Privacy

On April 17, 2026, the Italian data protection authority (the “Garante”) published Provision No. 284 setting out guidelines on the use of “tracking pixels” in emails (the “Guidelines”). This publication closely follows the recommendation issued by the French data protection authority on the same topic, which is discussed in a separate blog post available here.

Tracking pixels are commonly used to measure email open rates and to enable marketing automation tools. Under Italian law, the use of tracking pixels generally requires the recipient’s prior consent, unless a specific exemption applies. In its Guidelines, the Garante provides practical examples to help organizations assess when consent is (and is not) required and clarifies the compliance obligations applicable to businesses relying on these technologies in email communications. This post summarizes the key takeaways.

Continue Reading Italian DPA Publishes Guidelines on Email Tracking Pixels

On April 14, 2026, the FTC announced three settlements and issued closing letters to two additional companies concerning “Made in America,” “Made in the USA,” and similar U.S.‑origin claims (collectively, “MUSA claims”).  These actions reflect the FTC’s continued focus on MUSA claims and, more broadly, the Trump administration’s focus on

Continue Reading FTC Sweep on “Made in the USA” Claims

On 31 March 2026, the UK’s Information Commissioner’s Office (“ICO”) launched a public consultation on draft updated guidance on automated decision-making (“ADM”), including profiling (“Draft Guidance”) and simultaneously published a report on the use of ADM in recruitment (“Recruitment Report”).

The Draft Guidance is the ICO’s first detailed interpretation of the Data (Use and Access) Act’s (“DUAA”) changes to the UK GDPR’s ADM provisions, and the accompanying Recruitment Report is a sector-specific signal of how the ICO expects those rules to operate in practice.

Continue Reading UK ICO Consults on Draft Automated Decision-Making Guidance and Sets Expectations for ADM in Recruitment

On April 15, 2026, the European Data Protection Board (EDPB) published draft Guidelines 1/2026 on the processing of personal data for scientific research purposes (Guidelines). The Guidelines are open for public consultation until 25 June 2026. They aim to clarify how the GDPR applies to academic, public‑sector, and commercial research, including research that relies on AI, large data sets, and the reuse of personal data. The Guidelines do not cover the application of other EU or Member State law regulating scientific research or the processing of genetic, biometric, or health data specifically.

Continue Reading New EDPB Guidelines on the Use of Personal Data in Scientific Research

On April 14, 2026, the Federal Trade Commission (“FTC” or “Commission”) announced an Advanced Notice of Proposed Rulemaking (“ANPRM”) seeking public comment on whether a new rule is needed to address fee practices by online food and grocery delivery platforms that may obscure total pricing or impede consumers’ ability to

Continue Reading FTC Seeks Comment by May 18 on Food Delivery Pricing and Fees

On April 1, 2026, the Seventh Circuit in Clay v. Union Pacific Railroad Company held that an amendment to the Illinois Biometric Information Privacy Act (BIPA), limiting damages to a per-person basis, applies retroactively to cases pending when the amendment was enacted in 2024. This decision limits the potential statutory damages plaintiffs may obtain for pending BIPA cases.

Continue Reading Seventh Circuit Holds that BIPA Amendment Applies Retroactively

(“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators.

Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

On 18 March 2026, the European Parliament’s Committee on the Internal Market and Consumer Protection (“IMCO”) and the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) adopted their joint negotiating position on the European Commission’s proposed Digital Omnibus on AI (which we previously analysed here). The position will now proceed to a plenary vote, expected on 26 March 2026. The Council of the EU had previously adopted its negotiating position on 13 March 2026. This sets up trilogue negotiations between the Parliament, Council, and Commission.

Continue Reading MEPs Adopt Joint Position on Proposed Digital Omnibus on AI

On March 12, 2026, the Italian Data Protection (“Garante”) adopted a decision concerning the transfer of personal data of banking customers from Intesa Sanpaolo S.p.A. (the “Bank”) to Isybank S.p.A., a newly established digital bank within the same corporate group.  The Garante found that the Bank’s processing in connection with the transfer of approximately 2.4 million customers to Isybank was unlawful.

We set out the decision’s key findings below.

Continue Reading Italian DPA Fines Bank over the Transfer of Customer Data in the Context of a Corporate Transaction