California Passes Landmark AI Safety Bill
On September 29, 2025, California Governor Gavin Newsom signed Senate Bill 53, styled the "Transparency in Frontier Artificial Intelligence Act" ("SB 53"), into law. The law imposes new obligations on companies whose annual revenues exceed $500 million and that develop frontier AI models, the bill's term for the largest-scale foundation models. For each such model, these entities are required to publish transparency reports detailing how the entity approaches, among other things: (i) incorporating national and international standards and industry best practices into its AI models; (ii) assessing and applying mitigations to address the potential for catastrophic risk; and (iii) identifying and responding to critical safety incidents. SB 53 further establishes whistleblower protections for employees who report safety risks and, perhaps most innovatively, calls for a state-sponsored cloud computing cluster, titled "CalCompute," with the goal of developing and deploying AI that is safe, ethical, equitable and sustainable.
SB 53 was sponsored by Senator Scott Wiener, but its approach differs dramatically from an earlier bill he sponsored, SB 1047, which passed the California legislature last year but was vetoed by Governor Newsom amid concerns that its overly stringent requirements might undermine California's technological leadership. For example, the vetoed bill would have required independent audits, imposed far steeper penalties and mandated incident reports within 72 hours. After vetoing that far more sweeping bill, Governor Newsom convened a group of researchers to draft a report recommending a better regulatory approach, and Senator Wiener has stated that he closely tracked the group's work in drafting SB 53. The new law's operative provisions take effect on January 1, 2026, and its adaptive design requires the California Department of Technology to recommend updates annually in light of technological developments and evolving international standards.
Takeaway: SB 53 represents a significant evolution in AI regulation and creates near-term, but comparatively less stringent, compliance obligations for major AI developers. Companies with revenues exceeding $500 million face new transparency reporting requirements, ongoing safety disclosures and potential whistleblower claims, costs that may advantage established players over emerging competitors if, as expected, the revenue threshold is lowered in future years. In addition, given California's leading role in technology regulation, other states may follow its lighter-touch approach to AI development and deployment rather than the more prescriptive model of Colorado's AI Act.
EDPB Consults on Draft Guidelines on the Interplay Between the DSA and GDPR
Recently, the European Data Protection Board ("EDPB") launched a consultation on its draft Guidelines on the interplay between the EU Digital Services Act ("DSA") and the General Data Protection Regulation ("GDPR"). The DSA, which applies to online intermediaries such as search engines and platforms, became fully applicable on February 17, 2024, with the stated aim of creating a safer online environment. Some of the DSA's key provisions include: (a) bans on targeted profile-based advertising to minors or using special categories of data; (b) a ban on dark patterns; (c) obligations to identify and remove illegal content; and (d) additional transparency requirements. Many of the DSA's provisions intersect with the GDPR because they relate to the processing of personal data; for example, the "notice-and-action" mechanisms for reporting illegal content may involve the personal data of the notifier. The draft Guidelines seek to clarify how online intermediaries should apply the GDPR when processing personal data in DSA contexts.
At the outset, the Guidelines confirm that the DSA does not override the GDPR. Any personal data processed under the DSA must still be processed in compliance with the GDPR, including the principles of lawfulness, fairness, transparency and data minimization. For example:
- "notice-and-action" and internal complaint procedures should collect only the minimum necessary personal data;
- content personalization by recommender systems is treated as automated decision-making, so non-profile-based alternatives should be considered (the DSA itself already requires very large platforms to offer a recommender option that is not based on profiling);
- the Guidelines support the DSA's ban on targeted profile-based advertising to minors, urging age verification methods that minimize data collection. The Guidelines also highlight potential challenges in the timing of transparency information required by the GDPR vs. the DSA; and
- the assessment and management of systemic risks under the DSA is likely to need the support of a data protection impact assessment under the GDPR.
The Guidelines also emphasize cross-regulatory cooperation to avoid regulatory inconsistencies and ensure a coherent and effective digital framework. A public consultation on the draft Guidelines is open until October 31, 2025.
Takeaway: The Guidelines offer a practical framework for businesses operating under both the DSA and GDPR and underscore the need for integrated compliance strategies across teams, balancing the individual compliance requirements of each law as well as their intersections. Online intermediaries who are in scope will want to review all of their DSA-implicated processes through a GDPR lens, and vice versa, to best navigate the overlapping obligations.
