Securiti’s Privacy Regulation Roundup summarizes the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
Editorial Note
Legislative Activity Increases Worldwide
Globally, July proved to be a busy month for privacy developments. In the US, legislative activity was at the forefront, with new laws and amendments taking effect in Tennessee, Colorado, and Virginia. Vietnam followed suit with the passage and implementation of new legislation. Across Asia, a focus emerged on strengthening data security, managing cybersecurity risks, and enhancing data subject rights, as jurisdictions introduced new frameworks and directives to improve compliance. Europe, too, teemed with significant activity, seeing the release of new guidance, the initiation of public consultations, the implementation of further enforcement actions, and fines levied on various entities.
Looking forward, the next month anticipates a continued surge in public consultations, feedback windows, and new legislative activity worldwide.
North & South America Jurisdiction
1. California Finalizes ADMT and Risk Assessment Regulations
July 24, 2025 California, United States
On July 24, 2025, the California Privacy Protection Agency (CPPA) unanimously approved new rules under the CCPA covering automated decision-making technology (ADMT), risk assessments, and cybersecurity audits. Businesses must now assess privacy risks when using ADMT for significant decisions, processing sensitive data, or selling personal information.
The final rules limit opt-outs to cases where ADMT replaces human decision-making and requires human oversight. References to AI and behavioral advertising were removed to narrow the scope and address industry concerns. The rules await final approval by the Office of Administrative Law.
Organizations in California using ADMT should review the obligations these regulations impose and prepare to meet them.
2. Colorado Biometric Privacy Law Takes Effect
July 1, 2025 Colorado, United States
On July 1, 2025, Colorado’s biometric privacy law (House Bill 24-1130) came into force, introducing strict requirements for businesses collecting biometric data such as fingerprints, facial scans, and voiceprints. The law applies even to entities not covered by the broader Colorado Privacy Act and mandates written policies, clear consent, limited use, and strong security measures.
Employers must ensure biometric data is only used for defined purposes like access control or timekeeping, and cannot use it for tracking without separate, voluntary consent. The law marks a significant move toward stronger biometric protections and is enforced by the Colorado Attorney General.
3. Virginia Requires Opt-in Consent for Reproductive and Sexual Health Data
July 1, 2025 Virginia, United States
As of July 1, 2025, Virginia’s new law (SB 754) prohibits businesses from collecting, disclosing, or selling reproductive or sexual health information without a consumer’s explicit, opt-in consent. The law broadly defines such data and applies to a wide range of entities, even those outside the scope of Virginia’s main privacy law (VCDPA).
Modeled after Washington’s My Health My Data Act, SB 754 includes a private right of action and strict consent requirements. Businesses must now ensure clear disclosures and strong safeguards when handling sensitive health information linked to Virginia consumers.
4. Tennessee Information Protection Act Now in Effect
July 1, 2025 Tennessee, United States
On July 1, 2025, the Tennessee Information Protection Act (TIPA) came into force, introducing comprehensive consumer privacy rights and business obligations. The law applies to businesses targeting Tennessee residents and meeting certain data thresholds, even those outside the state.
TIPA grants consumers rights to access, correct, delete, and port their data, and to opt out of targeted ads, data sales, and profiling. It requires clear privacy notices, consent for sensitive data (including children's data), and documented data protection assessments. A unique feature of TIPA is its affirmative defense: businesses that implement and maintain a NIST-aligned privacy program may avoid penalties for certain violations. Enforcement rests with the Attorney General, with fines of up to $7,500 per violation and treble damages for intentional breaches.
Businesses subject to TIPA must align their practices with its requirements to avoid penalties.
5. Minnesota Consumer Data Privacy Act Takes Effect
July 31, 2025 Minnesota, United States
The Minnesota Consumer Data Privacy Act (MCDPA) came into effect on July 31, 2025. The law introduces comprehensive privacy obligations with several unique requirements. Controllers must maintain a personal data inventory, document compliance policies, and ensure data is not retained beyond its relevance or necessity.
The law also gives consumers the right to question profiling outcomes and requires controllers to retain records of all appeals and responses for at least 24 months. Businesses operating in Minnesota should prepare now to meet these distinct compliance obligations.
