A recent decision by Hungary’s Data Protection Authority (NAIH) offers a deceptively modest outcome, a €5,000 fine, but sends a much stronger signal on the evolving expectations around data minimization under the GDPR and ultimately, the US State Privacy laws. The decision reflects a strict, controller-centric approach, making clear that the key question in a... Continue Reading…More

Data processing begins even before the data is received. A recent ruling of the Supreme Court of Spain clarifies the scope of GDPR obligations and the implications extend to the United States as well. In STS 1590/2026 (Judgment No. 390/2026, dated March 26, 2026), the Spanish Supreme Court held that the obligations of a data... Continue Reading…More

An estimated 87% of companies now using AI-driven tools in their recruitment processes, and that figure has nearly doubled in just two years. AI-powered platforms can ingest millions of candidate profiles, enrich them with publicly available data, and deliver algorithmically ranked shortlists to employers far faster than a human recruiter. But, with that capability comes... Continue Reading…More

Among US states, California is the only one that treats employees as full “consumers,” providing them the right to an employee notice and an applicant notice and employee rights. While California enforcement has not yet focused squarely on employer practices, a fresh call for public comments from CalPrivacy on how to strengthen employee privacy notices... Continue Reading…More

The plaintiffs’ bar has been ramping up lawsuits under the California Invasion of Privacy Act (CIPA) and federal and state wiretapping statutes for years, and the wave is not receding. Tens of thousands of claims have been filed since 2022, with CIPA wiretapping continuing to accelerate in recent months. Meanwhile, plaintiffs are branching out beyond... Continue Reading…More

The plaintiffs’ bar has been ramping up lawsuits for alleged violations of state and federal wiretapping laws (e.g., California CIPA, Florida SCA, Federal ECPA) for many months now. Historically, the main issue has been that the defendant did not get the necessary consent because they did not try to do so, meaning there was no... Continue Reading…More

In a recent decision out of the Northern District of California, the court held that a website operator’s privacy policy, even one presented in a passive, browse wrap-style hyperlink, can defeat the delayed discovery doctrine and render claims under the Electronic Communications Privacy Act (ECPA) and the California Invasion of Privacy Act (CIPA) time-barred. Importantly,... Continue Reading…More

By Odia Kagan How far does a platform’s responsibility extend when a user posts someone else’s personal data in a classified ad, especially one involving sensitive subject matter like sex work? The Italian Data Protection Authority (Garante) recently fined online classifieds platform Bakeca S.r.l. after an unknown user published two ads, including an explicit offer... Continue Reading…More

A new federal court decision denied a motion to dismiss in a case alleging Federal Electronic Communications Privacy Act (ECPA) claims arising from the sharing of health information through a website’s online tracking technology. What does this case teach and what should healthcare companies be doing about it? Recap of ECPA Online Tracker Claims Over... Continue Reading…More

The FTC just published its Strategic Plan for FY 2026–2030. What does it actually mean for privacy compliance? Quite a lot, as it turns out. Here’s a breakdown. Telemarketing Still a top priority. The plan doubles down on unlawful robocalls and the Do Not Call Registry. What to do: Button up your TCPA texting consents.... Continue Reading…More