Amazon Agrees to $2.5 Billion Settlement with FTC for Prime Subscription Practices
Amazon has agreed to pay a total of $2.5 billion in a court-approved settlement to resolve allegations by the Federal Trade Commission ("FTC") that it engaged in deceptive subscription practices. The settlement includes a $1 billion civil penalty and $1.5 billion in consumer refunds, representing the largest civil penalty in a case involving an FTC rule violation and the second-highest restitution award obtained by the FTC, respectively.
Filed on June 21, 2023, the complaint alleged that Amazon used manipulative, coercive or deceptive user-interface designs to trick consumers into signing up for, and automatically renewing, Prime subscriptions. The FTC alleged that certain practices violated the FTC Act and the Restore Online Shoppers' Confidence Act. These included: (i) making the option to purchase items on Amazon without subscribing to Prime difficult to locate; (ii) buttons that did not clearly indicate to consumers that they were agreeing to subscribe to Prime; and (iii) implementing a cancellation process designed to prevent consumers from successfully unsubscribing from Prime. The complaint also alleged that Amazon's executives: (i) were aware that consumers were being enrolled without consent and of the complex process to cancel Prime; but (ii) failed to take any meaningful steps to address the issues until the FTC began investigating.
The settlement, which contains no admission of wrongdoing by Amazon, requires Amazon to issue automatic refunds to some Prime subscribers and set up a claims process for others, among other things. In addition, Amazon must make changes to its Prime enrollment and cancellation process to: (i) include a clear and conspicuous button for customers to decline Prime and disclose all material terms of Prime during the enrollment process; (ii) create an easy way for consumers to cancel Prime, using the same method that they used to sign up; and (iii) pay for an independent, third-party supervisor to monitor its compliance with the consumer redress distribution process. In a separate press release, Amazon stated that it has always followed the law and entered the settlement in order to "move forward and focus on innovating for customers."
Takeaway: Companies cannot necessarily rely on changing political winds to alter core agency priorities, such as targeting allegedly deceptive practices. Amazon's $2.5 billion settlement provides one example of the continuity of FTC consumer protection enforcement across political administrations, with the case initiated under the Biden administration in June 2023 and resolved under the Trump administration in September 2025. In addition, the complaint's focus on individual executives signals heightened FTC scrutiny of internal communications regarding consumer manipulation and of the adequacy of oversight when consumer complaints arise.
One Hand in the 'Cookie' Jar: UK Data Regulator Publishes Clarification on Storage and Access Technologies
In January 2025, the UK Information Commissioner's Office ("ICO") published its online tracking strategy designed to support individuals' control over online tracking. Nine months later, the ICO has addressed common misconceptions in a recent publication.
The ICO explains that the Privacy and Electronic Communications Regulations ("PECR"), which regulate the use of cookies and similar technologies, create distinct obligations covering all information stored on or accessed from a user's device, not just personal data. The rules therefore cover not only cookies but also other technologies, such as pixels, tags or device fingerprinting, where they involve storage or access. The ICO also addresses the relationship between PECR consent requirements and lawful bases for processing under the UK GDPR, clarifying that where PECR requires consent for storage or access, the appropriate UK GDPR lawful basis for the resulting processing is also consent; organizations cannot rely on "legitimate interests" under the UK GDPR to dispense with consent, nor can they switch to "legitimate interests" once data has already been obtained on the basis of consent.
The ICO has also reiterated that the "strictly necessary" exception must be assessed from the user's perspective, not the service provider's: the organization must be able to demonstrate that the storage or access is essential to deliver a service the user has requested. The recently enacted UK Data (Use and Access) Act 2025 provides helpful examples of what such necessity entails, including authentication, security and the prevention of technical faults, and in due course will also introduce additional exceptions to the consent requirement. For further information, see our OnPoint. Relatedly, the European Commission is also considering simplifying the cookie and tracking technology rules and is seeking views in a consultation open until October 14, 2025.
Takeaway: It is a common misconception that "cookie rules" apply only to cookies and that simply using an alternative technology can assuage the related compliance requirements. The ICO's clarifications aim to dispel this myth and underscore that the key point is storage of or access to device data, regardless of the actual type of technology. Whilst the rules have differing focuses, in practice many activities in scope of PECR will also be subject to the GDPR because technologies regulated by PECR are used to collect and process personal data. In such circumstances, organizations will want to consider not only the distinct obligations that apply under each piece of legislation, but also how those requirements interact.
