Securiti’s Privacy Regulation Roundup summarizes the latest significant global privacy regulatory developments, announcements, and changes. These developments will be added to our website monthly. You can find a link to related resources at the bottom for each relevant regulatory activity.
Editorial Note
Privacy Regulation Ramps up Worldwide
June brought a surge of privacy activity worldwide. In the US, states advanced new laws while regulators clarified rules on data security and privacy practices. Europe stayed active with major fines for Spotify and Vodafone and fresh guidance on issues like diversity data and legitimate interest. New laws in Vietnam and Malaysia, along with guidance from Hong Kong and Singapore, are reshaping privacy landscapes in Asia.
Looking ahead, consultations and new rules on topics like children’s privacy, biometric data, and digital identity are unfolding across regions. As global standards tighten, businesses face growing pressure to keep pace with evolving laws and rising enforcement risks. Organizations everywhere must stay alert as global standards tighten and regulators keep privacy firmly in focus.
North & South America Jurisdiction
1. EPIC Releases New Report on Algorithmic & Privacy Risk Assessments
June 25, 2025 United States
The Electronic Privacy Information Center (EPIC) released its new report, titled "Assessing the Assessments: Maximizing the Effectiveness of Algorithmic & Privacy Risk Assessments". In it, EPIC responds to the California Privacy Protection Agency’s (CPPA) ongoing work to develop risk assessment rules under the CCPA. The report also highlights the privacy harms that can result from personal data being collected without meaningful oversight, especially in behavioral advertising, surveillance pricing, and automated decision-making in critical sectors such as employment, healthcare, housing, education, and law enforcement.
The report calls for a robust risk assessment framework to give consumers greater visibility and control over how their data is used.
2. Connecticut’s Senate Bill 1295 Signed Into Law, Amending the State’s Consumer Privacy Framework
June 25, 2025 Connecticut, United States
On June 25, 2025, Connecticut’s Senate Bill 1295 was signed into law, introducing significant amendments to the state’s consumer privacy framework.
The new law modifies applicability thresholds, exemptions, definitions, consumer rights, data minimization requirements, and provisions related to children’s privacy. Notably, the consumer threshold for applicability has been lowered from 100,000 to 35,000 consumers. Additionally, it removes the prior requirement that a controller must process data from at least 25,000 consumers and derive over 25% of gross revenue from selling personal data. As a result, the law now applies to any entity that offers consumers’ personal data for sale in trade or commerce.
These changes mark an important expansion of privacy protections in Connecticut and could have significant implications for businesses operating in the state. The amendments are set to take effect on July 1, 2026.
3. Amended COPPA Rules Take Effect, Expanding Children’s Privacy Protections
June 23, 2025 United States
On June 23, 2025, the amended rules under the Children’s Online Privacy Protection Act (COPPA) officially came into effect, strengthening protections for children’s personal data online.
The new rules require verifiable parental consent before sharing children’s data with third parties for targeted advertising. They also mandate that personal information be retained only as long as necessary for its original purpose. Additionally, COPPA Safe Harbor programs must now disclose their membership lists and report compliance details to the Federal Trade Commission (FTC).
Other changes expand the definition of personal information to include biometric data and government-issued identifiers. These updates signal a significant step forward in safeguarding children’s privacy in the digital age.
4. New York Children’s Data Protection Act Now in Effect
June 20, 2025 United States
The New York Children’s Data Protection Act took effect on June 20, 2025, strengthening privacy protections for children and young adults under 18. The law restricts digital services from collecting, selling, or disclosing personal data of individuals under 18 without consent. Covered entities must also obtain informed consent before collecting any personal information, with the consent revocable at any time through a simple, accessible process.
This new law marks a significant step in safeguarding young users’ privacy and adds important compliance responsibilities for digital service providers operating in New York.
5. FTC Releases FAQs Clarifying Safeguards Rule Per the GLBA
June 17, 2025 United States
On June 17, 2025, the Federal Trade Commission (FTC) released a new set of FAQs to help clarify the Safeguards Rule under the Gramm-Leach-Bliley Act (GLBA). This rule requires financial institutions to maintain a documented security plan to protect customer information. Following updates in 2023, certain data breaches must now be reported directly to the FTC.
The FAQs also clarify the difference between the Safeguards Rule and the GLBA’s Privacy Rule. While the Safeguards Rule focuses on protecting customer data through security measures, the Privacy Rule requires financial institutions to provide privacy notices explaining how customer information is collected, used, and shared, particularly when consumers apply for or receive financial services.
These FAQs aim to help financial institutions better understand and comply with their obligations under the GLBA.
