Operational Proof Required: December's Global Privacy Verdict
December 2025 marked the moment regulators worldwide stopped debating privacy principles and began testing operational reality. In North America, New York vetoed a sweeping health privacy law while states launched enforcement actions against smart-TV makers, data brokers, and stalkerware. Europe intensified platform accountability through court rulings and coordinated TikTok warnings. Asia-Pacific built enforcement muscle with dedicated breach prevention units, compliance sweeps, and children's data safeguards.
The common thread cuts across continents: compliance now means live demonstrations, not documentation. A banking app was fined for scanning users' installed applications, online marketplaces lost the shelter of hosting exemptions, smart TVs face restrictions on automated content recognition, and cross-border transfers drew warnings from more than one regulator. Tools such as complaint portals, the Data Act helpdesk, and DSA transparency templates reward those building ahead of deadlines.
2026 belongs to organizations that can show their controls working: verifiable consent flows, minimized data pipelines, access requests fulfilled within days, and designated cybersecurity officers who own supply-chain risk. Paper privacy programs face extinction through fines and injunctions.
North & South America Jurisdiction
1. New York Governor Vetoes the New York Health Information Privacy Act (NYHIPA)
December 19, 2025 New York, United States
The New York Governor has vetoed the New York Health Information Privacy Act (NYHIPA), which had been passed by the Senate and Assembly in early 2025.
The Act would have broadly restricted the processing and sale of “regulated health information,” granted individuals access and deletion rights, and imposed strict compliance obligations on covered entities.
The Governor cited concerns that the bill’s scope was overly broad and could create significant compliance uncertainty. Enforcement would have been led by the Attorney General, with penalties of up to $15,000 per violation or 20% of New York-derived revenue. An override is possible but unlikely.
2. CalPrivacy Issues Enforcement Advisory On Data Brokers’ Registration Requirements
December 17, 2025 California, United States
The California Privacy Protection Agency (CalPrivacy) issued Enforcement Advisory No. 2025-01, clarifying data broker registration obligations under the Delete Act and the CCPA.
The Advisory emphasizes that each distinct legal entity that qualifies as a data broker must register separately and establish its own DROP account, rather than relying on a parent or affiliate’s registration. Data brokers must also accurately disclose all trade names (DBAs) and websites used to provide services and verify this information during registration.
All data brokers are required to register with CalPrivacy by January 31, 2026. Failure to register may result in administrative fines of $200 per day.
3. Texas Attorney General Gets Temporary Restraining Order Against Hisense
December 17, 2025 Texas, United States
Texas Attorney General Ken Paxton has secured a temporary restraining order (TRO) against Hisense, prohibiting the company from collecting, using, selling, sharing, or transferring Texans’ personal data through Automated Content Recognition (ACR) technology.
The action follows a lawsuit alleging that Hisense collected audio-visual data from smart TVs without consumers’ knowledge or consent. According to the Attorney General, the data was monetized and accessible to foreign entities. The TRO remains in effect while the case proceeds and signals heightened enforcement against unauthorized smart-device data collection.
4. Pennsylvania House Passes Genetic Data Privacy Bill (HB 1530)
December 16, 2025 Pennsylvania, United States
The Pennsylvania House of Representatives has passed House Bill 1530, which would regulate how direct-to-consumer genetic testing companies collect, use, and protect consumer genetic data.
The bill requires companies to publish transparent privacy policies, obtain express consumer consent before using or disclosing genetic information, and implement reasonable security safeguards for sensitive biological data. It also grants consumers rights to access and delete their genetic information.
Companies that fail to comply may face civil penalties of up to $2,000 per violation.
5. US Department of Health and Human Services (HHS) Reaches Settlement With Concentra
December 16, 2025 United States
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has reached a settlement with Concentra, Inc. to resolve a HIPAA Privacy Rule investigation involving an alleged failure to provide timely access to protected health information.
