
10 April 2026

Innovation Law Insights

AI Law Journal

Diritto Intelligente – March 2026

The March issue of Diritto Intelligente, the AI Law Journal from DLA Piper’s Italian Intellectual Property and Technology group, is now available here.

 

Legal Break

EU Cyber Resilience Act explained: New draft guidance and what companies have to do now

The European Commission has released draft guidance on the Cyber Resilience Act (CRA) – and it’s a key moment for companies developing software, connected devices, and digital products. Watch a video on the topic here.

 

Technology

Platform Design Liability: Why the Meta and Google case changes everything

Platform design liability is no longer a theoretical risk. The recent case involving Meta and Google shows that courts are starting to look beyond content and focus on how platforms are actually built – and that changes everything for tech companies.

For years, the debate has been around content moderation. What should be removed? What should be allowed?

This case flips the perspective entirely. The issue is no longer what users see. It’s how platforms are designed to make them stay. And from a legal standpoint, that’s a much more uncomfortable question.

The case that changed the narrative

At the centre of the dispute is a claim brought on behalf of a minor who allegedly suffered harm linked to prolonged and compulsive use of social media platforms. But what’s striking is how the claim was framed. The argument wasn’t that specific content caused the harm. It was that the design of the platform itself – the way it keeps users engaged – was the real driver.

We’re talking about features that everyone in the industry knows well: infinite scroll, autoplay, personalised recommendations and frictionless user journeys. None of these are accidental; they’re engineered to maximise engagement. And that’s exactly where the legal issue now sits. The jury accepted that these design choices can contribute to harm. That’s the real turning point.

From content moderation to product liability logic

For a long time, platforms have relied on the idea that they’re not responsible for third-party content, which in the EU is governed by the eCommerce Directive and the Digital Services Act. That logic still holds – at least formally. But it becomes irrelevant if the claim isn’t about content. If the issue is design, then we’re in a completely different legal space. This is much closer to product liability, negligence and duty of care.

In simple terms: if you design a system that predictably pushes users towards harmful behaviour, can you still say you are neutral? That’s the question courts are now starting to address. And it’s a question that doesn’t have an easy answer.

Why this opens the door to class actions

One aspect that’s probably underestimated is the litigation risk that follows. If the problem is design, then it’s systemic. And if it is systemic, it affects all users in a similar way. This is exactly the type of scenario that fuels class actions, especially in the US, and the serial civil claims that are already proliferating in Europe on several matters.

We can expect claims brought on behalf of groups of users, particularly minors; arguments around addiction, mental health and loss of control; and focus on specific features rather than entire platforms. From a risk perspective, this is significant, because scalability works both ways – the same design feature that scales engagement also scales liability.

Platform design liability in Europe: Are we next?

The obvious question is whether this trend will remain a US issue. It won’t. Europe already has the legal tools to move in the same direction. The Digital Services Act requires large platforms to assess and mitigate systemic risks. The GDPR already regulates profiling and behavioural targeting. The AI Act will impose obligations on AI-driven systems that influence behaviour. And, importantly, the EU Representative Actions Directive enables collective claims. Put all this together, and the picture is quite clear. Even without an explicit rule on “addictive design”, the legal framework is already there; it just needs to be used.

The real issue: Design is becoming a compliance topic

This is where companies need to rethink their approach. Platform design has always been seen as a product decision. Something for engineers and UX teams. That’s no longer the case. Design is becoming a compliance issue, and that has very practical consequences.

Companies should start asking:

  • Are we able to justify our engagement mechanisms from a legal standpoint?
  • Have we assessed the behavioural impact of our features?
  • Can we demonstrate that we’ve mitigated foreseeable risks?

This isn’t very different from what we already do with data protection or AI governance. The difference is that now it applies to user experience.

AI and platform design liability: The same conversation

It’s impossible to separate this discussion from AI. The features under scrutiny aren’t static; they’re driven by algorithms that continuously optimise user engagement. That means the real engine behind platform design is AI. So, when we talk about platform design liability, we’re also talking about AI liability.

And this raises more complex questions:

  • If an algorithm learns to maximise engagement in a harmful way, who’s responsible?
  • Can compliance be demonstrated when systems evolve dynamically?
  • Is transparency enough, or do we need design constraints?

These are the questions that regulators have not fully answered yet. But courts are starting to.

What companies should be doing now

Waiting for clear regulation isn’t a strategy. The direction of travel is already visible. Companies should start acting now. From a practical standpoint, this means:

  • Reviewing design choices – Identify features that may create behavioural risks.
  • Integrating legal into product teams – Legal review cannot come in at the end. It needs to be part of the design phase.
  • Strengthening AI governance – Recommendation systems should be assessed not only for bias, but also for behavioural impact.
  • Documenting decisions – If litigation comes, being able to show your reasoning will make the difference.

Conclusion: This is just the beginning

Platform design liability is here and the Meta and Google case is only the beginning.

We’re moving into a phase where platforms are no longer assessed only based on what they host, but on how they influence behaviour. This is a much deeper level of scrutiny and it’s also much harder to manage because it goes to the core of how digital services are built.

A final thought

If platforms are designed to shape behaviour, at what point does optimisation become responsibility? And are we ready for a world where design decisions are judged in court just like any other product feature?

Author: Giulio Coraggio

 

Privacy and Cybersecurity

Double opt-in as the state of the art for marketing consent: Italian DPA confirms its position

With a recent decision, the Garante per la protezione dei dati personali (Garante) once again reaffirmed a principle that’s becoming increasingly established in its practice: the double opt-in mechanism represents the state of the art for obtaining consent for marketing purposes.

The decision, adopted against a well-known company operating in the energy sector, fits within a broader line of prior enforcement actions and confirms a now clear regulatory stance on consent.

The case concerned a company that had implemented marketing practices not compliant with the General Data Protection Regulation (GDPR). Among the main issues identified was the failure to adopt appropriate technical measures capable of effectively and demonstrably verifying that consent had been validly provided by data subjects.

In particular, the company merely collected consent through methods that weren’t sufficiently reliable from an accountability and proof perspective, without implementing systems capable of verifying authenticity. The Garante deemed this approach inadequate as it doesn’t ensure that the data subject actually provided consent.

The role of double opt-in

In its decision, the Garante emphasizes the need to adopt tools that ensure full traceability of consent and its effective attribution to the data subject.

Within this framework, the double opt-in mechanism plays a key role. It consists of a two-step process: an initial expression of consent (for instance, via an online form) followed by a confirmation step, typically carried out through a link sent by email or a code delivered via SMS. Only after this second action can consent be considered validly obtained.

This system not only allows verification of the accuracy of the contact details provided, but also enables a more robust demonstration that consent was genuinely expressed by the individual concerned.

The Garante notes that, although other technical solutions may also ensure adequate levels of traceability and security, double opt-in currently represents the method that offers the strongest guarantees in terms of proving consent. For this reason, even though it’s not expressly required under the GDPR or the Italian Privacy Code, it is regarded as the state of the art in the collection of consent for marketing and teleselling purposes.

According to the Garante, this mechanism is the most effective way to ascertain the true intention of the user, reducing the risk of uninformed, fraudulent, or otherwise invalid consent.
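The two-step flow described above can be sketched in code. This is an added illustration, not taken from the Garante's decision or from any company's system: the class names, the 48-hour validity window, the in-memory store and the recording of the source IP are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumed validity window for the confirmation link


@dataclass
class ConsentRecord:
    contact: str                  # e-mail address or phone number as submitted
    purpose: str                  # e.g. "marketing"
    requested_at: float           # step 1: form submitted
    source_ip: str                # where the form submission came from
    token_hash: str               # only the hash is stored, never the token
    confirmed_at: Optional[float] = None          # step 2: link clicked / code entered
    events: list = field(default_factory=list)    # append-only audit trail


class DoubleOptIn:
    """Hypothetical consent service; storage is an in-memory dict."""

    def __init__(self):
        self._by_hash = {}        # token hash -> ConsentRecord

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request_consent(self, contact, purpose, source_ip, now):
        """Step 1: record the form submission and return the token to send."""
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(contact, purpose, now, source_ip, self._hash(token))
        rec.events.append((now, "requested", source_ip))
        self._by_hash[rec.token_hash] = rec
        return token              # goes only into the e-mail link or SMS message

    def confirm(self, token, source_ip, now):
        """Step 2: succeeds only for a known, unexpired, unused token."""
        rec = self._by_hash.get(self._hash(token))
        if rec is None:
            return "unknown"
        if rec.confirmed_at is not None:
            rec.events.append((now, "replay", source_ip))
            return "already_confirmed"
        if now - rec.requested_at > TOKEN_TTL_SECONDS:
            rec.events.append((now, "expired", source_ip))
            return "expired"
        rec.confirmed_at = now
        rec.events.append((now, "confirmed", source_ip))
        return "confirmed"

    def may_contact(self, contact, purpose):
        """Marketing is allowed only after the second step has completed."""
        return any(r.contact == contact and r.purpose == purpose
                   and r.confirmed_at is not None for r in self._by_hash.values())

    def evidence(self, contact, purpose):
        """Audit trails to produce if the consent is later challenged."""
        return [r.events for r in self._by_hash.values()
                if r.contact == contact and r.purpose == purpose]
```

The timestamped trail of request, confirmation and any rejected attempts is what supports traceability and attribution; in production it would sit in durable, tamper-evident storage rather than in memory.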

Conclusions

From the decision, it clearly emerges that the approach of the Garante is increasingly moving toward treating double opt-in as a de facto requirement in marketing-related processing activities.

This decision forms part of an already established line of enforcement and further reinforces the central role of this mechanism within the data protection framework.

For companies, this implies the need to review their consent collection processes and implement technical solutions capable of ensuring validity, traceability, and long-term accountability.

Ultimately, double opt-in is no longer merely a best practice, but an increasingly essential element for operating in compliance with data protection law.

Author: Federico Toscani

 

Intellectual Property

Counterfeiting and well-known trademarks: When protection extends beyond product markets

With judgment no. 6855 of 19 February 2026, the Italian Supreme Court (Criminal Division) revisited the scope of protection afforded to well-known trademarks, reaffirming the broad extent of protection under the legal framework, even beyond the boundaries of the relevant product market.

The case concerned the marketing of chewing gum whose packaging bore counterfeit signs associated with well-known fashion houses. The Court of Appeal of Venice had upheld the defendants’ conviction for the offences set out in Article 473 of the Italian Criminal Code, as aggravated pursuant to Article 474-ter, finding that trademark counterfeiting had occurred.

The appellants argued, in essence, that trademark protection should be limited to the relevant product sector, and that no infringement could arise where the goods at issue were entirely unrelated to those traditionally marketed under the original trademark.

The Supreme Court rejected this argument, recalling the well-established principle that trademarks enjoying a reputation benefit from “cross-sector” (ultra-merchandise) protection, which constitutes a derogation from the traditional principle of specialty.

Pursuant to Article 20(1)(c) of the Italian Industrial Property Code, the proprietor of a reputed trademark is entitled to prohibit third parties, without consent, from using identical or similar signs even in relation to dissimilar goods or services, where such use takes unfair advantage of, or is detrimental to, the distinctive character or reputation of the trademark.

Equivalent provisions are set out in EU law, notably in Article 10(2)(c) of Directive (EU) 2015/2436 and Article 9(2)(c) of Regulation (EU) 2017/1001, confirming the harmonized nature of trademark protection across the EU.

Within this framework, the Supreme Court reiterated that, in cases involving reputed trademarks, it’s not necessary to establish a likelihood of confusion in the strict sense. It’s sufficient that the relevant public is able to establish a link between the earlier mark and the later sign, enabling the third party to unduly benefit from the mark’s distinctive character or its attractive power.

Accordingly, counterfeiting arises whenever the use of the sign results in a form of parasitic association with the earlier trademark, even in the absence of product similarity, by exploiting the prestige and reputation acquired by the trademark owner.

Both civil and criminal case law have consistently endorsed this approach, recognising that reputed trademarks warrant enhanced protection in light of their economic value and communicative function in the marketplace.

From a systematic standpoint, the protection of reputed trademarks is traditionally aimed at preventing three distinct types of harm:

  • dilution (blurring), consisting in the weakening of the trademark’s distinctive character;
  • harm to reputation (tarnishment), which adversely affects the image and evocative power of the sign;
  • free riding, namely the undue advantage obtained through the exploitation of the reputation of another’s trademark.

Against this background, the judgment under review aligns with a now well-established line of authority, confirming that the unauthorised use of well-known trademarks on goods belonging to entirely different product sectors – as in the present case – constitutes trademark counterfeiting where it enables a parasitic exploitation of the sign.

This results in a strengthened level of protection for proprietors of reputed trademarks, aimed at safeguarding not only the distinctive function of the mark, but also its reputational, evocative and commercial value, preventing any form of undue appropriation in the marketplace.

Author: Maria Vittoria Pessina

 

Gaming and Gambling

Italian responsible gambling advertising rules: Strict obligations, but a strategic opportunity

Italian responsible gambling advertising is entering a new phase where strict regulatory obligations coexist with a real opportunity for operators to communicate their brand.

Italy’s communications regulator, AGCOM, has published new draft guidelines that aim to define how operators can carry out responsible gambling campaigns without breaching the general prohibition on gambling advertising.

The legal framework: A ban with a built-in exception

To understand the significance of these rules, you need to look at the broader legal framework.

Since 2018, Italy has enforced a near-total ban on gambling advertising under the Italian Dignity Decree. The ban covers virtually all forms of promotional communication, both online and offline – even though this has led to the proliferation of news, video, and social media platforms indirectly referring to gambling brands.

A major shift has occurred with the introduction of the new remote licensing regime, which requires operators to run responsible gambling campaigns that explicitly refer to their brand.

This creates a structural tension: advertising is prohibited, but communication on responsible gambling is required.

To address this, AGCOM has now attempted to define a narrow “safe zone” where campaigns can exist without breaching the ban.

The core obligation: Responsible gambling is not advertising

The starting point is clear and uncompromising. AGCOM’s position is that responsible gambling communication is not advertising provided that it contains no promotional element. To remain compliant, operators must ensure that their campaigns:

  • avoid any direct or indirect incentive to gamble;
  • exclude commercial or branding objectives; and
  • focus exclusively on public health and user protection.

The communication rules: A highly restricted perimeter

The Italian responsible gambling advertising framework imposes detailed and stringent limitations.

Operators must avoid:

  • any call-to-action language;
  • references to bonuses, odds, jackpots, or winnings;
  • visual elements linked to the gaming experience (apps, interfaces, betting screens);
  • emotional or aspirational messaging.

Testimonials are also heavily restricted, particularly where they could appeal to vulnerable audiences such as minors or the elderly.

Also, the guidelines introduce a strict “no-link” principle: no links to gambling platforms and no links to websites connected to the operator, even indirectly.

In addition, AGCOM discourages short formats such as banners or short videos, as they’re considered insufficient to convey meaningful responsible gambling messages.

Branding is also significantly limited: logos must serve only as a “signature” of the initiative; they must appear in a secondary, non-prominent position; and their size and visibility must be limited.

The financial obligation: A mandatory investment

The framework is reinforced by a binding financial requirement under the new licensing regime.

Licensed operators have to allocate on an annual basis an amount equal to 0.2% of their net revenues to responsible gambling campaigns, up to a maximum of EUR 1 million.

This obligation isn’t optional – it’s a condition for holding a license. As a result, operators face a dual constraint: they have to invest a minimum amount; and they have to comply with communication rules.

Where the opportunity lies

Despite these constraints, there’s a dimension that shouldn’t be overlooked.

In a market where traditional advertising is almost entirely prohibited, Italian responsible gambling advertising becomes one of the very few legally viable channels to communicate with the public.

Two elements are particularly relevant: the requirement that campaigns refer to the operator’s brand; and the possibility – within strict limits – to increase public awareness of that brand.

What’s formally a compliance obligation can, in practice, become a strategic communication opportunity, provided that it’s carefully designed.

Operators will need to:

  • develop campaigns that are fully compliant yet still impactful;
  • rethink how to convey brand identity without promotional language; and
  • integrate legal and marketing expertise in campaign design.

Compliance is now a strategic function

The new Italian responsible gambling advertising framework isn’t just another regulatory requirement. It fundamentally changes how operators approach communication. It requires a redesign of communication strategies; close alignment between marketing and legal teams; and robust internal controls to prevent breaches of the advertising ban. Because in a market where advertising is largely prohibited, every compliant communication opportunity becomes strategically valuable. 

What comes next

The guidelines are currently subject to a 30-day public consultation. While no major changes are expected, the debate is likely to continue.

Looking ahead, a broader reform of gambling advertising rules cannot be excluded – particularly in light of the financial pressures affecting sectors such as professional football, which have historically relied on gambling sponsorship revenues.

You can read about the different gambling regimes in almost 50 jurisdictions in the DLA Piper Gambling Laws of the World guide.

Author: Giulio Coraggio


Innovation Law Insights is compiled by DLA Piper lawyers, coordinated by Edoardo Bardelli, Carolina Battistella, Noemi Canova, Gabriele Cattaneo, Maria Rita Cormaci, Camila Crisci, Cristina Criscuoli, Tamara D’Angeli, Chiara D’Onofrio, Federico Maria Di Vizio, Enila Elezi, Laura Gastaldi, Vincenzo Giuffré, Nicola Landolfi, Giacomo Lusardi, Josaphat Manzoni, Valentina Mazza, Lara Mastrangelo, Maria Chiara Meneghetti, Giulio Napolitano, Andrea Pantaleo, Deborah Paracchini, Maria Vittoria Pessina, Marianna Riedo, Rebecca Rossi, Roxana Smeria, Massimiliano Tiberio, Federico Toscani, Giulia Zappaterra.

Articles concerning Telecommunications are curated by Massimo D’Andrea, Flaminia Perna, Matilde Losa and Arianna Porretti.

For further information on the topics covered, please contact the partners Giulio Coraggio, Marco de Morpurgo, Gualtiero Dragotti, Alessandro Ferrari, Roberto Valenti, Elena Varese, Alessandro Boso Caretta, Ginevra Righini.

Learn about Prisca AI Compliance, the legal tech tool developed by DLA Piper to assess the maturity of AI systems against key regulations and technical standards here.

You can learn more about “Transfer”, the legal tech tool developed by DLA Piper to support companies in evaluating data transfers out of the EEA (TIA) here, and check out a DLA Piper publication outlining Gambling regulation here, as well as Diritto Intelligente, a monthly magazine dedicated to AI, here.
