The developments described below reflect a consistent regulatory philosophy: Automated systems that affect workers must include meaningful human oversight, workers must be informed when AI is involved in decisions about them, and employers cannot hide behind algorithmic outputs when those decisions are challenged.

1. California Senate Bill 947: Human Review Before Adverse Action
   SB 947 would directly restrict how employers use automated decision systems (ADS) in disciplinary and termination decisions. Under the bill, an employer could not rely solely on ADS outputs to discipline, terminate or deactivate a worker. Where an ADS plays a primary role in the process, a human reviewer would need to independently investigate and develop corroborating evidence before any adverse action is finalized. If that review cannot substantiate the system’s output, the employer would be prohibited from proceeding.

SB 947 also includes a required notice of rights for affected workers and access rights to the data the system used. Because it is designed to operate alongside California’s existing privacy framework, employers could face layered obligations under both employment and privacy law simultaneously.

When AI plays a role in a disciplinary or termination decision, employers should ask themselves whether the process generates documentation that could independently support that decision if the algorithmic output were removed from the record entirely. If the answer is no, or even uncertain, the bill’s requirements would expose a gap.

2. California Senate Bill 951: A WARN Act for AI-Driven Workforce Changes
   SB 951 would create an advance-notice requirement modeled on traditional federal and California WARN Act concepts, but applied specifically to AI- and automation-driven workforce reductions. The trigger threshold is relatively low: 25 workers or 25 percent of the workforce affected within a 30-day period. This is a significantly lower threshold than under the current California WARN Act, which generally requires a covered employer to provide advance notice if it orders a qualifying mass layoff (when 50 or more employees suffer a separation from employment during any 30-day period due to a lack of funds or lack of work), a relocation (when all or substantially all of the employer’s operations at a covered establishment are moved 100 miles or more away), or a termination at a covered establishment (when there is the cessation or substantial cessation of industrial or commercial operations at a covered establishment).

Consistent with the California WARN Act, covered employers would need to provide 60 days’ notice to affected employees, relevant workforce agencies and local officials, along with disclosure about the automated technologies involved and available retraining resources.

The more significant feature of the bill may be its scope beyond traditional layoffs. SB 951 would also require employers to notify state authorities when they permanently stop hiring for an occupation because of AI or automation, even if no workers are actually laid off. An employer that deploys an AI system to replace future hiring in a job category, without reducing its existing headcount, could still face a notification obligation. There is no equivalent requirement under the California WARN Act.

Employers considering AI-driven operational changes should bring legal and employment counsel into the planning process before deployment decisions are made, not after. The bill, if enacted, would treat certain automation strategies as workforce actions subject to regulatory notice requirements.

3. Governor Newsom’s Executive Order N-6-26: A Preview of What Is Coming
   Executive Order N-6-26 does not create immediate employer obligations, but it is worth reading as a policy signal. The Order directs state agencies to study AI’s labor-market effects, assess potential disproportionate impacts on particular demographic groups, and develop an employment-impact dashboard. It also instructs agencies to recommend potential revisions to California’s WARN Act in light of AI-driven workforce changes and to examine mechanisms that would ensure workers share in productivity gains generated by automation, including severance practices and worker equity arrangements.

For employers, the Order suggests that California’s regulatory posture on workplace AI is still in its early stages. The measures under study now are likely to appear as legislation or agency guidance in the next few years. Organizations that build strong AI governance frameworks today will be better positioned when those requirements materialize.

4. Connecticut Senate Bill 5: Notice Before You Deploy
   Connecticut SB 5 has been enacted as Public Act 26-15, the Connecticut Artificial Intelligence Responsibility and Transparency Act (CART Act). The law imposes disclosure obligations for employers using automated employment-related decision processes, clarifies that AI use is not a defense to employment discrimination claims, and adds AI-related disclosure requirements to certain workforce reduction notices. Most provisions take effect beginning in October 2026, with key employment-AI requirements applying to covered systems deployed on or after October 1, 2027.

Organizations expanding their use of AI tools in hiring, performance management or workforce planning in Connecticut should determine whether those tools fall within the statute’s scope and whether current notice practices meet the legal standard. This is not a one-time review because as AI tools are updated or replaced, disclosure obligations should be revisited.

5. EU AI Act: High-Risk Rules for Workplace AI
   The EU AI Act is the most direct European analogue to the state-level developments described above. It classifies many AI systems used in employment, worker management and access to self-employment as high-risk, including systems used for recruitment or selection, promotion, termination, task allocation, monitoring, and evaluation of workers. For employers, that means workplace AI is not merely a general governance issue; in many cases, it will be a regulated deployment that requires risk management, transparency, appropriate documentation and effective human oversight. The EU AI Act also requires deployers of high-risk AI systems to inform workers’ representatives and affected workers before putting such systems into service or using them in the workplace.

Further, certain practices are prohibited under the EU AI Act, including AI systems used to infer emotions in the workplace. Employers using video-interview analytics, biometric tools, productivity monitoring or other systems that infer worker traits should therefore review whether the tool is permitted at all and, if permitted, whether it can be explained, overseen and challenged in practice.

The EU AI Act entered into force on August 1, 2024, and applies in phases. Prohibited practices and AI literacy obligations have applied since February 2, 2025. Following the Digital Omnibus on AI, the high-risk AI system obligations for employment-related AI (Annex III systems) will now apply from December 2, 2027. Employers should not wait for these dates to begin compliance planning; the underlying framework is now settled and early preparation is advisable.