Organizations handling Minnesota residents' data should review and update their practices accordingly.
6. UK's ICO Releases Guidance on Use of Automated Profiling Tools
July 30, 2025 United Kingdom
The UK's Information Commissioner's Office (ICO) issued guidance for organizations that use automated profiling tools for safety and trust purposes, that is, tools that analyze individual preferences, predict behaviors, and make decisions about users.
The guidance emphasizes UK GDPR and Data Protection Act 2018 compliance and reiterates that organizations must also practice data minimization and obtain a lawful basis for data sharing. It also highlights the limits under Article 22 of the UK GDPR, which prohibits decisions based solely on automated processing that significantly affect individuals, unless explicit exceptions apply.
Organizations are advised to ensure transparency, accountability, and human oversight in any profiling activity.
7. UK Enforces New Child Safety Rules for Online Platforms Under Online Safety Act
July 25, 2025 United Kingdom
As of July 25, 2025, user-to-user and search services with ties to the UK, such as a significant UK user base, targeted UK marketing, or accessibility that poses material risks to children, are required to implement stringent child safety measures under the Online Safety Act. These obligations aim to protect minors from harmful content, including material related to suicide, self-harm, eating disorders, and pornography.
Platforms must deploy effective age assurance methods, ensure content-recommending algorithms filter out harmful material, maintain rapid takedown procedures, and offer easy reporting mechanisms for children. Non-compliance may result in fines of up to £18 million or 10% of global revenue, and in severe cases, criminal liability for executives.
This marks a major step in the UK’s push to hold digital services accountable for user well-being, underscoring the urgent need for platforms to implement robust child protection frameworks.
8. McDonald’s Polska Fined €3.8 Million Over Employee Data Breach
July 21, 2025 Poland
On July 21, 2025, Poland’s Data Protection Authority (UODO) fined McDonald’s Polska €3.8 million and its processor, 24/7 Communication, €40,000 for a major data breach exposing sensitive employee data, including PESEL, passport, and national ID numbers. The breach involved a “shift scheduling module” managed solely by the processor, without McDonald’s oversight.
UODO found that McDonald’s failed to assess the processor’s security capabilities, did not conduct proper risk analysis, and allowed unauthorized subprocessing. Former employees were notified only via press releases, deemed inadequate. Despite using a processor, McDonald’s was held responsible as the data controller due to its ownership of the system.
The case highlights the critical need for controller oversight, proper processor agreements, and direct communication in the event of a breach under the GDPR.
9. European Commission Launches Public Consultation On Digital Fairness Act
July 17, 2025
On July 17, 2025, the European Commission launched a public consultation on the upcoming Digital Fairness Act (DFA), which aims to strengthen consumer protections online by targeting dark patterns, unfair pricing, and problematic personalization. The consultation, open until October 9, 2025, invites feedback from consumers, regulators, and businesses across the EU.
However, one day earlier, on July 16, IAB Europe and its advertising industry allies called for the Commission to reconsider the proposal. They argued that the DFA overlaps with existing laws such as the GDPR, ePrivacy Directive, DSA, AI Act, and UCPD and would create regulatory confusion and compliance burdens. The coalition urged the Commission to focus on enforcing current laws and limit new rules to unregulated areas.
A formal legislative proposal for the DFA is expected in Q3 2026, where concerns about regulatory overlap will be weighed against the Commission’s goal of closing consumer protection gaps in the digital space.
10. European Patent Office Becomes First International Organization To Get Adequacy Decision
July 16, 2025
On July 16, 2025, the European Commission adopted an adequacy decision for the European Patent Office (EPO), enabling seamless data flows between the EPO and entities within the EU. This marks the first time an international organization has received such recognition, signaling a major milestone in cross-border data governance.
The decision, subject to review every four years, enhances legal certainty and trust in data exchanges, while streamlining intellectual property processes. It also sets a precedent for future adequacy decisions involving other international organizations.