OCR determined that Concentra did not provide an individual with access to their medical records within the required 30-day timeframe. The settlement marks OCR’s 54th enforcement action under its Right of Access Enforcement Initiative.
As part of the resolution, Concentra agreed to pay $112,500 and implement a corrective action plan to strengthen compliance with HIPAA’s Right of Access requirements.
6. FTC Denies Petition to Vacate 2021 Order Against SpyFone CEO
December 8, 2025 United States
The Federal Trade Commission (FTC) has denied a petition filed by Scott Zuckerman, CEO of Support King, LLC (doing business as SpyFone), seeking to vacate or modify a 2021 consent order.
The FTC found that Zuckerman failed to demonstrate any material change in law or facts warranting reconsideration. The original order bans Zuckerman and his company from offering surveillance or monitoring products and requires the implementation of a comprehensive information security program with independent biennial assessments.
The Commission voted 2-0 to deny the petition following public comment.
7. CalPrivacy Fines Marketing Firm for Unregistered Data Broker Activity
December 3, 2025 California, United States
The California Privacy Protection Agency (CalPrivacy) has fined ROR Partners LLC $56,600 for failing to register as a data broker under California’s Delete Act.
CalPrivacy found that the marketing firm used billions of data points to create consumer profiles and custom audience segments for targeted advertising, including inferences about individuals’ demographics, behaviors, and interests. The Agency determined that selling these audience segments constituted the sale of personal information, even when bundled within broader marketing services.
The decision reinforces that advertising and marketing firms may qualify as data brokers and must register accordingly or face enforcement action.
8. Arizona AG Files Lawsuit Against Temu Over Alleged Data Privacy and Consumer Fraud Violations
December 2, 2025 Arizona, United States
Arizona Attorney General Kris Mayes has filed a lawsuit against Temu, alleging violations of the Arizona Consumer Fraud Act related to unlawful data collection, deceptive practices, and privacy harms affecting Arizona consumers, including minors.
The complaint alleges that Temu’s mobile app secretly collects extensive sensitive data such as precise location, microphone and camera access, and activity on other apps, without user knowledge or consent. The lawsuit also raises concerns about deceptive advertising, counterfeit goods, misuse of payment information, and data security risks linked to Temu’s foreign ownership.
The case seeks to halt the alleged practices and hold Temu accountable under state law.
9. Florida AG Subpoenas TP-Link Over Cybersecurity and Data-Sharing Concerns
December 2, 2025 Florida, United States
Florida Attorney General James Uthmeier has issued an investigative subpoena to TP-Link Systems Inc. as part of a consumer protection inquiry into the company’s cybersecurity practices, supply chain, and handling of U.S. consumer data.
The investigation examines whether TP-Link’s Wi-Fi routers expose Floridians to cybersecurity risks or mislead consumers about potential foreign government access to data. The subpoena seeks information on TP-Link’s corporate structure, software development, and data-handling practices.
The Attorney General emphasized that the subpoena does not constitute a finding of wrongdoing, and the investigation remains ongoing.
10. Alberta OIPC Publishes Comments & Recommendations On Proposed Health Information Act Amendments
December 1, 2025 Alberta, Canada
The Office of the Information and Privacy Commissioner of Alberta (OIPC) has published comments and recommendations on Bill 11, the Health Statutes Amendment Act, 2025 (No. 2), which was tabled in the Legislative Assembly on November 24, 2025.
The amendments aim to modernize the Health Information Act for team-based care and data-driven innovation. However, OIPC has raised concerns about the sharing custodian model for health information due to inadequate governance. Among other things, the OIPC recommended granting its office the power to issue administrative monetary penalties to deter non-compliance.
11. FTC Takes Action Against EdTech Provider Over Student Data Security Failures
December 1, 2025 United States
The Federal Trade Commission (FTC) has taken enforcement action against Illuminate Education, Inc., alleging that the company’s data security failures led to a breach affecting the personal information of more than 10 million students.
