What Are Email-Tracking Technologies—and Why Do They Matter?
Most modern email platforms automatically embed tracking technologies, most commonly in the form of “pixels”: tiny, often invisible images embedded in emails. When the email is opened, the image is loaded from a server and transmits data to the sender about whether and when the email was opened and often which links were clicked. This can generate useful metrics on engagement, audience interest and campaign performance.

The difficulty is that this technology usually involves storing or accessing information on the recipient’s device which can be used to identify individuals. As a result, regulators in several jurisdictions are starting to treat these email-based tracking technologies in much the same way as website cookies or other web-based tracking technologies: something that in principle requires notice and, in many cases, prior, specific consent unless a narrow exemption applies.

Whereas compliance for web- and mobile application-based tracking technologies can often be achieved through visible website popups and preference centers, organizations utilizing email-based tracking face greater practical and operational difficulties in meeting the same standard. This is complicated by the fact that some email service providers do not allow customers to disable these tracking technologies, either at all or on a per-recipient basis. Legal requirements, technical constraints and commercial reality do not always line up neatly.

The Emerging Regulatory Picture
Across key markets, a few themes are emerging even as detailed rules and enforcement practice are still evolving.

• United Kingdom
  The Information Commissioner’s Office (ICO) has confirmed that email-based tracking technologies, including pixels, fall within the scope of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and are therefore treated in the same way as cookies and other web-based tracking technologies. In principle, that means prior consent is required unless the tracking technology is strictly necessary for providing a service requested by the user.

At the same time, the ICO has repeatedly emphasized a risk-based enforcement approach, taking into account how intrusive the tracking is, how clear and prominent the information and consent mechanisms are, and whether there is evidence of consumer harm or concern. To date, the ICO’s enforcement activity has been confined to web-based tracking, and there has been no enforcement action specifically in relation to email-based tracking. That said, recent public guidance and statements by regulators indicate a shift in emphasis, with email tracking now firmly on the ICO’s regulatory radar.

• EU
  Within the EU, the use of email-tracking technologies is generally governed by the ePrivacy Directive (2002/58/EC) in particular Article 5(3), as implemented into national law across EU Member States and enforced by local supervisory authorities. Because these tracking technologies typically involve the storing of, or access to, information on a recipient’s device, many EU regulators take a strict view of their use. This position has been reinforced by guidance from the European Data Protection Board (EDPB) (Guidelines 2/2023, adopted on 7 October 2024), which has made clear that URL and pixel-based tracking falls within the scope of Article 5(3) on a technology-neutral basis, irrespective of whether personal data is ultimately processed. As a result, opt-in consent is generally expected for any use of tracking technologies that is not strictly necessary to deliver a service expressly requested by the recipient, with even basic open-rate tracking commonly treated as in scope.

To date, there has been no enforcement action by EU Member State supervisory authorities that specifically targets the use of email-based tracking technologies. However, the legal position on paper remains demanding and leaves relatively little room for flexibility.

France provides a useful illustration of the direction of travel. In June 2025, the French data protection authority (CNIL) issued draft recommendations that would require a more granular approach to pixel-based email tracking. In particular, the draft proposed treating consent to receive marketing and consent to the use of tracking pixels as separate decisions, with a possible carve-out where only anonymized, high-level open-rate statistics are collected or where the pixel is used strictly for technical authentication/security functions. Controversially, the CNIL’s draft recommendations require that consent withdrawal must be retroactively honored. (I.e., pixels must be deactivated once consent has been withdrawn, even for emails which have already been sent.) In practice, this would generate significant operational and technical complexity and has been flagged as a key point of debate in responses to the consultation. The draft also contemplates an in-email mechanism allowing recipients to opt out of tracking. While the consultation process has now ended and no final recommendations have yet been published, the draft points toward a stricter and more structured regime in the medium term.

• United States
  There is no federal statute that specifically regulates the use of email-tracking technologies. In challenging the practice, plaintiffs most often rely on the Electronic Communications Privacy Act (ECPA). They typically assert claims under Title I of ECPA (commonly known as the Wiretap Act), which prohibits the intentional interception of electronic communications, a term frequently litigated to require acquisition contemporaneous with transmission and without consent or other statutory authorization. Plaintiffs also invoke Title II of ECPA, the Stored Communications Act (SCA), which addresses unauthorized access to communications held in electronic storage on a covered facility. In many email-tracking technology fact patterns, however, the technology is characterized as triggering an image request that returns open or engagement data, making it difficult to establish the type of contemporaneous interception or unauthorized access required under these federal statutes.

California’s Invasion of Privacy Act (CIPA), particularly Section 631(a), has also been invoked in challenges to the use of email-tracking technologies. Although CIPA claims initially proliferated in the web-tracking context, plaintiffs have increasingly attempted to extend those theories to marketing emails containing tracking technologies. Under this approach, plaintiffs characterize the act of opening an email or clicking a hyperlink as a “communication,” and allege that a third-party email marketing vendor “intercepts” that communication by receiving engagement data in real time. Some complaints further contend that trackable URLs or embedded code reveal the “contents” of the communication, rather than merely routing or record information.

