Data Privacy

California Attorney General Announces $530,000 CCPA Settlement with Sling TV

By Inside Global Tech on November 14, 2025

In a new post on Inside Privacy, our colleagues discuss the California Attorney General’s announcement of a $530,000 settlement with Sling TV over alleged violations of the California Consumer Privacy Act (CCPA) and Unfair Competition Law. This is the first enforcement action arising from the California Department of Justice’s (“DOJ”) investigative sweep of streaming…

ICO Fines Capita £14 Million Over 2023 Data Breach

By Inside Global Tech on October 17, 2025

Posted in Cybersecurity, Data Privacy, United Kingdom

In a new post on the Inside Privacy blog, our colleagues discuss a recent £14 million fine imposed by the UK Information Commissioner’s Office against Capita following a data breach caused by a cyber attack.

Navigating California’s New and Emerging AI Employment Regulations

By Lindsey Tonsager, Carolyn Rashby, Michelle York & Bryan Ramirez on October 1, 2025

Posted in Artificial Intelligence (AI), Data Privacy, Emerging Technologies, Employment, Privacy & Data Security, Technology

The California Civil Rights Council and the California Privacy Protection Agency have recently passed regulations that impose requirements on employers who use “automated-decision systems” or “automated decisionmaking technology,” respectively, in employment decisions or certain HR processes. On the legislative side, the California Legislature passed SB 7, which would impose additional obligations on employers who…

FTC Takes Aim at Online Lead Generator

By Inside Global Tech on September 1, 2025

Posted in Data Privacy, FTC, Privacy & Data Security

In a new post on the Covington Inside Privacy blog, our colleagues provide an overview of the Federal Trade Commission’s (“FTC”) $45 million settlement with online lead generator MediaAlpha, Inc. and its subsidiary QuoteLab, LLC (collectively, “MediaAlpha”), resolving allegations that the companies, among other things, tricked consumers into sharing sensitive personal information under the guise…

The ICO’s AI and biometrics strategy

By Madelaine Harrington & Stacy Young on July 11, 2025

Posted in Artificial Intelligence (AI), Data Privacy, United Kingdom

On June 5, 2025, the UK’s Information Commissioner’s Office (“ICO”) launched its new AI and biometrics strategy. The strategy aims to increase its scrutiny of AI and biometric technologies focusing on three priority situations, namely where: stakes are high; there is clear public concern for the technology; and regulatory clarity can provide immediate impact.

The ICO identified three areas of focus in its strategy:

Transparency and explainability, i.e., when and how the technologies affect people;
Bias and discrimination, particularly where the technologies have been trained on “flawed, incomplete or unrepresentative information”; and
Rights and redress, i.e., making sure that systems are accurate, appropriate safeguards are in place to protect people’s rights, and that there are ways to challenge and correct outcomes that result in harm.

Continue Reading The ICO’s AI and biometrics strategy

Texas Enacts AI Consumer Protection Law

By Lindsey Tonsager, Jayne Ponder & August Gweon on July 1, 2025

Posted in Artificial Intelligence (AI), Biometric Information, Consumer Law, Data Privacy, Privacy & Data Security, Technology

On June 22, Texas Governor Greg Abbott (R) signed the Texas Responsible AI Governance Act (“TRAIGA”) (HB 149) into law. The law, which takes effect on January 1, 2026, makes Texas the second state to enact comprehensive AI consumer protection legislation, following the 2024 enactment of the Colorado AI Act. Unlike the…

State Legislatures Advance Surveillance Pricing Regulations

By Lindsey Tonsager, Nicholas Shepherd & August Gweon on June 23, 2025

Posted in Artificial Intelligence (AI), Consumer Law, Data, Data Privacy

This year, state lawmakers have introduced over a dozen bills to regulate “surveillance,” “personalized,” or “dynamic” pricing. Although many of these proposals have failed as 2025 state legislative sessions come to a close, lawmakers in New York, California, and a handful of other states are moving forward with a range of different approaches. These proposals…

Global CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism

By Sam Jungyun Choi, Matsumoto Ryoko & Stacy Young on June 4, 2025

Posted in Cross-Border Data Transfers, Data Privacy, Privacy & Data Security

On June 2, 2025, the Global Cross-Border Privacy Rules (“CBPR”) Forum officially launched the Global CBPR and Privacy Recognition for Processors (“PRP”) certifications. Building on the existing Asia-Pacific Economic Cooperation (“APEC”) CBPR framework, the Global CBPR and PRP systems aim to extend privacy certifications beyond the APEC region. They will allow controllers and processors to voluntarily undergo certification for their privacy and data governance measures under a framework that is recognized by many data protection authorities around the world. The Global CBPR and PRP certifications are also expected to be recognized in multiple jurisdictions as a legitimizing mechanism for cross-border data transfers.Continue Reading Global CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism

ICO announces its online tracking strategy for 2025

By Mark Young, Paul Maynard & Shona O'Donovan on February 12, 2025

Posted in Data Privacy, Online Targeting, United Kingdom

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus (others areas of focus include AI and children’s privacy). The ICO has identified four key areas of concern—all of which the ICO states mean that individuals do not have sufficient control over their personal data:

“deceptive or absent choice” regarding non-essential cookies and tracking technologies;
“uninformed choice,” which refers to organizations not providing appropriate information to individuals;
“undermined choice,” where individuals’ choices are not respected and they are surprised about how their data is used; and
“irrevocable choice,” meaning that individuals cannot effectively change their minds after they have made a choice over how their personal data is processed.

Having identified these areas of concern, the ICO states that it will take the following actions in 2025:Continue Reading ICO announces its online tracking strategy for 2025

EDPB highlights the importance of cooperation between data protection and competition authorities

By Claudia Berg, Kristof Van Quathem, Dan Cooper & Tomos Griffiths on January 31, 2025

Posted in Competition Law, Competition Law in Europe, Data Privacy, European Data Protection Board, European Union, Privacy & Data Security

On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).

In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.

Key takeaways

In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.

Continue Reading EDPB highlights the importance of cooperation between data protection and competition authorities