Privacy Regulation Roundup: Top Stories of September 2025

A quick overview of global privacy headlines you cannot afford to miss.

Contributors

Yasir Nawaz

Digital Content Producer at Securiti

Sadaf Ayub Choudary

Data Privacy Analyst at Securiti

CIPP/US

Aswah Javed

Associate Data Privacy Analyst at Securiti

Aiman Kanwal

Assoc. Data Privacy Analyst at Securiti

Faqiha Amjad

Associate Data Privacy Analyst at Securiti

Published October 6, 2025 / Updated November 21, 2025

Editorial Note

Compliance in Flux: Why Agility, Not Certainty, Defines the Future

As September closes, the global privacy landscape highlights a simple reality: compliance is no longer about static checklists, but about agility under uncertainty. Laws are arriving faster than they can be harmonized, and regulators are testing whether safeguards work in practice, not just on paper. This means ambiguity is not a temporary hurdle; it is becoming the operating environment. The organizations that will endure are those that embed adaptability into their compliance culture, document decisions transparently, and stay resilient in the face of shifting rules. In privacy, survival belongs not to the most cautious, but to the most prepared to adjust.

North & South America Jurisdiction

1. California Health and Location Privacy Law Signed into Law

September 26, 2025
California, United States

On September 26, 2025, California’s Governor signed AB 45 into law, making it unlawful to collect, use, disclose, sell, share, or retain personal information of anyone physically located within the precise geolocation of a family planning center. The law, effective January 1, 2026, creates a private right of action for individuals and family planning centers, with claims allowed up to three years after discovery of a violation.

This measure strengthens privacy protections in the wake of heightened concerns around reproductive health data post-Dobbs. It will significantly impact adtech firms, mobile apps, and data brokers that rely on location data, as even retention of such data is now prohibited. By going beyond the CCPA’s consent and opt-out model, AB 45 sets a new precedent in treating sensitive geolocation data as off-limits. Organizations handling location data should prepare for litigation risk and adopt stricter minimization and suppression practices.

2. Office of Administrative Law Approves CPPA’s New CCPA Regulations

September 23, 2025
California, United States

The California Office of Administrative Law (OAL) has approved the California Privacy Protection Agency’s (CPPA) latest amendments to the CCPA regulations, originally adopted on July 24, 2025. The rules will take effect on January 1, 2026, introducing new obligations around automated decision-making technology (ADMT), risk assessments, and independent cybersecurity audits.

Organizations using ADMT for consumer decisions must provide clear notices, enable opt-outs, and honor access rights, while covered entities must conduct regular risk assessments and prepare for annual audits. These requirements will increase governance costs and accountability, with enforcement risks for companies that delay preparations.

3. Brazil Enacts First Law to Protect Children Online

September 17, 2025
Brazil

Brazil has enacted Law No. 15.211/2025, the Statute for the Protection of Children and Adolescents Online, its first law dedicated to safeguarding children’s rights in the digital environment. Effective March 2026, the law compels technology companies to design services with children’s best interests in mind, ensuring strong privacy and safety by default. Key provisions ban the use of children’s personal data in ways that violate their rights, prohibit profiling and behavioral advertising, and reinstate a ban on “loot boxes” in video games.

Enforcement will fall to Brazil’s data protection authority, with penalties of up to 10% of local revenue or 50 million reais (US$9.4 million) for non-compliance. This positions Brazil as the first country in Latin America with a dedicated children’s online privacy law, setting a precedent for the region.

4. New York Proposes Rules for SAFE for Kids Act

September 15, 2025
New York, United States

New York Attorney General Letitia James released proposed rules for the SAFE for Kids Act, the first U.S. law restricting addictive social media features for minors. The law, signed in 2024, limits algorithmically personalized feeds and nighttime notifications for users under 18 unless parents provide consent.

The proposed rules clarify which companies must comply, set standards for age verification and parental consent, and outline privacy safeguards for minors’ data. A 60-day public comment period is open until December 1, 2025, after which the Attorney General’s office will finalize the rules. Violations may result in civil penalties of up to $5,000 per violation.

