The EU e-evidence Regulation and Directive, which establish a regime for law enforcement authorities (“LEAs”) in one Member State to issue legally-binding demands for data from certain types of providers established in other Member States, will come into effect on 18 August 2026 (our post on the specific requirements of the Regulation and Directive is available here). On 28 July 2025, the European Commission adopted an Implementing Regulation (“IR”) setting out the technical specifications for the decentralized communications system that LEAs and covered service providers must use when, among other things, issuing and responding to European Production Orders (“EPOs”) and European Preservation Orders (“EPrOs”) under the e-evidence Regulation.
Continue Reading European Commission adopts technical standards for the decentralized communication system to be used under the forthcoming e-evidence RegulationData Protection
FTC Takes Aim at Online Lead Generator
By Inside Global Tech on
In a new post on the Covington Inside Privacy blog, our colleagues provide an overview of the Federal Trade Commission’s (“FTC”) $45 million settlement with online lead generator MediaAlpha, Inc. and its subsidiary QuoteLab, LLC (collectively, “MediaAlpha”), resolving allegations that the companies, among other things, tricked consumers into sharing sensitive…
Continue Reading FTC Takes Aim at Online Lead GeneratorEU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third Parties
By Dan Cooper, Kristof Van Quathem & Laura Somaini on
Posted in Data Protection, EU Law and Regulatory
On September 4, 2025, the Court of Justice of the EU (“Court”) handed down its judgment in case EDPS v SRB C-413/23 P, setting aside the General Court of the European Union’s (“General Court”) judgment of April 26, 2023 in case SRB v EDPS T‑557/20. In particular, the Court clarified that whether pseudonymized data can be considered as personal data depends on the specific circumstances of the case, such as whether a third party to whom data is transferred by a data controller can reasonably identify the data subject.
We provide below an overview of the Court’s key findings.
Continue Reading EU Court of Justice Clarifies the Concept of Personal Data in the Context of a Transfer of Pseudonymized Data to Third PartiesCourt Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”
By Austin Riddick & Matthew Verdin on
Posted in Class Actions, Data Protection
After last year’s landmark ruling holding that the Massachusetts Wiretap Act does not prohibit businesses’ use of pixels to capture website browsing data, Massachusetts plaintiffs have shifted their focus to the federal Wiretap Act. The problem: unlike the Massachusetts Wiretap Act, its federal counterpart is a “one-party consent” law, meaning that a business’s consent to the use of the pixels is enough to preclude liability. Last month, a federal court held that a “crime-tort exception” to this consent exemption does not apply when website browsing data is collected for “commercial purposes or advantages.” Goulart v. Cape Cod Healthcare, Inc., 2025 WL 1745732 (D. Mass. June 24, 2025).
Continue Reading Court Clarifies Federal Wiretap Act’s Crime-Tort Exception: “Commercial Purposes” Are “Not the Stuff of Which a Crime-Tort Is Made”Italian Garante Adopts Statement on Health Data and AI
By Kristof Van Quathem on
On July 30, 2025, the Italian Data Protection Authority (“Garante”) released a statement addressing the risks of using AI to interpret medical data. In this statement, the Garante recognizes the growing trend of individuals uploading medical analyses, X-rays, and other reports onto generative artificial intelligence platforms to obtain interpretations and diagnoses. It warns users of these AI services to carefully evaluate the implications of sharing health-related data with AI providers and relying on automatically generated responses.
Continue Reading Italian Garante Adopts Statement on Health Data and AIEuropean Commission Makes New Announcements on the Protection of Minors Under the Digital Services Act
On 14 July 2025, the European Commission published its final guidelines on the protection of minors under the Digital Services Act (“DSA”) (the “Guidelines”). The Guidelines are intended to provide guidance to providers of online platforms that are “accessible to minors” on meeting their obligations to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service” (DSA, Art. 28(1)).
The European Commission published a draft version of the guidelines for consultation on 13 May 2025 (“Draft Guidelines”) (see our blog post here). The final Guidelines include some amendments to the Draft Guidelines on the basis of the feedback received during consultation, clarifying and building out further the recommended measures.
Although the Guidelines are non-binding, the Commission has made clear that it intends to use the Guidelines as a “significant and meaningful” benchmark when assessing in-scope providers’ compliance with Article 28(1) DSA.
Continue Reading European Commission Makes New Announcements on the Protection of Minors Under the Digital Services ActDenmark Proposes GDPR and ePrivacy Directive Revision
By Kristof Van Quathem & David Brazil on
Posted in Data Protection, EU Law and Regulatory
On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness. Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position to shape EU policymaking for the next six months. Amending the GDPR forms part of the Danish presidency program. During this period, the European Commission is also expected to publish a fitness check on EU digital legislation, along with a digital omnibus package (see our previous blog here).
Continue Reading Denmark Proposes GDPR and ePrivacy Directive RevisionTexas Enacts AI Consumer Protection Law
On June 22, Texas Governor Greg Abbott (R) signed the Texas Responsible AI Governance Act (“TRAIGA”) (HB 149) into law. The law, which takes effect on January 1, 2026, makes Texas the second state to enact comprehensive AI consumer protection legislation, following the 2024 enactment of the Colorado…
Continue Reading Texas Enacts AI Consumer Protection LawEuropean Commission publishes its plan to enable more effective law enforcement access to data
By Paul Maynard on
On 24 June 2025, the European Commission published its “roadmap” for ensuring lawful and effective access to data by law enforcement (“Roadmap”). The Roadmap forms a key part of the Commission’s internal security strategy, which was announced in April, and follows on from the November…
Continue Reading European Commission publishes its plan to enable more effective law enforcement access to dataCourt Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA
By Kathryn Cahoy & Matthew Verdin on
“Session replay” software is one of many website analytics tools targeted in wiretapping suits under the California Invasion of Privacy Act (“CIPA”). Last month, a California federal court confirmed one of the many reasons why the use of this software does not violate CIPA section 631: A defendant cannot “read”…
Continue Reading Court Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA