2026 Will Demand Evidence: November’s Signals for What’s Coming
November marked a decisive shift in global privacy governance, where regulators across regions converged on the same expectation: privacy compliance must now be operational, provable, and continuously monitored. Enforcement trends, from biometric restrictions in the EU to algorithmic transparency rules in the U.S. and modernization of frameworks across Asia, signal a world where data protection is no longer reactive but deeply embedded into digital infrastructure. Regulators are moving beyond surface-level disclosures and demanding demonstrable controls: deletion that actually deletes, algorithms that can be explained, biometric systems justified by necessity, and children’s data safeguarded by design.
The unifying insight is clear: organizations can no longer rely on policy documents and high-level frameworks. 2026 will reward those that build real technical accountability (strong deletion pipelines, mature vendor oversight, auditable AI systems, and risk-based governance) and expose those that cannot back their claims with evidence.
North & South America Jurisdiction
1. FCC Reaches $1.5 Million Settlement With Comcast Over Cable Communications Policy Act Violations
November 24, 2025 United States
The FCC’s Enforcement Bureau settled a $1.5 million fine with Comcast Cable Communications for violating the Cable Communications Policy Act of 1984. The fine follows an investigation into a data breach at Financial Business and Consumer Solutions, a Comcast vendor, which exposed the PII of 235,702 current and former Comcast customers. Comcast was found to have failed in ensuring proper PII deletion and protection.
As part of the settlement, Comcast will pay $1.5 million and implement a comprehensive compliance plan focusing on enhanced vendor oversight, updated training, and robust breach response. The case highlights the FCC’s growing willingness to enforce data governance requirements, particularly around data lifecycle management and third-party risk, and reinforces that companies remain accountable for privacy obligations even when data handling is delegated to vendors.
2. Jam City Agrees to $1.4 Million Settlement After CCPA Violations
November 21, 2025 California, United States
California AG Rob Bonta has announced a $1.4 million settlement with Jam City for violations of the CCPA and Unfair Competition Law. The investigation found that Jam City failed to provide CCPA-compliant methods for consumers to opt out of the "sale" or "sharing" of their personal information in any of its 21 mobile applications, despite generating revenue through data-driven advertising. Additionally, the company sold or shared the personal information of users between the ages of 13 and 16 without obtaining the required affirmative "opt-in" consent, violating enhanced protections for minors' data under the CCPA.
Under the settlement, Jam City must now implement in-app methods for consumers to opt out and must not sell or share minors’ data without explicit consent. The settlement reinforces California’s effort to protect consumers’ privacy.
3. Canadian Privacy Authorities Issue Joint Resolution Affirming Rights to Education & Privacy
November 20, 2025 Canada
Federal, provincial, and territorial privacy regulators across Canada have issued a joint resolution titled “Protecting the privacy of children and youth in the classroom through responsible use of educational technologies.” The authorities emphasize that the rights to education and privacy are fundamental and warn that EdTech tools introduce significant risks, including data breaches, profiling, and manipulative or deceptive design. The resolution urges governments to take responsibility for safeguarding student data when approving EdTech solutions, requires educational institutions to embed privacy-by-design into procurement and to engage transparently with parents and students, and calls on vendors to design privacy-protective tools while avoiding secondary uses of children’s data.
Overall, the resolution signals a coordinated regulatory push to strengthen privacy protections within the rapidly expanding EdTech ecosystem.
4. CalPrivacy Publishes Infographic Highlighting Critical Changes to CCPA
November 20, 2025 California, United States
CalPrivacy has published an infographic highlighting seven critical changes to the CCPA that will take place on January 1, 2026. These updates expand business obligations and strengthen consumer rights. Key requirements include conducting risk assessments prior to engaging in "high-risk" processing activities, providing visible confirmation that opt-out requests have been honored, providing consumers a clear way to request access to all their personal information collected since January 1, 2022, classifying data for minors under 16 as sensitive personal information, preventing inaccurate data from third parties from overriding corrected consumer data, and providing consumers the right to submit a written statement contesting the accuracy of health information, which the business must make available to any third party to whom the contested data was disclosed.
The infographic also highlights the phased rollout of upcoming obligations such as mandatory cybersecurity audits and Automated Decision-Making Technology rules, which signal a tightening compliance environment for California businesses heading into 2026 and beyond.
5. Privacy Commissioner of Canada Reaffirms Commitment to Children's Privacy Rights
November 20, 2025 Canada
The Privacy Commissioner of Canada has issued a statement underscoring the OPC’s renewed commitment to protecting the privacy rights of children and youth. The announcement highlights several ongoing initiatives, including the development of a dedicated children’s privacy code aimed at strengthening safeguards around minors’ personal information in an increasingly digital environment. The OPC also emphasized its Contributions Program, which continues to study youth privacy risks associated with emerging technologies such as AI, mobile gaming, and virtual reality. Additionally, the Commissioner referenced the joint investigation into TikTok, which led to the platform implementing stronger protections for minors, including enhanced age-based measures and restrictions on targeted advertising for users under 18.
Overall, the statement reinforces the OPC’s position that safeguarding children’s privacy remains a top regulatory priority in Canada.
6. CalPrivacy Announces Formation of Data Broker Enforcement Strike Force
November 19, 2025 California, United States
CalPrivacy has announced the formation of a Data Broker Enforcement Strike Force within its Enforcement Division to intensify investigations into privacy violations by the data broker industry. The Strike Force is designed to ensure data brokers comply with both the Delete Act, specifically the requirement to register and pay annual fees, and the California Consumer Privacy Act (CCPA). The registration fees collected will also fund the development of the Delete Request and Opt-Out Platform (DROP), a mechanism launching in January 2026 that will allow consumers to direct all registered data brokers to delete their personal information with a single request.
The formation of the enforcement strike force indicates California's intent to take action against data brokers’ violations. Organizations falling under the ambit of these laws must therefore ensure their practices are aligned with them.
7. White House Issues Executive Order Enhancing Children's Digital Safety
November 13, 2025 United States
The White House has issued an Executive Order, titled "Fostering the Future for American Children and Families", which sets a policy commitment to empower parents and support children in need with a focus on enhancing their digital safety.
The order mandates that federal agencies take action to modernize child welfare to improve the collection, transparency, and utility of state-level child-welfare data, establish a "Fostering the Future" initiative to create new educational and employment opportunities for individuals in or transitioning out of the foster care system, and take action to address state and local policies that inappropriately prohibit qualified individuals or organizations from participating in federally-funded child-welfare programs based on their sincerely-held religious beliefs.
The executive order indicates the intent of California’s legislature in enhancing children’s safety in increasingly technology-driven environments.
8. CalPrivacy Announces Approval of Regulations Implementing the Delete Act
November 13, 2025 California, United States
The California Privacy Protection Agency has announced that the Office of Administrative Law has approved new regulations implementing the Delete Act, with requirements taking effect on January 1, 2026. The rules outline how Californians will be able to submit deletion requests through CalPrivacy’s new Delete Request and Opt-out Platform (DROP), a state-hosted one-click tool that allows consumers to request deletion of their personal information held by hundreds of data brokers. Starting August 1, 2026, data brokers must regularly access the DROP, process all matching deletion requests, including those for inferred data, and report their compliance within 45 days. They must also maintain ongoing records to ensure data remains deleted.
The approval marks a major milestone in California’s effort to give consumers simplified, centralized control over their data across the broader data broker ecosystem.
CISA 2015 has been temporarily reauthorized until January 30, 2026, as part of legislation passed on November 12 to reopen the federal government. The statute had previously lapsed at the end of September 2025, removing key liability protections and statutory safeguards that companies rely on when sharing cyber threat information with government agencies, ISACs/ISAOs, and other private-sector partners. Although information sharing continued during the lapse, organizations faced increased legal uncertainty, including potential FOIA exposure and heightened regulatory or litigation risks. The temporary extension provides Congress roughly two months to negotiate a long-term reauthorization, with some lawmakers proposing a 10-year extension that may incorporate updates to address emerging AI-driven threat-intelligence practices.
For now, companies can again rely on CISA 2015’s protections, but legal teams should remain vigilant, given the possibility of another lapse if Congress fails to enact a permanent renewal.
10. ANPD Concludes Review of WhatsApp–Meta Data Sharing Practices
November 12, 2025 Brazil
Brazil's National Data Protection Authority (ANPD) concluded its formal assessment regarding the sharing of personal data between WhatsApp and its parent company, Meta, following changes to WhatsApp's Privacy Policy in 2021. The ANPD's investigation identified that the data sharing occurs under two frameworks: Meta acts as a data operator for activities related to WhatsApp's messaging service, and as a data controller for activities connecting WhatsApp to other Meta services (like business tools).
While the ANPD found that the most voluminous data processing occurs where Meta acts as an operator, it identified high risks due to the sheer volume of data, the shared economic group structure, and Meta's inherent business interest in using the data. Consequently, the ANPD obliged WhatsApp to conduct a mandatory external audit within 45 business days to verify that Meta is strictly limited to acting as a data operator in that capacity and is not using shared data for its own purposes (such as targeted advertising), and to develop a compliance plan aimed primarily at enhancing transparency for data subjects, clearly explaining to users when Meta acts as a data operator versus a data controller.
The decision did not result in direct sanctions but reinforced the transparency and accountability obligations under Brazil's General Data Protection Law (LGPD).
11. New York’s Algorithmic Pricing Act Takes Effect
November 10, 2025 New York, United States
The New York Algorithmic Pricing Disclosure Act took effect on November 10, 2025. Under the regulation, businesses that use dynamic pricing based on consumer data must disclose this with a header stating, “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.” Failure to comply will lead to civil penalties of up to $1,000 per violation.
The law marks one of the first U.S. efforts to bring transparency to algorithmic pricing models, signaling heightened scrutiny of data-driven personalization practices and placing immediate compliance obligations on organizations that rely on automated pricing tools.
12. Ecuador’s New Resolution Bans Use of Legitimate Interest as a Means to Collect Sensitive Data
November 7, 2025 Ecuador
Ecuador’s Superintendent of Personal Data Protection issued Resolution No. SPDP-SPD-2025-0041-R, establishing a detailed framework for private sector organizations processing personal data and mandating documentation of “balancing tests” to ensure the organizational interests do not override an individual’s fundamental rights. The Resolution prohibits the use of legitimate interest as a reason to collect sensitive data, children’s data, or audio recordings in video surveillance.
The Resolution highlights Ecuador’s increasing regulatory focus on protecting sensitive information and signals that organizations must revisit their legal bases, documentation practices, and data governance controls to align with the strengthened requirements.
13. New York, California, & Connecticut Attorneys General Secure $5.1 Million Settlement With Illuminate Education Over Student Data Breach
November 6, 2025 New York, California, Connecticut, United States
New York, California, and Connecticut Attorneys General have reached a $5.1 million settlement with Illuminate Education after an investigation concluded that the company failed to implement basic security measures, leading to a 2022 breach that exposed the personal information of millions of students, including 1.7 million in New York. Regulators found that Illuminate left sensitive student data unencrypted, failed to monitor for suspicious activity, retained outdated accounts and unnecessary permissions, and did not delete student records after contracts ended. Under the settlement, Illuminate must adopt strengthened cybersecurity measures, including comprehensive information security controls, access restrictions, encryption, network monitoring, and vulnerability management.
The action, Connecticut’s first under its Student Data Privacy Law, signals heightened enforcement against EdTech providers and underscores that companies handling children’s data face strict obligations to safeguard student information nationwide.
14. California Privacy Protection Agency Rebrands as “CalPrivacy”
November 5, 2025 California, United States
The California Privacy Protection Agency has adopted a new public-facing name, CalPrivacy, as part of its effort to make the agency more accessible and consumer-friendly. While its formal legal name remains unchanged, the shift away from “CPPA” reflects a focus on clearer public guidance and broader consumer engagement. Alongside the rebrand, CalPrivacy released eight simple privacy tips to help Californians better understand and safeguard their personal data, including guidance on opting out of tracking, limiting data collection, securing accounts, and submitting privacy requests.
15. CalPrivacy Releases Details on DROP, California’s Centralized Deletion Platform
November 5, 2025 California, United States
CalPrivacy has published new details about the upcoming Delete Request & Opt-Out Platform (DROP), a state-run, centralized portal that will allow Californians to request deletion of their personal data from data brokers through a simple three-step process. Scheduled to launch in January 2026, DROP represents the first tool of its kind in the United States and is designed to streamline and enforce the CCPA/CPRA’s right to delete at scale. Data broker registration remains open through January, and brokers will be required to begin retrieving and processing deletion requests starting August 2026.
By creating a unified deletion mechanism, DROP aims to resolve long-standing logistical challenges in exercising deletion rights and marks a significant step forward in California’s data rights infrastructure.
16. New York Attorney General Issues Consumer Alert on Algorithmic Pricing
November 5, 2025 New York, United States
New York Attorney General Letitia James has issued a consumer alert warning residents about the use of algorithmic or “surveillance” pricing ahead of the state’s Algorithmic Pricing Disclosure Act taking effect on November 10, 2025. The alert explains that companies may use personal data such as location, income, or shopping history to set individualized prices and reminds businesses that they must clearly display the mandated notice: “THIS PRICE WAS SET BY AN ALGORITHM USING YOUR PERSONAL DATA.” Attorney General James urged consumers to report any instances where algorithmic pricing is used without proper disclosure.