Social media companies in New York must follow the status of these proposed rules in order to ensure timely compliance.

5. California Legislature Passes Opt-Out Signal Bill (AB 566)

September 11, 2025
California, United States

The California Legislature has passed the California Opt Me Out Act (AB 566), which will require all major browsers to support opt-out preference signals (OOPS). This “set it once, protect everywhere” approach allows consumers to limit the sale and sharing of their personal data across websites in a single step, reducing the burden of opting out site by site.

If signed by the Governor, California will become the first state to mandate browser support for OOPS, ensuring that universal opt-out is no longer a premium feature limited to privacy-focused browsers. The bill strengthens enforcement of CCPA rights and sets a precedent likely to influence broader national adoption.

6. California, Colorado, and Connecticut Launch Joint Privacy Sweep

September 9, 2025
United States

The California Privacy Protection Agency (CPPA), together with the Attorneys General of California, Colorado, and Connecticut, has announced a joint investigative sweep targeting businesses that fail to honor Global Privacy Control (GPC) signals. GPC is a browser setting that automatically communicates a consumer’s opt-out request under state privacy laws.

The coordinated action highlights growing state collaboration on privacy enforcement. Regulators are contacting businesses suspected of ignoring GPC signals and warning them to comply with opt-out obligations. With enforcement momentum building across multiple jurisdictions, companies should expect increased scrutiny of their compliance with automated opt-out mechanisms.

7. U.S. Enacts Homebuyers Privacy Protection Act to Ban Abusive “Trigger Leads”

September 9, 2025
United States

President Trump has signed into law the bipartisan Homebuyers Privacy Protection Act, which bans the sale of “trigger leads” - a practice where credit bureaus sell mortgage applicants’ data without consent, leading to a flood of unsolicited calls, texts, and emails.

The law amends the Fair Credit Reporting Act (FCRA) to prohibit credit bureaus from selling trigger leads unless the lender already has a pre-existing relationship with the consumer or the consumer opts in. Taking effect in March 2026, the law aims to curb predatory marketing and protect homebuyers’ personal information during the mortgage application process.

8. Google to Pay $425 Million for Violating Individuals’ Privacy

September 4, 2025
United States

Around 100 million users are affected in Rodriguez v. Google LLC, a class action filed in July 2020 that claimed Google continued collecting data from third-party apps even after users disabled the “Web & App Activity” setting. A jury found Google liable for Invasion of Privacy under the California Constitution and Intrusion Upon Seclusion under common law, though it did not find malice.

The verdict highlights that privacy settings must function as promised, not create gaps between user expectations and technical practices. Even without malice, the $425M ruling signals serious financial and reputational risks. For businesses, it serves as a warning that dark patterns, vague disclosures, or hidden data collection can lead to costly litigation, as courts increasingly uphold the principle of reasonable expectation of privacy over technical justifications.

9. FTC Takes Action Against Apitor and Walt Disney for COPPA Violations

September 3, 2025
United States

The FTC announced two settlements for violations of the Children’s Online Privacy Protection Act (COPPA). Robot toy maker Apitor Technology allegedly allowed a third-party SDK to collect children’s location data without parental consent and will be required to comply with COPPA and delete unlawfully collected data, with a $500,000 penalty suspended due to inability to pay. Disney will pay $10 million after mislabeling child-directed YouTube videos as “Not Made for Kids,” which enabled data collection for targeted advertising.

Both settlements highlight the FTC’s focus on children’s privacy and signal stricter enforcement around age assurance, parental consent, and third-party data sharing.

10. Ontario Issues First Monetary Penalty Under Health Privacy Law

September 2, 2025
Canada

The Ontario Information and Privacy Commissioner has issued the first-ever administrative monetary penalties under the Personal Health Information Protection Act (PHIPA). A doctor was fined $5,000 for unauthorized access to patient hospital records for personal financial gain, while a private clinic was fined $7,500 for failing to meet basic PHIPA obligations.

