The first updates to the COPPA Rule since 2013 impose new obligations for sharing children’s personal information with third parties.
By Jennifer C. Archie, Marissa R. Boynton, Michael H. Rubin, Molly O’Malley Clarke, and Elizabeth Yin
On April 22, 2025, the Federal Trade Commission (FTC or Commission) published the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule)1 in the Federal Register. The published amendments will become effective on June 23, 2025
The draft law proposes a data embassy ecosystem and comprehensive framework in Saudi Arabia, promoting its position as a global AI hub.
By Brian Meenagh, Ksenia Koroleva, and Faisal Imam*
On April 14, 2025, Saudi Arabia’s Communications, Space and Technology Commission (CST) issued a consultation draft of a “Global AI Hub Law.” This draft law marks Saudi Arabia as the first G20 nation to publish a draft of a comprehensive legal framework that embraces the
The CJEU has decided that the maximum thresholds for GDPR fines should be calculated using the global turnover of the broader corporate group, not solely the infringing entity.
By Gail Crawford, Fiona M. Maclean, Myria Saarinen, Tim Wybitul, Isabelle Brams, and Amy Smyth
The penalties provisions of the EU General Data Protection Regulation (GDPR) include a framework for the calculation of the fines that may be imposed on infringing organisations by national supervisory authorities and
Companies subject to India’s new data protection law should assess practical implications.
By Gail Crawford, Fiona Maclean, Danielle van der Merwe, Kate Burrell, Bianca H. Lee, Alex Park, Irina Vasile, and Amy Smyth
The Indian parliament enacted India’s first comprehensive data protection law on 11 August 2023, namely the Digital Personal Data Protection Act 2023 (the DPDPA). The DPDPA will replace India’s existing patchwork of data protection rules[i] and is expected to trigger significant changes in how companies subject to Indian data protection laws process personal data. However, the law is not yet operational; no effective date has been established and there is no official timeline for the overall implementation. Stakeholders expect the law to come into force in a phased manner in the next six to 12 months, after:
The DPDPA is “umbrella” legislation, as it sets out only a high-level framework for India’s new data protection regime, with supplementary rules expected in due course. Though the new law is not yet operational, companies subject to the new law are advised to begin assessing potential practical implications at an early stage.
The final Implementing Regulations are generally business-friendly and bring the law closer to the EU GDPR.
By Brian A. Meenagh and Lucy Tucker
The Saudi Data & AI Authority (SDAIA) recently issued the final Implementing and Transfer Regulations for the upcoming Personal Data Protection Law (PDPL), the first comprehensive data protection law in Saudi Arabia. This follows the publication of consultation drafts of the Implementing and Transfer Regulations in April 2023 (the Consultation Draft). The PDPL was issued under Royal
The new framework provides an additional route for personal data transfers from the EEA to the US.
By Robert Blamires, Gail E. Crawford, James Lloyd, Clayton Northouse, Alice Brunning, Alexander Ford-Cox, and Jennifer Howes
On 10 July 2023, the European Commission (EC) took the final step to enable businesses to start relying on the new EU-US Data Privacy Framework (DPF) for transfers of data from the European Economic Area (EEA) to the US. The EC adopted an adequacy decision following the fulfilment by the US of its implementation commitments under the DPF. The adequacy decision enables organisations to transfer personal data from the EEA to organisations in the US that have self-certified under the DPF with immediate effect. As of 10 July 2023, organisations that were certified under the EU-US Privacy Shield (Privacy Shield) are now certified under the DPF and can begin receiving data from the EEA via the DPF.
The guidance encourages organisations to formulate a data breach response plan, and outlines recommendations for handling an increasing number of data breach incidents.
By Kieran Donovan and Jacqueline Van
On 30 June 2023, the Office of the Privacy Commissioner for Personal Data of Hong Kong (PCPD) issued revised guidance titled “Guidance on Data Breach Handling And Data Breach Notifications” (the Guidance Note). While the Guidance Note broadly aligns with the last update in January 2019 (the 2019 Guidance), it also contains further details and recommendations to organisations on how to respond to data breaches.
The PCPD published the Guidance Note following a surge in reported data breach incidents, which have increased by more than 20% in the first half of this year compared to the second half of 2022.
The California Attorney General’s investigative sweep is a potential harbinger of increased focus on employers’ data privacy compliance with respect to employee data.
By Robert Blamires, Michael H. Rubin, Joseph C. Hansen, and Kathryn Parsons-Reponte
On July 14, 2023, the California Attorney General announced an investigative sweep targeting large California employers, focusing on employers’ compliance with the California Consumer Privacy Act’s (CCPA’s) recently expanded coverage of employees and job candidates. The announcement follows the expiration of a prior exemption for personnel and business to business (B2B) data under the CCPA (for more information, see this Latham blog post).
The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.
By Myria Saarinen and Charlotte Guerin
On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.
Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is being placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo will then show these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.
The amended PDPL diverges from international privacy laws in several areas, including personal data transfers, penalties, and breach notification.
By Brian A. Meenagh and Lucy Tucker
An amended version of the Kingdom of Saudi Arabia’s Personal Data Protection Law (PDPL) was published in the Official Gazette of the Kingdom of Saudi Arabia on April 7, 2023. The amended PDPL contains the same wide extra-territorial scope as the original PDPL. It applies to any processing of personal data that takes place in the Kingdom, and applies to the processing of personal data of individuals located in the Kingdom by organizations outside of the Kingdom.
The amended PDPL contains concepts and requirements similar to those in international privacy laws, such as the GDPR, including concepts, such as personal data, controllers and processors, data processing principles, certain data subject rights, and the requirement to maintain a record of processing activities. However, the PDPL diverges from international privacy laws in several important areas, notably in relation to transfers of personal data outside of the Kingdom and penalties for non-compliance.