In Ramos v. The Gap, Inc. (N.D. Cal.), the court rejected these theories in the email-marketing context. The plaintiff alleged that Gap embedded tracking pixels and uniquely coded URLs in promotional emails and that its marketing vendor unlawfully intercepted communications when recipients opened or clicked those emails. The court dismissed the Section 631(a) claim, reasoning in part that engagement metrics such as open rates and click activity constitute information about a communication rather than protected “contents.” The court was also unpersuaded by arguments that a hyperlink click itself constitutes substantive content or that URL parameters exposed the underlying substance of the email. In addition, the decision underscored structural limits within Section 631(a), including the “party” principle, under which a participant in the communication generally cannot be liable for intercepting it, as well as the statute’s focus on acquisition of contents rather than ordinary analytics data generated in the course of message delivery and interaction.

While Ramos reflects an early, defense-favorable treatment of CIPA claims in the email-pixel setting, plaintiffs continue to test variations on these theories, often drawing analogies to web-tracking decisions addressing whether certain URL strings or user inputs can qualify as “contents.” As a result, CIPA exposure in the email context remains fact-dependent, turning on how courts characterize the data collected, the role of any third-party vendor, and whether the alleged acquisition can plausibly be framed as an interception of protected content rather than the collection of engagement metadata.

A similar dynamic is emerging under Arizona’s Telephone, Utility, and Communication Service Records Act (TUCSRA). TUCSRA restricts the unauthorized acquisition of “communication service records” maintained by a communication service provider, and plaintiffs have argued that email-tracking technologies impermissibly capture such records by collecting data about when, where and how an email is opened—including engagement metrics such as the time an email was accessed, the number of opens, whether it was forwarded or printed, and the type of device or server used. Early decisions have dismissed TUCSRA claims against retailers and other senders, reasoning that these entities are not “communication service providers” within the meaning of the statute and that email engagement data does not constitute protected service records. Some courts have also found a lack of Article III standing where plaintiffs allege only a statutory violation without concrete downstream harm. Nonetheless, plaintiffs continue to test these theories, and outcomes remain highly dependent on statutory interpretation, the characterization of the technology, and the forum in which the case is brought.

Against that litigation backdrop, day-to-day compliance obligations for email-tracking technologies are shaped less by wiretap doctrine and more by state privacy laws. Rather than prohibiting tracking technologies outright, these laws regulate how engagement data is classified, disclosed and operationalized within broader advertising and analytics ecosystems. The principal statutory risk typically arises where email engagement data is disclosed to third parties in a manner that could be characterized as a “sale” or “sharing” of personal information for targeted advertising purposes under state privacy laws (such as the California Consumer Privacy Act (CCPA) and analogous state laws). Under the CCPA, whether a disclosure constitutes a regulated “sale” or “sharing” turns on the role of the recipient and the contractual and technical constraints imposed on downstream use. Where an email service provider uses tracking technology-derived data solely to provide services to the sender without independently retaining, using, or repurposing that data for its own advertising purposes, the arrangement is more likely to qualify as a restricted “service provider” relationship. By contrast, if engagement data is made available to advertising networks or analytics partners for their own or joint advertising purposes, the disclosure may qualify as a “sale” or “sharing,” triggering notice and opt-out obligations. Regulators increasingly look beyond contract language to examine how data actually moves between systems, how it is combined with other identifiers, and how it is used in practice.

Recent enforcement activity in California highlights the regulatory focus. A 2026 CCPA settlement emphasized that opt-out mechanisms must be effective in practice, including across linked accounts, devices and services where personal information is used for cross-context behavioral advertising. The settlement also reinforces expectations around clear and conspicuous “Do Not Sell or Share” mechanisms, recognition of browser-based opt-out signals (such as Global Privacy Control), and user-interface design that does not fragment or undermine consumer choice.

Although that matter did not concern email-tracking pixels specifically, its implications are directly relevant where tracking technology-derived engagement data is combined with other identifiers and disclosed to advertising or analytics partners. If such disclosures qualify as “sharing” for cross-context behavioral advertising, businesses must ensure that opt-out rights are implemented comprehensively—not merely at device level, but across associated profiles and systems.

While regulators have not taken email-based tracking technology-specific action, the Federal Trade Commission has pursued significant cases against companies (particularly in the health sector) for sharing sensitive data via tracking technologies without adequate transparency or consent. This underscores the broader regulatory risk associated with opaque tracking practices, especially where sensitive categories of data are involved.

How One Uses Engagement Data Makes a Difference
Not all uses of email engagement data carry the same risk. Two common patterns are worth distinguishing:

a) Aggregated reporting
Many organizations use tracking technologies simply to generate high-level statistics such as overall open rates for a campaign or the relative popularity of links. Where the data is aggregated or truly anonymized, and not used to make decisions about specific individuals, there is a stronger argument that the intrusion into privacy is limited.

Some regulators have hinted that this kind of use may be treated more leniently, particularly if the metrics cannot reasonably be traced back to identifiable recipients. Nevertheless, transparency remains important, and it would be prudent to describe this kind of analytics in a privacy policy even where separate consent is not collected.

b) Segmentation and follow-up actions
The risk profile changes where engagement data is used to build profiles, segment audiences or drive follow-up communications at individual level. Examples include:

• • resending emails only to those who did not open a previous message;
  • targeting offers based on which links a particular recipient clicked; or
  • combining tracking technology-derived data with other systems to build behavioral profiles.

These activities clearly involve personal data processing and, in many jurisdictions, are more likely to require explicit, prior consent under ePrivacy-type rules, as well as enhanced transparency. They will also attract greater scrutiny if regulators begin to look closely at email-tracking practices.

A practical way to think about this is that transparency alone may be more defensible for limited, aggregated analytics, whereas individual-level targeting based on tracking technology-derived data sits at the higher-expectation, higher-risk end of the spectrum.

