This year, state lawmakers have introduced over a dozen bills to regulate “surveillance,” “personalized,” or “dynamic” pricing. Although many of these proposals have failed as 2025 state legislative sessions come to a close, lawmakers in New York, California, and a handful of other states are moving forward with a range of different approaches. These proposals
Continue Reading State Legislatures Advance Surveillance Pricing RegulationsGlobal CBPR and PRP Certifications Launched: A New International Data Transfer Mechanism
On June 2, 2025, the Global Cross-Border Privacy Rules (“CBPR”) Forum officially launched the Global CBPR and Privacy Recognition for Processors (“PRP”) certifications. Building on the existing Asia-Pacific Economic Cooperation (“APEC”) CBPR framework, the Global CBPR and PRP systems aim to extend privacy certifications beyond the APEC region. They will allow controllers and processors to voluntarily undergo certification for their privacy and data governance measures under a framework that is recognized by many data protection authorities around the world. The Global CBPR and PRP certifications are also expected to be recognized in multiple jurisdictions as a legitimizing mechanism for cross-border data transfers.
Continue Reading Global CBPR and PRP Certifications Launched: A New International Data Transfer MechanismICO announces its online tracking strategy for 2025
The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”
Online advertising is one of the ICO’s current areas of strategic focus (others areas of focus include AI and children’s privacy). The ICO has identified four key areas of concern—all of which the ICO states mean that individuals do not have sufficient control over their personal data:
- “deceptive or absent choice” regarding non-essential cookies and tracking technologies;
- “uninformed choice,” which refers to organizations not providing appropriate information to individuals;
- “undermined choice,” where individuals’ choices are not respected and they are surprised about how their data is used; and
- “irrevocable choice,” meaning that individuals cannot effectively change their minds after they have made a choice over how their personal data is processed.
Having identified these areas of concern, the ICO states that it will take the following actions in 2025:
Continue Reading ICO announces its online tracking strategy for 2025EDPB highlights the importance of cooperation between data protection and competition authorities
On 16 January 2025, the European Data Protection Board (“EDPB”) published a position paper, as it had announced last year, on the “interplay between data protection and competition law” (“Position Paper”).
In this blogpost, we outline the EDPB’s position on cooperation between EU data protection authorities (“DPAs”) and competition authorities (“CAs”) in the context of certain key issues at the intersection of data protection and competition law.
Key takeaways
- In the interest of coherent regulatory outcomes, the EDPB advocates for increased cooperation between DPAs and CAs.
- The Position Paper offers practical suggestions to that end, such as fostering closer personal relationships, mutual understanding, and a shared sense of purpose, as well as more structured mechanisms for regulatory cooperation.
- The EDPB is mindful of the Digital Markets Act’s (“DMA”) significance in addressing data protection and competition law risks.
State Attorneys General Issue Guidance On Privacy & Artificial Intelligence
In a new post on the Inside Privacy blog, our colleagues discuss recent guidance from the attorneys general in Oregon and Connecticut interpreting their authority under their state comprehensive privacy statutes and related authorities. Specifically, the Oregon Attorney General’s guidance focuses on laws relevant for artificial intelligence (“AI”), and the Connecticut Attorney General’s guidance
Continue Reading State Attorneys General Issue Guidance On Privacy & Artificial IntelligenceICO Audit on AI Recruitment Tools
On November 6, 2024, the UK Information Commissioner’s Office (ICO) released its AI Tools in recruitment audit outcomes report (“Report”). This Report documents the ICO’s findings from a series of consensual audit engagements conducted with AI tool developers and providers. The goal of this process was to assess compliance with data protection law, identify any risks or room for improvement, and provide recommendations for AI providers and recruiters. The audits ran across sourcing, screening, and selection processes in recruitment, but did not include AI tools used to process biometric data, or generative AI. This work follows the publication of the Responsible AI in Recruitment guide by the Department for Science, Innovation, and Technology (DSIT) in March 2024.
Continue Reading ICO Audit on AI Recruitment ToolsU.S. Tech Legislative, Regulatory & Litigation Update – Third Quarter 2024
This quarterly update highlights key legislative, regulatory, and litigation developments in the third quarter of 2024 related to artificial intelligence (“AI”) and connected and automated vehicles (“CAVs”). As noted below, some of these developments provide industry with the opportunity for participation and comment.
