In March 2025, the California Privacy Protection Agency (CPPA) issued its enforcement decision under the California Consumer Privacy Act (CCPA) against American Honda Motor Co., Inc. The order followed an investigation that identified four major areas where Honda’s practices failed to comply with the CCPA and cost more than $600,000.

In a recent ruling, the Court of Justice of the European Union (CJEU) addressed the right of access to information in cases of automated decision-making and profiling under the GDPR. The case, CK v Magistrat der Stadt Wien and Dun & Bradstreet Austria GmbH (Case C-203/22), examined the extent to which individuals are entitled to receive meaningful information about the logic behind automated decision-making processes, as well as the balance between transparency and the protection of trade secrets.

This case study examines ILVA A/S v. Danish Public Prosecutor, a CJEU ruling that clarifies whether GDPR fines should be based on the revenue of an individual company or its entire corporate group. The case is significant because it aligns GDPR enforcement with EU competition law principles and could increase the financial penalties for subsidiaries of multinational groups.

The digitalization of services has led to increasingly complex interactions between data protection law and business practices. At the core of Mousse v. CNIL & SNCF Connect, the Court of Justice of the European Union (CJEU) was asked to determine whether a company can require customers to select a gendered title (“Mr.” or “Ms.”) when purchasing travel tickets.

We continue the exploration of direct marketing around the EU. This article describes the regulatory framework governing direct marketing in Denmark, Sweden and Norway.

The European Data Protection Board (EDPB) recently published the "Guidelines 1/2024 on Processing of Personal Data based on Article 6(1)(f) GDPR" to clarify how organizations can legally process data under the legitimate interest basis of the GDPR.

This case provides crucial insights into GDPR enforcement. It examines the conditions for compensating non-material damage, the adequacy of apologies as remedies, and the irrelevance of a controller’s intent in determining compensation, clarifying key aspects of data protection rights.

This case is a valuable step forward in data privacy. It looks at how GDPR can be enforced not only by data subjects and authorities but also by competitors. It also expands what’s considered “health data” under GDPR, which could impact many businesses.

This article continues our deep dive into direct marketing regulations across Europe. It is focusing on the frameworks of the Baltic region: Lithuania, Latvia, and Estonia. Each country has its own set of laws governing how businesses can engage with consumers, making it essential to understand these distinctions for compliant and effective marketing strategies.