
Dechert Cyber Bits
Issue 70 - February 13, 2025

UK Data Regulator Expands Cookie Compliance Review Across the UK’s Top 1,000 Websites
The UK Information Commissioner's Office (“ICO”) has announced an expanded review of advertising cookie practices to encompass the UK’s top 1,000 websites – as well as apps and connected TVs. This initiative is part of the ICO’s 2025 online tracking strategy, which aims to provide users with “meaningful control” over how they are tracked online and promote privacy-preserving advertising practices. The strategy also indicates that the ICO will use automated monitoring to assess compliance.
In November 2023, the ICO renewed its focus on cookie compliance, issuing initial warnings to 53 of the UK’s top 100 websites (see Issue 46 and Issue 49 of Cyber Bits). Since then, the ICO has maintained its heightened scrutiny of websites’ cookie practices, expanding its review to include additional websites.
As part of the ICO’s 2025 online tracking strategy, new guidance was issued for organizations operating, or considering, a “consent or pay” business model. This model requires users to either consent to their personal information being used for personalized advertising or pay a fee to access products or services without such tracking. While the concept gets the green light from the ICO, the guidance emphasizes that user consent must be freely given and outlines factors organizations should consider to ensure compliance with data protection law.
Takeaway: The ICO's expanded review of cookie compliance and new guidance on “consent or pay” models demonstrate a strong commitment to investigating compliance with online tracking regulations. Given the ICO’s intention to also use automated tools to assist with its review of websites’ use of cookies, organizations with UK-targeted websites attracting substantial numbers of UK visitors will want to check their compliance with cookie rules to avoid coming under the scrutiny of the ICO.

FTC Settles COPPA Allegations with Genshin Impact Developer for $20M
On January 17, 2025, the Federal Trade Commission (“FTC”) announced a proposed settlement with Singapore-based Cognosphere Pte. Ltd and its California-based subsidiary Cognosphere LLC (commercially known as “HoYoverse”) to resolve allegations that HoYoverse’s information collection practices violated the Children’s Online Privacy Protection Act (“COPPA”) and that its representations about its products and services relied on unfair and deceptive trade practices and violated the FTC Act. In its complaint, the FTC alleged that HoYoverse actively marketed its video game—Genshin Impact—to children and collected personal information from them in violation of COPPA, and deceived players about the odds of winning valuable “loot box” prizes. Specifically, the FTC alleged that HoYoverse used cartoon graphics, animated characters, and other features directed to children under the age of 13 and failed to provide adequate notice about the information it collected from children. The FTC also alleged that HoYoverse failed to provide notice about its information collection practices to parents and failed to obtain parental consent. With respect to the FTC Act, the FTC alleged that HoYoverse used unfair and deceptive tactics to market and promote the game; employed a gambling-like device to entice users to spend money on “loot boxes” that, when used in conjunction with HoYoverse’s complicated and confusing transaction procedures and exchange rates, increased the amount users paid; and overstated the odds of winning sought-after virtual items in “loot boxes” to further drive user spending.
Under the FTC’s proposed order, among other things, the company would be: (1) prohibited from allowing children (under 13) or early teen (under 16) users to make in-game purchases without a parent’s affirmative and express consent; (2) prohibited from selling loot boxes using virtual currency without providing an option to purchase them directly with real money; (3) banned from misrepresenting loot box odds; (4) required to disclose loot box odds and the exchange rates; (5) obligated to delete any personal information previously collected from children under 13 absent parental consent; (6) required to comply with COPPA and its notice and consent requirements; and (7) required to pay a $20 million penalty. In its press release, HoYoverse did not admit any wrongdoing in connection with the matter.
Commissioner Andrew N. Ferguson issued a separate concurrence with the allegations that HoYoverse violated COPPA and deceived customers about the odds of winning loot box prizes, but dissenting from the rest of the complaint, arguing, among other things, that the FTC’s distrust of loot-box schemes does not authorize the Commission to pursue “novel theories of liability advanced in the final hours of the Biden-Harris Administration.”
Takeaway: The proposed Order and the COPPA rules that come into effect this year (which we covered here) signal that COPPA compliance continues to be an area of focus and that game developers and companies with “online services directed to children” should take note. Companies will want to review COPPA compliance and take steps to comply with the new COPPA rules and will also want to be cognizant that their disclosures are full and accurate, and that opportunities for prizes, especially those directed to children, involve straightforward and clear rules.