This precedent marks a new era of enforcement in Canada’s health privacy landscape. The case emphasizes that custodians must implement and demonstrate effective privacy management programs, as unauthorized access to health data not only causes harm but also undermines trust in the healthcare system.

11. Amendments to Texas Data Broker Law Take Effect

September 1, 2025
Texas, United States

On September 1, two amendments to the Texas Data Broker Act, SB 2121 and SB 1343, took effect. SB 2121 broadens the definition of a “data broker” to include any business that collects, processes, or transfers personal data not obtained directly from the individual, extending obligations to entities that were previously excluded. SB 1343 requires data brokers to post clear website notices and registration details explaining how consumers can exercise their privacy rights under the Texas Data Privacy and Security Act (TDPSA).

These changes significantly expand the number of companies required to register as data brokers in Texas and heighten disclosure obligations. With daily penalties for noncompliance and the Texas AG already citing data broker registration failures in enforcement actions, entities should reassess their data collection practices and update compliance programs immediately.

Europe & Africa Jurisdiction

12. CNIL Fines Company For Installing Hidden Cameras Disguised As Smoke Detectors

September 23, 2025
France

The French data protection authority (CNIL) has fined Samaritaine SAS €100,000 after the retailer installed cameras disguised as smoke detectors in its storage areas. The devices, which also recorded audio, were deployed in August 2023 to address theft concerns but were discovered by employees and removed a month later.

CNIL found violations of GDPR principles, including unlawful data processing, lack of proportionality, and failure to involve the Data Protection Officer. The decision holds that hidden surveillance is permissible only in exceptional circumstances, must be temporary, and requires prior GDPR compliance analysis. Recording employee conversations was deemed excessive and disproportionate.

13. GAID For Nigeria Data Protection Act Comes Into Effect

September 19, 2025
Nigeria

Nigeria’s General Application and Implementation Directive (GAID) officially took effect, replacing the NDPR 2019 and providing detailed guidance for implementing the Nigeria Data Protection Act (NDPA) 2023. GAID expands obligations for data controllers and processors of major importance (DCPMIs), requiring registration, compliance audits, certified DPO appointments, and structured grievance-handling mechanisms. It also strengthens rules on cross-border transfers, DPIAs, and children’s data protection.

GAID is now the primary operational framework for data protection in Nigeria, marking a major compliance shift for both local and foreign entities that target Nigerian data subjects. Organizations must act quickly to align policies, audit processes, and transfer mechanisms to avoid steep penalties and enforcement action by the NDPC.

14. CNIL Clarifies Rules on Retention of Inactive Digital Content Accounts

September 18, 2025
France

The French CNIL has reminded companies in the audiovisual and video game sectors of their obligations under the GDPR regarding inactive user accounts. While accounts generally should not be retained beyond two years of inactivity, an exception applies where accounts are necessary to guarantee consumer access to purchased films, series, or games. In such cases, only data strictly needed to maintain access, such as identifiers or game saves, may be retained beyond the two-year limit, while commercial and statistical data must still be deleted within defined retention periods.

The guidance emphasizes the importance of balancing GDPR’s storage limitation principle with consumer protection rights. Companies should clearly communicate retention policies, implement phased archiving, and ensure strong safeguards when holding account data long-term to preserve access to purchased digital content.

15. Irish DPC Responds to RTÉ Prime Time Investigation on Location Data

September 18, 2025
Ireland

The Irish Data Protection Commission (DPC) issued a statement following revelations from RTÉ’s Prime Time about the sale of sensitive location data by a data broker. The DPC stressed that location data can reveal personal habits, characteristics, and identities, posing serious risks to individuals’ security and well-being. It is working to identify the broker and will take enforcement action if headquartered in Ireland, or coordinate with other EU regulators if located elsewhere.