11. CNIL and AFCDP Release Joint Guidance and Toolkit for Children’s Online Data Protection
July 7, 2025 France
On July 7, 2025, France’s data protection authority CNIL, in partnership with the Association of Data Protection Officers (AFCDP), released joint guidance and a practical toolkit aimed at helping Data Protection Officers (DPOs) educate employees, particularly parents, on protecting children’s online data. The initiative focuses on children aged 8-10, recognizing this age as a common entry point into the digital world.
The guidance outlines key risks such as data collection, identity theft, cyberbullying, and exposure to inappropriate content, while the toolkit supports the delivery of 1.5-hour digital parenting workshops. These resources are freely available and customizable, providing DPOs with actionable tools and CNIL materials to raise awareness and promote safer digital habits for children.
12. CNIL Updates Guidelines on Audience Measurement Tools Without Consent
July 4, 2025 France
On July 4, 2025, France’s CNIL published new guidelines allowing websites and apps to use audience measurement tools without user consent, provided strict conditions are met. These tools may only be used for specific purposes such as measuring website performance, detecting navigation issues, or optimizing technical functionality, and must operate solely on behalf of the site publisher.
To qualify, the tools must rely exclusively on first-party cookies, avoid cross-site tracking, and collect only minimal, anonymized data. Sharing or matching data with third parties in a non-anonymized form is strictly prohibited. Additionally, tracker lifespans are limited to 13 months, with data retention capped at 25 months. The update aims to streamline essential website analytics while upholding strong data protection and privacy standards.
13. EDPB Adopts New Initiative to Ease GDPR Compliance
July 3, 2025
On July 3, 2025, the European Data Protection Board (EDPB) adopted the “Helsinki Statement on enhanced clarity, support and engagement,” a major initiative aimed at easing GDPR compliance, particularly for micro, small, and medium-sized organizations. The statement promotes a fundamental rights-based approach to innovation and competitiveness.
Key measures include the release of ready-to-use GDPR templates, unified breach notification forms, and practical resources such as checklists and FAQs. The EDPB also plans to publish case law-style guidance and national DPA decisions to clarify expectations, conduct coordinated enforcement to align interpretations, and enhance stakeholder dialogue to anticipate compliance challenges. This initiative marks a significant step toward making GDPR compliance more accessible and consistent across the EU.
14. DeepSeek’s Apps to be Removed From Apple & Google’s App Stores After Being Found in Violation of GDPR
July 1, 2025 Germany
On July 1, 2025, Berlin’s data protection authority found Chinese AI company DeepSeek in breach of the GDPR for unlawfully transferring German user data to China without adequate safeguards. As a result, both Apple and Google were instructed to remove DeepSeek’s apps from their German app stores.
The enforcement action followed DeepSeek’s failure to comply with a May deadline to demonstrate that data processed in China received protection equivalent to EU standards. The case also triggered escalation under the Digital Services Act (DSA), marking a precedent-setting move against non-compliant international AI providers.
This incident highlights the critical importance for global digital service providers to align data handling practices with EU regulations or risk severe legal and commercial consequences.
15. UK’s ICO Finds Eight Men in Violation of DPA for Unlawful Data Access
July 1, 2025 United Kingdom
On July 1, 2025, the UK Information Commissioner’s Office (ICO) announced that eight men were found guilty of unlawfully accessing personal data from vehicle repair garages to generate leads for personal injury claims, in violation of the Data Protection Act. The investigation, which began in 2016, was triggered by complaints from a garage owner after customers received nuisance calls following repairs.
The ICO uncovered a conspiracy spanning from 2014 to 2017, during which approximately one million personal records were accessed without consent. The data was used to target accident victims with marketing calls. Raids in Manchester and Macclesfield revealed extensive digital evidence, including millions of documents and files. The case highlights the severe consequences of unauthorized data access and reinforces the ICO’s commitment to protecting personal information.
16. China Issues New Directive Requiring Registration of Personal Information Protection Officers
July 18, 2025 China
On July 18, 2025, the Cyberspace Administration of China (CAC) issued a directive mandating the appointment and registration of personal information protection officers. This requirement is grounded in Article 52 of the Personal Information Protection Law and Article 12 of the Compliance Audit Management Measures, which oblige organizations handling data of over one million individuals to designate responsible personnel.
