DPO Newsletter: Global Data Protection & Privacy News (issue #142)

We’ve compiled the latest in Data Protection and Privacy news for your convenience below.

1) Newly Published Documentation

  • The French CNIL published an updated version of its recommendations for mobile apps. The recommendations aim to help app publishers, developers and providers to comply with the GDPR. Access it here (in French) →
  • The CNIL also published the results of its sandbox on AI and public services. The results highlight that AI tools are not prohibited under the GDPR, as long as they don’t result in significant legal effects. Read more here (in French) →
  • The Norwegian Datatilsynet launched an audit of a number of selected websites that use tracking tools. These websites were selected based on their activities, such as services for children, health services, associations for disadvantaged groups, and public businesses. The aim of the audit is to determine whether these websites share sensitive personal information with Big Tech companies. Learn more here (in Norwegian) →
  • A joint letter was submitted to the House Committee on Energy & Commerce’s Privacy Working Group by the California Privacy Protection Agency and the New Jersey Attorney General. In the letter, they advocate for a federal data privacy law that sets the bar and would also allow states to implement stronger individual measures. Access the letter here →

2) Notable Case Law

  • Aylo Freesites Ltd was fined €58,400 by the Commissioner for Personal Data Protection in Cyprus following an inspection that revealed GDPR violations. The company was using cookies unlawfully and did not comply with the principles of accountability and transparency. Access the Authority’s decision here (in Greek) →
  • The Dutch data protection authority investigated five organizations for non-compliant cookie banners. The organizations were hiding the “Reject” button, pre-checking consent options, and placing cookies without consent or despite refusal. Read more here (in Dutch) →
  • The Dutch Data Protection Authority also sent a letter to 50 organizations, requesting them to fix their cookie banner and to stop the intrusive tracking of visitors. These organizations have 3 months to fix the issue, or they risk a fine. More details here (in Dutch) →

3) New and Upcoming Legislation

  • Texas: House Bill 5495 has passed its first reading and has since been referred to the House Trade, Workforce, and Economic Development Committee. It mandates the use of global privacy controls to protect consumer data. The Bill requires browsers to comply with these controls, with penalties for violations. Access the Bill here →
  • Utah: The Utah App Store Accountability Act has been signed. The Act requires app store providers to verify users’ ages and obtain parental consent for minors under 18 before allowing account creation, app downloads, and purchases. Follow the progress of the law here →
  • Oklahoma: Senate Bill No. 546 has passed its first reading in the House. The Bill aims to establish a comprehensive data privacy framework and, if it goes through, should take effect on January 1, 2026. Access it here →

4) Strong Impact Tech

  • The European Data Protection Board published a report on AI privacy risks and mitigations for Large Language Models (LLMs). The report provides a risk management methodology for identifying, assessing, and mitigating privacy risks. It also underlines the importance of monitoring the AI life cycle. Access the report here →
  • The UK Department for Science, Innovation and Technology published the Cyber Governance Code of Practice, to help companies manage cyber risks. The code also includes a training program and toolkit for practical guidance. Read more here →

Other key information from the past weeks

  • The French Competition Authority fined Apple €150 million for the implementation of App Tracking Transparency (ATT) systems. Read more →
  • The Italian Garante fined Energia Pulita S.r.l. €300,000 for GDPR violations, after receiving more than 80 complaints related to unwanted marketing calls. More details →
  • The Norwegian Data Protection Authority released a guide on how businesses can obtain cookie consent in line with the GDPR. Access it here →

About us

iubenda

Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.

www.iubenda.com