6. EU GDPR and Platform Work Rules: Human Intervention and Algorithmic Management
   The EU’s existing data protection framework is also highly relevant. Under the GDPR, individuals have rights in relation to decisions based solely on automated processing that produce legal or similarly significant effects, including rights to obtain human review, express their point of view, and contest the decision in certain circumstances. That framework can be engaged by AI tools used to reject candidates, rank applicants, allocate work, score performance, determine pay opportunities, or support disciplinary or termination decisions.

The EU Platform Work Directive adds a more sector-specific model for algorithmic management. It applies to digital labor platforms (businesses that use algorithms or automated systems to organize work performed by individuals). This includes app-based services such as ride-hailing, food and grocery delivery, courier and logistics platforms, and on-demand task or freelance marketplaces. The Directive requires these platforms to be transparent about automated monitoring and decision-making systems and includes human oversight and review obligations for decisions such as account restriction, suspension, termination, refusal of payment and decisions affecting contractual status. It also introduces a rebuttable presumption of employment for platform workers in certain circumstances. Member States must transpose the Directive into national law by December 2, 2026. Although directed at platform work, the Directive reflects the same regulatory trend seen in the EU AI Act: Employers and platforms must be able to explain, supervise and justify algorithmic decisions that affect access to work and working conditions.

7. United Kingdom: A Fragmented but Active Regulatory Landscape
   The UK does not currently have a single AI-specific employment statute equivalent to the EU AI Act or the California and Connecticut measures discussed above. The UK position is instead developing through overlapping obligations under data protection law, equality law, employment law, health and safety duties, and regulator guidance. The Information Commissioner’s Office has made automated decision-making in recruitment and workplace monitoring a clear priority, including by scrutinizing AI-powered sourcing, screening and selection tools and emphasizing transparency, bias monitoring, meaningful safeguards and genuine human involvement.

UK data protection law is particularly important where AI tools make or meaningfully support significant decisions about workers or candidates. The Data (Use and Access) Act 2025 updates the UK automated decision-making framework and requires safeguards for significant decisions based solely on automated processing, including information for affected individuals, the ability to make representations or contest the decision, and human review. Employers should also consider whether AI-enabled monitoring, biometric attendance systems, productivity analytics or similar tools are fair, proportionate, transparent and supported by an appropriate lawful basis.

There is also no UK equivalent to an AI-specific WARN-style notice obligation for stopping hiring because of automation. However, if AI or automation leads to redundancies, existing collective consultation rules may apply where an employer proposes 20 or more redundancies at one establishment within 90 days. Equality Act risks should also be front of mind: An apparently neutral AI tool used in hiring, promotion, performance management, absence management or redundancy selection could create indirect discrimination exposure if it disadvantages people with protected characteristics and cannot be objectively justified.

How Employers Should Respond
These developments share a common thread: Regulators are no longer focused only on high-level AI governance principles. They are writing rules aimed specifically at workplace applications, and the compliance obligations they create require coordination across legal, HR, privacy and operations teams.

For most employers, the immediate priority is conducting an inventory of AI and automated decision-making tools used in employment-related contexts. Organizations should identify where AI or automated decision tools are currently used in employment contexts, assess whether adequate human oversight and documentation exist for decisions driven by those tools, and determine whether existing notice and disclosure practices would satisfy emerging statutory and regulatory requirements in the jurisdictions where they operate.

Employers evaluating new AI tools or automation-driven operational changes should treat labor, employment, privacy, and equality review as a threshold requirement, not an afterthought. The regulatory direction is clear across the United States, the UK and the EU, and the pace of legislative and regulatory activity suggests that waiting for final rules before beginning compliance work is a diminishing option.

The post AI Workforce Regulation: What Employers Need to Do Now appeared first on Consumer Protection Dispatch.

In “House Homeland Security Hearing Highlights Growing Cybersecurity and Critical Infrastructure Risks of AI,” colleagues Shruti Bhutani Arora, Brian Finch and Nathan Banks identify the key takeaways from the hearing, potential policy and rulemaking signals, and the main issue areas for clients developing, deploying or relying on AI-enabled cybersecurity, coding or infrastructure tools.

The post Unpacking the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection Hearing on AI Security appeared first on Consumer Protection Dispatch.

The AG called it the largest CCPA penalty in California history—and the state’s first public enforcement action focused on the CCPA’s data minimization requirement.

Although the settlement involves connected vehicles, it signals how California regulators may evaluate data practices involving precise geolocation, behavioral data, connected devices, secondary data uses, retention and third-party disclosures more broadly.

Key terms of the proposed judgment include:

• Consent for driving data. Consent is required before collecting, using or disclosing covered driving data to a third party, subject to specified exceptions for emergency response, consumer-initiated communications, vehicle safety, legal compliance, diagnostics, warranty administration, cybersecurity, research, product improvement and related purposes.
• Enhanced consumer notices. The proposed judgment requires clear and conspicuous privacy notices during connected-services enrollment and requires dealer-facing materials to instruct personnel to provide consumers an opportunity to review applicably privacy notices and provide any required consent before enrollment.
• Additional consumer controls. California consumers can disable precise geolocation collection where the vehicle supports it and must be given a mechanism to disable remote data collection if they decline or unenroll from connected services, subject to limited exceptions.
• Maintain a privacy compliance program. The mandated privacy program requires the company to conduct privacy assessments and submit annual reports to California regulators which must be reviewed and approved by the company’s chief privacy officer.

The settlement is a notable indicator of how California will apply CCPA’s data minimization rule, a requirement that has drawn far less enforcement attention than the CCPA’s sale and sharing opt-out provisions.

Data Minimization as an Enforcement Theory
As AG Bonta stated, the action “underscores the importance of the data minimization in California’s privacy law,” including that “companies can’t just hold on to data and use it later for another purpose.” The CCPA requires that “A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” Civil Code § 1798.100(c).

