Many e-commerce websites still treat “create an account to buy” as a standard pattern. The EDPB’s Recommendations 2/2025 (version for public consultation, adopted 3 December 2025) take a restrictive view: imposing account creation can be justified only for a very limited set of purposes, and in most common online retail scenarios the safer conclusion is that you should offer a guest alternative.

Case study: When an “informational” newsletter becomes marketing: C-654/23 Inteligo Media v. ANSPDCP

At the beginning of September, the CJEU published several important cases, one of which is particularly interesting to discuss, as it concerns the injunction as a legal remedy under GDPR and the evaluation of non-material damage under the GDPR.

It is a short overview of the guideline by the German Federal Office for Information Security (BSI) and French Agence nationale de la sécurité des systèmes d‘information Secrétariat général de la défense et de la sécurité nationale.

On 19 June 2025 new legislation - Data Use and Access Act - received a Royal Assent and brings changes to the DPA Act 2018, UK GDPR and PECR.

Tracking pixels are tiny, invisible images embedded in emails that report when and where messages are opened. Although they deliver useful insights for email campaigns, they also handle personal data and must comply with privacy rules such as the GDPR.

This is the practical guide which will help e-commerce business to follow the rules and protect privacy of its clients.

In March 2025, the California Privacy Protection Agency (CPPA) issued its enforcement decision under the California Consumer Privacy Act (CCPA) against American Honda Motor Co., Inc. The order followed an investigation that identified four major areas where Honda’s practices failed to comply with the CCPA and cost more than $600,000.

In a recent ruling, the Court of Justice of the European Union (CJEU) addressed the right of access to information in cases of automated decision-making and profiling under the GDPR. The case, CK v Magistrat der Stadt Wien and Dun & Bradstreet Austria GmbH (Case C-203/22), examined the extent to which individuals are entitled to receive meaningful information about the logic behind automated decision-making processes, as well as the balance between transparency and the protection of trade secrets.