This case highlights regulators’ growing scrutiny of the data broker ecosystem and reinforces the heightened sensitivity of location data under EU privacy law.

16. UK’s Information Commissioner's Office Publishes Exit Report on Meta’s Regulatory Sandbox Participation

September 16, 2025
United Kingdom

The UK Information Commissioner’s Office (ICO) has released its exit report on Meta’s participation in its Regulatory Sandbox, which examined the company’s use of Privacy Preserving Attribution (PPA) for ad measurement. PPA is designed to gauge ad effectiveness without directly tracking individuals, but the ICO concluded that personal data is still processed at four stages of the system and that Regulation 6 of PECR applies, requiring user consent.

This finding confirms that even “privacy-preserving” ad technologies remain subject to strict data protection obligations when personal data is involved.

17. EU Data Act Takes Effect, Expanding User Control Over Device Data

September 12, 2025

The EU Data Act has officially come into effect, granting users of connected devices such as cars, smart TVs, and industrial equipment greater control over the data their devices generate. The law ensures that products are designed to allow data sharing, enables consumers to choose independent repair or maintenance services, and gives businesses access to operational data to boost efficiency. It also strengthens cloud portability by prohibiting unfair contract terms and making it easier to switch providers.

The Commission will support implementation with a Data Act Legal Helpdesk, guidance on trade secrets, and model contract terms for data sharing. Together with the earlier Data Governance Act, the Data Act forms a core pillar of Europe’s evolving data framework.

18. Latvia’s Data State Inspectorate (DVI) Clarifies Use of Recordings Made for Personal Purposes

September 10, 2025
Latvia

The Latvian Data State Inspectorate (DVI) has clarified that recordings made strictly for personal use, such as privately recording a lecture or meeting to listen to later, generally fall outside the scope of data protection law. However, if those recordings are later shared or repurposed (for example, used in a dispute or as evidence), further processing must comply with the GDPR.

This means individuals must identify a valid legal basis, respect the principles of data processing, and ensure transparency for those recorded. The DVI emphasized that while personal use may be exempt, any secondary use of such recordings engages full data protection obligations.

19. Hamburg DPA Takes on New Role Under EU Data Act

September 9, 2025
Hamburg, Germany

Hamburg’s data protection authority has announced new enforcement powers ahead of the EU’s Data Act taking effect on September 12, 2025. The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) will be responsible for overseeing compliance with the Data Act in cases involving personal data, as well as supporting individuals' rights to access data from manufacturers and switch cloud providers. It will be able to issue orders and impose fines for violations. Citizens will be able to file complaints informally via email at dataact@datenschutz.hamburg.de or through traditional channels. The authority has already published a comprehensive guide explaining rights and obligations under the new law.

This marks a significant expansion of DPAs’ oversight powers in Germany, aligning privacy enforcement with the EU’s broader data-sharing agenda.

20. CJEU Clarifies GDPR Remedies in Quirin Privatbank Case

September 4, 2025

The Court of Justice of the European Union (CJEU) has ruled in IP v. Quirin Privatbank AG (Case C-655/23), clarifying the scope of remedies under the GDPR. The case arose after a job applicant’s salary expectations were unlawfully shared with a third party, prompting claims for both an injunction and compensation.

The Court held that the GDPR does not itself guarantee a right to injunctions without a prior erasure request, though Member States may legislate such remedies nationally. It further confirmed that emotional distress qualifies as non-pecuniary damage under Article 82 GDPR, but the severity of a controller’s violation cannot influence the compensation amount. Injunctions, the Court stressed, are preventive only and cannot replace or reduce damages owed.

This decision strengthens individuals’ ability to claim compensation for emotional harm, while limiting the interplay between preventive measures and financial redress under the GDPR.

21. CJEU Rules on Pseudonymized Data and GDPR Transparency

September 4, 2025

The CJEU has ruled in EDPS v. Single Resolution Board (Case C-413/23 P), finding that the SRB violated GDPR transparency obligations when it shared pseudonymized shareholder comments with Deloitte during the 2017 Banco Popular resolution without informing affected individuals. The Court overturned a 2023 General Court decision, establishing that pseudonymized data remains personal data if re-identification is “reasonably likely” given the recipient’s means.