Dechert Tidbits
California Governor Appoints New Member to Privacy Agency Board
On September 16, 2025, California Governor Gavin Newsom appointed Jill Hamer, a business executive with extensive data privacy experience, to the California Privacy Protection Agency's five-member board. Hamer fills the board seat left vacant by Jeffrey Worthe's departure and brings experience as general manager of data privacy at the consulting company Logic20/20. The appointment comes as the agency collaborates with the California Attorney General, as well as the Attorneys General of Colorado and Connecticut, on an investigative sweep examining whether companies are honoring consumer requests to stop data sales and sharing.
First Down the 'AI'sle – Italy Becomes the First EU Nation to Pass an AI Law
Italy has become the first EU member state to pass a national AI law complementing the EU Artificial Intelligence Act. Comprising 28 articles, the law sets out general principles alongside specific provisions addressing the use of AI in key areas such as the workplace, healthcare and justice, as well as the use of AI by minors.
We are honored to have been recognized in The Legal 500, Chambers USA, nominated by The American Lawyer for the Best Client-Law Firm Team award with our client Flo Health, Inc., and named Law360 Cybersecurity & Privacy Practice Group of the year! Thank you to our clients for entrusting us with the types of matters that led to these recognitions.
Recent News and Publications
- Litigator of the Week Runners-Up and Shout-Outs - Law.com (August 8, 2025)
- 2025 Rising Star: Dechert's Benjamin Sadun - Law360 (July 21, 2025)
- 10 Things to Know About UK's Data (Use and Access) Act (Dechert OnPoint published July 8, 2025)
- Disclosing Personal Data to Non-European Union Authorities: General Data Protection Regulation Guidance (Pratt's Privacy & Cybersecurity Law Report by Lexis Nexis May 2025)
- FTC Privacy Enforcement Takeaways From 2024 (Law360 published January 21, 2025)
- Brenda Sharton Q&A (Profiles in Diversity Journal Q4 2024 "All Colors, All Leaders" issue)
- Disclosing Personal Data to Non-EU Authorities - GDPR Guidance Published (Dechert OnPoint published December 18, 2024)
- MVP: Dechert's Brenda Sharton - (Law360 October 10, 2024)
- Brantley et al. v. Prisma Labs, Inc. (Global Legal Chronicle published August 31, 2024)
- Law360's Legal Lions of The Week (Law360 published August 9, 2024)
- Lensa AI App Creator Shakes Ill. Biometric Privacy Suit (Law360 published August 6, 2024)
- Prisma Labs Skirts BIPA Suit Over Training of Its AI Photo App (Bloomberg Law published August 6, 2024)
- A New UK Labour Government: A Fresh Approach to AI Regulation (Dechert OnPoint published July 9, 2024)
- The EU AI Act: An Overview (Dechert OnPoint published May 13, 2024)
- Tribunal Overturns UK ICO's Enforcement Action Against Clearview AI (Dechert OnPoint published November 8, 2023)
- 5 Takeaways from ICO's Biometric Recognition Guidance (Published in Law360, October 18, 2023)
- Bridge Over Troubled Data Flows: UK-US Data Bridge Approved (Dechert OnPoint published September 22, 2023)
- US-EU Plan On AI Illustrates Differing Opinions On Regulation (Published in Law360, August 2, 2023)
- SEC Final Rule Exempts ABS Issuers from New Cybersecurity Disclosure and Reporting Requirements (Dechert OnPoint published August 16, 2023)
- SEC Finalizes Cybersecurity Disclosure Rules for Public Companies (Dechert OnPoint published August 7, 2023)
- Ready. Set. Flow: Green Light from the Commission for EU-U.S. Data Privacy Framework (Dechert OnPoint published July 11, 2023)
- EU General Court Examines Data Anonymisation and Pseudonymisation (Dechert OnPoint published May 25, 2023)
- SEC Proposes New Cybersecurity Risk Management Rule for Various Market Entities (Dechert OnPoint published May 10, 2023)
- Artificial Intelligence: Legal and Regulatory Issues for Financial Institutions (Dechert OnPoint published April 26, 2023)
- BioDech | A Global Life Sciences Broadcast Series - What Every Life Sciences Company Needs to Know About Cybersecurity
- The group was named 2022 Law360 Practice Group of the Year.
- Winner of the International Association of Privacy Professionals ("IAPP") Legal Innovation Award for the Americas for 2022, for its work with client Flo Health, Inc., the world's leading women's health App on its "Anonymous Mode" feature in the wake of the Dobbs decision by the U.S. Supreme Court.
