Virginia Enacts New Broad Consent Requirement for Collection of Reproductive and Sexual Health Information
On March 24, 2025, Virginia Gov. Glenn Youngkin signed into law SB 754, amending the state’s Consumer Protection Act to prohibit businesses from “[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.” The amendment, which takes effect on July 1, […]
UK Data Privacy Litigation: What’s New?
In honour of the International Association of Privacy Professionals (IAPP) London 2025 conference , we hosted a webinar on European privacy litigation. This post summarises some of the key UK privacy cases we covered in that webinar. Over the past six months, the UK High Court has handed down a number of decisions with important implications for businesses, data controllers and individuals.
The DOJ’s Bulk Sensitive Personal Data Rule’s Imminent Relevance to Life Sciences Companies
A new US Department of Justice (DOJ) rule on “Preventing Access to US Sensitive Personal Data and Government-Related Data by Countries of Concern (including China) or Covered Persons” (rule) prohibits and restricts certain covered data transactions that result in the transfer or access to bulk US sensitive personal data by […]
Model Contractual Clauses for AI Procurement in the EU: Key Takeaways for AI Companies
The European Commission (EC) has released an updated version of the Model Contractual Clauses for AI Procurement (MCC-AI), providing further guidance for public-sector buyers navigating AI procurement under the European Union Artificial Intelligence Act (EU AI Act). However, these clauses also serve as a practical tool to help any private organisation meet their legal obligations when providing or procuring AI systems, particularly high-risk AI solutions.
ICO Releases ‘Consent or Pay’ Guidance
What happened? The UK Information Commissioner’s Office (ICO) has released updated guidance on ‘consent or pay’ business models. These models present users with a choice to either consent to the processing of their personal data for purposes like personalised advertising in return for access to a product or service, or […]
AI Talks: Understanding the EU AI Act – AI Literacy Obligations and Prohibited Practices
Welcome to our latest blog post, where we present the key insights from our first webinar of the series, “AI Talks: Understanding the EU AI Act.” This virtual series is designed to help businesses navigate the complexities of the European Union’s Artificial Intelligence Act (EU AI Act), which is set […]
ICO Updates Position on Web-Scraping for AI Development
What happened? In an attempt to address ongoing regulatory uncertainty about how the UK General Data Protection Regulation (UK GDPR) and UK Data Protection Act 2018 apply to the development and use of generative artificial intelligence (AI), the UK Information Commissioner’s Office (ICO) has released its initial response to its […]
Guidelines 02/2024 on Article 48 of the GDPR: EDPB Clarifies Rules for Data Sharing With Third-Country Authorities
In the ever-evolving landscape of data protection and privacy, the General Data Protection Regulation (GDPR) stands as the most significant legislative framework for processing personal data. Known for its extraterritorial reach, the GDPR sets out the rules for transferring personal data from private organizations established in the European Economic Area […]
New European Commission: What Data-Driven Tech Companies Need to Know
This blog post summarizes the key points presented by Cooley lawyers Patrick Van Eecke, Enrique Capdevila and Athina Gaki during the Cooley webinar, “New European Commission: What Data-Driven Tech Companies Need to Know”, part of the CooleyREG Talks (EU) series, “New European Commission, New Economic Regulation for the EU and […]
CPPA Adopts Data Broker Registration Regulations, Begins Delete Act Enforcement
On November 9, 2024, the five-person board of the California Privacy Protection Agency (CPPA) voted unanimously to adopt the proposed Data Broker Registration regulations without modifications. The new regulations seek to clarify key provisions of the California Delete Act, which requires data brokers to register with the state of California […]