Privacy

On 15 January 2026, the Belgian High Court delivered a judgment in proceedings initiated by the Belgian Supervisory Authority, in which it challenged the scope of judicial review exercised by the Market Court over its enforcement decisions. The authority was unsuccessful on both grounds of appeal.

Continue Reading Belgian High Court Confirms Full Judicial Review of Supervisory Authority Decisions

AI agents have arrived. Although the technology is not new, agents are rapidly becoming more sophisticated—capable of operating with greater autonomy, executing multi-step tasks, and interacting with other agents in ways that were largely theoretical just a few years ago. Organizations are already deploying agentic AI across software development, workflow automation, customer service, and e-commerce, with more ambitious applications on the horizon. As these systems grow in capability and prevalence, a pressing question has emerged: can existing legal frameworks—generally designed with human decision-makers in mind—be applied coherently to machines that operate with significant independence?

In January 2026, as part of its Tech Futures series, the UK Information Commissioner’s Office (“ICO”) published a report setting out its early thinking on the data protection implications of agentic AI. The report explicitly states that it is not intended to constitute “guidance” or “formal regulatory expectations.” Nevertheless, it provides meaningful insight into the ICO’s emerging view of agentic AI and its approach to applying data protection obligations to this context—insight that may foreshadow the regulator’s direction of travel.

The full report is lengthy and worth the read. This blog focuses on the data protection and privacy risks identified by the ICO, with the aim of helping product and legal teams anticipate potential regulatory issues early in the development process.

Continue Reading ICO Shares Early Views on Agentic AI & Data Protection

On his last day in office, January 20, 2026, former New Jersey Governor Phil Murphy signed an amendment to the New Jersey Data Privacy Act, A5017. The bill amends the state’s comprehensive privacy law to add new data- and entity-level exemptions and to expand the definition of de-identified data. The amendment took effect immediately.

Continue Reading New Jersey Enacts Amendment to its Comprehensive Privacy Law

On January 20, 2026, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) (together, the “Authorities”) adopted Joint Opinion 1/2026 on the European Commission’s proposal to amend the EU AI Act (hereafter the “Proposal”, summarized in our previous blog). Overall, the Authorities acknowledge the complexity of the AI Act and agree that targeted simplifications can support legal certainty and efficient administration. However, they warn that simplification should not result in lowering the protection of fundamental rights, including data protection rights. This blog outlines some of the Authorities’ main recommendations as expressed in their Joint Opinion.

Continue Reading European Data Protection Authorities Issue Joint Opinion on the Digital Omnibus on AI

On January 8, 2026, the California Privacy Protection Agency (“CalPrivacy”) announced an enforcement action against Rickenbacher Data LLC (d/b/a “Datamasters”), an information reseller, for failing to register as a data broker under the California Delete Act.  Datamasters agreed to pay a $45,000 administrative fine, among other remedial measures.  In November, CalPrivacy launched a Data Broker Enforcement Strike Force within its enforcement division to investigate violations of the law in the data broker industry, which builds upon a 2024 investigative sweep into data broker compliance.

Continue Reading CalPrivacy Announces $45,000 Fine Against Data Broker for Delete Act Violations

On December 22, the Federal Trade Commission (“FTC”) issued an order setting aside its 2024 final consent order against Rytr, LLC (“Rytr”) on the grounds that the facts alleged in the Rytr complaint did not violate Section 5.  The Commission further found that the Rytr order did not provide any

Continue Reading FTC Sets Aside Rytr Final Order Pursuant to White House AI Action Plan

On December 2, Greystar agreed to a $24 million settlement over allegations it misled renters by omitting mandatory fees from advertised monthly rents.  This settlement underscores the FTC’s continuing scrutiny of “junk fees” and signals that the FTC may pursue rulemaking requiring greater transparency in rental fee advertising. 

Continue Reading Greystar’s $24 Million Settlement Signals FTC Crackdown on Hidden Rental Fee

On November 21, 2025, California Attorney General Rob Bonta announced a $1.4 million settlement with Jam City, Inc. (“Jam City”), a mobile app gaming company, for alleged violations of the California Consumer Privacy Act (“CCPA”) and Unfair Competition Law (“UCL”). The Jam City settlement marks Attorney General Bonta’s sixth settlement obtained under the CCPA and reflects a continued focus on how businesses present opt-out rights mechanisms to California consumers, including minors.

Continue Reading California AG Announces $1.4 Million Settlement with Mobile App Gaming Developer Over CCPA Violations

On December 11, 2025, the CNIL fined an Israeli company €1 million for failing to comply with its GDPR obligations after providing personalized advertising services to an EU music-streaming platform. The service helped the platform to personalize and optimize marketing campaigns to promote its streaming services.

The CNIL held that the GDPR applied to the non-EU processor under Article 3(2), on the basis that it had monitored the behavior of EU users by creating audience segments based on demographics and listening habits, on behalf of the controller.

Continue Reading French CNIL Imposes €1M GDPR Fine on Israeli Ad Tech Firm