- Recognized as a 2022 "Standout" by London's Financial Times in a legal innovation award for the Americas in the category of "Innovation in Enabling Business Resilience."
- Exploiting Public Health Data for R&D: UK Progresses Secure Data Environments (Dechert OnPoint published July 20, 2023)
- EU Data and Digital Drive: 10 Things to Know About the Digital Services Act (Dechert OnPoint published February 17, 2023) By: Paul Kavanagh, Dr. Olaf Fasshauer, and Madeleine White.
- Your Company's Data Is for Sale on the Dark Web. Should you Buy it Back? (Published in the Harvard Business Review January 4, 2023) By: Brenda Sharton.
- Brenda Sharton and Steven Rabitz quoted in Plan Sponsors Have Myriad Responsibilities to Protect Against Cyberthreats (Published in PLANSPONSOR December 22, 2022).
- English High Court Maintains Claimant's Anonymity in Cyberattack Case (Dechert OnPoint published December 19, 2022) By: Paul Kavanagh, Brenda Sharton, Dylan Balbirnie, and Anita Hodea.
- The entry into force of the Digital Markets Act kicks off new era of digital regulation in Europe (Dechert OnPoint published October 25, 2022), by members of the Dechert antitrust practice.
- Brenda Sharton was named a 2022 Law360 MVP for Cybersecurity & Privacy.
- Brenda Sharton was recognized as one of Massachusetts Lawyers Weekly's Go To Cybersecurity/Data Privacy Lawyers for 2022 (Published in Mass. Lawyers Weekly October 31st issue)
- Practice leaders Brenda Sharton and Karen Neuman are discussed in Litigation Leaders: Dechert's Cathy Botticelli and Jonathan Streeter on Counseling Clients With an Eye Toward Avoiding Litigation (Published in Law.com August 15, 2022).
- Brenda Sharton quoted in Why hackers are able to steal billions of dollars worth of cryptocurrency (Published in the Washington Post August 11, 2022).
- FDA Medical Device Cyber Guidance Protects Patients, Cos. (Published in Law360 June 9, 2022) By: Brenda Sharton, Emily Van Tuyl, and Kathleen Fay
- Olaf Fasshauer was ranked in the 2022 publication of German's daily newspaper Handelsblatt (in cooperation with Best Lawyers) as best lawyers in Germany for Data Security and Privacy Law
- Brenda Sharton presented at the WSJ Pro Cyber Forum (June 1, 2022).
- Brenda Sharton was a moderator on the panel, "The Digital Transformation of Customer Experience" at the LendIt Fintech Conference (May 25, 2022).
- Ranked by The Legal 500 US – Media, Technology and Telecoms: Cyber Law (including Data Privacy and Data Protection). Brenda Sharton was named a Leading Lawyer and Hilary Bonaccorsi was named a Rising Star.
- Brenda Sharton named to Cybersecurity Docket's Incident Response 40 2021 list.
- Dubai data protection authority plans to launch international privacy risk index and update international data transfer mechanisms (Dechert OnPoint published May 5, 2022) By: Paul Kavanagh and Dylan Balbirnie.
- Brenda Sharton quoted in Global Data Review article, "SEC proposes 4-day breach reporting rule" (April 26, 2022).
- CJEU rules on private copying exception to storage in the cloud (Dechert OnPoint published April 11, 2022) By: Paul Kavanagh and Nathan Smith.
- SEC Proposes New and Amended Cybersecurity Rules for Public Companies (Dechert OnPoint published March 17, 2022) By: Timothy Blank, Kevin Cahill, Brenda Sharton and Daniel Murdock.
- Brenda Sharton was quoted in the Law360 article, "Congress Seizes On Incident Reports In Fighting Cyberattacks" (March 16, 2022).
- 4 Takeaways For Asset Managers From SEC's Cyber Rule Plan (Published in Law360 on March 10, 2022) By: Kevin Cahill and Hilary Bonaccorsi.
- California Privacy Protection Agency Signals Delay for Final CPRA Rules & California AG Conducts CCPA Investigative Sweep (Dechert Newsflash published February 25, 2022) By: Karen Neuman, Hilary Bonaccorsi, Bailey E. Dervishi.
- SEC Proposes New Cybersecurity Rules for SEC Registered Advisers and Funds (Dechert OnPoint published February 23, 2022) By: Kevin Cahill, Timothy Blank, Brenda Sharton, Hilary Bonaccorsi, Colleen Hespeler and Bailey Dervishi.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.