Privacy & Information Security Law Blog

Hunton publishes AI Act Guide for In-House Lawyers, providing a comprehensive yet practical roadmap for businesses to comply with the European Union’s AI Act. This blog entry provides a link to download a copy of the guide and a summary of the key areas covered.

The European Data Protection Board held its latest plenary meeting on February 12, 2025.

On February 11, 2025, the European Commission made available its 2025 work program, which sets out the key strategies, action plans and legislative initiatives to be pursued by the European Commission.

On February 11, 2025, the data protection authorities of the UK, Ireland, France, South Korea and Australia issued a joint statement on building trustworthy data governance frameworks to encourage development of innovative and privacy-protective artificial intelligence.

On February 4, 2025, the Minnesota Attorney General published the second volume of a report outlining the negative impact that AI and social media is having on minors in Minnesota.

On February 10, 2025, the UK Information Commissioner’s Office released an updated response to the draft Data (Use and Access) Bill, providing comments on the amendments made by the House of Lords.

On February 7, 2025, the French Data Protection Authority (“CNIL”) released two recommendations aimed at guiding organizations in the responsible development and deployment of artificial intelligence (“AI”) systems in compliance with the EU General Data Protection Regulation (“GDPR”). The first recommendation is titled “AI: Informing Data Subjects” (the “Recommendation on Informing Individuals”) and the second recommendation is titled “AI: Complying and Facilitating Individuals’ Rights” (the “Recommendation on Individual Rights”). The recommendations build on the CNIL’s four-pillar AI action plan announced in 2023.

The Massachusetts Attorney General released internal TikTok documents last week as part of an unsealed complaint alleging that the company designed its platform to maximize children’s engagement while downplaying associated risks.

On January 1, 2025, an amendment to the Virginia Consumer Data Protection Act (“VCDPA”) went into effect that provides additional protections for children. The amendment imposes additional requirements on the processing of personal data of a known child, which is defined as a consumer who is under 13 years of age. Our earlier blog entry provides additional details regarding these new requirements.

On February 3, 2025, U.S. District Judge B. Lynn Winmill of the District of Idaho denied digital marketing data broker Kochava Inc.’s motion to dismiss a suit brought by the Federal Trade Commission.