
We’ve compiled the latest in Data Protection and Privacy news for your convenience below.
1) Newly Published Documentation
🇬🇧 United Kingdom – ICO Clarified Storage and Access Technology Rules
The ICO clarified that PECR rules apply to all information, not just personal data, and maintained that storage or access must be essential to provide requested services. Legitimate interest cannot be used for non-exempt technologies and consent is required.
🇮🇹 Italy – Garante Approved IT-Wallet System Draft Decrees
The Italian data protection authority issued a favorable opinion on draft decrees for the Italian Digital Wallet System (in Italian), which incorporates Privacy by Design and by Default principles aligned with GDPR Article 25 requirements.
🇪🇺 European Union – EDPB Published DSA-GDPR Guidelines
The European Data Protection Board adopted guidelines 3/2025 on the interplay between the Digital Services Act and GDPR, covering illegal content detection, advertising transparency, and systemic risk management amongst others. Public consultation runs until October 31, 2025.
🇺🇸 USA (California) – Multi-State Privacy Enforcement Sweep Targets Opt-Out Compliance
The California Privacy Protection Agency and attorneys general from California, Colorado, and Connecticut launched an investigative sweep examining business compliance with consumers’ right to opt out of personal data sales. The enforcement action specifically focuses on adherence to Global Privacy Control signals and proper handling of consumer opt-out requests across participating states.
2) Notable Case Law
🇫🇮 Finland – S-Bank Fined €1.8 Million for Security Breach
S-Bank received a €1.8 million fine for GDPR violations (in Finnish) after a security flaw allowed customers to log into online banking using other customers’ credentials between April and August 2022.
🇫🇷 France – Google and SHEIN Fined
France’s CNIL imposed €325 million total penalties on Google entities for unauthorized advertising practices. Google LLC was fined €200 million while Google Ireland Limited faced €125 million for Gmail advertisement deployment without consent and improper cookie placement affecting over 74 million French users. Compliance requirements include practice cessation within six months or additional sanctions.
CNIL separately sanctioned SHEIN with a €150 million penalty for cookie compliance failures (in French). Violations encompassed unauthorized tracker deployment, incomplete consent banners lacking advertising purpose disclosure, insufficient third-party identification at secondary information levels, and faulty consent withdrawal mechanisms where trackers were not removed, as well as tracker operations that continued despite user refusal.
3) New and Upcoming Legislation
🇵🇱 Poland – Data Act Implementation Framework Advanced
Poland’s Draft Act on Fair Access to and Use of Data (in Polish) progressed, designating the Office of Electronic Communications as the enforcement authority. The Council of Ministers expects adoption in Q4 2025.
🇺🇸 USA (California) – Opt Me Out Act Passed Legislature
Assembly Bill 566 passed, requiring businesses to develop browsers with opt-out preference signal functionality and clearly disclose how these signals work and their intended effects on data processing.
🇺🇸 USA (Colorado) – EPIC Submitted CPA Amendment Comments
The Electronic Privacy Information Center (EPIC) supported expanding sensitive data definitions and recommended opt-in consent for features extending minors’ engagement, while proposing clarifications on content moderation requirements.
🇺🇸 USA (New Jersey) – Privacy Groups Urged Robust NJDPA Rules
EPIC and the Consumer Federation of America recommended that the Division of Consumer Affairs adopt strong privacy rules including data minimization provisions and stricter standards for minors’ data.
4) Strong Impact Tech
🇺🇸 USA – FTC Launched AI Chatbot Inquiry
The Federal Trade Commission initiated an investigation into AI chatbots from seven companies including Alphabet, Meta, and OpenAI, examining COPPA compliance and impacts on children and teens.
🇪🇺 European Union – ASML Invested €1.3 Billion in Mistral AI
Politico reported that Dutch chip tool-maker ASML announced a major investment in French AI company Mistral, supporting Europe’s technological sovereignty goals and helping compete with American AI companies like OpenAI and Anthropic.
Other key information from the past weeks
🇦🇹 Austria – YouTube Data Access Request Decision
Austria’s data protection authority ordered Google’s YouTube to comply with the GDPR following complaint proceedings instituted by noyb (in German). The regulator determined that Google LLC provided inadequate access request responses by withholding processing purposes, retention periods, recipient information, and tracking cookie details. These failures resulted in a violation of the transparency obligations under Articles 12 and 15 GDPR.
🇺🇸 USA – Disney Children’s Privacy Settlement
Disney agreed to a $10 million COPPA settlement for unlawful YouTube data collection from children under 13. The US Federal Trade Commission alleged Disney mislabeled child-directed videos as “Not Made for Kids,” enabling targeted advertising without parental consent, violating federal privacy protections.
🇺🇸 USA – YouTube Children’s Privacy Settlement
Google and YouTube agreed to a $30 million COPPA settlement resolving California Federal Court children’s privacy litigation from October 2019. The agreement addresses unauthorized data collection from minors, including persistent identifiers, IP addresses, device information, and location data, without parental consent, and establishes $30-$60 individual payment ranges for affected children.