6. Vermont’s Age Appropriate Online Design Code Act Signed into Law
June 12, 2025 Vermont, United States
On June 12, 2025, Vermont’s Governor signed the Age Appropriate Online Design Code Act (SB 69) into law. The legislation applies to businesses operating in Vermont that generate a majority of revenue from online sales, offer products or services likely to be accessed by minors, collect personal data directly or through processors, and determine the purposes and means of processing consumer personal data.
The law introduces a duty of care for covered entities, prohibiting the use of personal data in ways that could cause emotional distress or discrimination against consumers. It also includes enhanced privacy protections for minors’ online accounts.
The law is set to take effect on January 1, 2027, giving businesses time to prepare for compliance. Organizations operating in Vermont should monitor developments closely to ensure readiness.
7. Paraguay’s Data Protection Bill of 2021 Forwarded to Senate For Final Approval
June 5, 2025 Paraguay
On June 5, 2025, Paraguay’s Chamber of Deputies approved the long-pending Data Protection Bill of 2021, sending it to the Senate for final consideration and approval, before proceeding to the President’s signature.
The bill establishes core principles for personal data processing in line with international standards, requiring adherence to principles such as accuracy, lawfulness, purpose limitation, proportionality, loyalty, transparency, and due diligence. It prohibits the publication of sensitive data, mandates prior and informed consent with the right to withdraw, sets guidelines for minors’ consent, and requires the appointment of a Data Protection Officer. Additionally, it calls for Data Protection Impact Assessments for high-risk processing activities.
If enacted, this bill would significantly reshape Paraguay’s data privacy landscape. Organizations should closely monitor its progress to prepare for timely compliance.
8. Texas Governor Signs App Store Accountability Act Into Law
June 1, 2025 Texas, United States
On May 27, 2025, Texas Governor Greg Abbott signed SB 2420, known as the App Store Accountability Act, into law. The legislation defines app stores as publicly accessible websites, software applications, or other electronic services that distribute software applications from developers to users of mobile devices.
Under the new law, app store owners must use commercially reasonable methods to verify users’ ages and categorize them into groups: child (under 13), younger teenager (13-16), older teenager (16-18), and adult (18 and above). Additionally, the law requires that a minor’s account be affiliated with their parents’ account, with parental consent needed for each download or purchase made by the minor.
Businesses operating app stores in Texas must ensure compliance with these requirements to avoid potential penalties.
9. Nebraska Age Appropriate Online Design Code Act Signed Into Law
June 1, 2025 Nebraska, United States
On May 30, 2025, Nebraska Governor Jim Pillen signed LB 504, the Age Appropriate Online Design Code Act, into law. The legislation applies to online businesses operating in Nebraska that determine the purposes and means of personal data processing, have annual gross revenue exceeding $25 million, process personal data of at least 50,000 consumers, or derive at least 50% of their revenue from selling or sharing personal data.
The law also requires covered entities to provide parents with tools to protect and support minors when using online services. It is set to take effect on January 1, 2026.
Organizations falling within these thresholds should prioritize compliance to avoid potential penalties.
Europe Jurisdiction
10. EDPB Submits Comments on European Commission’s Draft Guidelines to Protect Minors Under DSA
June 25, 2025
On June 25, 2025, the European Data Protection Board (EDPB) submitted its comments on the European Commission’s draft guidelines for protecting minors online under the Digital Services Act (DSA).
The EDPB’s key recommendations for online platforms and regulatory authorities include promoting cooperation between competent authorities under both the DSA and GDPR, providing clearer guidance on platforms’ roles and responsibilities in safeguarding minors’ data, and addressing concerns about the reliability of self-declaration for age assurance compared to more precise age estimation or verification methods.
These comments reflect the EDPB’s push for stronger, coordinated regulatory measures and more effective, privacy-conscious age verification processes to protect minors online.
11. European Commission Extends UK’s GDPR Adequacy Decision
June 24, 2025
On June 24, 2025, the European Commission extended its GDPR adequacy decision for the United Kingdom until December 27, 2025. This extension ensures that data can continue to flow freely between the EU and the UK beyond the original expiration date of June 27, 2025.
The additional time allows the Commission to review the UK’s data protection framework, particularly in light of the recently enacted Data (Use and Access) Act. The decision signals a cautious approach as the Commission assesses whether the UK’s standards remain “essentially equivalent” to the GDPR, a crucial determination for the future of seamless UK-EU data transfers.
12. European Commission Launches Consultation on Data Retention for Criminal Proceedings
June 20, 2025
On June 20, 2025, the European Commission opened a public consultation on the impact assessment of requiring service providers to retain data for use in criminal proceedings. The consultation will remain open until September 12, 2025.