Practical Approaches to Compliance
There is no single model that works for every organization. Technical constraints, risk appetite, audience type and geography all play a role. In broad terms, organizations tend to converge around three approaches when thinking about consent.

a) Separate consent for tracking technologies
Under this approach, subscription or sign-up flows include a distinct consent mechanism for tracking technologies, separate from the consent to receive marketing emails. This is the approach that most closely matches the strict reading of ePrivacy and some of the emerging thinking of European regulators.

In theory, it offers strong legal defensibility and a clear audit trail. In practice, it can be challenging where, for instance, the email service provider’s platform does not allow pixels to be disabled for particular recipients. If a user agrees to marketing but withholds consent to tracking technologies, it may be difficult or impossible to honor that choice without suppressing emails entirely. Withdrawal of consent can also be hard to operationalize unless the technology stack is built with that in mind, particularly where consent is withdrawn only after tracked emails have been sent.

This model tends to suit organizations that are willing to invest in bespoke email infrastructure or that operate in sectors where regulatory expectations and reputational sensitivities are especially high.

b) Bundled consent to online tracking technology that includes website and mobile application and emails
Another option is to obtain a single, combined consent that covers both marketing emails and associated tracking technologies. This can be presented clearly on the sign-up or subscription form, supported by straightforward explanations in privacy notices and the emails themselves.

From a user-experience perspective, this can feel more honest than offering a choice that cannot truly be honored. It may be seen as a pragmatic compromise where the use of tracking technologies is technically unavoidable, provided that the language used is transparent about what is happening and why.

However, this is not perfectly aligned with the strict interpretation of separate, unbundled consent for distinct purposes, and organizations adopting this approach should understand that it sits in a gray area between letter-of-the-law compliance and operational reality.

c) Transparency-led approach without explicit tracking technology consent
A third approach is to rely on transparency without seeking specific consent to tracking technologies. Under this model, organizations:

• • acknowledge the use of tracking pixels in their privacy statement and, where appropriate, in cookie notices;
  • include concise explanations in email footers describing what is collected and how it is used; and
  • may suggest that recipients who prefer not to be tracked can disable images or take other steps in their email client.

This is the easiest option to implement, particularly where email platforms do not support fine-grained control and where the use of tracking technologies is limited to relatively low-risk analytics. It also aligns with what many recipients already experience in the market.

The trade-off is that this approach does not strictly meet ePrivacy and PECR requirements for prior consent to tracking technologies, and it may become more difficult to justify if regulators begin to focus actively on these email-tracking technologies. Organizations pursuing this path should view it as a risk-managed position rather than full compliance, monitor regulatory developments, and be prepared to adjust course.

Key Takeaways
Organizations deploying email marketing should not assume compliance by default, but should proactively verify how tracking technologies are deployed and what data they capture.

Where technical limitations exist within an email service provider’s systems, organizations will need to consider a risk-based approach to consent mechanisms and transparency, while factoring in jurisdiction-specific risks.

While email-tracking technology may indeed be invisible, from a regulatory and litigation standpoint they are anything but.

The post Email-Tracking Technology: Emerging Compliance Expectations in the U.S., EU and Beyond appeared first on Consumer Protection Dispatch.

This development comes as the FTC seeks to balance its mandate to protect children’s privacy online with the growing recognition that age verification technologies are, in the words of FTC Bureau of Consumer Protection Director Christopher Mufarrige, “some of the most child-protective technologies to emerge in decades.”

Background: The COPPA-Age Verification Tension
Since COPPA was enacted in 1998, there has been an explosion in the use of internet-connected technologies by children. In response to growing concerns about children’s online safety, several states have begun requiring websites and online services to use age verification mechanisms to determine the age of users.

However, as noted at the FTC’s recent workshop on age verification technologies held in January 2026, some age verification mechanisms require the collection of personal information from children, prompting questions about whether such activities could violate the COPPA Rule. This created a somewhat paradoxical situation: The very technologies designed to protect children online could themselves trigger COPPA compliance obligations.

The FTC has now sought to resolve this tension through its new policy statement, designed to “incentivize operators to use these innovative tools, empowering parents to protect their children online.”

Key Conditions for Enforcement Discretion
The policy statement applies to operators of general audience sites and services, as well as mixed audience sites and services (those directed to children, but which do not target children as their primary audience). Under the policy, the FTC will exercise enforcement discretion where operators collect personal information for age verification purposes without first obtaining verifiable parental consent, provided they comply with six key conditions:

1. Purpose limitation: The operator does not use or disclose information collected for age verification purposes for any other purpose.
2. Third-party safeguards: The operator discloses information collected for age verification purposes only to third parties that the operator has taken reasonable steps to determine are capable of maintaining the confidentiality, security and integrity of the information, including by obtaining written assurances from those third parties.
3. Retention limitation: The operator does not retain the information longer than necessary to fulfill the age verification purposes, and deletes such information promptly thereafter.
4. Notice: The operator provides clear notice to parents and children of the information collected for age verification purposes in its privacy policy.
5. Security: The operator employs reasonable security safeguards for information collected for age verification purposes.
6. Accuracy: The operator takes reasonable steps to determine that any product, service, method or third party utilized for age verification purposes is likely to provide reasonably accurate results as to the user’s age.

Critically, the FTC will not exercise its enforcement discretion unless the operator is complying with the COPPA Rule’s requirements in every other respect with regard to personal information collected from children.

