
Privacy Regulation Roundup: Top Stories of April 2025

Contributors

Yasir Nawaz

Digital Content Producer at Securiti

Rohma Fatima Qayyum

Associate Data Privacy Analyst at Securiti

Asaad Ahmad Qureshy

Associate Data Privacy Analyst at Securiti

Aswah Javed

Associate Data Privacy Analyst at Securiti


Securiti’s Privacy Regulation Roundup summarizes the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.

Editorial Note

Data Rules Tighten Worldwide and the Margin for Error Shrinks 

April 2025 showed us that regulators worldwide are no longer merely reacting - they are setting sharper expectations across privacy, data transfers, and platform accountability. Global regulators from the U.S. FTC to the European Commission and Chinese authorities are demanding deeper accountability, faster responsiveness, and tangible safeguards, especially around minors' data, AI systems, and cross-border data flows. Laws are no longer static checklists. They are dynamic frameworks that force companies to rethink how they design services, manage relationships, and build consumer trust. Companies that treat privacy as a core business function rather than a back-office burden will not only mitigate regulatory risks, but also strengthen their brand and customer loyalty.

In a world of rising digital scrutiny, proactive privacy governance is not just compliance - it’s strategy.


A quick overview of global privacy headlines you cannot afford to miss.

North and South America Jurisdiction

1. Oklahoma and Alabama Move Toward Comprehensive Privacy Laws

Date: April 24, 2025
State: Oklahoma; Alabama, United States

Oklahoma’s Senate Bill 546 is advancing through the legislative process, proposing a new privacy framework for businesses that handle large volumes of personal data. This bill would grant consumers rights to access, delete, and opt out, while requiring companies to limit data use, boost transparency, and assess risks. If enacted, the law is scheduled to take effect on January 1, 2026.

Meanwhile, Alabama’s House Bill 283 also moved forward, establishing similar consumer rights and obligations for businesses. If passed, it would take effect on October 1, 2025, and would make Alabama another state adopting a comprehensive privacy framework.

Businesses operating in either Oklahoma or Alabama should monitor developments closely and prepare for stricter privacy compliance obligations in these states. Read more on Oklahoma’s SB 546 and Alabama’s HB 283.

2. Montana Passes Amendments to Consumer Data Privacy Law

Date: April 22, 2025
State: Montana, United States

Montana’s SB 297, which amends the Montana Consumer Data Privacy Act (MTCDPA), has been signed by the President and now awaits signature by the Montana governor.

The bill significantly enhances privacy rights, particularly for minors. It prohibits the sale, profiling, or targeted advertising of known minors' data and mandates reasonable safeguards against harm. It also expands applicability by lowering thresholds for covered entities and introducing stricter rules on privacy notices, opt-outs, and data collection practices.

Furthermore, it eliminates the 60-day cure period and grants the Attorney General enforcement powers, including civil penalties of up to $7,500 per violation. It also allows for mandatory data protection assessments where there is heightened risk, especially involving minors.

Organizations operating in Montana should prepare now for these substantial changes. Read More

3. Montana Moves to Expand Privacy Law to Cover Neural Data

Date: April 22, 2025
State: Montana, United States

Montana’s Senate Bill 163, amending the Montana Genetic Information Privacy Act (MGIPA), was transmitted to the governor on April 22, 2025. If signed, Montana would become the third U.S. state to enact a law protecting neural and neurotechnology data.

The bill expands privacy protection to neural data, recognizing it as sensitive personal information. It requires explicit consent before collecting or sharing neural information, blocks unauthorized access by insurers, employers, or even government agencies without a warrant, and bans offshoring neural data to sanctioned countries. Companies must now disclose exactly how they collect, use, and store neurotechnology data, and consumers can demand its deletion or destruction.

Montana’s move highlights growing concerns about cognitive privacy as neurotechnology becomes more commercially widespread. Read More

4. FTC Publishes Final Amendments to COPPA Rule

Date: April 22, 2025
Country: United States

The Federal Trade Commission (FTC) has finalized significant amendments to the Children’s Online Privacy Protection Act Rule (COPPA), published in the Federal Register on April 22, 2025. The new Rule becomes effective June 23, 2025, with a compliance deadline of April 22, 2026.