According to the FTC, Illuminate failed to implement reasonable safeguards for cloud-stored student data despite making security assurances to schools and districts. The proposed settlement requires Illuminate to establish a comprehensive information security program, delete unnecessary data, follow a public data retention schedule, and refrain from misrepresenting its privacy and security practices.
The Commission voted 2-0 to accept the proposed order for public comment.
12. Ecuador Fines Football Organizations For Unlawful Biometric Data Collection
December 1, 2025 Ecuador
Ecuador’s Superintendencia de Protección de Datos Personales (SPDP) has announced the first major sanctions under the Ley Orgánica de Protección de Datos Personales (LOPDP), fining the Liga Profesional de Fútbol del Ecuador (LigaPro) $259,644.01 and the Federación Ecuatoriana de Fútbol (FEF) $194,856.16, totaling approximately $454,500 USD.
These fines come after the organizations were accused of grave violations related to the unlawful processing of biometric data collected through Fan ID and FanFEF applications (used for stadium access control and ticket sales).
Europe Jurisdiction
13. Spanish and Dutch DPAs Warn on TikTok’s Ongoing EU Data Transfers to China and Non-EU States
December 22, 2025 Spain/Netherlands
The Spanish Data Protection Agency (AEPD) and the Dutch Data Protection Authority (AP) have both warned that TikTok continues transferring EU users’ personal data to China and other non-EU countries, despite EU regulators previously finding such transfers non-compliant with the GDPR.
Earlier in 2025, Ireland’s Data Protection Commission fined TikTok €530 million and ordered corrective measures, though enforcement has been temporarily suspended pending judicial review. Both authorities emphasized that the underlying GDPR assessment remains valid and urged users, particularly minors, to review privacy notices, app permissions, and transfer risks, while organizations are encouraged to assess continued use through data protection impact assessments.
14. European Commission Extends Adequacy Decision for the UK for Six Years
December 19, 2025 United Kingdom
The European Commission has renewed its 2021 adequacy decisions permitting the free and safe flow of personal data between the European Economic Area (EEA) and the United Kingdom.
The renewal follows a six-month technical extension adopted in June 2025 to allow assessment of changes introduced by the UK’s Data (Use and Access) Act. The Commission concluded that the UK’s data protection framework remains essentially equivalent to EU standards under both the GDPR and the Law Enforcement Directive.
The renewed adequacy decisions include a six-year sunset clause, expiring on 27 December 2031, with a review planned after four years.
15. Austrian Supreme Court Issues Final Ruling Requiring Meta to Provide Full User Data Access
December 18, 2025 Austria
The Austrian Supreme Court has issued a final ruling requiring Meta to provide users with full access to their personal data within 14 days, following a long-running case brought by privacy activist Max Schrems.
The court held that under GDPR Article 15, users are entitled to a complete copy of all personal data, including information on processing purposes, sources, and recipients, rejecting Meta’s trade secret arguments.
The ruling also reinforced opt-in consent requirements for targeted advertising and strict safeguards for sensitive data under Article 9. Meta was ordered to pay damages for delayed compliance, and the decision is enforceable EU-wide.
16. Croatian AZOP Issues Erste Bank €1.5 million Fine For Unlawful Mobile App Data Collection
December 18, 2025 Croatia
The Croatian Data Protection Authority (AZOP) has imposed a €1.5 million fine on Erste Bank for multiple GDPR violations related to its mobile banking application.
The authority found that the bank unlawfully collected and stored lists of all applications installed on users’ mobile devices, affecting over 433,000 users without a valid legal basis. The bank also failed to provide transparent information about this processing and did not apply data protection by design and by default.
The authority concluded that the practice was excessive, intrusive, and disproportionate to its stated purpose. The decision is subject to appeal.
