotions clearly disclose the conditions for benefiting from the offer, ensuring that consumers are fully informed before making a decision.
We have summarized these cases below.Continue Reading Overview of Key CJEU Rulings on EU Consumer Protection Law of May 2025
Digital Fairness Act Series: Topic 2 – Transparency and Disclosure Obligations for AI Chatbots in Consumer Interactions
AI chatbots are transforming how businesses handle consumer inquiries and complaints, offering speed and availability that traditional channels often cannot match. However, the European Commission’s recent Digital Fairness Act Fitness Check has spotlighted a gap: EU consumers currently lack a cross-sectoral right to demand human contact when interacting with AI chatbots in business-to-consumer settings. It is still unclear whether and how the European Commission is proposing to address this. The Digital Fairness Act could do so, but the Commission’s proposal is only planned to be published in the 3rd quarter of 2026. This post highlights key consumer protection considerations for companies deploying AI chatbots in the EU market.Continue Reading Digital Fairness Act Series: Topic 2 – Transparency and Disclosure Obligations for AI Chatbots in Consumer Interactions
European Commission Publishes Q&A on AI Literacy
On May 7, 2025, the European Commission published a Q&A on the AI literacy obligation under Article 4 of the AI Act (the “Q&A”). The Q&A builds upon the Commission’s guidance on AI literacy provided in its webinar in February 2025, covered in our earlier blog here. Among other things, the Commission clarifies that the AI literacy obligation started to apply from February 2, 2025, but that the national market surveillance authorities tasked with supervising and enforcing the obligation will start doing so from August 3, 2026 onwards.Continue Reading European Commission Publishes Q&A on AI Literacy
European Commission Publishes Draft Guidelines on the Protection of Minors under the DSA
On May 13, 2025, the European Commission issued its draft Guidelines on the protection of minors online under the DSA (“the Guidelines”). The Guidelines aim to support providers of online platforms that are “accessible to minors” with meeting their obligation to ensure “a high level of privacy, safety, and security” for minors under Article 28(1) of the Digital Services Act (“DSA”).
Below we provide an overview of the Guidelines and key takeaways.Continue Reading European Commission Publishes Draft Guidelines on the Protection of Minors under the DSA
Digital Fairness Act Series – Topic 1: Influencer Marketing
The European Commission (“Commission”) is working on a new EU consumer protection law called the Digital Fairness Act (“DFA”) to better protect consumers in the digital space. The DFA is expected to regulate, among other things, influencer marketing.
With EU consumer protection watchdogs starting to bring cases against companies whose products or services are promoted by influencers (see for example here), the DFA’s provisions may apply not only to influencers, but also to companies that deploy or use influencers, to ensure that advertising practices are fair and transparent. This blog post explores two key issues that the European Commission is expected to prioritize in its approach to influencer marketing. It also provides a brief overview of the French legal framework in this area, which some expect to serve as a model for the EU’s forthcoming rules in this area.Continue Reading Digital Fairness Act Series – Topic 1: Influencer Marketing
South Africa Introduces Mandatory e-Portal Reporting for Data Breaches
On April 7, 2025, South Africa’s Information Regulator announced a new requirement for organizations to report data breaches—referred to under local law as “security compromises”—via an online eServices Portal. The announcement marks a significant procedural shift in how companies must comply with the Protection of Personal Information Act, 2013…
Continue Reading South Africa Introduces Mandatory e-Portal Reporting for Data BreachesEU’s Community of Practice Publishes Updated AI Model Contractual Clauses
The “market” for AI contracting terms continues to evolve, and whilst there is no standardised approach (as much will depend on the use cases, technical features and commercial terms), a number of attempts have been made to put forward contracting models. One of the latest being from the EU’s Community of Practice on Public Procurement of AI, which published an updated version of its non-binding EU AI Model Contractual Clauses (“MCC-AI”) on March 5, 2025. The MCC-AI are template contractual clauses intended to be used by public organizations that procure AI systems developed by external suppliers. An initial draft had been published in September 2023. This latest version has been updated to align with the EU AI Act, which entered into force on August 1, 2024 but whose terms apply gradually in a staggered manner. Two templates are available: one for public procurement of “high-risk” AI systems, and another for non-high-risk AI systems. A commentary, which provides guidance on how to use the MCC-AI, is also available.Continue Reading EU’s Community of Practice Publishes Updated AI Model Contractual Clauses
Kenya’s AI Strategy 2025–2030: Signals for Global Companies Operating in Africa
Kenya has released its first National Artificial Intelligence Strategy (2025–2030), a landmark document on the continent that sets out a government-led vision for ethical, inclusive, and innovation-driven AI adoption. Framed as a foundational step in the country’s digital transformation agenda, the strategy articulates policy ambitions that will be of…
Continue Reading Kenya’s AI Strategy 2025–2030: Signals for Global Companies Operating in AfricaCJEU Rules on Fairness of Remuneration Clause in Sports Contract
On March 20, 2025, the Court of Justice of the European Union (“CJEU”) ruled on the fairness, under EU consumer protection law, of a contractual clause allocating a percentage of an athlete’s income to a professional services provider (Case C‑365/23 [Arce]). This ruling sets an important precedent and strengthens the protection afforded by consumer protection law to minors who enter into professional service contracts, whether in sport or elsewhere.Continue Reading CJEU Rules on Fairness of Remuneration Clause in Sports Contract