
Dechert Cyber Bits


Issue 76 - May 15, 2025


FTC Enters into Proposed Settlement with Workado Regarding Claims About its AI Content Detector


The U.S. Federal Trade Commission (“FTC”) has entered into a proposed settlement with Workado LLC (“Workado”)—a marketer of a tool that uses artificial intelligence (“AI”) to detect whether online content has been created with AI—relating to Workado’s claims about the accuracy of its AI Content Detector (“Proposed Settlement”). The FTC alleged that Workado violated Section 5 of the FTC Act by claiming its tool was “98 percent” accurate in identifying AI-generated text, while independent testing revealed only a 53% accuracy rate. The FTC’s administrative complaint notes that Workado marketed its tool to consumers interested in distinguishing between AI-generated and human-written content, but the tool was actually only effective in classifying academic content. Workado did not admit any wrongdoing or liability in connection with the Proposed Settlement.

If finalized as written, the Proposed Settlement would mandate that Workado: (1) refrain from making unsupported claims; (2) retain reliable evidence for any future representations about its products; (3) notify consumers about the settlement; and (4) submit compliance reports to the FTC. The Commission voted unanimously to issue the administrative complaint.

Takeaway: The FTC continues to demonstrate its focus on accuracy when companies make claims about AI products. Companies making claims about their products (AI or otherwise) need to review those claims for accuracy, especially against their own internal research and data, and to assess the evidence they would present if ever faced with allegations that their claims are overstated. The consequences of not doing so include possible enforcement action by the FTC, state attorneys general and other regulators, as well as scrutiny from the plaintiffs’ bar.


New Enforcement and Unfair Commercial Practices Regimes Now in Force in UK

On April 6, 2025, two significant consumer protection regimes under the Digital Markets, Competition and Consumers Act 2024 (“DMCCA”) came into force in the UK. The UK’s Competition and Markets Authority (“CMA”) now has enhanced powers to enforce consumer protection laws directly, bypassing the need for court proceedings. This includes the ability to impose substantial fines of up to a maximum of 10% of revenue for infringements, non-compliance with undertakings and lack of cooperation during investigations. In some circumstances, the CMA can also impose daily penalties of up to the higher of £15,000 or 5% of daily turnover. The CMA can also exercise its fining powers against directors and other officers directly.

The DMCCA also introduces a new regime for unfair commercial practices, replacing the prior Consumer Protection from Unfair Trading Regulations 2008. The updated regime addresses issues such as fake reviews and drip pricing, a marketing practice where a retailer shows consumers an initial, lower price for a product or service, but then adds additional, mandatory fees or charges later in the purchase process. The CMA has provided guidance on fake reviews and other unfair commercial practices and has delayed enforcement of the new rules on fake reviews until July 6, 2025, with further consultation required for the complex aspects of drip pricing.

Further parts of the DMCCA will come into force in due course, including the rules relating to subscription contracts which are not expected to be in effect until at least April 2026, according to the government.

Takeaway: The DMCCA’s new enforcement powers and updated unfair commercial practices regime represent a significant shift in consumer protection law in the UK. Organizations will want to be prepared for the CMA’s increased enforcement capabilities and the specific focus on practices like fake reviews and drip pricing and, in due course, subscription contracts. Direct (and potentially significant) regulator enforcement makes compliance all the more important.


UK Government Publishes Final Cyber Governance Code of Practice

The UK Department for Science, Innovation and Technology, a ministerial department of the government, has released the final version of its Cyber Governance Code of Practice (“Code”). Formulated as a series of sections with high-level action points within each section, the Code is designed for boards and directors of medium and large private organisations, as well as public-sector entities, to clarify their responsibilities in governing cybersecurity risks. Although not specifically intended for small organisations, the UK Government recommends that such companies also adopt its principles and consult the National Cyber Security Centre for further guidance.

The Code is part of the UK government’s free support package on cyber governance, which includes Cyber Governance Training and the Cyber Security Toolkit for Boards. These resources aim to enhance the understanding and implementation of cybersecurity measures among boards and directors. The Code, along with the Cyber Essentials scheme, sets the minimum standard recommended by the UK government for managing cyber risk. Cyber Essentials, and the more extensive Cyber Essentials Plus, are UK government-backed schemes that provide a framework for developing an organization's information security position, helping organizations of all sizes protect against common forms of cyber-attack.

Takeaway: The Code clearly is not targeted at those responsible for managing cyber risk on a day-to-day basis but is instead akin to a high-level checklist or an action plan for executives on approaches to mitigating cyber risk. The Code may therefore be a helpful tool for Chief Information Security Officers to engage with non-specialist board members on cyber issues.


UK and Canadian Data Regulators Call for Protection of Customer Data During Bankruptcy Proceedings of Genetic Testing Company

The UK Information Commissioner’s Office (“ICO”) and the Office of the Privacy Commissioner of Canada (“OPC”) jointly called for the protection of sensitive personal data of 23andMe customers located in the UK and Canada amid the company’s bankruptcy proceedings and potential sale. 23andMe, an American genomics and biotechnology company, is known for its direct-to-consumer genetic testing services. In June 2024, the ICO and the OPC launched a joint investigation into 23andMe’s compliance with their respective data protection laws following a significant data breach that exposed millions of customers’ personal information, including raw genetic data, which was subsequently offered for sale on the dark web. In March 2025, the ICO and OPC issued their provisional findings to 23andMe. According to a statement by the ICO, these findings included a Preliminary Enforcement Notice and a notice of intent to fine the company £4.59 million, subject to the company’s response before the final report is issued in the coming months.