Identifying a reason to collect data is not enough. Businesses must also evaluate whether the volume and sensitivity of data collected, the retention period, and any subsequent use or disclosure remain reasonably necessary and proportionate to a disclosed, compatible purpose. In practice, businesses should be able to answer: Why is each data element collected? Why is it retained for a given period? Could a less sensitive, aggregated or de-identified dataset achieve the same goal?

Purpose Limitation and Secondary Uses of Data
The settlement illustrates how data minimization and purpose limitations work together. Section 1798.100(c) allows personal information to be processed for its original purpose or another disclosed, compatible purpose but prohibits processing incompatible with those purposes.

That doesn’t mean data collected through a consumer product can never be used for analytics, advertising, monetization or third-party purposes. But businesses must evaluate whether the secondary use is reasonably necessary and proportionate, and whether it triggers additional notice, consent or opt-out obligations. Before repurposing data, businesses should assess the original collection context, the disclosures made at the time of collection, consumers’ reasonable expectations and any CCPA rights the new use may trigger.

Precise Geolocation Remains a High-Risk Category
The matter also underscores the sensitivity of precise geolocation data. Connected products, mobile applications, wearables, vehicles, smart devices and other sensor-enabled services may collect location information that reveals highly personal details about where individual’s live, work, receive medical care, worship, attend school or spend time.

Businesses collecting precise geolocation data should evaluate whether precise location is needed for each stated purpose, whether less granular data would suffice, and whether the data can be deleted, aggregated or deidentified once the purpose is fulfilled.

Notices, Consent and Consumer Controls Should Match Actual Data Flows
The settlement makes clear that consumer disclosures must reflect actual backend data practices, particularly in connected-device ecosystems where enrollment may occur through websites, mobile apps, call centers, in-product interfaces, dealerships, retail partners or other intermediaries.

In connected-device environments, data may be collected automatically after enrollment or through embedded technology or related mobile apps. Companies therefore should test whether consumer choices are propagated across systems and honored by third-party integrations, vendors, service providers and other recipients.

Operationalizing Privacy Governance
The proposed judgment also highlights the importance of operationalizing privacy governance. Written policies mean little unless they are embedded in product development, data strategy, vendor management, retention, and business development. Companies should ensure privacy reviews are triggered before new data uses begin, that reviews are documented, and that privacy teams have visibility into data-sharing arrangements.

For secondary data uses, companies should document assessments covering notice, consumer choice, purpose compatibility, data minimization, sensitive data handling, retention, third-party contracts and downstream restrictions

Key Compliance Considerations
The lessons here extend well beyond connected vehicles. Any business collecting or monetizing personal information—through mobile apps, adtech, employee monitoring, wellness tech, AI systems or IoT—should audit whether actual data flows match disclosures, and whether data use and retention align with CCPA’s minimization and purpose limitation requirements.

This is especially pressing for companies using historical consumer data for AI training, personalization, analytics, or other secondary purposes. The key questions: Are those uses reasonably necessary and proportionate to the original collection purpose? Do contracts, consent flows, opt-out mechanisms, deletion practices and vendor controls reflect actual downstream use?

Pillsbury helps clients navigate privacy, AI governance and data-use regulation including compliance, investigations and litigation. Companies with questions about CCPA’s minimization and purpose limitation requirements, or related AI and data governance issues, should contact our Data Privacy & Cybersecurity team.

The post California AG Announces Largest CCPA Penalty to Date in First Data Minimization Case appeared first on Consumer Protection Dispatch.

What Are Email-Tracking Technologies—and Why Do They Matter?
Most modern email platforms automatically embed tracking technologies, most commonly in the form of “pixels”: tiny, often invisible images embedded in emails. When the email is opened, the image is loaded from a server and transmits data to the sender about whether and when the email was opened and often which links were clicked. This can generate useful metrics on engagement, audience interest and campaign performance.

The difficulty is that this technology usually involves storing or accessing information on the recipient’s device which can be used to identify individuals. As a result, regulators in several jurisdictions are starting to treat these email-based tracking technologies in much the same way as website cookies or other web-based tracking technologies: something that in principle requires notice and, in many cases, prior, specific consent unless a narrow exemption applies.

Whereas compliance for web- and mobile application-based tracking technologies can often be achieved through visible website popups and preference centers, organizations utilizing email-based tracking face greater practical and operational difficulties in meeting the same standard. This is complicated by the fact that some email service providers do not allow customers to disable these tracking technologies, either at all or on a per-recipient basis. Legal requirements, technical constraints and commercial reality do not always line up neatly.

The Emerging Regulatory Picture
Across key markets, a few themes are emerging even as detailed rules and enforcement practice are still evolving.

• United Kingdom
  The Information Commissioner’s Office (ICO) has confirmed that email-based tracking technologies, including pixels, fall within the scope of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and are therefore treated in the same way as cookies and other web-based tracking technologies. In principle, that means prior consent is required unless the tracking technology is strictly necessary for providing a service requested by the user.

At the same time, the ICO has repeatedly emphasized a risk-based enforcement approach, taking into account how intrusive the tracking is, how clear and prominent the information and consent mechanisms are, and whether there is evidence of consumer harm or concern. To date, the ICO’s enforcement activity has been confined to web-based tracking, and there has been no enforcement action specifically in relation to email-based tracking. That said, recent public guidance and statements by regulators indicate a shift in emphasis, with email tracking now firmly on the ICO’s regulatory radar.