The judgment confirms that pseudonymization is not a blanket safeguard: whether data counts as personal depends on the recipient’s technical capabilities and access to auxiliary information. This case clarifies that organizations must assess transparency obligations case by case, especially when sharing data with external consultants or third parties.

The ruling will have wide implications for financial institutions, regulators, and firms that rely on pseudonymization as a compliance strategy.

September 3, 2025
France

The CNIL has fined INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group, €150 million for failing to comply with cookie rules on shein.com. Following a 2023 inspection, the CNIL found that advertising cookies were being placed on users’ devices without consent, banners failed to provide clear and complete information, and refusal or withdrawal of consent did not stop tracking.

The regulator highlighted the large scale of the breaches, with 12 million monthly visitors from France, and noted repeated prior warnings to the industry. While SHEIN has since made changes to its website, the CNIL stressed that consent mechanisms must be transparent, functional, and respect user choice from the outset. This decision reinforces the regulator’s strict stance on unlawful cookie practices in online retail.

September 3, 2025
France

The CNIL fined Google €325 million for inserting ad emails into Gmail inboxes without consent and for invalid cookie practices during account creation. Ads shown in the “Promotions” and “Social” tabs were deemed direct marketing requiring opt-in consent, while cookie choices were designed to push users toward personalized ads, making refusal harder and uninformed.

The breaches affected over 74 million accounts in France, with 53 million users exposed to ads. Noting Google’s dominant role and repeated violations, the CNIL ordered changes within six months or daily penalties of €100,000. The case highlights regulators’ crackdown on dark patterns and deceptive consent mechanisms in advertising.

24. The UK's Information Commissioner's Office Publishes Final Guidance On Encryption

September 2, 2025
UK

The UK ICO has released its final guidance on encryption under the UK GDPR, following public consultation. The guidance applies broadly to personal data storage, transmission, and backups, but excludes end-to-end encryption, PETs, ransomware, and quantum computing.

Organizations must assess whether encryption is appropriate for their processing activities and ensure strong key management, secure algorithms, robust password policies, and reliable software. The ICO emphasizes encryption as a core safeguard and expects organizations to demonstrate risk-based, accountable implementation.

Asia Jurisdiction

25. Jordan Approved the Regulation on the Organization of Data Subject Rights

September 24, 2025
Jordan

Jordan’s Prime Minister has approved the 2025 Regulation on the Organization of Data Subject Rights, introducing clearer rules around informed consent, withdrawal mechanisms, and complaint handling. The regulation requires data controllers to maintain transparent and accessible processes for personal data processing, aligning Jordan more closely with global data protection standards.

The move strengthens individual rights while enhancing trust in digital services and supporting business compliance in international markets.

26. China’s Cyberspace Administration (CAC) Issues Draft Measures For Internet Platforms With Significant Minor Users

September 16, 2025
China

CAC has released its draft measures for public consultation to identify internet platforms with significant minor users. The draft implements Article 20 of the Regulations on the Protection of Minors on the Internet, refining criteria and processes to determine which platforms fall under stricter obligations to safeguard minors online. Platforms may be identified if they serve more than 10 million registered minor users or 1 million monthly active minor users, or if they exert significant influence on minors. It also outlines assessment procedures and consultation mechanisms, while emphasizing the responsibility of platforms to ensure the healthy growth of minors.

These draft measures are open to comments until October 15, 2025. If adopted, they will have repercussions on platform operations, requiring stricter safeguards and compliance mechanisms.

27. Vietnam’s Ministry of Public Security Released a Draft Decree on the Provisions of PDPL

September 16, 2025
Vietnam

Vietnam’s Ministry of Public Security has released a draft decree detailing provisions of the Personal Data Protection Law (PDPL), open for public consultation until September 26, 2025. The decree extends to both domestic and foreign entities processing the personal data of Vietnamese citizens and introduces heightened obligations for banks, credit providers, and financial institutions, including mandatory annual assessments and 72-hour breach notifications.

