Data Privacy

Vermont recently enacted two privacy bills to regulate health-related information. These include H.639, a genetic privacy bill regulating direct-to-consumer genetic testing companies, and the Vermont Data Privacy and Online Surveillance Act (S.71), a comprehensive privacy law that extends heightened protections to “consumer health data.” You can read our full

Continue Reading Vermont Enacts Privacy Legislation to Regulate Health-Related Information

On May 26, 2026, the French data protection authority (“CNIL”) published updated versions of its Reference Methodology 001 (“MR-001”, available here in French) and Reference Methodology 003 (“MR-003”, available here in French), two key frameworks governing the processing of personal data in the context of health research.

Continue Reading CNIL Updates Two Standards For Health Research (MR-001 and MR-003)

On April 17, 2026, the Italian data protection authority (the “Garante”) published Provision No. 284 setting out guidelines on the use of “tracking pixels” in emails (the “Guidelines”). This publication closely follows the recommendation issued by the French data protection authority on the same topic, which is discussed in a

Continue Reading Italian DPA Publishes Guidelines on Email Tracking Pixels
On 29 April 2026, the UK Information Commissioner’s Office (“ICO”) updated its guidance on the use of storage and access technologies (i.e., cookies and other technologies that store or access information stored on users’ devices) under Regulation 6 of the Privacy and Electronic Communications Regulations 2003 (“PECR”). These updates follow on the heels of two public consultations about the clarity of this guidance. We set out details of three of the most relevant updates for private companies below. Perhaps the most interesting element of the updated guidance, however, is an indication that the ICO is intending to follow through on its plan to enable the use of information storage / access technologies for “privacy-preserving” advertising purposes without consent. The ICO has not made explicit changes to its guidance, and the consultation response reiterates that the use of information storage / access technologies for online advertising—including related activities like frequency capping and ad measurement—currently requires consent under Regulation 6 of PECR. However, the ICO states that it will soon submit evidence to the UK Government on advertising-related activities that could be exempt from the PECR consent requirement, which the Government may then use to amend PECR to introduce statutory exemptions. It remains to be seen what the ICO will propose, but this could make it easier to engage in certain ad-related activities in the UK. Continue Reading Three notable changes to the UK ICO’s guidance on cookies, and a hint of a more permissive approach to advertising cookies in the future

On April 1, 2026, the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024. This decision limits the potential statutory damages plaintiffs may obtain for pending BIPA cases.

Continue Reading Seventh Circuit Holds that BIPA Amendment Applies Retroactively

U.S. state lawmakers have introduced more than 40 bills across at least 24 states to regulate personalized algorithmic pricing in 2026 thus far, already outpacing the number of personalized algorithmic pricing bills introduced in all of 2025.  While their definitions and scope vary, the 2026 bills broadly refer to “personalized

Continue Reading State Lawmakers Introduce New Wave of Personalized Algorithmic Pricing Bills

On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24).  The case concerns the GDPR right of access and the conditions for claiming damages.  In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access.

Continue Reading EU Court Defines Limits to the GDPR Right of Access

On March 12, 2026, the Italian Data Protection (“Garante”) adopted a decision concerning the transfer of personal data of banking customers from Intesa Sanpaolo S.p.A. (the “Bank”) to Isybank S.p.A., a newly established digital bank within the same corporate group.  The Garante found that the Bank’s processing in connection with the transfer of approximately 2.4 million customers to Isybank was unlawful.

We set out the decision’s key findings below.

Continue Reading Italian DPA Fines Bank over the Transfer of Customer Data in the Context of a Corporate Transaction

On March 2, 2026, the UK Department for Science, Innovation and Technology (“DSIT”) launched its consultation, titled “Growing up in the online world: a national conversation”. The consultation is open until 26 May 2026, after which the government will publish a summary of responses and its proposed approach. DSIT has indicated that it intends to move quickly on the consultation’s findings, drawing on newly granted powers that allow for accelerated implementation of online safety measures.

The consultation seeks views on a wide range of potential measures to strengthen children’s safety and wellbeing online, including more robust age‑assurance mechanisms, a statutory minimum age for social media, raising the UK’s age of digital consent, restrictions on certain features (such as livestreaming and disappearing messages), and new obligations for AI chatbots and generative‑AI services.

DSIT’s proposals could significantly expand regulatory expectations beyond the Online Safety Act 2023 (“OSA”)—including potential age‑based access limits (including differing safeguards as between teens and younger children), feature‑level restrictions, and enhanced duties for AI‑enabled services. Early engagement will be important to ensure that the government takes account of the views of affected service providers and understands the operational and technical implications of the measures proposed.

Continue Reading UK Government Launches Consultation on Children’s Online Experiences, Including New Obligations for AI