• EU
  Within the EU, the use of email-tracking technologies is generally governed by the ePrivacy Directive (2002/58/EC) in particular Article 5(3), as implemented into national law across EU Member States and enforced by local supervisory authorities. Because these tracking technologies typically involve the storing of, or access to, information on a recipient’s device, many EU regulators take a strict view of their use. This position has been reinforced by guidance from the European Data Protection Board (EDPB) (Guidelines 2/2023, adopted on 7 October 2024), which has made clear that URL and pixel-based tracking falls within the scope of Article 5(3) on a technology-neutral basis, irrespective of whether personal data is ultimately processed. As a result, opt-in consent is generally expected for any use of tracking technologies that is not strictly necessary to deliver a service expressly requested by the recipient, with even basic open-rate tracking commonly treated as in scope.

To date, there has been no enforcement action by EU Member State supervisory authorities that specifically targets the use of email-based tracking technologies. However, the legal position on paper remains demanding and leaves relatively little room for flexibility.

France provides a useful illustration of the direction of travel. In June 2025, the French data protection authority (CNIL) issued draft recommendations that would require a more granular approach to pixel-based email tracking. In particular, the draft proposed treating consent to receive marketing and consent to the use of tracking pixels as separate decisions, with a possible carve-out where only anonymized, high-level open-rate statistics are collected or where the pixel is used strictly for technical authentication/security functions. Controversially, the CNIL’s draft recommendations require that consent withdrawal must be retroactively honored. (I.e., pixels must be deactivated once consent has been withdrawn, even for emails which have already been sent.) In practice, this would generate significant operational and technical complexity and has been flagged as a key point of debate in responses to the consultation. The draft also contemplates an in-email mechanism allowing recipients to opt out of tracking. While the consultation process has now ended and no final recommendations have yet been published, the draft points toward a stricter and more structured regime in the medium term.

• United States
  There is no federal statute that specifically regulates the use of email-tracking technologies. In challenging the practice, plaintiffs most often rely on the Electronic Communications Privacy Act (ECPA). They typically assert claims under Title I of ECPA (commonly known as the Wiretap Act), which prohibits the intentional interception of electronic communications, a term frequently litigated to require acquisition contemporaneous with transmission and without consent or other statutory authorization. Plaintiffs also invoke Title II of ECPA, the Stored Communications Act (SCA), which addresses unauthorized access to communications held in electronic storage on a covered facility. In many email-tracking technology fact patterns, however, the technology is characterized as triggering an image request that returns open or engagement data, making it difficult to establish the type of contemporaneous interception or unauthorized access required under these federal statutes.

California’s Invasion of Privacy Act (CIPA), particularly Section 631(a), has also been invoked in challenges to the use of email-tracking technologies. Although CIPA claims initially proliferated in the web-tracking context, plaintiffs have increasingly attempted to extend those theories to marketing emails containing tracking technologies. Under this approach, plaintiffs characterize the act of opening an email or clicking a hyperlink as a “communication,” and allege that a third-party email marketing vendor “intercepts” that communication by receiving engagement data in real time. Some complaints further contend that trackable URLs or embedded code reveal the “contents” of the communication, rather than merely routing or record information.

In Ramos v. The Gap, Inc. (N.D. Cal.), the court rejected these theories in the email-marketing context. The plaintiff alleged that Gap embedded tracking pixels and uniquely coded URLs in promotional emails and that its marketing vendor unlawfully intercepted communications when recipients opened or clicked those emails. The court dismissed the Section 631(a) claim, reasoning in part that engagement metrics such as open rates and click activity constitute information about a communication rather than protected “contents.” The court was also unpersuaded by arguments that a hyperlink click itself constitutes substantive content or that URL parameters exposed the underlying substance of the email. In addition, the decision underscored structural limits within Section 631(a), including the “party” principle, under which a participant in the communication generally cannot be liable for intercepting it, as well as the statute’s focus on acquisition of contents rather than ordinary analytics data generated in the course of message delivery and interaction.

While Ramos reflects an early, defense-favorable treatment of CIPA claims in the email-pixel setting, plaintiffs continue to test variations on these theories, often drawing analogies to web-tracking decisions addressing whether certain URL strings or user inputs can qualify as “contents.” As a result, CIPA exposure in the email context remains fact-dependent, turning on how courts characterize the data collected, the role of any third-party vendor, and whether the alleged acquisition can plausibly be framed as an interception of protected content rather than the collection of engagement metadata.

A similar dynamic is emerging under Arizona’s Telephone, Utility, and Communication Service Records Act (TUCSRA). TUCSRA restricts the unauthorized acquisition of “communication service records” maintained by a communication service provider, and plaintiffs have argued that email-tracking technologies impermissibly capture such records by collecting data about when, where and how an email is opened—including engagement metrics such as the time an email was accessed, the number of opens, whether it was forwarded or printed, and the type of device or server used. Early decisions have dismissed TUCSRA claims against retailers and other senders, reasoning that these entities are not “communication service providers” within the meaning of the statute and that email engagement data does not constitute protected service records. Some courts have also found a lack of Article III standing where plaintiffs allege only a statutory violation without concrete downstream harm. Nonetheless, plaintiffs continue to test these theories, and outcomes remain highly dependent on statutory interpretation, the characterization of the technology, and the forum in which the case is brought.