Context: The January 2026 Workshop
This policy statement follows the FTC’s workshop on age verification technologies held on January 28, 2026. The workshop examined the interplay between COPPA enforcement and developments in age verification technology, with FTC Chairman Andrew Ferguson emphasizing that “COPPA enforcement is and will remain a top priority of the Trump-Vance FTC.”

The workshop featured extensive discussion of various age verification methods, from facial age estimation and government ID verification to emerging approaches such as behavioral analysis and reusable age credentials. Panelists highlighted both the promise and challenges of these technologies, including privacy concerns, accuracy limitations, and the need for robust data protection safeguards.

A key theme emerging from the workshop was the importance of “double-blind” architectures, where an external service verifies age without knowing which website the data is intended for, and the website confirms age status without learning the user’s identity. Such approaches help ensure that neither party obtains a complete picture of the user’s identity and activities.

Broader Regulatory Context
The policy statement arrives amid a rapidly evolving regulatory landscape. Multiple U.S. states have enacted laws requiring age verification for access to certain online content, with requirements varying significantly in their scope, threshold ages and acceptable verification methods. Similar requirements exist internationally, including the UK’s Age Appropriate Design Code and Online Safety Act, and Australia’s recent social media age verification requirements.

The FTC has indicated that it intends to initiate a review of the COPPA Rule to address age verification mechanisms more formally. The policy statement will remain effective until the FTC publishes final rule amendments on this issue in the Federal Register, or until otherwise withdrawn.

Practical Implications
For operators of general audience and mixed-audience sites and services, this policy statement provides welcome clarity and reduces the legal risk associated with deploying age verification technologies. Operators can now implement these technologies with greater confidence, provided they adhere to the six conditions set out in the statement.

However, several practical considerations remain. Operators should carefully document their compliance with each condition, particularly around third-party due diligence, data retention policies, and accuracy assessments. Privacy policies should be updated to clearly disclose the information collected for age verification purposes.

It is also worth noting that this policy statement does not modify the FTC’s position regarding child-directed sites and services that are primarily directed to children, which must continue to treat all users as children and provide COPPA Rule protections to all users.

Conclusion
The FTC’s policy statement represents a pragmatic response to a genuine regulatory challenge. By providing enforcement discretion for operators using age verification technologies in good faith, the FTC has sought to remove a potential barrier to the adoption of technologies that can enhance children’s online safety.

As Chairman Ferguson observed at the January workshop, “COPPA, a statute designed to empower parents and protect children online, should not be an impediment to the most child protective technology to emerge in decades.” This policy statement reflects that principle whilst maintaining the fundamental protections that COPPA provides.

The FTC voted 2-0 to issue the policy statement.

The post FTC Issues COPPA Policy Statement to Encourage Age Verification Technologies appeared first on Consumer Protection Dispatch.

Who Are Data Brokers
Data brokers are companies that collect and sell personal information without directly interacting with consumers, and they must register with the CPPA and integrate with the DROP system. Data brokers often obtain your email, phone number, browsing history, or location data, and make inferences about your interests or characteristics from this data.

How the System Works for Consumers
The DROP System aims to make it much easier for Californians to exercise their right to delete their personal information. Through a secure online portal, users will be able to verify their California residency, choose which data brokers to contact, and track their requests using a unique DROP ID. The system will ask California residents to provide information about themselves such as their name, date of birth, phone number, and email address, in addition to device identifiers such as Mobile Advertising IDs (MAIDs). The more identifiers you provide, the more likely a data broker will be able to match your information to data in their system and delete your data. To protect user information, the DROP System will use multi-factor authentication and encrypted (hashed) data transmission.

Implementation Timeline

• January 1, 2026 – DROP System opens to California residents.
• August 1, 2026 – Data brokers begin processing deletion requests every 45 days.

Data Broker Response Requirements
When a broker receives a request, they must delete the consumer’s entire record if any identifier matches their records. When processing a deletion request, data brokers must assign one of four standardized response statuses. A request marked “Deleted” means the consumer’s non-exempt personal information has been fully removed. “Exempt” indicates that certain data cannot legally be deleted, and the broker must explain why. “Opted Out” applies when full deletion isn’t possible, but the consumer information is blocked from being sold or shared in the future. Finally, “Record Not Found” means the broker couldn’t locate any data matching the identifiers submitted in the request.

Data Broker Obligations
Data brokers will face several new compliance requirements, including:

• Annual registration with the CPPA, including a $6,000 fee.
• Completion of deletion requests within 45 days of receipt.
• Maintenance of suppression lists to prevent re-collection or resale of deleted data.
• Audit trail creation documenting each deletion response.
• Reporting of data sales to specified entities, including foreign actors, AI developers and federal government agencies.

Enforcement and Penalties
To ensure compliance, the CPPA will impose penalties of $200 per day per consumer for noncompliance. Beginning in 2028, data brokers will also undergo independent audits, and consumers will have access to a formal complaint process for unresolved or disputed deletion requests.

The post A New Era of Data Deletion: Inside California’s DROP System appeared first on Consumer Protection Dispatch.

In “DOJ Releases Its Data Security Program Compliance Guide,” colleagues Tony Phillips, Shruti Bhutani Arora, Sahar J. Hafeez, Christine Mastromonaco, Leighton Watson and Sheetal Misra discuss the key components of the DSP and offer thoughts about compliance.

The post The Data Security Program Compliance Guide Is Released by the DOJ appeared first on Consumer Protection Dispatch.

