Technology Law and Data Privacy Updates

Edition I - January 2025

SUMMARY

Welcome to the latest edition of Fountainhead Legal’s Data Privacy and Technology Law newsletter.

The year 2025 has commenced with notable regulatory advancements, both nationally and internationally, shaping the future of how data is protected, utilized, and governed across industries. These developments in technology and data privacy law are set to redefine the regulatory landscape, influencing how businesses and governments approach data protection and privacy in an increasingly interconnected world.

In India, MeitY has released the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) earlier than anticipated, demonstrating a proactive approach to operationalizing the Digital Personal Data Protection Act, 2023. The Draft Rules set out clear obligations for data fiduciaries, emphasize consumer rights, and introduce new accountability measures. While the deadline for stakeholder consultation submissions is February 18, 2025, the first round of consultations is already underway. MeitY is considering extending the consultation period and organizing additional focus groups to gather feedback, reflecting a comprehensive and inclusive approach to implementation.

India is also taking steps to regulate Artificial Intelligence (“AI”). To this end, MeitY has released a consultation paper inviting feedback by January 27, 2025, further underscoring the country’s commitment to responsible AI governance.

Globally, regulatory frameworks continue to evolve. The European Union has reached a significant milestone in the digital asset sector with the full enforcement of the Markets in Crypto-Assets (“MiCA”) Regulation on December 30, 2024. MiCA establishes a unified legal framework for crypto-assets across EU member states, aiming to enhance consumer protection, foster innovation, and provide legal clarity for businesses and investors. Additionally, the EU has reinforced its commitment to robust data privacy enforcement, with the EU Commission recently being held liable for a data breach under GDPR.

In the United States, key regulatory developments include the operationalization of data privacy laws in New Jersey, the Department of Justice finalizing rules to prevent foreign adversaries from accessing sensitive personal data, and the Federal Trade Commission taking decisive action to stop the sale of sensitive location data.

These measures emphasize the global shift toward greater transparency, consumer protection, and accountability. Together, these advancements offer businesses, governments, and consumers the opportunity to navigate a more complex and interconnected digital ecosystem. As regulatory frameworks evolve, stakeholders must remain engaged and prepared for the changes ahead.

Fountainhead Legal is committed to supporting organizations on this journey. With our deep expertise in data privacy compliance and a strong understanding of regulatory nuances, we offer tailored solutions for each client’s unique needs.

From drafting privacy policies and developing data protection frameworks to advising on cross-border data transfers and facilitating employee training programs, our team is equipped to guide clients through every stage of their compliance strategy.

We hope you enjoy our latest updates!

NATIONAL 

1. MeitY notifies Draft Rules for DPDP Act[1]

On January 3, 2025, MeitY released the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) to operationalize the DPDP Act. These Draft Rules provide a comprehensive framework outlining the obligations of data fiduciaries, rights of data principals, and regulatory mechanisms to ensure responsible and transparent data processing.

The Draft Rules clarify the responsibilities of data fiduciaries, including the need for clear and concise notices, data minimization, and robust security measures to prevent data breaches. Consent mechanisms have been emphasized, with a focus on simplicity and transparency. For significant data fiduciaries, the Draft Rules introduce enhanced accountability measures, including periodic data protection impact assessments and audits. The Draft Rules also reinforce the principles of purpose limitation and data retention, ensuring that personal data is processed only for specified purposes and retained only as necessary.

Further, in cases of data breaches, the Draft Rules require data fiduciaries to notify the Data Protection Board of India (“DBP”) within 72 hours and the affected data principals without undue delay. The breach notification must include details such as the nature of the breach, its likely impact, and the remedial actions taken, with certain additional requirements applying to the intimation provided to the DBP.

The Government has invited stakeholders to provide their feedback on the Draft Rules by February 18, 2025.

The Draft Rules provide a strong framework but pose implementation challenges, especially for MSMEs. Key areas include readiness for breach reporting, cross-border data transfers, and compliance with security measures. Effective functioning of consent managers and streamlined enforcement by the Data Protection Board are crucial. The success of these rules depends on the Government’s ability to provide consistent guidelines, streamline enforcement through the DBP, and foster stakeholder engagement for seamless compliance.

2. MeitY Releases Report on AI Governance Guidelines for Public Consultation[2]

MeitY has released the report titled AI Governance Guidelines Development, providing a robust framework to govern AI in India. The report outlines key principles and recommendations to foster ethical, transparent, and accountable AI deployment while addressing associated risks. It emphasizes a whole-of-government approach to address risks and foster innovation, and proposes frameworks for responsible AI deployment, focusing on transparency, accountability, safety, privacy, and fairness.

The Government is seeking public feedback on these recommendations, with a deadline for responses set for January 27, 2025.

INTERNATIONAL 

3. Complete MiCA Regulation Enforced[3]

The Markets in Crypto-Assets (“MiCA”) Regulation, fully effective from December 30, 2024, is a landmark step toward harmonizing the regulation of crypto-assets across the EU. Some aspects, like transitional licensing for Crypto-Asset Service Providers (CASPs), stablecoin reserve requirements, and consumer transparency obligations, were operational as early as June 2024, giving businesses time to align with the regulation. MiCA provides a unified framework covering utility tokens, asset-referenced tokens (ARTs), and e-money tokens (EMTs) while excluding decentralized finance (DeFi) and non-fungible tokens (NFTs) for now.

Key provisions include mandatory licensing for CASPs, stringent reserve and redemption mechanisms for stablecoins, and measures to ensure consumer protection through detailed whitepaper disclosures. The regulation also tackles insider trading and market manipulation to enhance market integrity. These efforts aim to boost consumer trust, foster innovation, and provide legal clarity for businesses and investors.

Going forward, CASPs and issuers must align operations with MiCA’s standards, focusing on compliance readiness, robust risk management, and transparent practices. Stakeholders should engage with regulators, monitor potential expansions to cover DeFi and NFTs, and build internal capacities to leverage the opportunities presented by a regulated EU crypto market.

4. European Commission held Accountable for GDPR breach[4]

The General Court of the European Union has ordered the European Commission to pay €400 in damages to a German citizen who visited the ‘Conference on the Future of Europe’ website. The Court found that, by providing a ‘Sign in with Facebook’ option on its EU Login page, the Commission facilitated the transfer of the visitor’s IP address—a personal data element—to Meta Platforms, a U.S.-based company. At the time of the transfer, there was no adequacy decision confirming that the United States ensured an adequate level of data protection for EU citizens, nor did the Commission implement appropriate safeguards such as standard data protection clauses. This lack of protection led the Court to conclude that the Commission had committed a sufficiently serious breach of data protection laws, justifying the compensation awarded.

UNITED STATES OF AMERICA

5. Data Privacy Law operational in New Jersey[5]

Keeping in line with other major States, the New Jersey Data Privacy Law, 2023 (“NJDPL”) was made effective January 15, 2025, providing consumers with essential rights over their personal data. These rights include the ability to access, correct, and delete their data, and to opt out of data sales or processing. It targets businesses that either process data for over 100,000 consumers or profit from data sales. NJDPL mandates data protection assessments for high-risk processing, transparency in data practices, and accountability in how consumer data is handled.

6. US introduces Rules restricting ‘Foreign Adversaries’ from accessing Sensitive Personal and Government Data[6]

The Government aims to protect national security by restricting transactions involving biometric, health, financial, and other sensitive data. The rules target “foreign adversaries”, which are countries identified by the U.S. Government as threats due to their involvement in cyber espionage, surveillance, or activities that could potentially compromise sensitive data of U.S. citizens, including Government-related data. Nations like China, Russia, North Korea, and Iran have been flagged as potential sources of risk due to their history of attempting to exploit sensitive data.

The rules establish a licensing framework through which businesses will seek approval for certain restricted transactions. Exemptions are provided for specific activities like academic research and telecommunications. As such, businesses are required to conduct due diligence on transactions that involve entities located in countries identified as ‘foreign adversaries’, ensuring compliance with the reporting and auditing requirements. Businesses must also review their vendor agreements and investment deals to ensure that they do not facilitate unauthorized access to sensitive personal data by such foreign entities. The rules will take effect 90 days after their publication, giving businesses a limited time to implement compliance measures to avoid penalties.

7. California Attorney General Issues Guidance on AI Regulation[7]

The Attorney General has released two legal advisories that outline how existing state laws apply to AI systems. These advisories aim to help businesses and organizations responsibly integrate AI technologies by emphasizing compliance with legal standards and ensuring ethical practices. One advisory focuses on the California Consumer Privacy Act, 2018, requiring entities that use AI to process personal data to uphold privacy standards. This includes transparent disclosures about AI usage in data processing and providing consumers with tools to exercise rights like opting out of automated decisions.

The second advisory addresses the need to prevent bias and discrimination in AI applications. Organizations must ensure that their AI systems comply with California’s anti-discrimination laws, to avoid generating unfair or biased outcomes. The guidance highlights that companies deploying AI remain accountable for the technology’s decisions and cannot delegate their legal responsibilities to the systems they use.

These advisories reinforce California’s leadership in setting clear expectations for the ethical use of AI. Businesses are encouraged to regularly assess their AI systems, verify compliance with privacy and anti-discrimination laws, and adopt transparent and fair practices. By aligning their AI initiatives with these principles, organizations can reduce risks while building trust with stakeholders.

8. Texas: Legal Action for Unlawful Collection of Driving Data[8]

In a legal battle with Allstate Corporation (“Allstate”) and its subsidiary Arity LLC (“Arity”), the Texas Attorney General filed a lawsuit over the unlawful collection, use, and sale of consumer driving data. The companies allegedly acquired location and movement data from over 45 million Americans by secretly embedding tracking software in apps such as Life360, without consumers’ knowledge or consent. This data was then used to justify increasing car insurance premiums and was sold to other insurers.

9. FTC prohibits Sale of Sensitive Location Data[9]

The FTC has finalized an order prohibiting Gravy Analytics Inc. and Venntel Inc. from selling sensitive geolocation data collected from consumers without proper consent. The companies were found to have obtained precise location data tied to unique identifiers, which allowed them to track individuals’ visits to private and sensitive locations such as healthcare facilities and places of worship.

The FTC’s investigation revealed that the companies failed to provide transparency or proper disclosures about how this sensitive data was being collected, used, and shared. This lack of consent and oversight violated consumer privacy rights, exposing individuals to potential tracking and profiling without their awareness. As a result, the FTC’s order mandates the deletion of any improperly collected information, bans the future sale or use of such data, and requires the companies to implement stricter data protection measures to ensure compliance with privacy laws in the future.

This case highlights the FTC’s commitment to protecting consumer privacy and holding companies accountable for irresponsible data practices. By enforcing restrictions on the sale of sensitive location data, the agency emphasizes the need for companies to uphold transparency, consent, and respect for privacy. This order ensures that consumer data is handled responsibly and safeguards individuals from unauthorized tracking, reinforcing the importance of maintaining ethical standards in data practices to prevent harm and uphold public trust.

10. Detroit becomes Largest U.S. City to Accept Cryptocurrency for Taxes and Fees[10]

The City of Detroit has announced a groundbreaking decision to accept cryptocurrency payments for taxes and other municipal fees, making it the largest city in the United States to embrace this innovative payment method. This initiative aims to provide residents and businesses with greater flexibility in managing their financial transactions while positioning Detroit as a leader in adopting cutting-edge financial technologies.

Detroit will accept a range of popular cryptocurrencies, including Bitcoin and Ethereum, for property taxes, utility bills, parking fines, and other municipal fees. Payments will be processed through a secure third-party platform to convert the cryptocurrency into U.S. dollars, ensuring the city receives funds without being exposed to market volatility.

With technological advancements reshaping financial landscapes, Governments are gradually adopting cryptocurrencies to modernize their payment systems. Detroit’s forward-thinking approach showcases how digital currencies can coexist with traditional methods, fostering innovation while catering to evolving consumer preferences. This milestone not only marks progress for Detroit but also signals a shift in how municipalities nationwide might integrate blockchain technologies into public services.

Authors:

  • Rashmi Deshpande
  • Aarushi Ghai