Against that litigation backdrop, day-to-day compliance obligations for email-tracking technologies are shaped less by wiretap doctrine and more by state privacy laws. Rather than prohibiting tracking technologies outright, these laws regulate how engagement data is classified, disclosed and operationalized within broader advertising and analytics ecosystems. The principal statutory risk typically arises where email engagement data is disclosed to third parties in a manner that could be characterized as a “sale” or “sharing” of personal information for targeted advertising purposes under state privacy laws (such as the California Consumer Privacy Act (CCPA) and analogous state laws). Under the CCPA, whether a disclosure constitutes a regulated “sale” or “sharing” turns on the role of the recipient and the contractual and technical constraints imposed on downstream use. Where an email service provider uses tracking technology-derived data solely to provide services to the sender without independently retaining, using, or repurposing that data for its own advertising purposes, the arrangement is more likely to qualify as a restricted “service provider” relationship. By contrast, if engagement data is made available to advertising networks or analytics partners for their own or joint advertising purposes, the disclosure may qualify as a “sale” or “sharing,” triggering notice and opt-out obligations. Regulators increasingly look beyond contract language to examine how data actually moves between systems, how it is combined with other identifiers, and how it is used in practice.

Recent enforcement activity in California highlights the regulatory focus. A 2026 CCPA settlement emphasized that opt-out mechanisms must be effective in practice, including across linked accounts, devices and services where personal information is used for cross-context behavioral advertising. The settlement also reinforces expectations around clear and conspicuous “Do Not Sell or Share” mechanisms, recognition of browser-based opt-out signals (such as Global Privacy Control), and user-interface design that does not fragment or undermine consumer choice.

Although that matter did not concern email-tracking pixels specifically, its implications are directly relevant where tracking technology-derived engagement data is combined with other identifiers and disclosed to advertising or analytics partners. If such disclosures qualify as “sharing” for cross-context behavioral advertising, businesses must ensure that opt-out rights are implemented comprehensively—not merely at device level, but across associated profiles and systems.

While regulators have not taken email-based tracking technology-specific action, the Federal Trade Commission has pursued significant cases against companies (particularly in the health sector) for sharing sensitive data via tracking technologies without adequate transparency or consent. This underscores the broader regulatory risk associated with opaque tracking practices, especially where sensitive categories of data are involved.

How One Uses Engagement Data Makes a Difference
Not all uses of email engagement data carry the same risk. Two common patterns are worth distinguishing:

a) Aggregated reporting
Many organizations use tracking technologies simply to generate high-level statistics such as overall open rates for a campaign or the relative popularity of links. Where the data is aggregated or truly anonymized, and not used to make decisions about specific individuals, there is a stronger argument that the intrusion into privacy is limited.

Some regulators have hinted that this kind of use may be treated more leniently, particularly if the metrics cannot reasonably be traced back to identifiable recipients. Nevertheless, transparency remains important, and it would be prudent to describe this kind of analytics in a privacy policy even where separate consent is not collected.

b) Segmentation and follow-up actions
The risk profile changes where engagement data is used to build profiles, segment audiences or drive follow-up communications at individual level. Examples include:

• • resending emails only to those who did not open a previous message;
  • targeting offers based on which links a particular recipient clicked; or
  • combining tracking technology-derived data with other systems to build behavioral profiles.

These activities clearly involve personal data processing and, in many jurisdictions, are more likely to require explicit, prior consent under ePrivacy-type rules, as well as enhanced transparency. They will also attract greater scrutiny if regulators begin to look closely at email-tracking practices.

A practical way to think about this is that transparency alone may be more defensible for limited, aggregated analytics, whereas individual-level targeting based on tracking technology-derived data sits at the higher-expectation, higher-risk end of the spectrum.

Practical Approaches to Compliance
There is no single model that works for every organization. Technical constraints, risk appetite, audience type and geography all play a role. In broad terms, organizations tend to converge around three approaches when thinking about consent.

a) Separate consent for tracking technologies
Under this approach, subscription or sign-up flows include a distinct consent mechanism for tracking technologies, separate from the consent to receive marketing emails. This is the approach that most closely matches the strict reading of ePrivacy and some of the emerging thinking of European regulators.

In theory, it offers strong legal defensibility and a clear audit trail. In practice, it can be challenging where, for instance, the email service provider’s platform does not allow pixels to be disabled for particular recipients. If a user agrees to marketing but withholds consent to tracking technologies, it may be difficult or impossible to honor that choice without suppressing emails entirely. Withdrawal of consent can also be hard to operationalize unless the technology stack is built with that in mind, particularly where consent is withdrawn only after tracked emails have been sent.

This model tends to suit organizations that are willing to invest in bespoke email infrastructure or that operate in sectors where regulatory expectations and reputational sensitivities are especially high.

b) Bundled consent to online tracking technology that includes website and mobile application and emails
Another option is to obtain a single, combined consent that covers both marketing emails and associated tracking technologies. This can be presented clearly on the sign-up or subscription form, supported by straightforward explanations in privacy notices and the emails themselves.

From a user-experience perspective, this can feel more honest than offering a choice that cannot truly be honored. It may be seen as a pragmatic compromise where the use of tracking technologies is technically unavoidable, provided that the language used is transparent about what is happening and why.

However, this is not perfectly aligned with the strict interpretation of separate, unbundled consent for distinct purposes, and organizations adopting this approach should understand that it sits in a gray area between letter-of-the-law compliance and operational reality.

c) Transparency-led approach without explicit tracking technology consent
A third approach is to rely on transparency without seeking specific consent to tracking technologies. Under this model, organizations:

• • acknowledge the use of tracking pixels in their privacy statement and, where appropriate, in cookie notices;
  • include concise explanations in email footers describing what is collected and how it is used; and
  • may suggest that recipients who prefer not to be tracked can disable images or take other steps in their email client.

This is the easiest option to implement, particularly where email platforms do not support fine-grained control and where the use of tracking technologies is limited to relatively low-risk analytics. It also aligns with what many recipients already experience in the market.

The trade-off is that this approach does not strictly meet ePrivacy and PECR requirements for prior consent to tracking technologies, and it may become more difficult to justify if regulators begin to focus actively on these email-tracking technologies. Organizations pursuing this path should view it as a risk-managed position rather than full compliance, monitor regulatory developments, and be prepared to adjust course.