EU-U.S. Data Privacy Framework for Transfers Faces Political Challenges
The Privacy and Civil Liberties Oversight Board (“PCLOB”) is a bipartisan five-member Board, appointed by the President and confirmed by the Senate, which plays an important role in ensuring privacy and civil liberties are protected, in particular in relation to the activities of U.S. security agencies. President Trump recently fired all three Democratic-selected members of the PCLOB. These firings threaten the EU-U.S. Data Privacy Framework (“DPF”), which relies on the PCLOB’s oversight to permit data flows between the EU and the U.S. The DPF is a mechanism approved by the European Commission that is designed to facilitate the transfer of personal data to certified organizations in compliance with the GDPR (see our Dechert OnPoint here).
The PCLOB was already one member down with an open Republican seat; it is now sub-quorum with only one active member. The PCLOB’s compromised independence and operational capacity could undermine the DPF, although the European Commission’s approval of the DPF remains in force for now.
Takeaway: The European Commission is required to continuously monitor the effectiveness of the DPF and can suspend, amend or repeal the validity of the DPF. In addition, privacy activists can challenge the validity of the DPF through litigation (which sealed the fate of the DPF’s predecessor frameworks, in particular the fall of the Privacy Shield). Here we go again? For the time being, the DPF remains valid, but organizations should be aware that they may need to implement alternative data transfer mechanisms should the European Commission or the courts decide that the DPF cannot operate effectively in light of the issues affecting the PCLOB. Organizations relying on alternatives such as standard contractual clauses for their transfers of personal data to the U.S. may also want to consider the current ineffectiveness of the PCLOB in their transfer impact assessments.

CPPA Keeps Up Pressure on Data Brokers with Key Marketing Advantage LLC Settlement
The California Privacy Protection Agency (“Agency”) announced its latest settlement in connection with a data broker’s failure to register as required by California’s Delete Act. Specifically, Key Marketing Advantage LLC (“Key Marketing”), a Connecticut-based data broker, has agreed to pay a $55,800 penalty and comply with certain injunctive terms to resolve allegations that it failed to: (i) register with the Agency; and (ii) pay an annual fee as required by California’s Delete Act.
The Delete Act requires data brokers—i.e., businesses that collect and sell personal information belonging to consumers with whom they don't have a direct relationship—to register with the Agency by January 31 of each year and to pay an annual fee of $6,600. The fees fund the Data Broker Requests and Opt-Out Platform (“DROP”), a novel deletion mechanism that will allow a consumer to direct all data brokers to delete their personal information in a single request. Data brokers who fail to comply with registration and fee requirements face fines of $200 a day.
The settlement agreement with Key Marketing was announced days before this year’s January 31 registration deadline. The deal marks the resolution of the Agency’s fifth enforcement action since it first began enforcing the Delete Act in November 2024 and is the largest monetary penalty to date. (Our coverage of the first set of enforcement actions is available here.)
Takeaway: The Agency’s latest enforcement action against Key Marketing is its most aggressive to date, signaling that the Agency has no intention of scaling back its efforts to enforce the Delete Act. As the Agency continues to pursue enforcement actions, companies that purchase and license or sell in-scope data will want to make sure they have conducted an applicability analysis and, where needed, appropriately comply with the Agency’s requirements.