On Monday, Apple announced its largest-ever spend commitment: $500 billion in the U.S. over the next four years, covering investments in manufacturing, education, and training for technologies like artificial intelligence and chip making. This includes:

• Launching a state-of-the-art, 250,000-square-foot AI facility in Houston, focused on building servers—previously manufactured outside of the U.S.—that that can handle AI compute.
• Servers that are expected to reduce the energy demands of Apple’s data centers (which Apple notes already run on 100 percent renewable energy).
• Expanding existing data center capacity in North Carolina, Iowa, Oregon, Arizona and Nevada.
• Doubling its U.S. Advanced Manufacturing Fund from $5 billion to $10 billion to boost high-skilled manufacturing jobs in the United States. This includes a multibillion-dollar commitment to produce advanced silicon at TSMC’s Fab 21 in Arizona—where Apple, as the largest customer, recently began mass chip production. With its suppliers operating in 24 factories across 12 states, Apple expects this initiative to create thousands of jobs while driving cutting-edge manufacturing for Apple devices.
• Hiring approximately 20,000 people focused on R&D, silicon engineering, software development, and AI and machine learning.
• Opening an “Apple Manufacturing Academy” in Detroit, Mich., where Apple engineers and other experts will consult with businesses on AI and smart manufacturing techniques.
• Expanding investments in education and workforce development through grants to organizations like 4‑H and Boys & Girls Clubs of America and the launch of new initiatives, such as the New Silicon Initiative—collaborating with leading universities like Georgia Tech and UCLA—to prepare students for careers in hardware engineering and silicon chip design.

Key Takeaway and Considerations for AI and Data Center Stakeholders
Apple’s $500 billion U.S. spend commitment mirrors similar investments by industry giants like SoftBank, Oracle and OpenAI, highlighting a sweeping push toward domestic production and enhanced U.S. data center capabilities.

These transformative investments continue to raise a host of legal and commercial issues. Companies using, procuring, producing, or powering AI products and data center space will need to carefully navigate those considerations.

RELATED ARTICLES

Data Centers: A Field Guide

Anatomy of a Data Center

The post Apple’s $500B U.S. Manufacturing Push and New AI Server Facility in Houston: What It Means for Data Centers appeared first on Consumer Protection Dispatch.

One key area in which the OSA goes further is in relation to the obligations on service providers to undertake specific assessments in relation to their services. The first of these assessments (the illegal content risk assessment—discussed in more detail below) must be completed by all in-scope services by March 16, 2025.

For more information on the developing regulatory landscape relating to “online safety” in the UK, EU and U.S., please view our earlier webinar.

OSA—Who Is in Scope?

• Services in scope. The OSA applies to providers of user-to-user (U2U) services and search services:
  • U2U services: internet services through which content that is generated, uploaded, or shared by other users may be encountered by other users of the service. This could cover social media platforms, photo or video sharing platforms, chat and instant messaging services, blogs, online games, online dating platforms, online marketplaces, etc., including where such services are available through a web browser or mobile application.
  • Search services: internet services that consist of, or include, the functionality for users to search multiple websites or databases (including services through which a user could in principle search all websites or databases). This could cover conventional search engines, reverse image lookups, content aggregators that allow users to search through multiple databases, AI-powered search engines, etc.

Certain services are then subject to additional obligations, such as U2U or search services that publish pornographic content or that meet certain threshold conditions, based on the number of UK users and certain features of the service (“Categorised Services”).

• Content in scope. The OSA defines “content” as anything communicated by means of an internet service, whether publicly or privately, including written material or messages, oral communications, photographs, videos, visual images, music and data of any description. The OSA envisages several different categories of content:
  • Illegal content: content that amounts to a relevant offense, i.e., a priority offense (such as offenses related to terrorism or child sexual exploitation or abuse (CSEA)) or another, non-priority, offense (such as cyberflashing, content that encourages or assists with self-harm, or threatening communications).
  • Content that is harmful to children: content that may not amount to illegal content but that should be hidden from children. This is further grouped into primary priority content that is harmful to children (such as pornographic, suicide, self-harm or eating disorder content), priority content that is harmful to children (such as abuse, hate, bullying or violent content, or content which encourages the consumption of harmful substances or the undertaking of dangerous stunts or challenges), and non-designated harmful content which otherwise presents a material risk of significant harm to an appreciable number of children in the UK.

Categorised Services are also subject to obligations relating to additional content categories, such as fraudulent adverts, content of democratic importance, and content that adults may wish to avoid encountering on a service (e.g., abusive content or content that encourages suicide or self-harm).

• Territorial jurisdiction: Given the cross-border nature of the internet, the OSA’s territorial application extends beyond services based in the UK. The OSA applies to any service that “has links with the United Kingdom.” This criteria will be met where: (i) the service has a significant number of UK users; (ii) the UK forms one of the target markets for the service; or (iii) the service is capable of being used in the UK and there are reasonable grounds to believe there is a material risk of significant harm to individuals in the UK presented by content on the service.

What Are the Main Assessment Duties?

