On April 21, 2025, the Federal Trade Commission (FTC) announced that it had filed a complaint against Uber Technologies, Inc. and Uber USA LLC (collectively, Uber), a rideshare and delivery company. Among other things, the FTC alleges in its complaint that Uber violated Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA) by charging consumers for its Uber One subscription service without their consent and making it difficult for users to cancel the service despite its “cancel anytime” promises.Continue Reading FTC Files Consumer Protection Complaint Against Uber for Deceptive Billing and Cancellation Practices
The UK’s Online Child Safety Duties Are Coming into Force: Steps to Take Now
On April 24, 2025, the UK’s Office of Communications, commonly known as Ofcom—the regulator responsible for enforcing the UK’s Online Safety Act (OSA)—issued its Protecting Children from Harm Online Statement. The statement requires online services to conduct and document a children’s risk assessment in accordance with the OSA by July 24, 2025. Services will be required to implement measures to protect children from content that is harmful to them by July 25, 2025.Continue Reading The UK’s Online Child Safety Duties Are Coming into Force: Steps to Take Now
CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations
On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.Continue Reading CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations
Utah Enacts Mental Health Chatbot Law
On March 25, 2025, Utah Governor Spencer Cox signed HB 452, which establishes new rules for the use of artificial intelligence (AI) mental health chatbots accessible to any “Utah user,” defined as, “an individual located in the state at the time the individual accesses or uses a mental health chatbot.” Digital health companies and AI chatbot providers should take note of this new law to ensure compliance with its requirements.Continue Reading Utah Enacts Mental Health Chatbot Law
UK Regulator Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack
On March 27, 2025, the Information Commissioner’s Office (ICO) announced a fine of 3 million GBP (3.9 million USD) against a software provider (the company) for security deficiencies following a ransomware incident (e.g., lack of multi-factor authentication (MFA)). This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). This post provides an overview of the decision and outlines the key points companies should consider, including the security measures the ICO expects them to implement.Continue Reading UK Regulator Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack
EU Data Act Imposes New Data Sharing Obligations
As of September 12, 2025, the EU Data Act will impose new obligations concerning the sharing of, and access to, data generated by certain products and services offered in the EU. This alert highlights the data sharing obligations for providers of connected devices and related services.Continue Reading EU Data Act Imposes New Data Sharing Obligations
Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer
On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their out-opt rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.Continue Reading Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer