There’s a new wave of minor protection in the global regulation scene, and I’m here for it. I am looking forward to the day where we can compare all the regulations side-by-side. Still a bit of time for that, though. We’ll continue with the news for now.
🪁 Protection of Children in Cyberspace
A draft amendment to the Turkish Internet Law (Law No. 5651) follows the recent global trend of treating child safety and age assurance as core platform duties rather than optional safeguards. Social networks would be barred from providing services to under-15s, and would have to use age verification to enforce the ban. Minors over the age of 15 would have to be offered a separate child-specific “safer” service, distinct from adult users, and platforms would need to publish the measures they take. The draft also requires parental control tools, including account controls, purchase approvals, and screen-time monitoring and limits. Slight problematic regarding ambiguous age-verification, but still.
A federal judge granted a preliminary injunction blocking the enforcement of a Virginia law on social media limits for under-16s. The law would have required social media platforms to use “commercially reasonable” age checks and to cap under-16s at one hour per day per app, unless a parent gives verifiable consent to change the limit. The court found the law was likely unconstitutional under the First Amendment. It treated the measure as content-based because of its subject-matter and speaker exemptions, and said it was unlikely to survive strict scrutiny. If this is the constitutional standard, the likely result may actually be regulatory paralysis. But hey ho.
California’s privacy regulator has settled with PlayOn Sports regarding alleged privacy breaches tied to its school-linked ticketing and streaming services. The settlement includes a $1.1m fine and extensive compliance obligations. The regulator pointed to tracking-based advertising data flows that were not properly stopped by opt-outs. It also took a dim view of consent design, noting banners that effectively required users to click “Agree” and, on mobile, could even obstruct ticket redemption. The wider lesson is straightforward: where children and families are the obvious audience, regulators expect privacy design to reflect that reality. Good for you, California.
🔏 Data Protection & Privacy
An Austrian court upheld a complaint against a network operator for continuing to use an email address it had previously said was deleted. It found a breach of the complainant’s constitutional right to data confidentiality and of core GDPR duties, including lawfulness, purpose limitation, data minimisation, and accountability, because there was no proper legal basis for using the address and the controller could not show compliant handling. The court rejected the transparency and information claims, on the basis that there was no fresh “collection” of the email address that would have triggered new notice duties. The complaint based on the right to erasure was dismissed as inadmissible, because the complainant had not made a fresh erasure request to the controller before going to the authority. Quite the procedural trap there: no fresh request, no erasure claim.
🛒 E-Commerce & Digital Consumer
The European Commission is reportedly mulling over designating Roblox as a VLOP under the DSA. Roblox has self-reported around 48 million average monthly EU users, above the 45 million threshold, and the Commission is now analysing the figures and the “next steps”. If designated, Roblox would become the first major gaming platform under the DSA’s strongest obligations, including regular systemic risk reporting and enhanced duties around risks to children. For those of us who have spent far too long with the DSA, the Roblox designation may feel like Christmas has come early. Nothing personal, it would just be interesting to see systemic risk reporting in games.
📄 Recommended Readings
Here’s a couple –in no particular order– of recent publications that piqued my interest recently. Remember to grab a cuppa and settle in for some riveting reading.
Strict Liability of Crypto-Asset Service Providers: Turkish Law’s Sui Generis Response to MICA by Furkan Güven Taştan
Comment of the European Copyright Society on the request for preliminary ruling in Case C-250/25 (Like Company) by Péter Mezei, Martin Kretschmer, Thomas Margoni, Alexander Peukert & João Pedro Quintais
You Trust Your Chatbot With Everything. Should You? Part 1: How The Controller Uses Your Chat Data by Theodore Christakis
If you’d like to see more recommended readings, visit the collection here.
That seems to be it for now, hope you enjoyed. Do pop back next week for more. Cheerio!
If you have any thoughts or suggestions on how to make this digest better, feel free to drop a line. Your feedback is always welcome! Contact info here.
*Featured image generated using DALL·E 3