Part of Vietnam’s broader digital transformation and national security strategy, the decree reinforces the recognition of personal data as a national resource and aligns the PDPL more closely with global standards. It is expected to take effect on January 1, 2025.

28. Abu Dhabi Global Market Registration Authority Amends Data Protection Regulations 2021

September 16, 2025
UAE

The Abu Dhabi Global Market (ADGM) Registration Authority has amended its 2021 Data Protection Regulations and issued the Data Protection Regulations (Substantial Public Interest Conditions) Rules 2025. These new rules clarify when special categories of personal data may be processed without consent, including for insurance purposes in the public interest and to protect children from emotional or physical harm.

The update reflects ADGM’s effort to balance individual privacy rights with broader societal needs, particularly where safeguarding vulnerable groups is concerned. It emphasizes ADGM’s alignment with global data protection standards while introducing locally relevant safeguards.

29. South Korea Amends PIPA Enforcement Decree to Tighten Compliance

September 23, 2025
South Korea

South Korea’s Personal Information Protection Commission (PIPC) has amended the Enforcement Decree of the Personal Information Protection Act (PIPA), with changes signed into law by the President and effective October 2, 2025. The amendments require overseas businesses serving Korean users to appoint qualified domestic agents with clear oversight duties. They also obligate public institutions funded or invested in by local governments to register personal information files within 60 days and complete impact assessments within two years.

These updates mark a significant step toward stronger data protection governance, tightening compliance for both foreign and domestic entities operating in South Korea.

30. South Korea and the EU Finalize Mutual Adequacy Decision

September 16, 2025
South Korea

South Korea and the European Union have finalized a mutual adequacy decision enabling the free flow of personal data between the two regions without additional transfer mechanisms or consent requirements. The agreement applies across both private and public sectors and builds on the Korea-EU Free Trade Agreement and Digital Trade Agreement.

For businesses, this decision reduces compliance burdens and strengthens digital trade opportunities, while providing a stable and legally recognized framework for cross-border data transfers. Companies handling EU-Korea data flows should review internal practices to ensure alignment with the new adequacy framework.

31. New Zealand Privacy Amendment Bill receives Royal Assent

September 24, 2025
New Zealand

New Zealand’s Privacy Amendment Bill has received Royal Assent, enhancing individuals’ control over their personal data. The law requires agencies to notify people when data is collected from third parties, detailing what is collected, why, and with whom it will be shared. This applies across contexts such as marketing, credit reporting, financial services, and CCTV surveillance, though exemptions exist for certain public-good purposes.

The reform aligns New Zealand more closely with international standards like the EU GDPR, reinforcing transparency and accountability. Lawmakers stressed the importance of balancing oversight with practical enforcement and ensuring that exemptions are not misused. This update marks a significant step in modernizing New Zealand’s privacy framework for the digital age.

32. China’s Cyberspace Administration Releases National Cybersecurity Incident Reporting Management Measures

September 15, 2025
China

The Cyberspace Administration of China (CAC) has released the National Cybersecurity Incident Reporting Management Measures, effective November 1, 2025. The rules require network operators to classify incidents by severity and report them rapidly: within 1 hour for major incidents and within 4 hours for others. Reports must include system details, preliminary causes, attack evidence, and countermeasures, and must be followed by updates and a full summary within 30 days.

These measures heighten accountability for operators, aiming to improve rapid detection and containment of cyber threats with potential impacts on national security, public services, and personal data.

33. China’s CAC Releases Draft Rules Requiring Internet Platforms to Establish Supervisory Committees

September 12, 2025
China

On September 12, 2025, China’s Cyberspace Administration (CAC) released draft rules requiring major internet platforms to set up Personal Information Protection Supervisory Committees. These bodies would oversee compliance, review audits and impact assessments, and advise on data protection risks.

