On March 25, 2026, the UK’s Office of Communications (“Ofcom”) and the Information Commissioner’s Office (“ICO”) published a joint statement setting out their common expectations for age assurance on online services (“Joint Statement”). The Joint Statement is aimed at services likely to be accessed by children that fall within the scope of the Online Safety Act 2023 (“OSA”) and UK data protection legislation, and is designed to help providers comply with both their online safety and data protection obligations when deploying age assurance.

The Joint Statement arrives alongside a broader push from both regulators—including Ofcom’s recent call to action directed at major tech firms, an open letter from the ICO urging platforms to strengthen their age checks, and several enforcement actions by both regulators. Continue Reading Ofcom and ICO Issue Joint Statement on Age Assurance

U.S. state lawmakers have introduced more than 40 bills across at least 24 states to regulate personalized algorithmic pricing in 2026 thus far, already outpacing the number of personalized algorithmic pricing bills introduced in all of 2025.  While their definitions and scope vary, the 2026 bills broadly refer to “personalized

Continue Reading State Lawmakers Introduce New Wave of Personalized Algorithmic Pricing Bills
On 19 March 2026, Advocate-General Capeta issued an opinion in the case of Elisa Eesti AS v Estonian Government Security Committee (C-354/24). This case concerned, among other things, whether a 2022 order from the Estonian Government for Elisa Eesti AS—a 5G network operator—to remove Huawei components from its network for national security reasons was subject to EU law, constituted a lawful restriction on the right to offer an electronic communications network, and amounted to a “deprivation of property” requiring compensation. AG Capeta concluded that the relevant Estonian regime was within scope of EU law—specifically the European Electronic Communications Code (“EECC”)—even though that regime allowed for the imposition of orders on electronic communications network (“ECN”) providers for national security reasons. She also concluded that the requirement to obtain prior authorization from the Estonian government for use of network equipment constituted a restriction on the freedom to provide an ECN, but that this could be justified on national security grounds if the decision was based on a genuine risk assessment that meets the requirements for proportionality under EU law. She stated that this determination should be left to the referring court. Finally, she concluded that the Estonian Government’s order did not amount to a “deprivation” of property for which compensation would be required, as it was instead a mere “restriction” on the use of property. Below, we describe these non-binding conclusions in more detail. The Court’s final ruling in this case will have significant implications for the European Commission’s proposed revisions to the EU Cybersecurity Act, which as drafted would—among other things—allow the Commission to require ECN providers to remove and cease using components from designated high-risk jurisdictions in their networks. See our prior blog post on the proposal for a revised Cybersecurity Act here. Continue Reading CJEU Advocate-General indicates that communications network operators can lawfully be required to remove Chinese components, and that compensation is not required

The Washington Supreme Court’s decision in Brown v. Old Navy LLC, 4 Wash.3d 580 (2025) has sparked a wave of putative class actions under Washington’s Commercial Electronic Mail Act (“CEMA”), targeting allegedly misleading email subject lines used by national retailers. In the months since, defendants have increasingly turned to constitutional and federal preemption defenses in an effort to stem this growing tide of litigation. To date, however, those arguments have gained little traction. Several district court decisions have denied defendants’ motions to dismiss on these grounds.Continue Reading District Courts Appear Skeptical of CAN‑SPAM Preemption and Constitutional Challenges to CEMA

On March 19, 2026, the CJEU issued its judgment in the Brillen Rottler case (C‑526/24).  The case concerns the GDPR right of access and the conditions for claiming damages.  In the underlying facts, an Austrian individual subscribed to Brillen Rottler’s newsletter and, two weeks later, exercised his right of access.

Continue Reading EU Court Defines Limits to the GDPR Right of Access

On 18 March 2026, the European Parliament’s Committee on the Internal Market and Consumer Protection (“IMCO”) and the Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) adopted their joint negotiating position on the European Commission’s proposed Digital Omnibus on AI (which we previously analysed here). The position will

Continue Reading MEPs Adopt Joint Position on Proposed Digital Omnibus on AI

On March 12, 2026, the Italian Data Protection (“Garante”) adopted a decision concerning the transfer of personal data of banking customers from Intesa Sanpaolo S.p.A. (the “Bank”) to Isybank S.p.A., a newly established digital bank within the same corporate group.  The Garante found that the Bank’s processing in connection with the transfer of approximately 2.4 million customers to Isybank was unlawful.

We set out the decision’s key findings below.Continue Reading Italian DPA Fines Bank over the Transfer of Customer Data in the Context of a Corporate Transaction

On March 12, 2026, the Federal Trade Commission (“FTC”) announced an Advanced Notice of Proposed Rulemaking (“ANPRM”) seeking public comment on a proposed rulemaking focusing on potential unfair or deceptive acts or practices in the rental housing market. This ANPRM contemplates requiring landlords and property managers to provide full, upfront

Continue Reading FTC Seeks Public Comment on Proposed Rulemaking for Unfair or Deceptive Rental Housing Fee Practices