The initiative follows the Commission’s concerns that the lack of an EU-wide legal framework for mandatory metadata retention limits authorities’ ability to access critical information in a timely manner for fighting crime.
While aimed at strengthening law enforcement capabilities, the proposal is expected to spark significant debate over privacy and data protection implications across the EU.
13. UK’s Data Use And Access Bill Receives Royal Assent
June 19, 2025 United Kingdom
On June 19, 2025, the UK’s Data Use and Access Bill became law, aiming to boost the economy through responsible data use and improve public services.
Key changes include removing opt-in consent for certain cookies, introducing “Recognised legitimate interests” for broader data processing in areas like security and crime prevention, and updating rules for Data Subject Access Requests to require only “reasonable and proportionate” searches. The Act also relaxes rules on automated decisions, applying stricter safeguards only to significant cases involving sensitive data, and adjusts standards for international data transfers.
The Act signals a shift toward a more flexible, pro-innovation data protection regime, differentiating the UK from the GDPR in key areas.
14. European Commission Makes AliExpress’ DSA Commitments Legally Binding
June 18, 2025
On June 18, 2025, the European Commission made AliExpress’s commitments under the Digital Services Act (DSA) legally binding, following compliance concerns raised in 2024.
Key obligations include tougher monitoring to block illegal products, clearer ad labelling and targeting information, stronger seller verification, and improved user complaint systems. AliExpress must also provide researchers access to public data for studying systemic risks.
Breaching these commitments now constitutes a DSA violation, carrying the risk of significant fines tied to global turnover.
15. EU Reaches Provisional Deal to Streamline Cross-Border GDPR Cases
June 16, 2025
On June 16, 2025, the European Parliament and Council of the EU reached a provisional deal on new rules to strengthen cooperation among national data protection authorities (DPAs) for cross-border GDPR cases.
Key changes include unified criteria for assessing complaints across the EU, clearer rights for complainants and businesses, and set deadlines of 15 months for investigations, extendable for complex cases. A new early resolution mechanism will allow DPAs to close cases swiftly if corrective actions are taken and the complainant agrees.
Once formally adopted, these new EU rules will streamline and speed up cross-border GDPR enforcement, enhancing cooperation and clarity for DPAs, complainants, and organizations.
16. Norway’s Data Protection Authority Fined Kristiansand Municipality for Unlawful Use of Tracking Pixels
June 12, 2025 Norway
Norway’s Data Protection Authority (Datatilsynet) has fined Kristiansand Municipality NOK 250,000 (approx. $25,120) for GDPR violations on its Alarmophone website.
An investigation found the municipality used tracking pixels and cookies without user consent, failed to disclose cookie use in its privacy policy, and lacked a legal basis for processing children’s personal data, which was shared with third parties.
These breaches violated GDPR Articles 6, 12, and 13. The case highlights that public bodies must uphold the same data protection standards as private organizations, especially when handling sensitive data.
17. French Data Protection Authority Publishes Recommendations for Employers Collecting Diversity Data in Employee Surveys
June 10, 2025 France
France’s CNIL has published recommendations for employers conducting diversity surveys, emphasizing privacy safeguards. Employers should avoid collecting identifying details, ensure participation is voluntary, and use pseudonymization or anonymity where possible.
Direct collection of racial or ethnic data remains prohibited, but related information can be gathered through objective measures like place of birth. CNIL also advises using trusted survey providers and sharing only aggregated results.
These guidelines help employers collect diversity data lawfully under GDPR while protecting employee privacy.
18. EDPB Publishes Guidelines on Article 48 of GDPR Addressing Foreign Data Requests
June 5, 2025
On June 5, 2025, the European Data Protection Board (EDPB) issued guidelines clarifying how organizations should handle requests from third-country authorities for personal data transfers under GDPR Article 48. The guidance aims to help businesses navigate conflicts between GDPR obligations and foreign government data demands.
Key points include the non-recognition principle, meaning foreign decisions aren’t automatically enforceable in the EU without a legal framework; reliance on international agreements where they exist; and the need for case-by-case assessments if no agreement applies. The guidelines also outline legal bases for transfers, including legal obligations, consent, or specific exceptions under Articles 6(1)(c) through (f).
These guidelines equip organizations to handle foreign data requests while remaining GDPR-compliant.
19. Finland Fines Yliopiston Apteekki €1.1 Million for Mishandling Sensitive Pharmacy Data
June 4, 2025 Finland
On June 4, 2025, Finland’s Data Protection Ombudsman fined Yliopiston Apteekki €1.1 million after a University of Turku researcher uncovered privacy violations at Finnish online pharmacies. An investigation into practices between May 2018 and September 2022 found serious GDPR breaches.