17. European Commission Launches Data Act Legal Helpdesk
December 16, 2025
The European Commission has launched the Data Act Legal Helpdesk to support organizations in understanding and complying with the EU Data Act.
Accessible via EU Login, the Helpdesk allows stakeholders to submit questions through a short online form on topics including data access and sharing, user rights, cloud switching, and interoperability. Each request is reviewed by experts, with tailored responses provided by email.
While complex inquiries may take longer, the Commission aims to respond within 15 working days, in line with the Code of Good Administrative Behaviour.
18. Regulation (EU) 2025/2518 Published in the Official Journal Covering Complaint-Based Investigations by Supervisory Authorities
December 12, 2025
Regulation (EU) 2025/2518 has been published in the Official Journal of the European Union, establishing harmonised rules for complaint-based and ex officio GDPR investigations by supervisory authorities, as well as dispute resolution by the European Data Protection Board (EDPB).
The regulation sets admissibility requirements for cross-border complaints, including mandatory complainant details and identification of the controller or processor. It also introduces binding timelines, requiring lead supervisory authorities to issue draft decisions within 15 months, with extensions for complex cases. Provisions for early resolution of complaints are included.
19. UK ICO Fines LastPass £1.23M for Security Failures
December 11, 2025 United Kingdom
The UK Information Commissioner’s Office (ICO) has fined LastPass £1,228,283 for failing to implement appropriate security measures following a cyberattack that exposed the personal data of over 1.6 million UK users.
The ICO found that attackers exploited vulnerabilities in 2022 to access LastPass’s development environment and a senior engineer’s personal device, enabling the exfiltration of customer data. Although the stolen passwords remained encrypted, the ICO concluded that LastPass breached UK GDPR Articles 5(1)(f) and 32 by allowing access to business accounts from unmanaged personal devices and by linking personal and business accounts under a single master password, which significantly increased the security risk.
20. Liechtenstein DPA Issues Updated Cookie Guidance Following Legal Amendments
December 10, 2025 Liechtenstein
The Liechtenstein Data Protection Authority (DSS) has issued updated guidance on cookies and similar technologies following amendments to the Communications Act that took effect on February 1, 2025.
The guidance confirms that informed consent is required for cookies in accordance with the GDPR. However, consent is not required for cookies that are strictly necessary for transmitting communications or for providing a service explicitly requested by the user.
Under strict conditions, the DSS permits the use of cookies solely for basic analytics and visitor statistics without requiring a cookie banner. In these cases, the controller must clearly inform users about the cookies in the privacy policy in accordance with Article 13 of the GDPR. The controller must also provide users with the right to object to the use of these cookies.
21. Spanish AEPD Announces the Launch of the AEPD Laboratory for Privacy-Related Innovations
December 10, 2025 Spain
The Spanish Data Protection Authority (AEPD) has announced the launch of the AEPD Laboratory, a collaborative initiative aimed at fostering innovation, research, and dialogue on data protection and emerging technologies.
The Laboratory provides a technical and conceptual space focused on prevention, cooperation, and multidisciplinary reflection. It comprises three key elements: a peer-reviewed, open-access Privacy, Innovation and Technology Journal, a Lab Blog for professional and academic insights, and Privacy Dialogues, an audiovisual series featuring discussions between AEPD experts and external specialists.
The initiative seeks to strengthen practical and forward-looking approaches to privacy governance.
22. Danish DPA Announces Launch of New Digital Complaint Form
December 10, 2025 Denmark
The Danish Data Protection Agency (Datatilsynet) has launched a new digital complaint form that requires authentication through MitID, Denmark's national electronic identification system, and is designed to streamline the process of filing complaints about personal data processing.
The form provides guidance to citizens throughout the submission process and reduces the risk of incomplete submissions that lack the information necessary for the agency to process complaints effectively.
The agency recommends that individuals first contact the organization in question directly before filing a formal complaint with Datatilsynet. For those who do not have MitID access or prefer not to use the digital form, alternative contact methods remain available.