Key Takeaways
Organizations deploying email marketing should not assume compliance by default, but should proactively verify how tracking technologies are deployed and what data they capture.

Where technical limitations exist within an email service provider’s systems, organizations will need to consider a risk-based approach to consent mechanisms and transparency, while factoring in jurisdiction-specific risks.

While email-tracking technology may indeed be invisible, from a regulatory and litigation standpoint they are anything but.

The post Email-Tracking Technology: Emerging Compliance Expectations in the U.S., EU and Beyond appeared first on Consumer Protection Dispatch.

This development comes as the FTC seeks to balance its mandate to protect children’s privacy online with the growing recognition that age verification technologies are, in the words of FTC Bureau of Consumer Protection Director Christopher Mufarrige, “some of the most child-protective technologies to emerge in decades.”

Background: The COPPA-Age Verification Tension
Since COPPA was enacted in 1998, there has been an explosion in the use of internet-connected technologies by children. In response to growing concerns about children’s online safety, several states have begun requiring websites and online services to use age verification mechanisms to determine the age of users.

However, as noted at the FTC’s recent workshop on age verification technologies held in January 2026, some age verification mechanisms require the collection of personal information from children, prompting questions about whether such activities could violate the COPPA Rule. This created a somewhat paradoxical situation: The very technologies designed to protect children online could themselves trigger COPPA compliance obligations.

The FTC has now sought to resolve this tension through its new policy statement, designed to “incentivize operators to use these innovative tools, empowering parents to protect their children online.”

Key Conditions for Enforcement Discretion
The policy statement applies to operators of general audience sites and services, as well as mixed audience sites and services (those directed to children, but which do not target children as their primary audience). Under the policy, the FTC will exercise enforcement discretion where operators collect personal information for age verification purposes without first obtaining verifiable parental consent, provided they comply with six key conditions:

1. Purpose limitation: The operator does not use or disclose information collected for age verification purposes for any other purpose.
2. Third-party safeguards: The operator discloses information collected for age verification purposes only to third parties that the operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security and integrity of the information, including by obtaining written assurances from those third parties.
3. Retention limitation: The operator does not retain the information longer than necessary to fulfill the age verification purposes, and deletes such information promptly thereafter.
4. Notice: The operator provides clear notice to parents and children of the information collected for age verification purposes in its privacy policy.
5. Security: The operator employs reasonable security safeguards for information collected for age verification purposes.
6. Accuracy: The operator takes reasonable steps to determine that any product, service, method or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age.

Critically, the FTC will not exercise its enforcement discretion unless the operator is complying with the COPPA Rule’s requirements in every other respect with regard to personal information collected from children.

Context: The January 2026 Workshop
This policy statement follows the FTC’s workshop on age verification technologies held on January 28, 2026. The workshop examined the interplay between COPPA enforcement and developments in age verification technology, with FTC Chairman Andrew Ferguson emphasizing that “COPPA enforcement is and will remain a top priority of the Trump-Vance FTC.”

The workshop featured extensive discussion of various age verification methods, from facial age estimation and government ID verification to emerging approaches such as behavioral analysis and reusable age credentials. Panelists highlighted both the promise and challenges of these technologies, including privacy concerns, accuracy limitations, and the need for robust data protection safeguards.

A key theme emerging from the workshop was the importance of “double-blind” architectures, where an external service verifies age without knowing which website the data is intended for, and the website confirms age status without learning the user’s identity. Such approaches help ensure that neither party obtains a complete picture of the user’s identity and activities.

Broader Regulatory Context
The policy statement arrives amid a rapidly evolving regulatory landscape. Multiple U.S. states have enacted laws requiring age verification for access to certain online content, with requirements varying significantly in their scope, threshold ages and acceptable verification methods. Similar requirements exist internationally, including the UK’s Age Appropriate Design Code and Online Safety Act, and Australia’s recent social media age verification requirements.

The FTC has indicated that it intends to initiate a review of the COPPA Rule to address age verification mechanisms more formally. The policy statement will remain effective until the FTC publishes final rule amendments on this issue in the Federal Register, or until otherwise withdrawn.

Practical Implications
For operators of general audience and mixed-audience sites and services, this policy statement provides welcome clarity and reduces the legal risk associated with deploying age verification technologies. Operators can now implement these technologies with greater confidence, provided they adhere to the six conditions set out in the statement.

However, several practical considerations remain. Operators should carefully document their compliance with each condition, particularly around third-party due diligence, data retention policies, and accuracy assessments. Privacy policies should be updated to clearly disclose the information collected for age verification purposes.

It is also worth noting that this policy statement does not modify the FTC’s position regarding child-directed sites and services that are primarily directed to children, which must continue to treat all users as children and provide COPPA Rule protections to all users.

Conclusion
The FTC’s policy statement represents a pragmatic response to a genuine regulatory challenge. By providing enforcement discretion for operators using age verification technologies in good faith, the FTC has sought to remove a potential barrier to the adoption of technologies that can enhance children’s online safety.

As Chairman Ferguson observed at the January workshop, “COPPA, a statute designed to empower parents and protect children online, should not be an impediment to the most child protective technology to emerge in decades.” This policy statement reflects that principle whilst maintaining the fundamental protections that COPPA provides.

The FTC voted 2-0 to issue the policy statement.

The post FTC Issues COPPA Policy Statement to Encourage Age Verification Technologies appeared first on Consumer Protection Dispatch.