1. Illegal Content Risk Assessment. The first assessment that must be undertaken is an illegal content risk assessment. This is designed to improve a service provider’s understanding of how risks of different kinds of illegal harms could arise on the service and what safety measures should be implemented to protect users. Illegal content risk assessments must be of a “suitable and sufficient” standard. Ofcom (the UK regulatory body with responsibility for the OSA) has published guidance on how to carry out an illegal content risk assessment, which sets out a four-step process: (i) understand the kinds of illegal content that needs to be assessed; (ii) assess the risk of harm; (iii) decide measures, implement and record; and (iv) report, review and update. All in-scope services must complete an illegal content risk assessment by March 16, 2025.
2. Children’s Access Assessment. In-scope services must also undertake a children’s access assessment to understand to what extent the service is “likely to be accessed by children” (meaning anyone under the age of 18). Where the assessment determines that a service is likely to be accessed by children, this triggers additional child protection duties (which may not apply if the children’s access assessment determines that the services is not likely to be accessed by children). Importantly, if a children’s access assessment is not completed, the service will be subject to the additional child protection duties in any event. All in-scope service must complete a children’s access assessment by April 16, 2025.
3. Children’s Risk Assessment. If a service is considered “likely to be accessed by children” then service providers must undertake a children’s risk assessment, which is separate and in addition to the overarching illegal content risk assessment. The children’s risk assessment must assess the risks that exist specifically in relation to children on the service, taking into account any measures the service already has in place to protect children. Ofcom is currently consulting on guidance relating to the children’s risk assessment. Once this guidance has been finalized (expected in April 2025) service providers will have three months to complete the requisite assessment.
4. User Empowerment Risk Assessment. Certain Categorised Services may also need to complete an adult user empowerment assessment, to understand its user base, the likelihood of adult users encountering specific content that they may wish to avoid, and the impact that the service (including its design and operation) may have in relation to adults encountering such content and the impact that this may have. Ofcom will publish more details on this once it has finalized the thresholds to determine which services will be Categorised Services under the OSA.

Records must be maintained of all assessments carried out, including the process followed and the findings. Failure to complete an assessment where required under the act is an automatic breach, which could result in enforcement action and a civil penalty of up to 10% of revenue or £18m (whichever is greater).

Additional Obligations
A core focus of the OSA is on “systems and processes”—Ofcom will regulate the measures taken by service providers to mitigate the risks identified in their assessments, ensuring that these measures are proportionate, as opposed to regulating individual pieces of content appearing on the services.

Service providers will also be expected to have in place content reporting and complaints procedures, and clear and accessible terms of service which address specific areas identified in the OSA (e.g., specifying how individuals are to be protected from illegal content).

Next Steps
Companies operating U2U or search services should consider to what extent they may be subject to the OSA (e.g., by analyzing any links they may have to the UK). Where a service is in scope, the priority action item would be to complete the illegal content risk assessment by the March 16, 2025, deadline.

Related  Articles

New EU Rule Requires Easy “Cancel Contract” Button for Online Sales

EU AI Act: First Set of Requirements Go into Effect February 2, 2025

The post UK Online Safety Act: New Obligations for Digital Service Providers Targeting the UK appeared first on Consumer Protection Dispatch.

In California’s AI Laws Are Here—Is Your Business Ready?, Christine Mastromonaco, Shruti Bhutani Arora, Andrew Caplan, Erin Choo, Mia Rendar, Leighton Watson, Anne M. Voigts, Shani Rivaux, Johnna Purcell and Dayo Feyisayo Ajanaku provide a detailed look at the enacted legislation, addresses compliance timelines and serves as a guide for businesses as they navigate compliance with California’s evolving AI landscape.

The post California’s Significant AI laws Go into Effect appeared first on Consumer Protection Dispatch.

Prohibited AI Practices from February 2, 2025
Article 5 prohibits the use of specific AI practices deemed harmful or inconsistent with EU values. The restricted practices are:

1. Manipulative AI: AI systems using subliminal or deceptive techniques to distort an individual’s decision-making and causing significant harm.
2. Exploitative AI: Exploitation of vulnerabilities of individuals or groups (e.g., due to age, disability or socio-economic status) to materially distort behavior and causing harm.
3. Social Scoring: AI systems evaluating individuals or groups over time based on social behavior, resulting in discriminatory or detrimental outcomes.
4. Predictive Policing: AI systems assessing individuals’ risks of criminal behavior through profiling or personality traits.
5. Facial Recognition Databases: The creation or expansion of facial recognition databases through untargeted scraping of the internet or CCTV footage.
6. Emotion Inference: AI systems inferring emotions of individuals in workplaces or educational institutions, except for narrowly defined medical or safety purposes. (The scope of this prohibition is subject to particular debate.)
7. Biometric Categorization: Using biometric data to deduce sensitive attributes such as race, political opinion or sexual orientation, except for certain law enforcement purposes.
8. Real-Time Biometric Identification: Public-space deployment of real-time remote biometric identification systems for law enforcement, subject to narrowly defined exceptions (e.g., targeted searches for missing persons).

Violating these prohibitions can result in substantial penalties under Article 99(3): i.e., fines of up to €35 million or 7% of global annual turnover, whichever is higher.

Mandatory AI Literacy
Also taking effect on February 2, 2025, is the obligation under Article 4 for providers and deployers of AI systems to ensure sufficient “AI literacy” among their staff and operators. Key aspects of the AI literacy obligation are as follows:

• “AI literacy” is defined as the ability to make informed decisions regarding the deployment and risks of AI systems, as well as understanding the potential harms AI can cause.
• Providers and deployers of AI systems must ensure individuals involved in the operation or use of AI systems have sufficient skills, knowledge and understanding to handle the systems responsibly.
• Training must be tailored to the technical expertise of the staff, the context of the AI systems’ deployment, and the characteristics of the individuals or groups impacted by the AI systems.

While the Act is silent on specific penalties for non-compliance with Article 4, in all likelihood, regulators may consider insufficient training as an aggravating factor when determining penalties for other violations under the Act.