The amendments expand the scope of personal information protected under the COPPA Rule, now including biometric identifiers and government-issued IDs. They introduce enhanced parental consent requirements, stricter privacy notice obligations, mandatory data retention policies, and requirements for written information security programs. Operators must now obtain separate verifiable parental consent for disclosing children's personal information to third parties not integral to their services.

The FTC’s action highlights the increasing regulatory focus on children’s online privacy, emphasizing that compliance with both federal and emerging state-level protections is essential.

If your organization operates websites, apps, or online services directed at children under 13, immediate steps toward updating your compliance frameworks are recommended. Read more

5. Oregon Advances Bill to Ban Sale of Geolocation and Teen Data

Date: April 21, 2025
State: Oregon, United States

Oregon’s amended HB 2008 has cleared the House and been referred to the Senate Committee on Judiciary. The Bill is set for public hearing on May 5, 2025.

HB 2008 proposes key updates to the Oregon Consumer Privacy Act (OCPA). If enacted, the bill would prohibit the sale of personal data or its use for targeted advertising or profiling when the controller knows or willfully disregards that the user is under 16.

It would also ban the sale of precise geolocation data capable of identifying a user’s location within 1,750 feet, citing risks of surveillance, stalking, and intrusive tracking.

The bill reflects growing U.S. legislative momentum around teen protections and sensitive data. Organizations operating in Oregon will need to review consent practices and geolocation-based offerings for compliance.

6. Arkansas Enacts Children and Teens’ Online Privacy Protection Act

Date: April 21, 2025
State: Arkansas, United States

Arkansas has officially enacted HB 1717 as Act 952, establishing one of the most comprehensive privacy laws in the U.S. for minors online. The law applies to operators of websites, apps, and digital services directed at or knowingly collecting data from children under 13 and teens aged 13-16.

The law mandates strict data minimization, limits retention, prohibits targeted advertising without consent, and grants rights to access, delete, and correct data. It requires verifiable parental consent for processing children's data and, for teens, mandates either teen or parental consent unless the processing falls under seven permitted exceptions (e.g., fraud prevention, internal operations).

Unlike COPPA, the law extends protections to teens without requiring mandatory age verification. It will be enforced exclusively by the Arkansas Attorney General and takes effect on July 1, 2026.

Organizations offering online services to minors in Arkansas should start preparing now for significant compliance changes. Read more

7. State Regulators Launch Consortium for Privacy Collaboration

Date: April 16, 2025
Country: United States

Eight state privacy regulators, including the California Privacy Protection Agency (CPPA) and Attorneys General from California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon, have announced the formation of the Consortium of Privacy Regulators. This bipartisan initiative aims to strengthen coordination on the implementation and enforcement of state privacy laws and promote consumer protection across jurisdictions.

Through a formal memorandum of understanding, the Consortium will facilitate dialogue on privacy developments, share investigative resources, and streamline enforcement strategies where state laws align, particularly around rights such as data access, deletion, and opting out of data sales.

The creation of this Consortium signals a new era of cross-state privacy collaboration in the U.S., with regulators prioritizing more consistent and effective protection against real-world data harms. Read more

8. Nebraska’s Age-Appropriate Design Code Bill Advances to Final Reading

Date: April 11, 2025
State: Nebraska, United States

Nebraska’s LB504, aimed at adopting the Age-Appropriate Online Design Code Act, has advanced to Final Reading as of April 11, 2025. The bill, introduced in January and steadily progressing through hearings and amendments, now awaits a final vote in the legislature before potentially heading to the Governor for signature.

LB504 introduces strong default protections for children by requiring online platforms to treat all users as minors unless they have verified otherwise. It prohibits the use of manipulative design features ("dark patterns"), mandates publicly posted third-party audits instead of risk assessments, and requires businesses to implement tools like time limits, visibility controls, and opt-ins for chronological feeds.