23. European Commission Accepts Meta's Commitment to Offer Less Personalized Ad Options
December 8, 2025
The European Commission has acknowledged Meta’s commitment to offer EU users a meaningful choice regarding personalized advertising on Facebook and Instagram, in line with the Digital Markets Act (DMA).
For the first time, Meta will allow users to choose between consenting to full data sharing for fully personalized ads or sharing less personal data in exchange for a service with more limited ad personalization. These options will be presented to EU users starting January 2026, following a non-compliance decision issued by the Commission earlier in 2025.
The Commission will monitor implementation and assess feedback on the new ad model.
24. IAB Europe Releases Multilingual Transparency Templates for DSA Advertising Compliance
December 4, 2025
IAB Europe has released standardized transparency text templates in 24 EU languages to help online platforms comply with Article 26 of the Digital Services Act (DSA).
Article 26 requires online platforms to provide users with clear, real-time information about advertisements. Platforms must explain what constitutes an advertisement, identify who is advertising, disclose who paid for the ad, and specify the main parameters that determine why users see specific advertisements.
The templates are the result of a collaborative effort between IAB Europe, IAB Tech Lab, and the European Digital Advertising Alliance (EDAA). The updated guidelines include technical specifications for the DSA translation JSON files, covering the file structure, key data fields, and integration processes that platforms need in order to implement the transparency requirements.
25. Portugal Transposes NIS2 Directive Through Decree-Law 125/2025
December 3, 2025 Portugal
Portugal has published Decree-Law 125/2025, formally transposing the EU’s NIS2 Directive into national law.
The decree applies to a broad range of public and private entities, while excluding systems directly linked to national security, defense, intelligence, and criminal investigations. Covered organizations must implement technical, operational, and organizational cybersecurity measures, designate a cybersecurity officer, and address supply-chain risks. Essential and important entities are subject to incident notification obligations, with essential entities also required to submit annual cybersecurity reports.
The law introduces significant administrative fines, aligned with NIS2’s EU-wide enforcement framework.
26. CNIL Fines American Express Carte France €1.5M for Call Recording and Cookie Violations
December 2, 2025 France
The French data protection authority CNIL has imposed a €1.5 million fine on American Express Carte France (AECF) for GDPR and French data protection law violations related to call recording and cookie practices.
CNIL found that AECF recorded customer calls excessively, including during hold periods, in breach of the data minimization principle under GDPR Article 5(1)(c). CNIL also identified multiple cookie consent violations, including placing advertising trackers without consent and continuing tracking after refusal or withdrawal. In addition to the fine, AECF was ordered to bring its practices into compliance by November 27, 2025.
27. German Antitrust Authority Announces Market Test to Assess Apple ATTF Commitments
December 2, 2025 Germany
Germany's antitrust authority, the Federal Cartel Office (Bundeskartellamt), has launched a market test on Apple's proposed solutions for its App Tracking Transparency Framework (ATTF). This follows the authority's February 2025 assessment that flagged major competition concerns in Apple’s ATTF. Apple had employed distinct consent prompts for ad tracking, subtly favoring its own apps over those from third-party developers and undermining market fairness.
Apple's commitments aim to neutralize these prompts by removing dark patterns, aligning wording and design, clarifying technical details, and simplifying choices for third-party apps. However, any advertising attribution practices are omitted from these commitments, signaling Apple’s intent to continue measuring advertising success without obtaining prior consent. This practice will be specifically examined in the market test from both competition and data protection perspectives.
Bundeskartellamt aims to use the results of its assessment to decide whether Apple's proposed solutions adequately address its preliminary concerns.
28. CJEU Issues Ruling On Online Marketplaces’ Liability For Personal Information In Ads Posted By Third Parties
December 2, 2025
The CJEU has issued a landmark ruling determining that operators of online marketplaces qualify as GDPR data controllers for personal data embedded in third-party user advertisements.