The pharmacy had used cookies and tracking technologies that transmitted sensitive data, including prescription details, over-the-counter purchases, and customer IP addresses to Google and Meta.
The case highlights that pharmacy websites cannot deploy standard tracking tools without robust safeguards, as purchase data can reveal highly sensitive health information, making even basic cookies a significant privacy risk.
20. Swedish Court Upholds $6 Million Fine Against Spotify for GDPR Transparency Failures
June 3, 2025 Sweden
Sweden's Court of Appeal backed the data protection authority's decision to fine Spotify SEK 58 million ($6 million) for several GDPR violations. The streaming giant failed on three key transparency requirements: users couldn't easily understand how to exercise their data rights, Spotify didn't explain safeguards for international data transfers, and the company never disclosed how long it keeps user data or why.
This ruling emphasizes that GDPR transparency isn't just about having a privacy policy: users must also be able to actually understand and act on their rights, with clear explanations of data handling practices.
21. German DPA Fines Vodafone €45 Million for GDPR Violations
June 3, 2025 Germany
On June 3, 2025, Germany’s Data Protection Authority (BfDI) fined Vodafone €45 million for GDPR violations related to poor partner oversight and inadequate security measures. Vodafone failed to properly monitor partner agencies handling customer data, breaching GDPR Article 28(1). Additionally, its ‘MeinVodafone’ portal contained authentication flaws, violating Article 32(1). The fine was split, with €15 million for partner oversight failures and €30 million for security weaknesses.
Vodafone has since upgraded systems, cut ties with non-compliant partners, and improved audit processes. BfDI plans a follow-up audit to ensure compliance.
The case highlights that outsourcing data processing does not absolve companies of GDPR responsibilities; they remain accountable for partners’ actions and must maintain strong security and oversight practices.
22. Georgia’s PDPS Issues Guidelines on Processing Minors’ Data in Schools
June 3, 2025 Georgia
On June 3, 2025, Georgia’s Personal Data Protection Service (PDPS) released guidelines for handling minors’ data under the DPA 2023 and GDPR. The guidance targets schools, administrators, and parents, outlining legal obligations for collecting and processing student data.
Schools must establish a legal basis for data collection, seek explicit parental consent for sensitive information like health or disciplinary records, and ensure data is collected only as needed, kept secure, and retained for limited periods. Institutions are required to inform guardians about data use and sharing, and report any data breaches to the PDPS within 72 hours.
These guidelines aim to help educational institutions protect student privacy while maintaining efficient operations.
23. Estonian DPA Issues Guidance on Using Legitimate Interest for Data Processing
June 1, 2025 Estonia
Estonia’s Data Protection Inspectorate (DPA) has issued guidance on using legitimate interest for data processing. Unlike consent or contracts, legitimate interest is initiated by the controller for their own or third-party benefit and requires a documented balancing test to protect individuals’ rights.
The guidance highlights areas where legitimate interest may apply, such as property protection, fraud prevention, and legal compliance. However, it cannot be used by public authorities for core legal tasks, for sensitive data like health information, or in cases involving minors unless clearly in the child’s interest.
These insights help organizations apply legitimate interest responsibly under privacy laws.
24. Maltese IDPC Issues FAQs on Employee Data Processing
June 1, 2025 Malta
Malta’s Information and Data Protection Commissioner (IDPC) has published FAQs to help employers navigate GDPR compliance when processing employee data.
Key topics include limits on using biometric data due to workplace power imbalances, proper handling of police certificates and medical checks, strict conditions for employee monitoring, recommendations against automatic email forwarding for former employees, and guidance on data retention periods.
The FAQs urge employers to reassess traditional HR practices to align with GDPR standards.
Asia-Pacific Jurisdiction
25. Vietnam’s National Assembly Passes Law on Personal Data Protection
June 26, 2025 Vietnam
On June 26, 2025, Vietnam’s National Assembly passed the Law on Personal Data Protection, which will take effect on January 1, 2026. The new law establishes a comprehensive data governance framework, defines roles for state authorities, and sets obligations for data controllers and processors. It also bans unauthorized trading of personal data and imposes stricter rules on cross-border data transfers.
To support economic growth, the law allows small businesses and startups to defer some obligations for five years, with partial exemptions for micro-enterprises and household businesses.
26. India’s TRAI and RBI Launch Pilot for Better Digital Consent Management
June 16, 2025 India
On June 16, 2025, the Telecom Regulatory Authority of India (TRAI), in collaboration with the Reserve Bank of India (RBI), launched a pilot project to enhance digital consent management for commercial communications.