If passed into law, LB504 would take effect on January 1, 2026 - ushering in a new era of online safety regulation in Nebraska that could significantly shape national trends.

9. DOJ Final Rule on Foreign Access to Sensitive Data Takes Effect - Implementation Guidance Follows

Date: April 11, 2025
Country: United States

The U.S. Department of Justice’s Final Rule restricting access to sensitive U.S. personal and government-related data by foreign adversaries officially took effect on April 8, 2025, under Executive Order 14117. The Rule targets data transfers to countries of concern (including China, Russia, Iran, and others) and introduces a framework of prohibited, restricted, and exempt transactions.

Just days later, the DOJ’s National Security Division (NSD) released critical implementation guidance, including an Enforcement Policy, a Compliance Guide, and detailed FAQs. The documents clarify that although some audit and reporting requirements take effect in October, companies are expected to begin compliance immediately. While the DOJ will consider good-faith efforts during an initial 90-day window, enforcement remains active, especially in cases of willful violations. The Rule complements frameworks like CFIUS and Commerce’s ICTS, signaling a tighter grip on cross-border data flows.

If your organization handles sensitive data or operates across borders, it is time to assess exposure and implement controls.

Know more about the Rule and access the official link here

10. CPPA & NJAG Urge A Federal Data Privacy Framework

Date: April 7, 2025
Country: United States

The California Privacy Protection Agency (CPPA) and the New Jersey Attorney General (NJAG) have submitted a joint letter to the U.S. House Committee on Energy & Commerce’s Privacy Working Group, calling for a strong federal data privacy framework that sets a floor, not a ceiling, for protections.

The letter stresses that a federal law should preserve states' rights to enact stronger safeguards, highlighting the crucial role states have played in driving innovation in privacy protections. It also calls for transparency and accountability in AI-driven decision-making and urges Congress to incorporate state enforcement powers into any federal privacy regime.

The move reflects growing state-led momentum to ensure that evolving federal efforts build on, rather than weaken, the privacy protections Americans already rely on. Read More

11. Bermuda Clarifies Age Assurance Obligations Under PIPA

Date: April 3, 2025
Country: Bermuda

The Office of the Privacy Commissioner for Bermuda (PrivCom) has published a blog on age assurance methods under the Personal Information Protection Act 2016 (PIPA). Organizations must now verify if users are under 14 and get parental consent before collecting children's data.

PrivCom outlines methods like self-declared ages, document checks, facial estimation, email analysis, and payment verification. No single solution fits all, and organizations are urged to prioritize privacy-enhancing technologies and follow Privacy by Design principles.

This update follows Bermuda’s endorsement of a joint international statement on age assurance and aims to help organizations better comply with children’s data protections under PIPA.

Digital services targeting kids? Stronger compliance expectations are now in place. Read More

Europe and Africa Jurisdiction

12. UK NCSC Releases Report On Cryptography Techniques

Date: April 28, 2025
Country: United Kingdom

The UK’s National Cyber Security Centre (NCSC) has released a report on cryptography techniques to help organizations comply with their data protection obligations. The report includes details on advanced cryptography techniques, such as Fully Homomorphic Encryption (FHE) and Multiparty Computation (MPC). These new encryption protocols represent leaps in overall cryptographic methodology, as FHE allows computation directly on encrypted data without the need to decrypt it first, while MPC allows for cooperative calculations without secret inputs being shared.

Organizations involved in handling, searching, or computing sensitive data should adopt advanced cryptography techniques, like FHE and MPC, as highlighted by the U.K.'s NCSC, to enable secure processing of sensitive data, and facilitate compliance with data protection obligations. Read More

13. UK’s Ofcom Publishes Draft Protection of Children Codes To Enhance Children’s Safety Online

Date: April 24, 2025
Country: United Kingdom

The UK’s Office of Communications (Ofcom) has published its draft Protection of Children Codes, setting out the safety standards digital services must meet to protect children under the Online Safety Act.