Organizations have 30 days to comply with this requirement; those that already do must submit the necessary details of such personnel by August 29, 2025. Failure to comply may lead to legal consequences under the applicable regulatory framework, signaling China’s continued emphasis on accountability and transparency in personal data governance.
17. DIFC Strengthens Data Subject Rights with Amendments to Data Protection Law
July 16, 2025 UAE
The Dubai International Financial Centre (DIFC) has enacted amendments to its Data Protection Law under Law No. 1 of 2005, introducing a Private Right of Action through the DIFC Courts. This marks a shift towards greater individual empowerment, aligning DIFC’s framework with global data protection regimes that emphasize enforceable rights for data subjects.
Other changes include clarifications on the law’s extra-territorial scope and revised criteria for assessing the adequacy of third countries for data transfers. These updates reflect DIFC’s intent to ensure international compatibility, particularly as a cross-border financial hub.
Additional clarificatory amendments were also made to the Law of Security, Insolvency Law, and Employment Law, reinforcing DIFC’s commitment to legal clarity and global best practices.
18. Hong Kong and Macao Sign MoU to Strengthen Personal Data Protection Cooperation
July 15, 2025 Hong Kong
Hong Kong and Macao have signed a Memorandum of Understanding that boosts collaboration on personal data protection and covers law enforcement, training, education, and secure cross-border data flows.
This move signals a strategic alignment in privacy governance within the region, positioning Hong Kong and Macao as key data connectors in China's broader digital economy ambitions. Both authorities emphasized that the partnership will help address emerging privacy challenges and support high-quality regional development.
19. South Korea’s PIPC Publishes Integrated Guide to Personal Information Processing Related to Obligations Under PIPA
July 14, 2025 South Korea
South Korea’s Personal Information Protection Commission released a new Integrated Guide on Personal Information Processing, replacing its 2020 version to reflect key amendments to the Personal Information Protection Act (PIPA). The guide introduces a shift toward accountability-based processing, with less reliance on consent and greater emphasis on notification, data minimization, and contextual reuse.
It clarifies distinctions between data consignment and third-party sharing, tightens retention and destruction rules, and strengthens obligations for outsourcing and cloud services. Thus, the guide marks a growing regulatory push for risk-based governance and enhanced organizational responsibility.
20. Australian Cyber Security Centre (ACSC) Issues New Cybersecurity Guides to Help Small Businesses Tackle Rising Threats
July 9, 2025 Australia
In response to growing cyber risks targeting small businesses, the Australian Cyber Security Centre (ACSC) has launched practical security guides for Apple, Google, and Microsoft users. These resources reflect a shift from reactive to proactive security, encouraging businesses to adopt basic but effective safeguards.
With small businesses increasingly targeted due to weaker defences, steps like enabling multi-factor authentication, using antivirus software, and keeping devices updated are no longer optional; they are essential. The guides aim to close this gap by offering easy, actionable advice for immediate implementation.
21. Ezynetic Faces Fine After Weak Data Security Leads to Data Breach
July 3, 2025 Singapore
Singapore’s Personal Data Protection Commission has fined Ezynetic Pte. Ltd. SGD 17,500 for its violation of Article 24 of the PDPA after a data breach that involved the exfiltration of personal data belonging to more than 190,000 individuals associated with the Moneylenders Credit Bureau (MLCB) platform. Ezynetic’s weak data security was identified as the primary factor that enabled unauthorized access to a system administrator account.
This enforcement action highlights regulators’ growing intolerance for lax security practices, especially in sectors handling sensitive information and reinforces that safeguards are not optional but core compliance requirements.
22. China’s CAC Issues Encryption Provisions for Critical Information Infrastructure Operators
July 1, 2025 China
Effective August 1, 2025, China’s Cyberspace Administration (CAC) will enforce new regulations requiring critical information infrastructure (CII) operators to use certified commercial cryptography to secure key data and systems. Under the provisions, CII operators are required to appoint qualified personnel, conduct annual security assessments, and adhere to oversight by national and local authorities.
