September 2025

On September 12, 2025, the European Data Protection Board (EDPB) adopted guidelines (Guidelines) on the interplay between the EU Digital Services Act (DSA) and the General Data Protection Regulation (GDPR). The Guidelines seek to clarify the data protection issues that regulated online services should take into account when seeking to comply with their obligations under the GDPR.Continue Reading EDPB Issues First Guidelines on the Interplay Between the Digital Services Act and the GDPR

Effective September 12, 2025, the EU Data Act introduced new rules on access to and sharing of data from certain products and services in business-to-consumer (B2C), business-to-business (B2B), and business-to-government (B2G) contexts. This alert highlights the key obligations. The EU Data Act applies to any business offering products or services in the EU, regardless of its location.Continue Reading EU Data Act Enters into Force

On September 9, 2025, the attorneys general of California, Colorado, and Connecticut and the California Privacy Protection Agency (CPPA) announced a joint investigative sweep of potential failures by businesses to honor consumers’ rights to opt

Continue Reading State AGs Unveil Investigation Sweep Targeting Businesses Ignoring Consumer Opt-Out Signals

On August 11, 2025, the U.S. District Court for the Northern District of California denied a motion to dismiss a California Invasion of Privacy Act (CIPA) class action lawsuit filed against ConverseNow Technologies, Inc. ConverseNow

Continue Reading U.S. Federal Court Allows CIPA Class Action Against AI Customer Service Provider to Proceed

On September 3, 2025, the EU General Court (the General Court) (the second-highest court in the European Union (EU)) upheld the validity of EU-U.S. Data Privacy Framework (DPF) in Philippe Latombe v European Commission (T-553/23).

Continue Reading EU Court Upholds the Validity of the EU-U.S. Data Privacy Framework