The Codes apply to user-to-user and search services likely to be accessed by children. Key requirements include conducting risk assessments, implementing age assurance measures, moderating harmful content like suicide, pornography, or abuse, and ensuring clear reporting and complaints procedures.

Services posing greater risks or with large UK user bases (7 million+) will face stricter obligations, including annual risk reviews and enhanced content controls. Providers may adopt Ofcom’s recommended measures or alternative ones, as long as they document how those fulfil their legal duties.

Organizations with online services accessible to children in the UK should proactively familiarize themselves with Ofcom's draft Protection of Children Codes and strategically plan for the implementation of necessary safeguards in anticipation of the Codes' expected parliamentary approval on July 25, 2025. Read More

14. CNIL Opens Public Consultation on Draft Recommendation for Multi-Terminal Consent

Date: April 24, 2025
Country: France

The French data protection authority, CNIL, has opened a public consultation on its draft recommendation for collecting multi-terminal consent, i.e., cookie and tracker consent that applies across all devices linked to a user account.

The draft focuses on “logged-in universes” and outlines GDPR-compliant ways for organizations to collect a single consent that would automatically apply across smartphones, tablets, laptops, smart TVs, and browsers, provided they are connected to the same user account.

The recommendation aims to support digital stakeholders (e.g., publishers and ad tech providers) in improving consent experiences while meeting legal standards. It supplements CNIL’s 2020 guidance on cookies and trackers.

The consultation is open until June 5, 2025.

If your organization navigates multi-terminal user consent, we encourage you to review CNIL's draft recommendation on multi-terminal consent and participate in the public consultation to help achieve a final version of the recommendation. Read More

15. The European Commission Fines Apple and Meta Under Digital Markets Act for Non-Compliance

Date: April 23, 2025

The European Commission has fined Apple €500 million and Meta €200 million for breaching the Digital Markets Act (DMA) owing to their restrictive practices and non-compliant advertising models, respectively.

Apple was penalized for preventing app developers from informing users about alternative, cheaper purchasing options outside the App Store, violating DMA anti-steering provisions. The Commission has ordered Apple to remove these restrictions.

Meta’s earlier “Consent or Pay” model, which required users to either consent to personalized ad tracking or pay for an ad-free service, was found non-compliant, as it failed to offer an equivalent, less intrusive alternative. The fine applies to the period before Meta introduced a revised model in November 2024.

Both companies must comply with the decisions within 60 days or face further penalties.

The ruling signals strict enforcement of the DMA and a clear warning for businesses operating in the EU to ensure compliance with user choice and transparency obligations. Read More

16. EU-Canada Agreement Finalized on Passenger Name Record (PNR) Data

Date: April 16, 2025

The Council of the European Union has formally adopted a decision concluding the EU-Canada passenger name record (PNR) agreement. This agreement allows for the transfer of airline passenger data such as names, itineraries, and payment details to Canada to support the prevention and prosecution of terrorism and serious transnational crime.

The agreement includes strong privacy safeguards, excluding sensitive data (e.g., political or ethnic information), requiring transparency toward passengers, and assigning independent oversight authorities.

It will enter into force once both the EU and Canada have formally notified each other of the completion of their internal procedures. The EU’s process is considered complete following the adoption of the Council decision.

If your organization operates in aviation, travel, or transatlantic data processing, this agreement sets a precedent for balancing data utility with fundamental rights in international transfers. Read More

17. EDPB Releases Draft Guidelines on GDPR-Compliant Blockchain Data Processing

Date: April 14, 2025

The European Data Protection Board (EDPB) has adopted new guidelines addressing how personal data can be processed through blockchain technologies in compliance with the GDPR. As decentralized systems see increasing adoption, the EDPB aims to bring legal clarity around roles, responsibilities, and risks.