The case involved Russmedia Digital, operator of a Romanian classifieds platform, where unauthorized ads disclosed a woman’s photos and phone number, implying sexual services. The CJEU held that platform operators play an essential role in making such data publicly accessible and must take proactive measures when sensitive data is involved.
The ruling confirms that GDPR obligations prevail over hosting exemptions under the E-Commerce Directive, significantly increasing platform accountability.
Asia-Pacific Jurisdiction
29. South Korea’s PIPC Establishes Dedicated Data Breach Prevention Department
December 23, 2025 South Korea
South Korea’s Personal Information Protection Commission (PIPC) has established a dedicated department focused on preventing personal data breaches.
The reorganization includes the creation of a Prevention Coordination Office and a Pre-Inspection Division to proactively identify vulnerabilities and manage data protection risks before incidents occur. A new Digital Communication Team has also been formed to enhance public engagement and responsiveness on privacy issues.
The restructuring is supported by an expansion of 17 additional staff members, including investigators and a dispute resolution officer, reinforcing PIPC’s preventive and enforcement capabilities.
30. Philippines' NPC Appoints New Privacy Commissioner
December 12, 2025 Philippines
The Philippines’ National Privacy Commission (NPC) has announced the appointment of Johann Carlos S. Barcena as the new Privacy Commissioner.
The NPC stated that under the new leadership, it will continue to enforce the Data Privacy Act of 2012, while prioritizing the protection of personal data, supporting responsible innovation, and strengthening trust in the digital economy. The Commission also emphasized the importance of closer collaboration with public and private stakeholders to advance effective data protection governance nationwide.
31. Australian OAIC Announces First Privacy Policy Compliance Sweep
Australia
The Office of the Australian Information Commissioner (OAIC) has announced its first-ever privacy policy compliance sweep, targeting around 60 organizations across sectors that frequently collect personal information in person.
These include rental and property businesses, pharmacies, licensed venues, car rental companies, dealerships, and second-hand dealers. The sweep will assess compliance with Australian Privacy Principle (APP) 1.4, which requires entities to maintain clear and up-to-date privacy policies.
Organizations found non-compliant may face penalties of up to AUD 66,000, signalling increased enforcement focus and the need for businesses to review their privacy disclosures.
32. India Proposes Stronger Safeguards for Children’s Data
December 5, 2025 India
India has introduced two legislative proposals, Bill 182 and Bill 277, seeking to strengthen protections for children’s personal data under the Digital Personal Data Protection Act (DPDPA).
Bill 182 defines a child as anyone under 16, requires processing to align with the child’s best interests, and allows limited parental consent exemptions subject to self-assessment. Bill 277 adopts a stricter approach, mandating age verification, enhanced data minimization and retention limits, DPIAs for substantial processing, and deletion rights.
If enacted, the bills would significantly increase compliance obligations for digital platforms and child-facing services.
WHAT'S NEXT: Key Privacy Developments to Watch For
The Office of the Privacy Commissioner of Canada (OPC) has launched a consultation to modernize its guidance for organizations regulated under PIPEDA. The OPC is seeking stakeholder input on guidance formats, priority topics, and consultation processes, with the consultation open until March 13, 2026.
Canada OPC’s 2026–2027 Contributions Program is now open, focusing on privacy risks in online gaming, with grants of up to $100,000 per project (deadline: February 20, 2026).
A proposed settlement order involving Illusory Systems is open for public comment until mid-January 2026, signaling continued enforcement focus.
The European Parliament has published a briefing on the upcoming Cloud and AI Development Act, with a legislative proposal expected in early 2026.
China revised public security rules and new cross-border data export certification measures, both to enter into force on January 1, 2026, tightening data governance and enforcement.
A draft decree clarifying the Vietnam Personal Data Protection Law (PDPL) is expected to take effect on January 1, 2026, with implications for both domestic and foreign organizations.