Failure to comply may result in significant penalties, including fines, official warnings, or suspension of operations. These measures reflect China’s ongoing efforts to fortify its cybersecurity posture and protect essential digital infrastructure from evolving threats.
23. Vietnam Passes Personal Data Protection Law, Effective January 2026
July 1, 2025 Vietnam
On July 1, 2025, Vietnam officially enacted its Personal Data Protection Law (PDPL), set to take effect on January 1, 2026. The law establishes a comprehensive framework governing the processing of personal data by both domestic and foreign entities. It grants individuals core rights such as the ability to provide or withdraw consent, request data correction, and demand deletion.
In addition to strengthening individual rights, the law prohibits unlawful data practices and authorizes regulators to oversee and, when necessary, suspend cross-border data transfers. The PDPL marks a significant milestone in Vietnam’s data governance landscape, aligning the country with global privacy standards and reinforcing individual data autonomy.
24. Vietnam Enforces New Data Law and Implementation Decree
July 1, 2025 Vietnam
Effective July 1, 2025, Vietnam has brought into force its new Data Law along with Decree 165/2025/NĐ‑CP, establishing a comprehensive framework for managing, protecting, and using digital data across both public and private sectors. The Data Law recognizes digital data as a national resource and introduces foundational rules for national data centers, cross-border data governance, and digital infrastructure.
Decree 165 operationalizes key aspects of the law by introducing a risk-based approach to classifying and protecting core and important data. It mandates technical and organizational safeguards such as access controls, backup systems, and staff training, particularly for public agencies, while encouraging private sector alignment. This coordinated legal rollout signals Vietnam’s commitment to structured, security-centric data governance. However, enforcement capacity and operational readiness will be critical to realizing the law’s full impact on the country’s digital transformation and AI ambitions.
25. Saudi Arabia Issues National Cybersecurity Risk Framework
July 23, 2025 Saudi Arabia
On July 23, 2025, Saudi Arabia’s National Cybersecurity Authority (NCA) issued the National Cybersecurity Risk Management Framework, establishing a unified approach to cybersecurity risk management across both public and private sectors. The framework requires organizations to implement a structured process for identifying, assessing, engaging with, and continuously monitoring cybersecurity risks. It also mandates the appointment of a liaison officer and the reporting of significant threats directly to the NCA.
It reflects a maturing regulatory landscape in Saudi Arabia, emphasizing proactive cyber governance over reactive compliance. By embedding accountability through liaison roles and mandating early reporting, the NCA aims to centralize situational awareness and elevate national resilience. The phased approach encourages organizations to shift from ad hoc security measures to integrated risk management. For businesses, this signals the importance of aligning internal cybersecurity practices with national oversight mechanisms, not just for compliance, but as a strategic priority in an increasingly digitized economy.
WHAT'S NEXT: Key Privacy Developments to Watch For
California’s Privacy Push Continues with Stronger Opt-out Tools: AB 566, which would require mobile operating systems to support opt-out preference signals, has advanced through the Legislature.
ICO Reviews Adtech and Consent Rules: In the UK, the ICO is reviewing rules for online advertising and cookie-like technologies under PECR and the new Data (Use and Access) Act, potentially easing consent requirements for low-risk uses while tightening oversight on profiling.
EU Digital Markets Act (DMA) Under Review: The EU is reviewing the Digital Markets Act, with public feedback open until September 24, 2025, focusing on platform interoperability and SME impacts.
South Korea Draft PIPA Enforcement Decree Amendments: South Korea is accepting comments until August 4 on proposed amendments to its PIPA enforcement decree, including expanded data transfer rights and improved safeguards.
China’s New Cybersecurity and Government Data Rules Incoming: Three major CAC regulations take effect on August 1, 2025:
Encryption Rules: Critical infrastructure operators must use certified cryptographic products and conduct encryption security assessments.
Penalty Guidelines: New benchmarks define how penalties will be applied in enforcement actions, including mitigating and aggravating factors.
Government Data Sharing: The State Council's regulation mandates standards for inter-agency data exchange and imposes strict rules on personal data protection and unauthorized disclosures.