The Garante has launched a public consultation to assess the legality of the “pay or consent” model. The consultation will assess whether consent under this model can be considered free, while avoiding any drastic measures that could disrupt the current market. Stakeholders can submit feedback until June 28, 2025. Learn more here (in Italian) →
The Spanish AEPD has launched its virtual assistant – Ayuda – that answers the most frequently asked questions regarding data protection and privacy. Access it here (in Spanish) →
The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have endorsed the European Commission’s proposal to simplify record-keeping obligations. The proposal extends exceptions to small and mid-sized companies, as well as non-profits with fewer than 500 employees. Learn more here →
The European Data Protection Board issued an opinion on the European Commission’s proposal to extend the validity of the UK’s adequacy decisions under the GDPR and the Law Enforcement Directive (LED), which are set to expire on June 27, 2025. The opinion focuses only on the proposed 6-month extension and does not assess the level of protection for personal data in the UK. Access it here →
2) Notable Case Law
The California Privacy Protection Agency fined Todd Snyder, Inc. $345,178 for violating the California Consumer Privacy Act by mishandling consumer opt-out requests and requiring excessive verification. The company used third-party tracking software and sold personal data without allowing consumers to opt out properly. Access the press release here →
Italy’s Garante fined Acea Energia S.p.A. together with other companies €3.85 million for GDPR violations linked to illegal telemarketing practices. The investigation uncovered the use of illegally obtained contact lists leading to unauthorized promotional calls and insufficient data protection measures. Learn more here (in Italian) →
3) New and Upcoming Legislation
United Kingdom: The Data (Use and Access) Bill passed its third reading in the House of Commons, outlining legitimate reasons for data processing, such as national security and crime prevention. Follow the progress of the Bill here →
Montana: Montana’s recently signed Senate Bill 297, revises privacy laws by adding definitions for ‘adult’ and ‘minor’ and introducing the concept of ‘heightened risk of harm to minors.’ The bill requires controllers to disclose data processing for targeted advertising and provide opt-out options. Follow the Bill here →
Virginia: Virginia’s recently signed Senate Bill 854, regulates minors’ use of social media by banning addictive feeds and limiting usage to one hour per day, starting January 1, 2026. The bill defines a minor as anyone under 16 and outlines requirements for controllers and processors, including age verification and parental control over time limits. Access the Bill here →
4) Strong Impact Tech
The National Cyber Security Centre and the Department for Science, Innovation and Technology of the UK have published the Software Security Code of Practice to reduce software supply chain attacks and improve software resilience. Access it here →
The Verbraucherzentrale North Rhine-Westphalia (Consumer Advice Centre) has formally requested that Meta halt its plans to use personal data for AI training in the EU and is considering legal action if the company does not comply. Learn more here (in German) →
Other key information from the past weeks
The European Commission fined Apple €500 million and Meta €200 million for breaching the Digital Markets Act. Learn more →
Following an inquiry into transfers of EEA user data to China, the Irish Data Protection Commission fined TikTok €530 million and ordered corrective measures within 6 months. More details →
Meta plans to restart AI training using publicly available data from EEA Facebook and Instagram users, including historical and future posts, photos, and comments from users over 18 years old. Learn more →
