From TIDA takedown obligations and FTC disclosure guidelines to South Korea's watermark mandate—three new red lines are turning platform content governance from voluntary best practice into enforceable regulatory obligation.
Vietnam’s Personal Data Protection Law (PDPL), enacted in June 2025 and effective from January 1, 2026, establishes a comprehensive national framework for personal data protection, replacing the 2023 Decree No. 13/2023/NĐ-CP. Applicable to both domestic and foreign entities processing Vietnamese citizens’ or residents’ data, the PDPL introduces strict penalties (up to 10 times illegal proceeds for data trading or 5% of annual revenue for cross-border violations), a narrow “legitimate rights and interests” processing basis, and exemptions for micro-enterprises. It mandates explicit consent, data processing and transfer impact assessments (DPIA and TIA), and robust data subject rights, including access, correction, and deletion. Enterprises must implement consent mechanisms, data security measures, and compliance with data localization under the Cybersecurity Law, with specific rules for sensitive data like children’s or health information, and a 72-hour breach reporting requirement.
The Mirror’s cookie banner, which charges £1.99/month to reject non-essential cookies, violates GDPR’s requirement for freely given consent, risking fines and reputational damage. GDPR mandates transparent, opt-in cookie policies with easy withdrawal, and tools like Kaamel’s Risk Management solution help enterprises ensure compliance through automated audits and developer-friendly workflows. Enterprises must prioritize user-friendly consent mechanisms to avoid legal and trust issues.
H.R. 7757 has passed the House and moved to a Senate committee. This brief covers proposed rules for platforms, gaming, AI chatbots, and COPPA 2.0.
On July 12, 2025, a class action lawsuit was filed against SHEIN for allegedly violating the Telephone Consumer Protection Act (TCPA) by sending marketing text messages to numbers listed on the National Do-Not-Call Registry without prior consent. The plaintiff, whose number was registered in April 2025, continued receiving promotional texts in June, well past the required 31-day buffer. The case emphasizes that TCPA rules apply not only to calls but also to automated SMS marketing, requiring companies to prove consent, honor opt-outs, and now comply within 10 business days following an FCC order in April 2025. This lawsuit highlights stricter enforcement of consumer privacy protections against unsolicited marketing communications.
South Korea's Personal Information Protection Commission fined Meta 21.6232 billion KRW for improperly collecting and processing sensitive user information, denying access requests, and causing a data leak. The Commission ordered Meta to implement stronger data protections and ensure lawful handling of sensitive data.
The FTC's new “Click to Cancel” rule mandates businesses to simplify subscription cancellations, making them as straightforward as the sign-up process.
The U.S. Department of Justice has issued a proposed rule to restrict data access by specific foreign countries, following an executive order by President Biden.
We at Kaamel Technology are pleased to share the news that we have recently completed our System and Organization Controls (SOC) 2 Type II Audit.
H.R. 7757 has passed the House and moved to a Senate committee. This brief covers proposed rules for platforms, gaming, AI chatbots, and COPPA 2.0.
From TIDA takedown obligations and FTC disclosure guidelines to South Korea's watermark mandate—three new red lines are turning platform content governance from voluntary best practice into enforceable regulatory obligation.
Social platform X (formerly Twitter) is facing several complaints in Europe for allegedly using EU users' personal data without consent to train its AI technologies, including Grok. The Irish Data Protection Commission has filed a lawsuit, and the non-profit organization NOYB has submitted complaints in nine countries, accusing X of violating GDPR regulations by collecting and using data without proper transparency or legal basis.
Vietnam’s Personal Data Protection Law (PDPL), enacted in June 2025 and effective from January 1, 2026, establishes a comprehensive national framework for personal data protection, replacing the 2023 Decree No. 13/2023/NĐ-CP. Applicable to both domestic and foreign entities processing Vietnamese citizens’ or residents’ data, the PDPL introduces strict penalties (up to 10 times illegal proceeds for data trading or 5% of annual revenue for cross-border violations), a narrow “legitimate rights and interests” processing basis, and exemptions for micro-enterprises. It mandates explicit consent, data processing and transfer impact assessments (DPIA and TIA), and robust data subject rights, including access, correction, and deletion. Enterprises must implement consent mechanisms, data security measures, and compliance with data localization under the Cybersecurity Law, with specific rules for sensitive data like children’s or health information, and a 72-hour breach reporting requirement.