The initiative aims to reduce spam calls, particularly in the banking sector, by requiring businesses to secure explicit, verifiable consumer consent. It signals TRAI’s move toward a stronger consent-driven model to curb data misuse and close gaps in offline consent practices.
27. New Zealand Privacy Commissioner Releases Guidance on How Privacy Act Applies to Clubs & Societies
June 13, 2025 New Zealand
On June 13, 2025, New Zealand’s Privacy Commissioner released guidance on how the Privacy Act 2020 applies to clubs and societies. Any group collecting personal data must comply with principles like purpose limitation, data minimization, direct collection, and transparency.
Clubs must secure personal data, limit access to authorized members, and uphold individuals’ rights to access and correct their information. The guidance encourages clubs to review practices around member databases, email lists, and event registrations to avoid compliance risks.
28. Singaporean PDPC Releases Guide on Anonymization
June 11, 2025 Singapore
On June 11, 2025, Singapore’s PDPC launched its Guide to Getting Started with Anonymization during the 63rd APPA meeting. The guide outlines a five-step process for anonymizing personal data, covering removal of direct identifiers, use of context-specific techniques, risk assessment for re-identification, and alignment with ISO/IEC 27559 standards.
This guide aims to help organizations use data responsibly for innovation while protecting individual privacy.
29. Credit Base (HK) Limited Convicted for Unlawful Direct Marketing in Hong Kong
June 11, 2025 Hong Kong
Hong Kong’s PCPD announced the conviction of Credit Base (HK) Limited for using personal data in direct marketing without user consent. The company had sourced personal data from District Court filings in November 2023 and used it to promote debt collection services without notifying individuals or obtaining required consent, violating sections 35C(1) and 35F(1) of the PDPO.
Credit Base also failed to inform individuals of their right to opt out of direct marketing free of charge. The company was fined HKD 5,000 after pleading guilty. This conviction underscores that public records cannot be used to bypass direct marketing rules under the PDPO.
30. China Issues Regulations on Government Data Sharing
June 4, 2025 China
On June 4, 2025, China’s State Council issued new Regulations on Government Data Sharing, set to take effect on August 1, 2025. The rules govern data sharing among government agencies and approved entities, excluding state secrets.
A key provision prohibits agencies from duplicating data collection if shared data meets their needs, aiming to reduce redundancy and improve efficiency. These regulations mark a significant step in formalizing China’s public sector data governance while balancing security and privacy considerations.
31. Malaysia’s PDPA Amendment Act Fully in Force
June 1, 2025 Malaysia
As of June 1, 2025, Malaysia’s PDPA Amendment Act is fully in force. Organizations are now required to appoint a Data Protection Officer (DPO), notify authorities of data breaches, and strengthen their data protection measures.
Earlier amendments also introduced obligations for data processors, expanded definitions to cover biometric data, and increased penalties for non-compliance.
32. China’s Security Measures Restrict Use of Facial Recognition Technology
June 1, 2025 China
China’s Security Management Measures for Facial Recognition Technology took effect on June 1, 2025. The rules limit facial recognition mainly to research and public settings, requiring consent, security safeguards, and risk assessments.
These measures reflect China’s effort to balance innovation with privacy protection and introduce new compliance obligations for entities using facial recognition technology.
WHAT'S NEXT: Key Privacy Developments to Watch For
Minnesota’s Consumer Data Privacy Act will take effect on July 31, 2025, following Tennessee’s TIPA on July 1, 2025.
Consultations are underway on privacy guidance for IoT products in the UK (comments due by September 7, 2025), email tracking pixels in France (due July 24, 2025), and children’s online privacy in Australia (due July 31, 2025). Norway’s deadlines are approaching on July 1, 2025, for data center registration and feedback on a proposed 15-year social media age limit.
The EDPB and EDPS will issue a joint opinion within weeks on simplifying GDPR for small businesses, a key development to reduce compliance burdens.
South Korea’s consultation on PIPA amendments closes July 9, 2025, and New Zealand’s new standard for sharing government-held data takes effect on July 1, 2025. China’s new identity authentication rules will come into force on July 15, 2025.
Public comments are open until August 1, 2025, for New Jersey’s new privacy rules, and until July 30, 2025, for NIST’s updates on privacy, cybersecurity, and supply chain risks. NIST’s whitepaper on 5G security is open for feedback until July 17, 2025.
Brazil is consulting on biometric data rules until July 2, 2025, and considering updates to define “sensitive biometric data.”
Watch Canada’s Bill C-8, aiming to strengthen cybersecurity protections under the Telecommunications Act.