On April 22, 2025, the EU Commission’s AI Office published draft guidelines to clarify the obligations in the EU AI Act for providers of general-purpose AI models (guidelines). These obligations will be applicable to AI

Continue Reading EU AI Office Clarifies Key Obligations for AI Models Becoming Applicable in August

On April 21, 2025, the Federal Trade Commission (FTC) announced that it had filed a complaint against Uber Technologies, Inc. and Uber USA LLC (collectively, Uber), a rideshare and delivery company. Among other things, the FTC alleges in its complaint that Uber violated Section 5 of the FTC Act and the Restore Online Shoppers’ Confidence Act (ROSCA) by charging consumers for its Uber One subscription service without their consent and making it difficult for users to cancel the service despite its “cancel anytime” promises.Continue Reading FTC Files Consumer Protection Complaint Against Uber for Deceptive Billing and Cancellation Practices

On April 24, 2025, the UK’s Office of Communications, commonly known as Ofcom—the regulator responsible for enforcing the UK’s Online Safety Act (OSA)—issued its Protecting Children from Harm Online Statement. The statement requires online services to conduct and document a children’s risk assessment in accordance with the OSA by July 24, 2025. Services will be required to implement measures to protect children from content that is harmful to them by July 25, 2025.Continue Reading The UK’s Online Child Safety Duties Are Coming into Force: Steps to Take Now

On April 4, 2025, the California Privacy Protection Agency (CPPA) Board met to discuss the latest draft California Consumer Privacy Act (CCPA) regulations related to cybersecurity audits, risk assessments, automated decision-making technology (ADMT), and an assortment of other updates to existing regulations. These revisions come after the CPPA first released draft regulations on these topics in July 2024 and initiated the formal rulemaking in November 2024, as analyzed in a prior alert. The board meeting turned out to be quite contentious, with board member Alastair Mactaggart emphasizing some of the serious concerns raised in the unusually large volume of public comments—totaling 630 comments and 1,664 pages of feedback—expressing his own concerns that those comments lay out “the very explicit blueprints” for others to challenge the constitutionality of the draft regulations. Ultimately, the Board provided extensive feedback on the draft regulations to CPPA staff, going beyond the issues that staff had prepared for discussion.Continue Reading CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations

On March 25, 2025, Utah Governor Spencer Cox signed HB 452, which establishes new rules for the use of artificial intelligence (AI) mental health chatbots accessible to any “Utah user,” defined as, “an individual located in the state at the time the individual accesses or uses a mental health chatbot.” Digital health companies and AI chatbot providers should take note of this new law to ensure compliance with its requirements.Continue Reading Utah Enacts Mental Health Chatbot Law

On March 27, 2025, the Information Commissioner’s Office (ICO) announced a fine of 3 million GBP (3.9 million USD) against a software provider (the company) for security deficiencies following a ransomware incident (e.g., lack of multi-factor authentication (MFA)). This is the first time the ICO has fined a processor under the UK’s General Data Protection Regulation (GDPR). This post provides an overview of the decision and outlines the key points companies should consider, including the security measures the ICO expects them to implement.Continue Reading UK Regulator Issues Three Million GBP Monetary Penalty in Connection with Ransomware Attack