Tracking pixels are tiny, invisible images embedded in emails that report when and where messages are opened. Although they deliver useful insights for email campaigns, they also handle personal data and must comply with privacy rules such as the GDPR.

This is the practical guide which will help e-commerce business to follow the rules and protect privacy of its clients.

In March 2025, the California Privacy Protection Agency (CPPA) issued its enforcement decision under the California Consumer Privacy Act (CCPA) against American Honda Motor Co., Inc. The order followed an investigation that identified four major areas where Honda’s practices failed to comply with the CCPA and cost more than $600,000.

In a recent ruling, the Court of Justice of the European Union (CJEU) addressed the right of access to information in cases of automated decision-making and profiling under the GDPR. The case, CK v Magistrat der Stadt Wien and Dun & Bradstreet Austria GmbH (Case C-203/22), examined the extent to which individuals are entitled to receive meaningful information about the logic behind automated decision-making processes, as well as the balance between transparency and the protection of trade secrets.

This case study examines ILVA A/S v. Danish Public Prosecutor, a CJEU ruling that clarifies whether GDPR fines should be based on the revenue of an individual company or its entire corporate group. The case is significant because it aligns GDPR enforcement with EU competition law principles and could increase the financial penalties for subsidiaries of multinational groups.

The digitalization of services has led to increasingly complex interactions between data protection law and business practices. At the core of Mousse v. CNIL & SNCF Connect, the Court of Justice of the European Union (CJEU) was asked to determine whether a company can require customers to select a gendered title (“Mr.” or “Ms.”) when purchasing travel tickets.

We continue the exploration of direct marketing around the EU. This article describes the regulatory framework governing direct marketing in Denmark, Sweden and Norway.

The European Data Protection Board (EDPB) recently published the "Guidelines 1/2024 on Processing of Personal Data based on Article 6(1)(f) GDPR" to clarify how organizations can legally process data under the legitimate interest basis of the GDPR.

This case provides crucial insights into GDPR enforcement. It examines the conditions for compensating non-material damage, the adequacy of apologies as remedies, and the irrelevance of a controller’s intent in determining compensation, clarifying key aspects of data protection rights.