The guidelines explore blockchain architecture, highlight the importance of technical and organizational safeguards by design, and clarify how core GDPR principles such as data minimization, rectification, and the right to erasure apply in blockchain settings. Key actors in the blockchain ecosystem are defined, and regular Data Protection Impact Assessments (DPIAs) are recommended for relevant use cases.

The guidelines are currently open for public consultation until June 9, 2025.

If your organization leverages blockchain technology, now is the time to assess compliance strategies and participate in the consultation. Read More

18. EU Signals GDPR Simplification for SMEs

Date: April 14, 2025

European Commissioner for Justice Michael McGrath has confirmed that the European Commission plans to simplify the General Data Protection Regulation (GDPR), particularly to reduce burdens on small and medium-sized enterprises (SMEs). The confirmation came during a livestreamed interview as part of the “Future of Transatlantic Digital Collaboration” event hosted by CSIS.

The simplification will focus on easing record-keeping obligations for businesses with fewer than 500 employees, while maintaining the GDPR’s core principles. This initiative is part of a broader “Digital Package” anticipated in Q4 2025, which aims to streamline various pieces of EU digital legislation, including the GDPR, Cybersecurity Act, and the AI Act. The move aligns with the Commission’s 2025 Work Programme and its Competitiveness Compass goals to reduce administrative burdens and improve legal coherence across digital laws.

If your organization is an SME operating in the EU, this upcoming simplification could reduce compliance overhead, but core data protection obligations will remain unchanged. Read More

19. European Commission Proposes First-Ever Adequacy Decision for European Patent Organization

Date: April 5, 2025

The European Commission has launched the process to adopt an EU adequacy decision for the European Patent Organization (EPO), marking the first time such a decision has been proposed for an international organization under GDPR.

The draft decision concludes that EPO’s data protection framework provides a level of protection essentially equivalent to that of the EU. Once adopted, it would allow EU-based entities to transfer personal data to the EPO without the need for additional safeguards, supporting smoother cross-border data flows in the patent ecosystem.

This would ease GDPR compliance for data transfers to the EPO, especially for innovation and IP-driven businesses operating across borders. Read More

20. EU Publishes Final Report on B2B Data Sharing And Cloud Computing Contracts

Date: April 2, 2025

The European Commission’s Expert Group has released its long-awaited final report proposing model contractual terms (MCTs) for B2B data sharing and standard contractual clauses (SCCs) for cloud computing agreements, under Article 41 of the EU Data Act. The Data Act applies from September 12, 2025, and this release marks a key step in preparing stakeholders for it.

The MCTs offer four contract templates for various data sharing relationships, including data holders to users and data sharers to data recipients. The SCCs contain six standard clauses that address key elements of cloud contracts like termination, switching/exit strategies, liability, and security. Though voluntary, these templates serve as practical tools for organizations to align with data sharing expectations under the Data Act. A formal Commission Recommendation based on this report is expected before summer.

If you are a business involved in data sharing or cloud services, especially in B2B contexts, this is the time to review your agreements and prepare for alignment with the Data Act. Read More

Asia Jurisdiction

21. Saudi Arabia Opens Consultation on Licensing Rules for Data Protection Services

Date: April 29, 2025
Country: Saudi Arabia

The Saudi Data and Artificial Intelligence Authority (SDAIA) has opened a public consultation on draft rules regulating commercial, professional, and non-profit activities related to personal data protection under the PDPL.

The draft outlines new licensing and permit requirements for those offering consultancy, training, compliance tech, and events related to data protection. Entities will need to register on the National Data Governance Platform, disclose prior PDPL violations or complaints, and meet specific compliance obligations to obtain permits. SDAIA will also license organizations providing certifications and audits.

This is a significant step toward formalizing the data protection services industry in Saudi Arabia, creating clearer entry and compliance standards for professionals in this emerging market. Read More

22. Malaysia Enacts Data Sharing Act to Accelerate Public Service Innovation

Date: April 28, 2025
Country: Malaysia

Malaysia’s Data Sharing Act officially took effect on April 28, 2025, establishing a structured framework for secure data sharing among federal ministries and agencies.

