Data Protection

On 14 July 2025, the European Commission published its final guidelines on the protection of minors under the Digital Services Act (“DSA”) (the “Guidelines”). The Guidelines are intended to provide guidance to providers of online platforms that are “accessible to minors” on meeting their obligations to “put in place appropriate and proportionate measures to ensure a high level of privacy, safety, and security of minors, on their service” (DSA, Art. 28(1)).

The European Commission published a draft version of the guidelines for consultation on 13 May 2025 (“Draft Guidelines”) (see our blog post here). The final Guidelines include some amendments to the Draft Guidelines on the basis of the feedback received during consultation, clarifying and building out further the recommended measures.

Although the Guidelines are non-binding, the Commission has made clear that it intends to use the Guidelines as a “significant and meaningful” benchmark when assessing in-scope providers’ compliance with Article 28(1) DSA.

Continue Reading European Commission Makes New Announcements on the Protection of Minors Under the Digital Services Act

On July 4, 2025, a non-paper from the Danish government signaled an intention to propose a targeted revision of the GDPR and the ePrivacy Directive to reduce the compliance burden on companies and ensure their competitiveness.  Denmark recently assumed the Presidency of the Council of the European Union and will be in a privileged position to shape EU policymaking for the next six months.  Amending the GDPR forms part of the Danish presidency program.  During this period, the European Commission is also expected to publish a fitness check on EU digital legislation, along with a digital omnibus package (see our previous blog here).

Continue Reading Denmark Proposes GDPR and ePrivacy Directive Revision

On June 22, Texas Governor Greg Abbott (R) signed the Texas Responsible AI Governance Act (“TRAIGA”) (HB 149) into law.  The law, which takes effect on January 1, 2026, makes Texas the second state to enact comprehensive AI consumer protection legislation, following the 2024 enactment of the Colorado

Continue Reading Texas Enacts AI Consumer Protection Law

On 24 June 2025, the European Commission published its “roadmap” for ensuring lawful and effective access to data by law enforcement (“Roadmap”). The Roadmap forms a key part of the Commission’s internal security strategy, which was announced in April, and follows on from the November

Continue Reading European Commission publishes its plan to enable more effective law enforcement access to data

“Session replay” software is one of many website analytics tools targeted in wiretapping suits under the California Invasion of Privacy Act (“CIPA”).  Last month, a California federal court confirmed one of the many reasons why the use of this software does not violate CIPA section 631: A defendant cannot “read”

Continue Reading Court Grants Summary Judgment: Website Vendor Cannot Read “Session Replay” Data “In Transit” Under CIPA

Does a plaintiff’s use of a website constitute consent to a privacy policy linked in the website’s footer?  A Pennsylvania federal court answered yes in Popa v. Harriet Carter Gifts, Inc., 2025 WL 896938 (W.D. Pa. Mar. 24, 2025), granting summary judgment in favor of an online retailer (Harriet

Continue Reading Implied Consent to Privacy Policy in Webpage Footer Forecloses Website Wiretapping Claim

Many businesses use customer support software that may include call recording features to help ensure a better customer service experience.  A California federal court dismissed a wiretapping lawsuit filed against a software company offering this software tool (TalkDesk), holding that TalkDesk’s alleged recording of customers’ conversations with clothing retailers “is

Continue Reading Recording of Customer Service Call “Not Private or Personal Enough” to Confer Article III Standing

Executive Summary

  • Artificial intelligence (AI), social media, and instant messaging regulation will be a hot topic in Brazil in 2025, with substantial activity in Congress and the Supreme Court.
  • Cloud, cybersecurity, data centers, and data privacy are topics that could also see legislative or regulatory action throughout the year at different policymaking stages.
  • Technology companies will also be affected by horizontal and sector-specific tax policy-related measures, and Brazil’s digital policy might be impacted by U.S.-Brazil relations under the new Trump administration.

Analysis

2025 is shaping up to be a key year for digital policymaking in Brazil.  It is the last year for President Luiz Inácio Lula da Silva’s administration to pursue substantial policy change before the 2026 general elections.  It is also the first year for the new congressional leadership, in particular the new Speaker of the House and President of the Senate, to put their stamp on key legislation before their own reelection campaigns next year.

Existing Legal Framework: LGT, MCI and LGPD

Brazil’s current approach to digital policy is based on three key federal statutes.  The first one is the General Telecommunications Act of 1997 (“LGT”).  LGT established the rules for the country’s transition from a state-owned monopoly to a competitive, private sector-led telecommunications market.  It is the bedrock of Brazil’s digital economy infrastructure regulation as, among other aspects, it sets rules for radio spectrum and orbit uses.

The second key statute is the Civil Rights Framework for the Internet Act of 2014 (“MCI”).  MCI sets the principles, rights and obligations for internet use, including the net neutrality principle and a safe harbor clause protecting internet service providers from liability for user-generated content absent a court order to remove the content.  The statute also established the first layer of data privacy provisions as well as rules for the federal, state, and local governments’ internet-related policies and actions.

The third key federal statute is the General Personal Data Protection Act of 2018 (“LGPD”).  LGPD sets rules for the treatment of personal data by individuals, companies, state-owned and state-supported enterprises, and governments.  It slightly amends MCI and adds a more robust layer of data privacy protection.

Each statute has its own regulator, respectively the National Telecommunications Agency (“ANATEL”), Brazil’s Internet Management Committee (“CGI.br”), and the National Data Protection Authority (“ANPD”).

Hot Topics in 2025: AI, Social Media, and Instant Messaging

Two agenda items will likely dominate the policy debate in Brazil in 2025.  The first one is the creation of a new legal framework for AI.  After years of intense debate, the Senate approved its AI bill in December 2024.  The bill sets rights and obligations for developers, deployers, and distributors of AI systems, and takes a human rights, risk management, and transparency approach to regulating AI-related activity.  It also contains contentious provisions establishing AI-related copyright obligations.  In 2025, the House will likely debate and try to approve the bill, which is also a priority for the Lula administration.

Continue Reading Brazil’s Digital Policy in 2025: AI, Cloud, Cyber, Data Centers, and Social Media

The UK Information Commissioner’s Office (“ICO”) recently announced a new online tracking strategy, which aims to ensure a “fair and transparent online world where people are given meaningful control over how they are tracked online.”

Online advertising is one of the ICO’s current areas of strategic focus

Continue Reading ICO announces its online tracking strategy for 2025

A California federal judge has largely granted summary judgment in a data privacy lawsuit against Yodlee, Inc., finding that two of the five plaintiffs lacked Article III standing for all remaining claims and that the three other plaintiffs lacked Article III standing for—and failed to create genuine disputes of fact

Continue Reading California Federal Court Grants Summary Judgment on Most Claims in Data Privacy Case