These regulations also lay down the framework for transfers of personal data outside the EU and the United Kingdom to ensure that individuals enjoy a sufficient and appropriate level of protection. European supervisory authorities are evidencing increased vigilance and imposing fines that are increasingly significant. In addition to the regulations, the recommendations of the national organizations responsible for monitoring compliance with these rules as well as case law can have a significant influence on the level of protection required and the organization to be put in place.
Since implementation of the GDPR, more and more countries around the world are adopting personal data protection regulations. In the United States, in the absence of regulations at the federal level, many states, including California, Virginia, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oklahoma, Oregon, Florida, Rhode Island, Texas and Utah, have enacted personal data protection laws to strengthen requirements on how companies are allowed to use consumers’ personal data. These laws incorporate some of the concepts of the GDPR and introduce new confidentiality protections for consumers and restrictions on the use of their personal data. Other US states are in the process of proposing their own draft laws on personal data protection which, if adopted, will continue to complicate the situation with the fragmentation of the legislative landscape.
Under US state data protection laws, the use of personal data for advertising and marketing purposes generally requires informing consumers and offering them the opportunity to object to such processing (opt-out). In addition, several US states have enacted laws requiring express consent for the processing of sensitive personal data, such as information relating to health status or ethnic origin. In addition, US law restricts the disclosure of certain categories of data.
Many other countries have enacted data protection laws, including Brazil, the People’s Republic of China, India, Australia, the United Arab Emirates and Saudi Arabia.
The European Union also introduced new regulations which affect the advertising and marketing industry, with the ambition of turning the European Union into a single digital market and “creating a safer digital environment which protects consumers’ fundamental rights and establishes fair competition conditions for companies”. These are centered around the Digital Market Act (DMA), the Digital Services Act (DSA), the Data Act (DA) and the Data Governance Act (DGA). The DMA aims to regulate the behavior of platforms that have a significant impact on the European market, particularly with regard to competition law.
This text contemplates obligations relating to the use of personal data for targeted advertising. The DSA aims to regulate the operation of platforms, regardless of their size, and in particular the content published on the Internet. The DGA aims to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical barriers to data reuse. The DMA and DSA entered into force in November 2022 and the DGA entered into force in June 2022. The Data Act, which took effect in 2024, affects companies providing SaaS services by granting users an expanded right to data portability, which can be exercised with two months’ notice.
Many countries are concerned about the impact that social media can have on vulnerable individuals, particularly minors, as well as about any form of addiction or negative influence that may result from the misuse or excessive use of these communication platforms. Some countries, such as Australia, now prohibit minors under the age of 16 from accessing social media—the Online Safety Amendment (Social Media Minimum Age) Act 2024 took effect in December 2025; other countries or regions, such as Europe, are preparing similar regulations aimed at strengthening the protection of individuals on these platforms. The UK has also already implemented the Online Safety Act 2023 to address some of these issues. US state laws require age verification mechanisms to be in place when creating an account to protect children from harmful content.
Artificial Intelligence (AI) is rapidly developing and is commonly used in advertising and other Group activities. This development comes with increased attention from regulators. Many countries are implementing AI-specific laws and regulations. At European Union level, the EU Artificial Intelligence Act entered into force in June 2024, with provisions which take effect in stages until 2027. Specific AI laws have also been introduced in Latin America, Asia-Pacific and in several US states.
In addition, the European regulatory environment is characterized by the emergence of regulations in terms of Corporate Social Responsibility (CSR), in particular Directive (EU) 2022/2464 known as the CSRD (Corporate Sustainability Reporting Directive). Its purpose is to improve the transparency and reliability of non-financial information provided by companies.