The Act sets out clear procedures for government data requests, with the National Data Sharing Committee responsible for strict evaluations to ensure accountability and the protection of personal data. By enabling real-time access to shared data, the law aims to enhance public service delivery, support AI-driven solutions across sections, and promote Malaysia’s broader aspiration of becoming a leading AI nation through initiatives like the National AI Office (NAIO).

This marks an important precedent for public sector data use in the region, reinforcing the need for transparency, purpose limitation, and standardized data sharing protocols. Read More

23. SDAIA Launches Public Consultation On PDPL Implementing Regulations Amendments

Date: April 27, 2025
Country: Saudi Arabia

The Saudi Data and Artificial Intelligence Authority (SDAIA) has launched a public consultation on proposed changes to the Personal Data Protection Law (PDPL) Implementing Regulations. Key proposals include mandatory registration for controllers who transfer data outside Saudi Arabia, process sensitive data, or handle personal data beyond family use. Controllers would also need to maintain detailed records of processing activities.

The amendments further clarify privacy notice requirements, strengthen breach response obligations, and introduce expanded duties for personal data protection officers.

These updates aim to align Saudi Arabia’s privacy framework with international best practices while ensuring greater legal clarity for businesses operating in or transferring data from the Kingdom. Feedback from stakeholders is open until May 27, 2025. Read More.

24. Upgraded ASEAN-Australia-New Zealand Free Trade Agreement Takes Effect

Date: April 21, 2025
Region: Asia-Pacific

The new ASEAN-Australia-New Zealand Free Trade Agreement (AANZFTA) officially came into force on April 21, 2025, expanding tariff preferences, broadening market access, and strengthening regulatory alignment across the region.

The updated agreement introduces new chapters on digital trade, including provisions on data protection, cross-border financial data storage, and e-commerce rules.

This marks a significant step toward digital trade harmonization in the Asia-Pacific. Businesses operating across ASEAN, Australia, and New Zealand will benefit from greater legal clarity and stronger safeguards for digital transactions, positioning the region as a leader in setting data governance standards within trade agreements. Read More.

25. South Korea's PIPC Updates Guidelines On Personal Information Processing Policies

Date: April 21, 2025
Country: South Korea

South Korea’s Personal Information Protection Commission (PIPC) has released revised guidelines for “Writing Personal Information Processing Policies” to improve transparency and align with evolving data protection priorities.

The updates provide clearer distinctions between data processing activities that require consent and those that do not, offer more flexibility in listing personal data items, and allow broader options for disclosing privacy notices across mobile apps. The guidelines also enhance transparency obligations around automated decision-making, behavioral advertising, and AI-related data use. The revision signals heightened expectations around privacy governance.

Organizations operating in or targeting South Korea should review and align their processing policies ahead of the 2025 evaluation cycle. Read More

26. People’s Bank Of China Issues Guidelines on Cross Border Financial Data Transfers

Date: April 17, 2025
Country: China

The People's Bank of China has issued the "Guidelines for Promoting and Standardizing the Compliance of Cross-border Flow of Financial Industry Data" alongside six other departments. The guidelines provide conditions for compliant data exports in over 60 common financial business scenarios including cross-border payments, account openings, and remittances.

The guidelines introduce exemptions from security assessments, clarify when standard contracts or certifications apply, and emphasize the need for technical and organizational safeguards. The aim is to streamline and clarify conditions for cross-border data transfers in the financial sector, strengthen compliance and security, and support opening up China's financial sector to global players.

If you are a financial institution operating in or with China, these guidelines offer much-needed predictability for cross-border flows while reinforcing expectations of robust security and technical controls for financial data. Read More

27. China’s CAC Issues Q&A on Outbound Data Transfer Rules

Date: April 9, 2025
Country: China

The Cyberspace Administration of China (CAC) has issued a new set of Q&As to guide businesses on cross-border data transfer requirements. The Q&A addresses frequently asked questions on implementation, thresholds, exemptions, and regulatory expectations. This release is a follow-up to the Regulations on Promoting and Regulating Cross-Border Data, which were finalized on March 22, 2024 and took effect immediately.