I. Artificial Intelligence
Federal Legislative Developments
There continued to be strong bipartisan
Continue Reading U.S. Tech Legislative, Regulatory & Litigation Update – Third Quarter 2024
Quantum Computing: Developments in the UK and US
This update focuses on how growing quantum sector investment in the UK and US is leading to the development and commercialization of quantum computing technologies with the potential to revolutionize and disrupt key sectors. This is a fast-growing area that is seeing significant levels of public and private investment activity. We take a look at how approaches differ in the UK and US, and discuss how a concerted, international effort is needed both to realize the full potential of quantum technologies and to mitigate new risks that may arise as the technology matures.
Quantum Computing
Quantum computing uses quantum mechanics principles to solve certain complex mathematical problems faster than classical computers. Whilst classical computers use binary “bits” to perform calculations, quantum computers use quantum bits (“qubits”). The value of a bit can only be zero or one, whereas a qubit can exist as zero, one, or a combination of both states (a phenomenon known as superposition) allowing quantum computers to solve certain problems exponentially faster than classical computers.
The applications of quantum technologies are wide-ranging and quantum computing has the potential to revolutionize many sectors, including life-sciences, climate and weather modelling, financial portfolio management and artificial intelligence (“AI”). However, advances in quantum computing may also lead to some risks, the most significant being to data protection. Hackers could exploit the ability of quantum computing to solve complex mathematical problems at high speeds to break currently used cryptography methods and access personal and sensitive data.
This is a rapidly developing area that governments are only just turning their attention to. Governments are focusing not just on “quantum-readiness” and countering the emerging threats that quantum computing will present in the hands of bad actors (the US, for instance, is planning the migration of sensitive data to post-quantum encryption), but also on ramping up investment and growth in quantum technologies.
Continue Reading Quantum Computing: Developments in the UK and USU.S. Tech Legislative, Regulatory & Litigation Update – Second Quarter 2024
This quarterly update highlights key legislative, regulatory, and litigation developments in the second quarter of 2024 related to artificial intelligence (“AI”), connected and automated vehicles (“CAVs”), and data privacy and cybersecurity.
I. Artificial Intelligence
Federal Legislative Developments
- Impact Assessments: The American Privacy Rights Act of 2024 (H.R. 8818, hereinafter “APRA”) was formally introduced in the House by Representative Cathy McMorris Rodgers (R-WA) on June 25, 2024. Notably, while previous drafts of the APRA, including the May 21 revised draft, would have required algorithm impact assessments, the introduced version no longer has the “Civil Rights and Algorithms” section that contained these requirements.
- Disclosures: In April, Representative Adam Schiff (D-CA) introduced the Generative AI Copyright Disclosure Act of 2024 (H.R. 7913). The Act would require persons that create a training dataset that is used to build a generative AI system to provide notice to the Register of Copyrights containing a “sufficiently detailed summary” of any copyrighted works used in the training dataset and the URL for such training dataset, if the dataset is publicly available. The Act would require the Register to issue regulations to implement the notice requirements and to maintain a publicly available online database that contains each notice filed.
- Public Awareness and Toolkits: Certain legislative proposals focused on increasing public awareness of AI and its benefits and risks. For example, Senator Todd Young (R-IN) introduced the Artificial Intelligence Public Awareness and Education Campaign Act (S. 4596), which would require the Secretary of Commerce, in coordination with other agencies, to carry out a public awareness campaign that provides information regarding the benefits and risks of AI in the daily lives of individuals. Senator Edward Markey (D-MA) introduced the Social Media and AI Resiliency Toolkits in Schools Act (S. 4614), which would require the Department of Education and the federal Department of Health and Human Services to develop toolkits to inform students, educators, parents, and others on how AI and social media may impact student mental health.
Texas Attorney General Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data
On June 6, the Texas Attorney General published a news release announcing that the Attorney General has opened an investigation into several car manufacturers. The news release states that the investigation was opened “after widespread reporting that [car manufacturers] have secretly been collecting mass amounts of data about drivers directly from their vehicles and then
Continue Reading Texas Attorney General Opens Investigation into Car Manufacturers’ Collection and Sale of Drivers’ Data