Remaining Implementation Timeline
To recap, beyond February 2025, additional obligations under the Act will come into force as follows:

• August 2, 2025: Obligations for providers of general-purpose AI (GPAI) models take effect.
• August 2, 2026: Remaining obligations for providers and deployers of AI systems take effect.
• August 2, 2027: Obligations for AI systems that are safety components of products subject to third-party conformity assessments under existing EU regulations take effect.

Other Recent Developments

General-Purpose AI Code of Practice
The European Commission published the first draft of the General-Purpose AI Code of Practice on November 14, 2024. The Code, once finalized by May 2025, will provide practical guidance to seek to help providers of GPAI models comply with the Act. Compliance with the Code will be mandatory by August 2025. A draft can be accessed here.

Key highlights of the Code include the following:

• It encourages privacy-preserving techniques such as differential privacy and robust data selection.
• It emphasizes the need for strong governance, adversarial testing and transparency in AI model development.
• It stresses the importance of minimizing risks of personal data being revealed through model outputs.

Recent EDPB Guidance on AI and GDPR
On December 18, 2024, the European Data Protection Board (EDPB) issued Opinion 28/2024, which addresses data protection considerations in the context of AI models. The opinion offers practical guidance on determining whether AI models trained on personal data constitute personal data under GDPR and establishing the legal basis for processing personal data during the development and deployment of AI models. It also provides guidance on managing the consequences of unlawful processing during AI model development.

With respect to the first point—whether an AI model trained on personal data can itself be considered personal data under the GDPR—the EDPB states that AI models trained on personal data must be assessed on a case-by-case basis, applying specific criteria.

To argue that a model is anonymous (and therefore not, itself, personal data), providers must demonstrate, using reasonable means, that personal data related to the training data cannot be extracted from the model and that any output produced when querying the model does not relate to a data subject whose personal data was used to train the model.

The EDPB offers some practical guidance for developers seeking to support anonymization in AI models. While achieving full anonymization may often be unattainable, these measures could well set a regulatory benchmark for responsible AI development in accordance with fundamental GDPR principles.

Key recommendations include:

• Careful Data Selection: Limit personal data collection by carefully choosing training data sources.
• Data Preparation: Employ processes such as anonymization, pseudonymization, data minimization, and filtering to reduce personal data processing.
• Robust Training Methods: Use methodologies prioritizing generalization over memorization, while incorporating privacy-preserving techniques like differential privacy where feasible.
• Output Safeguards: Implement measures to minimize the risk of revealing personal data through model outputs.
• Governance and Audits: Ensure strong governance with audits to verify privacy measures’ effectiveness.
• Testing for Resistance: Conduct adversarial testing to evaluate the model’s resilience against attempts to extract personal data, such as membership inference or model inversion.
• Comprehensive Documentation: Maintain GDPR-compliant documentation, including Data Protection Impact Assessments (DPIAs) and advice from Data Protection Officers (DPOs).

Key Takeaways
In light of these latest developments, businesses developing or deploying AI systems or models should:

• Review Prohibited AI Use Cases: Conduct an audit of existing and proposed AI systems and projects to ensure compliance with Article 5 prohibitions.
• Implement AI Literacy Training: Develop and roll out comprehensive training programs to meet Article 4 requirements.
• Prepare for Future Obligations: Stay ahead of upcoming deadlines, including obligations on GPAI models and high-risk AI systems.
• Engage with Providers and Developers: Deployers of AI systems should consider raising questions with providers or developers about the steps they are taking to ensure AI models are anonymized, in light of the EDPB opinion. Additionally, it is important to ensure AI procurement terms address the risks posed by the Act and existing legislation such as the GDPR, particularly where models, systems, or outputs will be used within the EU.
• Monitor Regulatory Updates: Follow developments related to the General-Purpose AI Code of Practice and guidance from EU regulators such as the EDPB.

The Act represents a seismic shift in the regulation of AI systems in Europe, with wide-reaching implications for providers and deployers alike. With the first obligations taking effect in February 2025, organizations should act now to ensure compliance and mitigate risks.

The EU Accessibility Act – Impact on Those Doing Business in the EU

The post EU AI Act: First Set of Requirements Go into Effect February 2, 2025 appeared first on Consumer Protection Dispatch.

Key Takeaways from the Decisions

• Excessive data retention: Both companies stored customer data for six years after the end of the commercial relationship, mainly for marketing purposes. CNIL found this retention period to be excessive, recommending a maximum retention period of three years. Telemaque, in particular, failed to implement any restrictions on access to the data, keeping it in active databases without sorting or limiting access over this six-year period.
• Processing sensitive data without explicit consent: Both companies processed sensitive personal data—such as sexual orientation and health information—during clairvoyance consultations without obtaining explicit consent. CNIL emphasized that merely using the service does not meet the GDPR’s requirement for explicit consent when processing special categories of data.
• Unlawful marketing communications: The companies sent marketing communications via email and SMS without obtaining valid consent. The forms used to collect customer data did not clearly inform users that their data could be shared for marketing purposes by both Cosmospace and Telemaque, resulting in a breach of consent requirements.
• Recording of calls: Cosmospace recorded all customer calls for several purposes: (i) to monitor service quality and for employee training, (ii) to demonstrate that contracts had been concluded and properly executed, (iii) to respond to legal requests, and (iv) for safeguarding purposes. However, the CNIL found that these justifications did not warrant the systematic recording of all calls. Instead, CNIL recommended that a sample of calls could be recorded for quality monitoring and training, and only the portions of calls directly relevant to contract conclusions should be retained. Additionally, recordings could be manually triggered by employees in situations involving distress or safeguarding concerns. CNIL found that recording all calls in this manner breached the GDPR’s data minimization principle.