The Q&As confirm that only important data and personal information above specific thresholds are subject to outbound restrictions, while general business data can flow freely. The CAC also addressed consistency in negative list design across free trade zones, group-level efficiencies in data transfer processes, new guidance for defining “necessity” and “important data,” and clarification on extension for data export assessment validity (from original 2 to 3 years).

If your company operates in or with China, this guidance clarifies which data flows require compliance steps and where exemptions or extensions may apply, helping streamline cross-border data strategies. Read More

28. New Zealand Enacts Act For Sharing of Customer & Product Data Between Businesses

Date: April 1, 2025
Country: New Zealand

New Zealand has officially enacted the Customer and Product Data Act 2025, introducing an economy-wide consumer data right framework. Passed on March 29 and effective March 30, the Act enables customers - both individuals and entities - to direct their data to accredited third parties and access product data in designated sectors. Banking is the first sector to be designated under this new regime, laying the foundation for open banking in New Zealand.

The Act sets clear obligations for data holders, creates an accreditation framework for data recipients, and interacts closely with the Privacy Act 2020, clarifying overlapping responsibilities. Enforcement measures are robust, with penalties of up to NZ$2.5 million for non-compliance.

If your organization handles consumer or product data in New Zealand, particularly in banking or related sectors, you should begin assessing CDR compliance obligations and prepare for future designations beyond finance. Read More

WHAT'S NEXT: Key Privacy Developments to Watch For

  • Colorado House to Decide Fate of Social Media Bill: After the Senate overrode Governor Polis’s veto, the Colorado House has until May 7 to finalize the override of SB25-086. A successful vote would impose major new moderation and reporting rules on social media platforms.
  • California Age-Appropriate Design Code Litigation: Key public hearing on April 29, 2025, and work session on May 1, 2025, will determine the future of California’s children's privacy protections.
  • Growing focus on protecting minors’ data: States like Texas (SB 2991), Vermont (SB 71), Oregon (HB 2008), and Florida (SB 868) are advancing bills restricting targeted advertising and regulating social media access for minors. Organizations engaging with young users should monitor these developments closely.
  • Broader Consumer Data Protection Bills Progressing: Comprehensive privacy initiatives are moving forward in Oklahoma (SB 546, SB 626), Oregon (HB 3875), California (SB 361), Vermont (SB 71), and Florida (SB 868), signaling rising momentum for stronger individual rights and stricter business obligations across states.
  • Bermuda - Pink Sandbox Application Deadline Approaches: Organizations developing innovative, privacy-focused products using personal data have until May 11, 2025 to submit an Expression of Interest to join Bermuda’s Pink Sandbox initiative. This free advisory program by PrivCom promotes privacy-by-design and provides tailored guidance on responsible personal data use.
  • US - TAKE IT DOWN Act Awaits Presidential Signature: Passed with overwhelming bipartisan support, the TAKE IT DOWN Act requires platforms to remove nonconsensual intimate images, including deepfakes, within 48 hours of a valid request. It now heads to President Trump, who has pledged to sign it into law.
  • Public Consultation on Blockchain Guidelines: Organizations using blockchain for personal data processing should submit feedback on the EDPB's draft guidelines via the form by June 9, 2025.
  • Personal Information Audit Management Measures: The Personal Information Protection Compliance Audit Management Measures in China are expected to take effect on May 1, 2025.
  • Multi-Device Consent Consultation (France): Entities engaged in multi-terminal user consent (publishers, advertisers) should review CNIL’s draft recommendation and submit feedback by June 5, 2025.
  • EU-Canada Passenger Name Record (PNR) Agreement: Track the formal entry into force as both sides complete internal procedures.
  • NIST’s Privacy Framework Update: Further progress on NIST’s Privacy Framework is likely following the release of version 1.1, which addresses AI privacy risks and better integration with the Cybersecurity Framework 2.0.
