Photo of Bartolomé Martín

Bartolomé Martín

2024 was an active year for regulation of customer contracts with “negative option” features. Generally, a “negative option” provision in an offer to sell products or provide services means that a customer’s silence or failure to take action to reject the terms of the offer is deemed by the seller as the customer’s acceptance of the offer terms.

Earlier in 2024, three states updated laws related to negative option provisions in customer contracts (together, the 2024 State Autorenewal Laws)

  1. Utah enacted its Automatic Renewal Contracts Act on March 13, 2024, with an in-force date of January 1, 2025. (Utah ARCA)
  2. Virginia amended its consumer protection law related to automatic renewal and continuous service offers (which was effective on July 1, 2024) (Virginia AR Law).
  3. California amended its Automatic Purchase Renewals law on September 24, 2024 with the amendments in force on July 1, 2025 (California AR Law).

Then, on October 16, 2024, the Federal Trade Commission (FTC) issued the final version of its “Rule Concerning Recurring Subscriptions and Other Negative Option Programs” (FTC Final Rule). (We previously covered the FTC’s notice of proposed rulemaking for negative options on Privacy World here.)  The Federal Register publication date for the FTC Final Rule is November 15, 2024. Whether the FTC Final Rule will survive the change in Administration is an open question, as discussed below.

Both the 2024 State Autorenewal Laws and Final FTC Rule include new or expanded obligations. When effective, the FTC Final Rule will preempt the 2024 State Autorenewal Laws (and the other similar state laws) to the extent they are “inconsistent” with its requirements. State laws that afford greater protection than the FTC Final Rule are not inconsistent with the FTC Final Rule. In other words, the FTC Final Rule sets a national “floor,” and states may add more consumer-protective obligations, as reflected in certain aspects of the 2024 State Autorenewal Laws described below.Continue Reading Cancel Culture: New Requirements for Automatic Renewal and Other Negative Option Offers

Six years after its enactment and four years after it entered into force, on July 17, 2024, the Brazilian Data Protection Agency (Autoridade Nacional de Proteção de Dados (ANPD)) has issued a regulation developing the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais (LGPD)) and clarifying the regulatory framework for Data Protection Officers (DPOs) in Brazil (ANPD Resolution No. 18/2024, the “Resolution”).

Article 41 of the LGPD establishes that data controllers must appoint a data protection officer (DPO), details their main responsibilities, and requires that the DPO’s identity must be made public. It also invites the ANPD to establish complementary rules for the definition and attribution of the person in charge, including cases of exemption from the appointment requirement, depending on the nature and size of the entity or the volume of the data processing operations.Continue Reading New ANPD Resolution on the Statute of Data Protection Officers in Brazil

When expanding/ directing operations into Europe, foreign organizations often have questions about how to deal with the EU’s ever-expanding regulatory framework. From a data protection perspective, it is often assumed that B2B operations do not trigger the extraterritorial applicability of EU data protection laws (mainly, Regulation (EU) 2016/679 or GDPR) and that it is sufficient to enter into data processing agreements with European data controllers. But is it really that simple?

Some context…

As raised above, one of the most salient elements of the GDPR is that it applies not only to processing operations carried out by controllers and processors established in the European Union, but also to certain processing operations carried out by controllers and processors established outside the Union. This is the case of the processing related to the active offering of goods or services to data subjects in the Union and the monitoring of their behavior, as far as it takes place within the Union (Article 3.2 of the GDPR).Continue Reading A data processing agreement is not always enough.

Last week was a busy one for AI regulation. The week started and ended with big news from Colorado: on Monday, Colorado’s legislature passed “Concerning Consumer Protections in Interactions with Artificial Intelligence Systems” (SB 24-205) (Colorado AI Law) and, on Friday, Governor Jared Polis (D) signed the Colorado AI Law “with reservations” according to his letter to Colorado’s legislature. Although the Colorado legislature is the first U.S. lawmaker to pass general AI legislation, Colorado’s Governor has expressly invited Congress to replace the Colorado AI Law with a national regulatory scheme before the Colorado AI Law’s February 1, 2026, effective date.Continue Reading All Eyes on AI: Colorado Governor Throws Down the Gauntlet on AI Regulation After Colorado General Assembly Passes the Nation’s First AI Law

In February 2023, Spain implemented Directive (EU) 2019/1937 (although it did not become fully applicable until December of that year) by means of Law 2/2023, of February 20, 2023, regulating the protection of persons who report regulatory violations and the fight against corruption (the “Law”). The Law, which requires all public and private organizations (with more than 50 employees or simply operating in certain sectors, even if they have fewer employees) to implement a whistleblowing system, has raised some doubts from a data protection perspective.Continue Reading Never Beyond the Law – the Spanish AEPD’s Position on the Processing of Whistleblower Data

The Spanish antitrust regulator, the Comisión Nacional de los Mercados y de la Competencia (CNMC), has joined the proposed “State Pact” for protecting Spanish children from harmful content online and in social media. The CNMC joins the Spanish Data Protection Authority and Attorney General’s Office, as well as civil society and UN bodies, in supporting the proposal to develop long-term approaches to online safety.  Continue Reading The Spanish Antitrust Authority (CNMC) Follows the Spanish Data Protection Authority (AEPD) and Joins Forces with Other National and International Institutions to Protect Minors on the Internet and in Social Networks

Transparency, from the medieval Latin “transparentia”, is thought to have emerged in the late 16th century as a general term for a transparent object. In essence, it means the property of allowing light to pass through so that objects behind it can be clearly seen. But in the 21st century, transparency has a different and broader meaning.

The Spanish Data Protection Agency (Agencia Española Protección de Datos, or AEPD) published an article in September 2023 on transparency in the context of the proposed Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR), clarifying that different actors, different information and different recipients are involved, depending on the regulation.Continue Reading AEPD’s Position Regarding Transparency (AIA vs. GDPR)

The Spanish Data Protection Authority (AEPD) has issued a set of guidelines on the use of biometric systems for access and employee attendance control defining the criteria for using these systems (and the measures to be considered in the context of these processing activities) in compliance with the General Data Protection Regulation (GDPR).Continue Reading The Spanish DPA’s Restrictive Approach to Processing Biometric Data for Access and Attendance Control

The Spanish data protection and e-commerce legislation has been recently amended in order to, on the one hand, redefine the nature of the process to issue reprimands to data controllers and processors (so that reprimands are removed from the list of sanctions resulting from infringement of the regulations) and, on the other hand, relax the

In a previous blog post, we discussed the European Commission’s criticism of the Dutch data protection authority’s interpretation of legitimate interests as a lawful basis for processing personal data. In that post we noted that the issue would potentially be resolved by the Netherlands’ highest administrative court, the Council of State when it ruled