Next steps for consumer-facing businesses
These decisions are particularly relevant for any consumer-facing businesses operating in the EU or UK, especially those with operations in France. It’s a timely reminder to review current practices regarding:

• Marketing consents: Ensure that proper consent is obtained before sending marketing communications, and that consumers are fully informed about how their data will be used.
• Processing of sensitive data: Review consent mechanisms for any data collection activities involving special categories of personal data, such as health or sexual orientation, to ensure compliance with GDPR.
• Data retention: Assess your data retention policies, particularly for marketing purposes, to ensure personal data is not held longer than necessary and that appropriate restrictions on access and use are in place.

This is an opportunity to reassess compliance frameworks, particularly in light of guidance from EU supervisory authorities.

The post GDPR Enforcement: Lessons from Recent Data Privacy Penalties appeared first on Consumer Protection Dispatch.

Here’s a breakdown of the substantive agenda:

Discussion and Possible Action on Proposed Regulations, Sections 7600-7605, Implementing Data Broker Registration Requirements, Including Possible Adoption or Modification of the Text
In 2023, Senate Bill 362 (Chapter 709, Statutes of 2023), known as the Delete Act, was signed into law, which transferred the responsibility for the new data broker registry from the Attorney General to the California Privacy Protection Agency, beginning January 1, 2024.

In the memo provided to the CPPA board, the Agency administered the registry for the first time this year and over 500 data brokers have registered.  The proposed regulations largely memorialize the Agency’s existing practices related to the data broker registry, but also clarify key terms, concepts and procedures.

The memo also states that the accessible deletion mechanism will be addressed in a separate rulemaking package.

Further, the memo recaps that during the May 10, 2024, board meeting, the California Privacy Protection Agency Board voted to move the proposed regulations to formal rulemaking. Since that time, the Agency has completed the public comment period—which ran from July 5 to August 20—and held a hearing regarding the proposed regulations on the final day.

The memo states that the Agency received three oral and 18 written comment submissions from a total of 24 distinct entities, including data brokers, consumers, public interest groups, think tanks, law firms, political organizations, and private sector companies. These submissions resulted in 138 unique comments for the Agency to respond to, and the responses to all the comments are in the draft Final Statement of Reasons (FSOR).

Board Update Regarding Development and Implementation of the Delete Request and Opt-Out Platform (DROP) and Associated Fees, Pursuant to SB 362.
The CPPA will present the key takeaways from public engagement regarding DROP, which are included in the meeting materials and are listed below.

• Key identifiers used to identify a consumer record: full name, email, phone, DOB, Mobile Advertising ID (MAID);
• API preferred over SFTP or email;
• Dedicated help center;
• Broad range of identity verification practices, including no verification, email only, government identification, among others.
• Maintain a suppression list

The DROP Privacy Overview in accordance with Cal. Civ. Code§ 1798.99.86(b)(2), includes,

• Separate deletion requests into four lists by identifiers
  • Phone
  • Email
  • Full name, date of birth, address
  • Pseudonymous IDs (such as MAID)
• One-way hash of all data
• Data minimization practices

Next steps for DROP system:

• Finalize Stage 2 artifacts
• Procurement Select vendor
• System construction
• DROP regulations
• System testing
• System launch (2026)
• Public awareness campaign
• User education

Discussion and Possible Action to Advance Draft Regulations to Formal Rulemaking for Updates to Existing Regulations, Insurance, Cybersecurity Audits, Risk Assessments, and Automated Decisionmaking Technology
The Agency has drafted proposed regulations that do the following: (1) update existing CCPA regulations; (2) clarify when insurance companies must comply with the CCPA; (3) operationalize requirements to complete an annual cybersecurity audit; (4) operationalize requirements to conduct a risk assessment; and (5) operationalize consumers’ rights to access and to opt out of businesses’ use of automated decisionmaking technology (ADMT).

As provided in the memo to the CPPA board by the CPPA staff, these proposed regulations are accompanied by an Initial Statement of Reasons (ISOR) that describes the purpose and necessity of the proposed regulations. The proposed regulations and ISOR have been modified since the July 2024 board meeting to do the following:  (1) remove proposed section 7005, which addressed the consumer price index increase, because this was addressed via legislation (AB 3286, statutes of 2024); (2) detail the proposed regulations’ benefits; (3) incorporate the Standardized Regulatory Impact Assessment and address statewide economic impacts; (4) address regulatory alternatives; (5) list the materials relied upon; and (6) make nonsubstantial grammatical changes, such as updating cross-references and updating citations to the CCPA.

As mentioned in the memo, the CPPA staff will recommend the Board advance the proposed regulations to formal rulemaking, which will provide the public with a formal opportunity to provide written and oral comments to the Agency on the proposed regulations. After receiving public comments, the Board will have additional opportunities to discuss, and potentially update, the proposed regulations.  

Future Rulemaking Plans
We also expect the CPPA to address its plans for future rulemaking efforts regarding cybersecurity audits, risk assessments and automated decision-making technology.

You can review the full agenda here. Additional materials for the meeting, including the CPPA’s Initial Statement of Reasons for Data Broker Regulations, can be accessed here.

Stay tuned for further updates following the meeting.

The post CPPA Continues Rulemaking on AI, the New Delete Request and Opt-Out Platform (DROP), Cybersecurity Audits and Privacy Risk Assessments appeared first on Consumer Protection Dispatch.