EU Commission Publishes Guidelines on Online Protection of Minors
On 14 July 2025, the European Commission released guidance under the Digital Services Act ("DSA"), aiming to improve online safety for children and adolescents across digital platforms.
Key measures include setting minors' accounts to private by default, improving content recommendations to reduce exposure to harmful material, empowering users to block others and avoid unwanted group additions, restricting downloads/screenshots of minors' posts, limiting persuasive design features and AI chatbot risks, and shielding children from manipulative monetisation tactics like loot boxes.
The guidelines highlight the importance of effective age verification tools that are accurate, non-intrusive, and non-discriminatory, while cautioning against disproportionate restrictions on children's rights. Although they are not legally binding, the guidelines provide a key reference point for assessing DSA compliance and may guide national enforcement, having been shaped through consultations, expert input, and youth engagement.
The guidelines outline several key recommendations aimed at enhancing the online safety and well-being of minors, including:
- Defaulting minors' accounts to private to help safeguard their personal information and content from being accessed by individuals outside their network, thereby minimizing the risk of unsolicited contact from strangers.
- Modifying recommendation algorithms to reduce children's exposure to harmful content and prevent them from becoming trapped in narrow content loops, while also encouraging greater autonomy over what appears in their feeds.
- Providing children with clear and accessible tools to block or mute other users, and preventing them from being added to group chats without their explicit consent — all of which are critical to reducing the risk of cyberbullying.
France Updates on Cookie-Free Tracking
France's data protection authority, the Commission Nationale de l'Informatique et des Libertés ("CNIL"), has updated its guidance on compliant audience measurement tools and cookie alternatives under the ePrivacy Directive and GDPR. The updated page outlines criteria for exempting audience measurement tools from consent requirements, provided they meet strict privacy-by-design conditions, including limited data retention, IP anonymisation, and no cross-site tracking.
Dutch DPA Releases Human Oversight Toolkit
The Dutch data protection authority, Autoriteit Persoonsgegevens ("AP"), has issued practical tools and guidance to help organisations ensure meaningful human intervention in algorithmic decisions, especially those falling under Article 22 of the GDPR.
The guidance emphasises that oversight must be authentic and not perfunctory, underscoring the significance of human roles, system design, processes, and governance. Following extensive public consultation, these tools have been developed to offer example questions and scenarios to support effective human involvement in automated decision-making. It also aligns with core data protection principles, such as fairness, accountability, and the right to contest decisions, ensuring that algorithmic processes respect fundamental rights and freedoms.
Concerns Raised Over GDPR Simplification Proposal
On 23 July 2025, the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") issued a joint opinion on the European Commission's proposal to simplify record-keeping obligations under the GDPR.
While the regulators welcomed efforts to reduce administrative burdens, they warned that the proposed changes risk weakening key safeguards, particularly transparency and accountability obligations, and could undermine data subject rights. The opinion further noted that the new wording may create ambiguity about the scope of existing obligations and could lead to inconsistent application across the EU.
The EDPB and EDPS called on the Commission to reconsider the proposal and recommended developing alternative solutions that preserve the GDPR's protective framework while streamlining compliance processes.
Ransomware Attack on US Testing Service Impacts 750,000 Individuals
A ransomware attack on the Texas-based company The Alcohol & Drug Testing Service ("TADTS") resulted in the exposure of the personal data of around 750,000 people.
TADTS, which provides alcohol and drug testing for employment and personal use, launched a year-long investigation following the breach with the support of data mining experts. The exposed information includes names, dates of birth, social security numbers, driving licence and passport numbers, financial and biometric data, login credentials and U.S. Citizenship and Immigration Services identifiers collected during the employment process.
The company has since taken remedial steps, including resetting passwords, implementing new detection protocols, and notifying the relevant authorities. Affected individuals have been urged to monitor their financial accounts and report any suspicious activity.
EDPB to Address 'Pay-or-Okay' Consent Model
The EDPB is considering issuing formal guidelines on the so-called "pay-or-okay" model, which requires users to accept tracking or pay for access. The model, first introduced by Austria's Der Standard and later adopted by platforms like Meta, has raised concerns over lack of genuine user choice. The investigation highlights that over 99% of users opt for tracking, often due to the unaffordability of the paid alternative. In a previous non-binding opinion, the EDPB had found such consent frameworks to be incompatible with the GDPR. Meta is currently subject to daily fines of up to 5% of its global revenue, a penalty that will continue until the company adjusts its practices.