France’s CNIL established comprehensive standards for analytics providers seeking consent exemptions under GDPR. The framework mandates exclusive use for anonymous traffic measurement without cross-domain tracking or profile matching. Key requirements include transparent user notifications, 13-month tracking limits, 25-month data retention periods, and regular assessment cycles. Third-party vendors may conduct comparative studies when maintaining isolated data collection systems per publisher client. Read the guidance here (in French) →
The UK’s Information Commissioner’s Office has launched two public consultations on digital privacy. The first covers revised storage and access technology guidance incorporating Data (Use and Access) Act 2025 amendments, specifying five consent exceptions under PECR including transmission facilitation and essential services. Organizations must align activities with specified purposes and obtain consent for expanded usage. Access the storage guidance here → The second consultation reviews online advertising enforcement, examining when low privacy-risk advertising might proceed without consent, though behavioral profiling will still require explicit consent. Consultation periods end August 29 and September 26, 2025 respectively. Learn more about advertising enforcement here →
The European Data Protection Board and European Data Protection Supervisor released a joint opinion on the Commission’s GDPR amendment proposal within the fourth simplification Omnibus package. The proposal extends small-medium enterprise provisions to small mid-cap enterprises while introducing additional administrative burden reductions. Notably, the amendment would modify Article 30(5) GDPR record-keeping obligations, providing expanded derogations for processing documentation requirements. View the opinion here →
Germany’s Federal Network Agency established an AI service desk providing practical implementation guidance for EU Artificial Intelligence Act compliance. The platform features an interactive assessment tool helping organizations determine AI Act applicability, transparency requirements, and risk categorization for their systems. The service includes comprehensive FAQ resources supporting the Agency’s enforcement responsibilities under the new regulation. Check it out (in German) →
2) Notable Case Law
Italy’s Garante imposed a €45,000 penalty on Noi Compriamo Auto.it S.r.l. for unlawful marketing and data processing following a consumer complaint regarding unwanted communications and delayed rights response. The investigation identified several GDPR violations including insufficient technical safeguards, absent legal basis for processing, and inadequate data subject rights facilitation. The Garante also referred to the acquisition of consent in double opt-in mode for direct email marketing, to better confirm the subscriber’s intention of the receipt of same. Get the details (in Italian) →
Connecticut’s Attorney General secured USD 85,000 (approximately €78,000) settlement with TicketNetwork, Inc. for alleged Connecticut Data Privacy Act violations. The enforcement action followed the company’s failure to remedy deficient privacy notices featuring unreadable content and malfunctioning data subject rights mechanisms despite receiving November 2023 cure notice. The settlement mandates CTDPA compliance including data subject request metrics maintenance and regular reporting to the Attorney General.Read the details here →
3) New and Upcoming Legislation
California’s Assembly reintroduced Assembly Bill 566 (formerly AB 3048) mandating mobile operating systems integrate opt-out preference signal settings for consumer privacy protection. The legislation defines browser, mobile operating system, and opt-out preference signal parameters under California Consumer Privacy Act amendments. The bill advanced through Privacy and Consumer Protection, Appropriations, and Judiciary committee stages, receiving Senate Judiciary recommendation for passage.Track the Bill →
Pennsylvania introduced House Bill 1559 requiring employers provide advance written notification for electronic employee monitoring activities, excluding security surveillance in shared spaces. The legislation defines electronic monitoring as information collection through non-direct observation methods, with exceptions for suspected legal violations or hostile workplace situations. Violations carry USD 500-5,000 (approximately €460-4,600) penalties alongside private enforcement options, effective 60 days post-enactment.Follow the Bill here →
4) Strong Impact Tech
Missouri Attorney General Andrew Bailey initiated investigation into AI chatbot bias and misinformation by Google, Microsoft, OpenAI, and Meta platforms. The inquiry examines ChatGPT, Meta AI, Microsoft Copilot, and Gemini for alleged historical inaccuracies and misleading responses under Missouri Merchandising Practices Act provisions. Companies must explain algorithmic bias mechanisms, provide internal input selection records, and clarify founding-era inaccuracies while ensuring accurate, unbiased information delivery. Read more →
European corporate leaders from 40+ companies including ASML, Philips, Siemens, and Mistral petitioned Commission President von der Leyen for two-year AI Act implementation delay. The executives requested postponement of August 2026 high-risk AI system obligations and August 2025 general-purpose AI model requirements, citing implementation complexity and rule simplification needs. However, Commission spokesperson Thomas Regnier confirmed no grace period extensions, maintaining August 2026 deadlines while discussing voluntary code initiatives and administrative burden reductions.View the report here →
Other key information from the past weeks
European privacy advocacy group noyb filed a complaint against dating platform Bumble with Austria’s Data Protection Authority regarding AI-powered conversation features. The challenge targets Bumble’s “Opening Moves” functionality for processing user profiles, photographs, and personal information through artificial intelligence without adequate GDPR legal basis. The complaint alleges transparency violations and inadequate user consent mechanisms for automated decision-making processes. See the full story →
CNIL has opened a public consultation on draft guidelines for email tracking pixels, highlighting that the GDPR requires recipient consent for purposes like marketing and personalization. The draft clarifies that senders act as data controllers, while email service providers function as processors or sub-processors. CNIL recommends the use of clear, purpose-specific consent that can be withdrawn anytime, and stresses the importance of retaining proof of consent. Consultation period ends July 24, 2025. Read the guidance here (in French) →
Denmark implemented facial copyright protections enabling individuals to claim copyright over their likeness as deepfake countermeasure. The legislation grants people legal ownership of their facial features for protection against unauthorized artificial intelligence manipulation and synthetic media creation. The framework establishes precedent for personal biometric data ownership within European privacy law contexts.Explore more →
