Advertising & Marketing

On 29 April 2026, the UK Information Commissioner’s Office (“ICO”) updated its guidance on the use of storage and access technologies (i.e., cookies and other technologies that store or access information stored on users’ devices) under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”). These updates follow on the heels of two public consultations about the clarity of this guidance. We set out details of three of the most relevant updates for private companies below.

Perhaps the most interesting element of the updated guidance, however, is an indication that the ICO is intending to follow through on its plan to enable the use of information storage / access technologies for “privacy-preserving” advertising purposes without consent. The ICO has not made explicit changes to its guidance, and the consultation response reiterates that the use of information storage / access technologies for online advertising—including related activities like frequency capping and ad measurement—currently requires consent under Regulation 6 of PECR. However, the ICO states that it will soon submit evidence to the UK Government on advertising-related activities that could be exempt from the PECR consent requirement, which the Government may then use to amend PECR to introduce statutory exemptions. It remains to be seen what the ICO will propose, but this could make it easier to engage in certain ad-related activities in the UK.

Continue Reading Three notable changes to the UK ICO’s guidance on cookies, and a hint of a more permissive approach to advertising cookies in the future

The Washington Supreme Court’s decision in Brown v. Old Navy LLC, 4 Wash.3d 580 (2025) has sparked a wave of putative class actions under Washington’s Commercial Electronic Mail Act (“CEMA”), targeting allegedly misleading email subject lines used by national retailers. In the months since, defendants have increasingly turned to constitutional and federal preemption defenses in an effort to stem this growing tide of litigation. To date, however, those arguments have gained little traction. Several district court decisions have denied defendants’ motions to dismiss on these grounds.

Continue Reading District Courts Appear Skeptical of CAN‑SPAM Preemption and Constitutional Challenges to CEMA

On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.

Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm

A Washington State Supreme Court decision last spring that construed that state’s Commercial Electronic Mail Act (“CEMA”) to broadly prohibit any misleading information in retailers’ email subject lines has opened the floodgates to similar state spam claims. In the past six months, there have been eight putative class action complaints

Continue Reading Recent Class Actions Under State Anti-Spam Laws Target Retail Email Marketing Practices and Raise Questions about CAN-SPAM Act Preemption

On August 7, 2025, the Federal Trade Commission (“FTC”) announced a $45 million settlement with online lead generator MediaAlpha, Inc. and its subsidiary QuoteLab, LLC (collectively, “MediaAlpha”), resolving allegations that the companies misled consumers seeking health insurance products. According to the FTC, MediaAlpha tricked consumers into sharing sensitive personal information under the guise of offering health insurance options through their lead generation sites. MediaAlpha allegedly then used that data for abusive telemarketing, including calling numbers on the National Do Not Call Registry. The FTC also alleged that MediaAlpha auctioned off consumers’ information to third-party lead generators and telemarketers, who similarly used that data to make illegal telemarketing calls.

Continue Reading FTC Takes Aim at Online Lead Generator

In July, the Federal Trade Commission (“FTC”) announced that telemedicine company NextMed agreed to pay $150,000 to settle charges that it deceptively advertised its GLP-1 weight-loss membership programs to consumers. The FTC’s complaint alleged a host of deceptive practices under Sections 5 and 12 of the FTC Act, including making unsubstantiated weight-loss claims, disseminating fake testimonials and consumer reviews, failing to adequately disclose the terms of its memberships, and purposefully making it difficult for consumers to cancel their memberships.

Continue Reading FTC Targets Weight-Loss Membership Program

With the Trump administration’s renewed focus on American manufacturing, FTC Chairman Andrew N. Ferguson’s recent declaration that July 2025 is “Made in the USA” Month appears to signal a renewed emphasis on Made in USA enforcement. The FTC has a long history of scrutinizing these claims, and the more recently issued Made in USA Rule sets strict compliance standards with the threat of significant monetary penalties for non-compliance. And while Chairman Ferguson’s statement nods to the importance of preventing deception in this area, it emphasizes that advertisers should be making Made in USA claims whenever they are appropriate.

Continue Reading FTC Declares July as “Made in the USA” Month

This year, state lawmakers have introduced over a dozen bills to regulate “surveillance,” “personalized,” or “dynamic” pricing.  Although many of these proposals have failed as 2025 state legislative sessions come to a close, lawmakers in New York, California, and a handful of other states are moving forward with a range

Continue Reading State Legislatures Advance Surveillance Pricing Regulations

Personalized advertising and pricing are increasingly common online practices, and prompt discussions about fairness and consumer rights in the EU.  This post examines how these practices are regulated under EU consumer protection law, and what we anticipate from the forthcoming Digital Fairness Act (DFA).  We also consider how data protection rules—such as the GDPR—interact with consumer protection laws.

This is the third post in our series on the DFA—a draft EU law currently being prepared by the European Commission and expected to be published in mid-2026.  Previous posts covered influencer marketing and AI chatbots in consumer interactions.

Continue Reading Digital Fairness Act Series — Topic 3: Personalized Advertising and Pricing

On May 9, 2025, the FTC announced that it is deferring the compliance deadline for the Negative Option Rule by 60 days to July 14.  This announcement came five days before the original compliance date for the majority of the Rule’s provisions.  All three Commissioners voted in favor of the deferral.

Continue Reading FTC Delays Negative Option Rule Compliance Date to July 14