The draft is open for public comment until October 12, 2025, and reflects a hybrid oversight model that blends internal accountability, external expertise, and regulatory supervision, signaling a shift in how China expects tech giants to govern personal data.

34. South Korea Launches Crackdown on Illegal Online Data Distribution

September 9, 2025
South Korea

South Korea’s Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA) have launched a three-month initiative to monitor and block the illegal distribution of personal information across websites, forums, social media, and event platforms. The move follows a surge in high-profile hacking incidents involving telecom and credit card companies.

This initiative demonstrates South Korea’s aggressive enforcement posture and highlights the growing expectation for organizations to proactively bolster their cybersecurity defenses and monitoring systems.

35. China Reviews Tougher Amendments to Cybersecurity Law

September 7, 2025
China

The National People’s Congress is reviewing amendments to China’s Cybersecurity Law (CSL), which would raise penalties for violations and expand liability for “serious” or “particularly severe” consequences, including cross-border activities involving personal or sensitive data. The changes are designed to align with the Personal Information Protection Law (PIPL) and Data Security Law (DSL), further tightening compliance requirements.

If adopted, businesses operating in or targeting China will face greater financial and legal risks. Companies should closely review their data protection and cybersecurity frameworks to avoid exposure under the broadened scope.

WHAT'S NEXT:
Key Privacy Developments to Watch For

India to release DPDPA rules: India is expected to release the long-awaited rules under the Digital Personal Data Protection Act (DPDPA), which will flesh out enforcement procedures and compliance obligations. These rules will set the tone for India’s digital governance framework.

EU-Brazil Adequacy Decision Process Initiated: The European Commission launched Brazil's adequacy decision process on September 5, 2025, which could eliminate the need for additional safeguards in EU-Brazil data transfers. Watch for EDPB and member state review in the coming months.

EDPB Opens DSA-GDPR Compliance Consultation: The EDPB’s Guidelines 3/2025 are open for consultation until October 31, 2025. These guidelines clarify how online platforms can comply with both the Digital Services Act (DSA) and the GDPR across nine operational areas.

The European Commission Opens Consultation on Digital Simplification Agenda: The European Commission’s consultation on simplifying digital laws, including the AI Act, ePrivacy Directive, and GDPR rules for SMEs, runs until October 14, 2025. Expect proposals aimed at easing compliance and harmonizing reporting duties.

NIST Draft Paper Open for Comments: The U.S. NIST has opened comments until October 20, 2025, on its draft paper guiding migration to post-quantum cryptography (PQC). Organizations with long-term data protection concerns should follow it closely.

Colorado Privacy Rulemaking: The Colorado Attorney General’s Office is considering amendments to the Colorado Privacy Act. EPIC has already submitted comments urging stronger protections for minors. The final rules will shape how children’s privacy is handled in the state.

Bill for Massachusetts Data Privacy Act: The Massachusetts Senate unanimously passed S.2608, the Massachusetts Data Privacy Act, which is now headed over to the House for consideration.

Cybersecurity & LGPD Amendments in Brazil: Brazil is advancing Bill No. 4752/2025 (Legal Framework for Cybersecurity) and Bill No. 2379/2025 (amendments to the LGPD). Both could reshape Brazil’s digital compliance landscape.

Senators Neural Data Protection Act (MIND Act): Senators introduced the MIND Act, directing the FTC to explore safeguards for neural data as neurotechnology evolves. Expect early debates on how to regulate brain–computer interface data.

California Advancing New Privacy Bills: AB 1043 on age verification for minors, SB 361 on data broker registry, and SB 771 on violation of personal rights through algorithms by social media platforms. These proposals could expand California’s privacy leadership if enacted.

Amendments to State Privacy Laws Coming into Effect: Colorado SB 276, Montana SB 297, and Oregon HB 3875, which amend the respective state laws, come into effect on October 1, 2025. Review your practices to ensure timely compliance.
