On March 12, 2025, the California Privacy Protection Agency (CPPA) announced a settlement with American Honda Motor Co. (Honda) over alleged violations of the California Consumer Privacy Act (CCPA). The CPPA investigated Honda as part of its investigative sweep into the data privacy practices of connected vehicles and related technologies, announced in July 2023. The CPPA specifically alleged, among other things, that Honda engaged in practices that made it difficult for Californians to exercise their out-opt rights and shared consumers’ personal information with ad tech service providers without proper contractual protections.Continue Reading Lessons from the CPPA’s $632,500 Settlement with Connected Vehicle Manufacturer

On March 7, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss its proposed data broker regulations concerning the Delete Request and Opt-Out Platform (DROP) and voted to authorize CPPA staff to advance the regulations to formal rulemaking. As mandated by the Delete Act (discussed in a previous alert), the DROP will allow California residents to submit a single request to delete all personal information held by all data brokers operating in the state via an accessible mechanism. Data brokers would be required to access the DROP for updates every 45 days and delete the personal information of any state resident that matched the data broker’s records unless a deletion exception set forth in the California Consumer Privacy Act (CCPA) applies. These regulations also follow the CPPA’s November 2024 meeting, during which CPPA staff provided an update on the development of the DROP.Continue Reading CPPA Votes Out Proposed Delete Request and Opt-Out Platform (DROP) Data Broker Regulations

On February 11, 2025, the European Data Protection Board (EDPB) adopted a statement (Statement) on age assurance. The Statement comes at a formative time in the development of age assurance practices, as EU and UK regulatory frameworks increasingly require companies to take steps to identify and protect child users of online services. The Statement outlines key privacy principles that should be followed when developing and deploying age assurance processes, together with the risks to individuals’ rights that can arise.Continue Reading European Privacy Regulators Issue Guidance on Age Assurance

On February 4, 2025, the European Commission (EC) issued draft guidelines clarifying the AI practices that are prohibited under the European Union’s (EU) Artificial Intelligence (AI) Act. While non-binding, the guidelines offer valuable clarifications and practical examples to help businesses navigate their obligations under the AI Act. The EC has approved the draft guidelines, but is still to formally adopt them, which is expected in the near term.Continue Reading EU Commission Issues Guidelines on Prohibited AI Practices Under EU AI Act

We are less than a month into the new Trump administration and are seeing an unprecedented wave of activity and major changes at federal agencies. These changes promise to bring significant disruption to the staff and negatively impact the typical activities of numerous agencies, including the nation’s consumer protection watchdog, the Federal Trade Commission (FTC). As discussed below, we expect the impact on the FTC to be significant given the rapid and aggressive moves by the new administration. And we expect state Attorneys General (AGs) to step in to fill the gap.Continue Reading Consumer Protection Update: With Disruption at the Federal Level, State Attorneys General Are Likely to Loom Large