English High Court Decision Clarifies Scope of "Personal Data" and Access Requests
The English High Court ruled against the UK’s tax authority, HMRC, in a case involving a subject access request (“SAR”) by the well-known British retail tycoon, Mike Ashley. The Court found that HMRC had adopted an overly narrow definition of “personal data” when evaluating Mr. Ashley’s request for data processed by HMRC in the context of a tax dispute. HMRC had also improperly applied an exemption relating to tax investigations.
The judge ruled that data related to HMRC’s tax investigation into Mr. Ashley was not his personal data simply because the investigation concerned him, rejecting Mr. Ashley’s argument to that effect. The key question was not whether the purpose of the processing activities related to him, but rather whether any given piece of information related to him. The Court considered that the “related to” requirement would be satisfied where information is linked to a particular person by reason of its “content, purpose, or effect.”
The Court required HMRC to re-assess the information it held adopting the correct approach as set out by the Court. In particular, the Court advised that valuation figures of Mr. Ashley’s properties would be his personal data, as they were directly relevant to HMRC’s assessment of his tax liability, but that valuations of comparable third-party properties were very unlikely to be his personal data even though they were used to benchmark the valuation of his own properties.
Takeaway: The decision clarifies that “personal data” is not limited to information that is “biographical in a significant sense” or has the data subject as its “focus” – notions which had been suggested by previous UK case law. The Court adopted an approach aligned with EU guidance, that information could be sufficiently linked to an individual because of (i) its content, (ii) the purposes for which it is likely to be processed, or (iii) the impact of the data processing on the individual. While the purpose is a relevant factor, the assessment depends on the particular information under consideration rather than the overall purpose of the processing activities. Organizations dealing with access requests will want to be mindful of the Court’s guidance in assessing the data to be provided in response to a request.

Dechert Tidbits
Italian Data Protection Authority Investigates DeepSeek
The Garante, the Italian Data Protection Authority, ordered DeepSeek, the Chinese AI challenger, to limit the processing of data of Italian users and requested it to disclose details on how it collects, stores, and uses Italians’ data. The Garante launched an investigation, giving DeepSeek 20 days to provide the requested information. Other European data protection authorities have reportedly also launched, or are considering, investigations into DeepSeek’s compliance with the GDPR.
EDPB Publishes Draft Guidelines on Pseudonymization
Last month, the European Data Protection Board published its Guidelines 01/2025 on Pseudonymization to clarify the use and benefits of pseudonymization—a process designed to control attribution of personal data to specific individuals. To promote the pseudonymization of personal data, the Guidelines require that: (i) it must not be possible for pseudonymized data to be attributed to an identified or identifiable natural person absent the use of additional information; and (ii) such additional information must be kept separately and subject to measures to ensure confidentiality and prevent unauthorized use.
President Trump Rolls Back Biden's AI Executive Order with New One
On January 23, 2025, President Donald Trump signed an executive order directing government agencies to “suspend, revise, or rescind” safeguards on artificial intelligence implemented by the Biden Administration. The executive order states those safeguards hampered private sector innovation and the Trump administration’s efforts to solidify the United States as “the global leader in AI.”
FTC Issues Surveillance Pricing Findings, Issues Request for Information
The Federal Trade Commission ("FTC") released its initial findings from its Surveillance Pricing study. According to the study, companies use personal data not only to target consumers, but also to dictate the products presented to them and the prices they pay. Through its study, the FTC hopes to “remain vigilant and ensure that the rules are not stacked in favor of profit at the expense of consumers and fair competition.” The Commission issued a request for information on surveillance pricing that is open through April 17, 2025.
Content Editors
Dylan Balbirnie, Connor Flannery, Anita Hodea, Allie Ozurovich and James Smith
Production Editors
Hilary Bonaccorsi and Madeleine White
Partner Committee Editors
Dechert Cyber Bits Partner Committee
- Brenda R. Sharton, Partner, Chair, Cyber, Privacy and AI, Boston (brenda.sharton@dechert.com)
- Hilary Bonaccorsi, Partner, Charlotte (hilary.bonaccorsi@dechert.com)
- Timothy C. Blank, Senior Counsel, Boston (timothy.blank@dechert.com)
- Kevin F. Cahill, Partner, Los Angeles (kevin.cahill@dechert.com)
- Dr. Olaf Fasshauer, National Partner, Munich (olaf.fasshauer@dechert.com)
- Paul Kavanagh, Partner, London (paul.kavanagh@dechert.com)
- Laura Rossi, Partner, Luxembourg (laura.rossi@dechert.com)
- Benjamin Sadun, Partner, Los Angeles (benjamin.sadun@dechert.com)