Who Are Data Brokers
Data brokers are companies that collect and sell personal information without directly interacting with consumers, and they must register with the CPPA and integrate with the DROP system. Data brokers often obtain your email, phone number, browsing history, or location data, and make inferences about your interests or characteristics from this data.

How the System Works for Consumers
The DROP System aims to make it much easier for Californians to exercise their right to delete their personal information. Through a secure online portal, users will be able to verify their California residency, choose which data brokers to contact, and track their requests using a unique DROP ID. The system will ask California residents to provide information about themselves such as their name, date of birth, phone number, and email address, in addition to device identifiers such as Mobile Advertising IDs (MAIDs). The more identifiers you provide, the more likely a data broker will be able to match your information to data in their system and delete your data. To protect user information, the DROP System will use multi-factor authentication and encrypted (hashed) data transmission.

Implementation Timeline

• January 1, 2026 – DROP System opens to California residents.
• August 1, 2026 – Data brokers begin processing deletion requests every 45 days.

Data Broker Response Requirements
When a broker receives a request, they must delete the consumer’s entire record if any identifier matches their records. When processing a deletion request, data brokers must assign one of four standardized response statuses. A request marked “Deleted” means the consumer’s non-exempt personal information has been fully removed. “Exempt” indicates that certain data cannot legally be deleted, and the broker must explain why. “Opted Out” applies when full deletion isn’t possible, but the consumer information is blocked from being sold or shared in the future. Finally, “Record Not Found” means the broker couldn’t locate any data matching the identifiers submitted in the request.

Data Broker Obligations
Data brokers will face several new compliance requirements, including:

• Annual registration with the CPPA, including a $6,000 fee.
• Completion of deletion requests within 45 days of receipt.
• Maintenance of suppression lists to prevent re-collection or resale of deleted data.
• Audit trail creation documenting each deletion response.
• Reporting of data sales to specified entities, including foreign actors, AI developers and federal government agencies.

Enforcement and Penalties
To ensure compliance, the CPPA will impose penalties of $200 per day per consumer for noncompliance. Beginning in 2028, data brokers will also undergo independent audits, and consumers will have access to a formal complaint process for unresolved or disputed deletion requests.

The post A New Era of Data Deletion: Inside California’s DROP System appeared first on Consumer Protection Dispatch.

In “DOJ Releases Its Data Security Program Compliance Guide,” colleagues Tony Phillips, Shruti Bhutani Arora, Sahar J. Hafeez, Christine Mastromonaco and Sheetal Misra discuss the key components of the DSP and offer thoughts about compliance.

The post The Data Security Program Compliance Guide Is Released by the DOJ appeared first on Consumer Protection Dispatch.

On Monday, Apple announced its largest-ever spend commitment: $500 billion in the U.S. over the next four years, covering investments in manufacturing, education, and training for technologies like artificial intelligence and chip making. This includes:

• Launching a state-of-the-art, 250,000-square-foot AI facility in Houston, focused on building servers—previously manufactured outside of the U.S.—that that can handle AI compute.
• Servers that are expected to reduce the energy demands of Apple’s data centers (which Apple notes already run on 100 percent renewable energy).
• Expanding existing data center capacity in North Carolina, Iowa, Oregon, Arizona and Nevada.
• Doubling its U.S. Advanced Manufacturing Fund from $5 billion to $10 billion to boost high-skilled manufacturing jobs in the United States. This includes a multibillion-dollar commitment to produce advanced silicon at TSMC’s Fab 21 in Arizona—where Apple, as the largest customer, recently began mass chip production. With its suppliers operating in 24 factories across 12 states, Apple expects this initiative to create thousands of jobs while driving cutting-edge manufacturing for Apple devices.
• Hiring approximately 20,000 people focused on R&D, silicon engineering, software development, and AI and machine learning.
• Opening an “Apple Manufacturing Academy” in Detroit, Mich., where Apple engineers and other experts will consult with businesses on AI and smart manufacturing techniques.
• Expanding investments in education and workforce development through grants to organizations like 4‑H and Boys & Girls Clubs of America and the launch of new initiatives, such as the New Silicon Initiative—collaborating with leading universities like Georgia Tech and UCLA—to prepare students for careers in hardware engineering and silicon chip design.

Key Takeaway and Considerations for AI and Data Center Stakeholders
Apple’s $500 billion U.S. spend commitment mirrors similar investments by industry giants like SoftBank, Oracle and OpenAI, highlighting a sweeping push toward domestic production and enhanced U.S. data center capabilities.

These transformative investments continue to raise a host of legal and commercial issues. Companies using, procuring, producing, or powering AI products and data center space will need to carefully navigate those considerations.

RELATED ARTICLES

Data Centers: A Field Guide

Anatomy of a Data Center

The post Apple’s $500B U.S. Manufacturing Push and New AI Server Facility in Houston: What It Means for Data Centers appeared first on Consumer Protection Dispatch.

One key area in which the OSA goes further is in relation to the obligations on service providers to undertake specific assessments in relation to their services. The first of these assessments (the illegal content risk assessment—discussed in more detail below) must be completed by all in-scope services by March 16, 2025.

For more information on the developing regulatory landscape relating to “online safety” in the UK, EU and U.S., please view our earlier webinar.

OSA—Who Is in Scope?

• Services in scope. The OSA applies to providers of user-to-user (U2U) services and search services:
  • U2U services: internet services through which content that is generated, uploaded, or shared by other users may be encountered by other users of the service. This could cover social media platforms, photo or video sharing platforms, chat and instant messaging services, blogs, online games, online dating platforms, online marketplaces, etc., including where such services are available through a web browser or mobile application.
  • Search services: internet services that consist of, or include, the functionality for users to search multiple websites or databases (including services through which a user could in principle search all websites or databases). This could cover conventional search engines, reverse image lookups, content aggregators that allow users to search through multiple databases, AI-powered search engines, etc.