On September 6, the EU published a FAQ on the Data Act, explaining its relationship with the GDPR and addressing issues related to IoT data access and business-to-business data sharing.
The European Commission announced that TikTok has committed to permanently withdrawing its TikTok Lite rewards program from the EU market after concerns that the program violated the EU's Digital Services Act (DSA). The investigation highlighted TikTok's failure to conduct the required risk assessments before launching new features, marking the first case concluded by the European Commission under the DSA.
On July 12, 2025, a class action lawsuit was filed against SHEIN for allegedly violating the Telephone Consumer Protection Act (TCPA) by sending marketing text messages to numbers listed on the National Do-Not-Call Registry without prior consent. The plaintiff, whose number was registered in April 2025, continued receiving promotional texts in June, well past the required 31-day buffer. The case emphasizes that TCPA rules apply not only to calls but also to automated SMS marketing, requiring companies to prove consent, honor opt-outs, and now comply within 10 business days following an FCC order in April 2025. This lawsuit highlights stricter enforcement of consumer privacy protections against unsolicited marketing communications.
South Korea's Personal Information Protection Commission fined Meta 21.6232 billion KRW for improperly collecting and processing sensitive user information, denying access requests, and causing a data leak. The Commission ordered Meta to implement stronger data protections and ensure lawful handling of sensitive data.
Oracle has proposed a $115 million settlement to resolve a class action lawsuit accusing the company of unlawfully collecting and selling users' data without consent.
The Mirror’s cookie banner, which charges £1.99/month to reject non-essential cookies, violates GDPR’s requirement for freely given consent, risking fines and reputational damage. GDPR mandates transparent, opt-in cookie policies with easy withdrawal, and tools like Kaamel’s Risk Management solution help enterprises ensure compliance through automated audits and developer-friendly workflows. Enterprises must prioritize user-friendly consent mechanisms to avoid legal and trust issues.
This study looked at the cookie consent practices of 64 Fortune 500 companies that directly engage with European customers. By simulating customers interacting with the website, the research scrutinizes how these global companies adhere to regulation. A staggering 70% of the evaluated websites do not comply with GDPR cookie consent requirements, indicating a substantial gap in adherence to privacy laws among even the biggest companies.
Recently, NOYB has filed numerous complaints against companies using questionable consent banners. This report categorizes and critiques eight types of cookie banner designs prevalent in non-compliant practices
The FTC's new “Click to Cancel” rule mandates businesses to simplify subscription cancellations, making them as straightforward as the sign-up process.
The U.S. Department of Justice has issued a proposed rule to restrict data access by specific foreign countries, following an executive order by President Biden.
We at Kaamel Technology are pleased to share the news that we have recently completed our System and Organization Controls (SOC) 2 Type II Audit.
On August 2, Illinois amended the Biometric Information Privacy Act (BIPA), reducing the number of violations counted for repeated biometric data collection from the same individual and allowing electronic signatures as a method for obtaining consent. This amendment significantly lowers potential damages in BIPA lawsuits and offers businesses more flexibility in compliance.
Summary In February 2022, Texas Attorney General Ken Paxton sued Meta formerly known as Facebook , alleging that Meta unlawfully captured the biometric identifi
Zellmer sued Facebook (now Meta) under the Illinois Biometric Information Privacy Act (BIPA) for privacy violations, similar to the "In re Facebook Biometric Information Privacy Litigation" case, which resulted in a $650 million settlement.
The U.S. Federal Trade Commission (FTC) has filed a lawsuit against TikTok and its parent company ByteDance, accusing them of violating the Children’s Online Privacy Protection Act (COPPA) and a 2019 settlement agreement. The lawsuit alleges that TikTok failed to delete underage users' personal data, improperly collected data from minors without parental consent, and created obstacles for parents attempting to delete their children's data.
The Governor of Florida signed Bill HB 3, which regulates minors' use of social media and access to harmful content.
Recently, Pornhub blocked access for users in Texas due to new regulations requiring "reasonable age verification" for accessing sexually harmful materials. The regulations faced opposition and lawsuits but retained the core provision of age verification.