UK: New complaints handling rules under DUAA take effect on 19 June 2026 – are you ready?

By Rachel de Souza, Alexa Smith & Jamie Sanderson on June 11, 2026

Posted in Complaints, General Data Protection Regulation, New laws, Privacy Law, UK

The Data (Use and Access) Act 2025 (“DUAA“), introduces a new statutory requirement for all controllers, with no exceptions, to implement a formal process to handle data protection complaints by 19 June 2026.

Key changes

The DUAA received Royal Assent on 19 June 2025 and introduces a number of amendments to the UK’s data…

UK: Protecting Children Online – A Changing Regulatory Landscape

By Rachel de Souza & Laura Dobson on June 9, 2026

Posted in Children's data, Enforcement, EU Digital Decade, EU privacy, General Data Protection Regulation, Privacy Law

The protection of children online, including the safeguarding of their personal data, has emerged as a key regulatory focus in the UK, with the Government facing sustained pressure to address concerns about children’s safety online.[1] Recent developments have added further momentum – in particular, Australia’s recent prohibition on social media use by under-16s has…

Spain: Government approves the draft Organic Law on the proper use and governance of artificial intelligence

By Paula Gonzalez de Castejón & Elisa Lorenzo Sanchez on May 28, 2026

Posted in Artificial Intelligence, EU data governance, EU privacy, New laws

On 26 May 2026, Spain’s Council of Ministers approved a draft Organic Law on the proper use and governance of artificial intelligence, aligning Spain’s national law with Regulation (EU) 2024/1689 (the “EU AI Act”). The legislation aims to create a framework for trustworthy, human‑centric AI, combining regulatory oversight while supporting innovation.

Governance…

Quantum Computing and the Future of Cyber Security

By Ross McKean, Gareth Stokes & Laura Dobson on May 26, 2026

Posted in Artificial Intelligence, Cyber security, Cyber-crime, EU data governance

Quantum computing is poised to profoundly reshape the cybersecurity landscape, with significant legal and regulatory implications. By introducing fundamentally different computational methods, enabling the simultaneous processing of multiple possibilities, quantum computing has the potential to undermine and ultimately render many traditional encryption techniques ineffective. The result is a significant systemic risk across critical infrastructures, including…

UK: The King’s Speech 2026 – Cybersecurity at the Forefront

By Rachel de Souza on May 18, 2026

Posted in Cyber security, Cyber-crime, Data security and breaches, Digital transformation, New laws, Privacy Law, UK

The UK Government’s legislative agenda, set out in the King’s Speech on 13 May 2026, places cybersecurity and digital resilience firmly at the centre of national policy. Against a backdrop of increasing geopolitical instability and rapidly evolving technological risks, the proposed measures continue the shift towards a more interventionist and systemic approach to safeguarding the…

U.S.: California’s GM Settlement: Has Data Minimization Finally Arrived?

By Andrew Serwin & Harrison Park on May 12, 2026

Posted in Automotive, CalPrivacy, CCPA, Class actions

On May 8, 2026, California Attorney General Rob Bonta — joined by the District Attorneys of San Francisco, Los Angeles, Napa, and Sonoma Counties, with support from the California Privacy Protection Agency (CalPrivacy) — announced a $12.75 million settlement with General Motors and OnStar (collectively, “GM”) over the alleged unlawful sale of California drivers’ geolocation…

U.S.: Comprehensive Federal Privacy Legislation Introduced

By Andrew Serwin & Daniel Caprio on April 29, 2026

Posted in FTC, New laws, Privacy Law, SECURE Data Act, Sensitive personal data

The SECURE Data Act 2026 and GUARD Financial Data Act were introduced on April 22, 2026. This legislation would impose major data restrictions and requirements across the U.S. economy. The bill would give the U.S. Department of Commerce and the Federal Trade Commission (FTC) expanded powers to oversee data collection and use.

The SECURE Data…

U.S.: FTC Oversight Hearing

By Andrew Serwin & Daniel Caprio on April 16, 2026

Posted in Enforcement, FTC

The Senate Commerce Committee held an oversight hearing of the Federal Trade Commission (FTC) on April 15, 2026, its first in six years. Chairman Andrew Ferguson testified that the FTC policy focus will be combating hidden fees and misleading pricing practices by avoiding misleading representations about pricing and clearly disclosing total cost up front.

The…

U.S.: Alabama Becomes 21st State to Enact Comprehensive Privacy Law

By Andrew Serwin & Kieran de Terra on April 10, 2026

Posted in Alabama, Privacy Law

On April 7, 2026, the Alabama legislature unanimously passed House Bill 351, the Alabama Personal Data Protection Act. The bill cleared the House 104-0 and the Senate 34-0, making Alabama the 21st state to enact a comprehensive consumer privacy statute. If signed by Governor Kay Ivey, the law will take effect on May 1…

U.S.: Seventh Circuit Holds BIPA’s 2024 Damages Amendment Applies Retroactively

By Andrew Serwin, Raj Shah, Jeff DeGroot & Matt Danaher on April 9, 2026

Posted in BIPA, Class actions

In 2024, the Illinois General Assembly amended the Illinois Biometric Information Privacy Act (“BIPA”) to clarify that an individual cannot seek recovery for multiple alleged violations of BIPA when those violations concern the same person, defendant entity, and method of collection.

On April 1, 2026, the Seventh Circuit issued its decision in Clay v. Union…

Privacy Matters

EU: EDPB common template for breach notifications – welcome alignment or further complexity?