Certain services are then subject to additional obligations, such as U2U or search services that publish pornographic content or that meet certain threshold conditions, based on the number of UK users and certain features of the service (“Categorised Services”).

• Content in scope. The OSA defines “content” as anything communicated by means of an internet service, whether publicly or privately, including written material or messages, oral communications, photographs, videos, visual images, music and data of any description. The OSA envisages several different categories of content:
  • Illegal content: content that amounts to a relevant offense, i.e., a priority offense (such as offenses related to terrorism or child sexual exploitation or abuse (CSEA)) or another, non-priority, offense (such as cyberflashing, content that encourages or assists with self-harm, or threatening communications).
  • Content that is harmful to children: content that may not amount to illegal content but that should be hidden from children. This is further grouped into primary priority content that is harmful to children (such as pornographic, suicide, self-harm or eating disorder content), priority content that is harmful to children (such as abuse, hate, bullying or violent content, or content which encourages the consumption of harmful substances or the undertaking of dangerous stunts or challenges), and non-designated harmful content which otherwise presents a material risk of significant harm to an appreciable number of children in the UK.

Categorised Services are also subject to obligations relating to additional content categories, such as fraudulent adverts, content of democratic importance, and content that adults may wish to avoid encountering on a service (e.g., abusive content or content that encourages suicide or self-harm).

• Territorial jurisdiction: Given the cross-border nature of the internet, the OSA’s territorial application extends beyond services based in the UK. The OSA applies to any service that “has links with the United Kingdom.” This criteria will be met where: (i) the service has a significant number of UK users; (ii) the UK forms one of the target markets for the service; or (iii) the service is capable of being used in the UK and there are reasonable grounds to believe there is a material risk of significant harm to individuals in the UK presented by content on the service.

What Are the Main Assessment Duties?

1. Illegal Content Risk Assessment. The first assessment that must be undertaken is an illegal content risk assessment. This is designed to improve a service provider’s understanding of how risks of different kinds of illegal harms could arise on the service and what safety measures should be implemented to protect users. Illegal content risk assessments must be of a “suitable and sufficient” standard. Ofcom (the UK regulatory body with responsibility for the OSA) has published guidance on how to carry out an illegal content risk assessment, which sets out a four-step process: (i) understand the kinds of illegal content that needs to be assessed; (ii) assess the risk of harm; (iii) decide measures, implement and record; and (iv) report, review and update. All in-scope services must complete an illegal content risk assessment by March 16, 2025.
2. Children’s Access Assessment. In-scope services must also undertake a children’s access assessment to understand to what extent the service is “likely to be accessed by children” (meaning anyone under the age of 18). Where the assessment determines that a service is likely to be accessed by children, this triggers additional child protection duties (which may not apply if the children’s access assessment determines that the services is not likely to be accessed by children). Importantly, if a children’s access assessment is not completed, the service will be subject to the additional child protection duties in any event. All in-scope service must complete a children’s access assessment by April 16, 2025.
3. Children’s Risk Assessment. If a service is considered “likely to be accessed by children” then service providers must undertake a children’s risk assessment, which is separate and in addition to the overarching illegal content risk assessment. The children’s risk assessment must assess the risks that exist specifically in relation to children on the service, taking into account any measures the service already has in place to protect children. Ofcom is currently consulting on guidance relating to the children’s risk assessment. Once this guidance has been finalized (expected in April 2025) service providers will have three months to complete the requisite assessment.
4. User Empowerment Risk Assessment. Certain Categorised Services may also need to complete an adult user empowerment assessment, to understand its user base, the likelihood of adult users encountering specific content that they may wish to avoid, and the impact that the service (including its design and operation) may have in relation to adults encountering such content and the impact that this may have. Ofcom will publish more details on this once it has finalized the thresholds to determine which services will be Categorised Services under the OSA.

Records must be maintained of all assessments carried out, including the process followed and the findings. Failure to complete an assessment where required under the act is an automatic breach, which could result in enforcement action and a civil penalty of up to 10% of revenue or £18m (whichever is greater).

Additional Obligations
A core focus of the OSA is on “systems and processes”—Ofcom will regulate the measures taken by service providers to mitigate the risks identified in their assessments, ensuring that these measures are proportionate, as opposed to regulating individual pieces of content appearing on the services.

Service providers will also be expected to have in place content reporting and complaints procedures, and clear and accessible terms of service which address specific areas identified in the OSA (e.g., specifying how individuals are to be protected from illegal content).

Next Steps
Companies operating U2U or search services should consider to what extent they may be subject to the OSA (e.g., by analyzing any links they may have to the UK). Where a service is in scope, the priority action item would be to complete the illegal content risk assessment by the March 16, 2025, deadline.

Related  Articles

New EU Rule Requires Easy “Cancel Contract” Button for Online Sales

EU AI Act: First Set of Requirements Go into Effect February 2, 2025

The post UK Online Safety Act: New Obligations for Digital Service Providers Targeting the UK appeared first on Consumer Protection Dispatch.

In California’s AI Laws Are Here—Is Your Business Ready?, Christine Mastromonaco, Shruti Bhutani Arora, Andrew Caplan, Erin Choo, Mia Rendar, Anne M. Voigts, Shani Rivaux, Johnna Purcell and Dayo Feyisayo Ajanaku provide a detailed look at the enacted legislation, addresses compliance timelines and serves as a guide for businesses as they navigate compliance with California’s evolving AI landscape.

The post California’s Significant AI laws Go into Effect appeared first on Consumer Protection Dispatch.