On April 28, 2025, in a letter to the U.S. Trustee, an official appointed to oversee bankruptcy cases, the regulators stressed the need for compliance with UK and Canadian data protection laws by both 23andMe and any potential buyers of the company or its personal data. The regulators highlighted the importance of safeguarding highly sensitive information, such as genetic data, health reports and self-reported health conditions, and of preventing its unauthorized use or misuse. Against this backdrop, 23andMe released a public statement that any potential buyers would be required to comply with its privacy policy and applicable law. On April 29, 2025, a U.S. bankruptcy judge appointed a Consumer Privacy Ombudsman to oversee the handling of 23andMe’s customer data during the bankruptcy process, a move which was welcomed by the regulators.

Several U.S. state attorneys general and the Federal Trade Commission have also expressed concerns regarding the personal data held by 23andMe and the company’s bankruptcy.

Takeaway: The ICO and OPC’s proactive and vocal approach to dealing with the fallout of the 23andMe data breach highlights the importance of data privacy considerations during corporate insolvency, particularly for companies that process highly sensitive data, such as genetic data. The regulators’ statements also emphasize the risks under data privacy legislation that buyers can face when acquiring businesses out of bankruptcy or otherwise. Insolvency practitioners, in particular, will need to reflect carefully on the added responsibility they have in such cases.


Dechert Tidbits

CPPA Proposes Revised Draft Regulations on ADMT, Cybersecurity Audits and PIAs

The California Privacy Protection Agency (“CPPA”) has revised its proposed regulations on automated decision-making technology (“ADMT”), cybersecurity audits, and privacy risk assessments, pending CPPA Board approval. Specifically: (1) the proposed ADMT rules now focus on ADMT’s use in “significant decisions;” (2) businesses would have more time to conduct cybersecurity audits, with the new deadline being January 1, 2028; and (3) businesses would no longer be required to “immediately” update their risk assessment following a material change in processing activities, but rather would need to update the relevant risk assessments within 45 calendar days from the date of the material change. The public comment period for the proposed changes is open until June 2, 2025.

Uncertainty Over the Future of the EU-US Data Privacy Framework Heats Up

On April 1, 2025, the General Court of the Court of Justice of the European Union (“CJEU”) held its first hearing on the request of a French parliament member, Philippe Latombe, to annul the EU-US Data Privacy Framework (the “DPF”). Latombe’s action is based on Article 263(4) of the Treaty on the Functioning of the European Union and challenges the European Commission’s adequacy decision, arguing that the DPF does not conform to GDPR principles and lacks effective redress mechanisms. For more information about the recent issues facing the DPF see Cyber Bits Issue 70. This uncertainty concerning the DPF is likely to continue for some time, as the CJEU has a very heavy caseload and the resolution of such cases can take considerable time.

22 States Support the Firing of Two FTC Commissioners

A coalition of 21 Republican state attorneys general and the leadership of the Republican-controlled Arizona Legislature filed an amicus brief in support of President Trump’s firing of two Democratic Federal Trade Commission (“FTC”) Commissioners. The brief argues that the president has absolute authority over the Commission. It also claims that independent agencies like the FTC have amassed too much power, violating the constitutional balance and making them unaccountable to voters, and that the FTC’s current role is significantly different from the quasi-judicial and quasi-legislative duties originally envisioned when it was created in 1935.

CPPA Expands its Global Partnerships to Include UK Data Protection Authority

The California Privacy Protection Agency (“CPPA”) signed a cooperation agreement with the UK Information Commissioner’s Office (“ICO”) to enhance collaborative efforts in data protection, which will include sharing best practices and conducting joint research. The partnership is part of the CPPA’s broader strategy to build global and domestic alliances, which includes agreements with South Korea, France, and Dubai, as well as a consortium with attorneys general from seven U.S. states, to strengthen its regulatory influence and enforcement capabilities.


We are honored to have been recognized in The Legal 500, Chambers USA, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.


Recent News and Publications



Dechert Cyber Bits Partner Committee


"Dechert has assembled a truly global team of privacy and data security lawyers. The cross-practice specialization ensures that clients have access to lawyers dedicated to solving a range of client’s legal issues both proactively and reactively during a data security related crisis or a litigation."

"The privacy and security team collaborates seamlessly across the globe when advising clients."
- Quotes from The Legal 500


Dechert’s global Cyber, Privacy and AI practice provides a multidisciplinary, integrated approach to clients’ privacy and cybersecurity needs. Our practice is top ranked by The Legal 500 and our partners are well-known thought leaders and sought-after advisors in the space with unparalleled expertise and experience. Our litigation team provides pre-breach counseling and handles all aspects of data breach investigations as well as the defense of government regulatory enforcement actions and class action litigation for clients across a broad spectrum of industries. We have handled over a thousand data breach investigations of all types, including nation-state intrusions, ransom/cyber extortion, vendor/supply chain compromises and DDoS attacks, brought by threat actors of all types, from nation-state actors to organized crime to insiders. We also represent clients holistically through the entire life cycle of issues, providing sophisticated, solution-oriented advice and counseling on cutting-edge data-driven products and services, including trend forecasting, personalized content and targeted advertising across sectors, under such key laws as the CCPA, CPRA and state consumer privacy laws; Section 5 of the FTC Act; the EU/UK GDPR; the e-Privacy Directive; and cross-border data transfer rules. We also conduct privacy and cybersecurity diligence for mergers and acquisitions, financings, corporate transactions, and securities offerings.