The alert highlights growing scrutiny of personalized pricing practices, citing examples such as hotel rates varying by ZIP code and in-store price increases based on app activity. Businesses that fail to comply face penalties of up to $1,000 per violation, signaling active enforcement as the law comes into effect.
17. 2nd Amendment to NYDFS Cybersecurity Regulations Takes Effect
November 1, 2025 New York, United States
The last phase of the NYDFS Second Amendment to its Cybersecurity Regulation (23 NYCRR 500) came into effect on November 1, 2025, introducing expanded multi-factor authentication requirements and mandatory written asset inventory procedures for all covered entities. The rules now require MFA for any user accessing any information system, subject to only narrow small-business exemptions, reflecting NYDFS’s continued focus on MFA failures as a leading cause of breaches. Covered entities must also maintain a formal, regularly updated asset inventory that tracks ownership, classification, location, support timelines, and recovery objectives.
These updates complete the multi-year rollout of the Second Amendment and will factor into the April 2026 annual cybersecurity certification, signaling NYDFS’s ongoing emphasis on core security controls and enforcement in the financial sector.
18. AEPD Fines Aena €10.04 Million for Unlawful Biometric Processing Under the GDPR
November 25, 2025 Spain
Spain’s data protection authority (AEPD) has fined airport operator Aena €10.04 million for violating the GDPR by improperly processing biometric data in its facial recognition pilot program and failing to conduct a valid Data Protection Impact Assessment. The investigation found that Aena could not justify the necessity and proportionality of its centralized 1:N facial recognition system deployed at Madrid-Barajas, Barcelona-El Prat, and Menorca airports, nor demonstrate compliance with safeguards for such high-risk processing. The AEPD also determined that the company did not adequately assess or mitigate the heightened risks associated with biometric identification at scale.
Aena has announced it will contest the decision, marking one of the EU’s more significant enforcement actions involving biometric technologies and proportionality assessments under the GDPR.
19. Danish DPA Issues Guidance on Legal Basis for Suppliers to Disclose Employee Personal Data
November 24, 2025 Denmark
The Danish Data Protection Authority has issued a guidance opinion on when suppliers may disclose employee information, such as pay slips, time sheets, or employment contracts, to contracting authorities as proof of compliance with employment clauses. These clauses are widely used to ensure fair labor conditions and prevent social dumping, but suppliers often question their legal basis for sharing such personal data.
The DPA concluded that, in most cases, disclosure can rely on GDPR Article 6(1)(f)’s legitimate interest basis, as contracting authorities have strong, justified interests in verifying compliance with labor obligations. However, suppliers must still assess whether any special circumstances would override those interests in specific cases.
20. EU General Court Dismisses Amazon’s Challenge to DSA VLOP Designation
November 19, 2025
The EU’s General Court has rejected Amazon’s attempt to overturn the European Commission’s decision designating the Amazon Store as a Very Large Online Platform (VLOP) under the Digital Services Act. The Court confirmed that Amazon meets the DSA’s threshold of more than 45 million monthly active users in the EU and held that the resulting obligations, such as systemic risk assessments, algorithmic transparency, and independent audits, are a lawful and proportionate interference with the company’s freedom to conduct business.
The decision reinforces the Commission’s broad discretion in applying the VLOP criteria and signals continued judicial support for the DSA’s heightened regulatory framework for large online platforms.
21. European Commission Publishes Digital Omnibus Regulation Proposal
November 19, 2025
The European Commission has released its Digital Omnibus Regulation Proposal, aiming to streamline and harmonize the EU’s increasingly complex digital regulatory landscape.
The proposal introduces several significant updates, including clarifying the definition of personal data, creating an explicit legitimate interest basis for AI development, aligning breach notification thresholds, and extending the reporting window from 72 to 96 hours. It also seeks to reduce consent fatigue by allowing certain data storage without consent for security or non-intrusive analytics, while promoting browser-level privacy controls. Additionally, the proposal consolidates multiple EU data laws into a single framework, strengthens trade secret protections, and introduces cloud-switching exemptions for SMEs and SMCs. A standout feature is the creation of a unified cross-sector reporting interface that merges GDPR, ePrivacy, NIS2, and DORA reporting obligations.
If adopted, the regulation would significantly reshape data protection, cookie rules, and cybersecurity requirements across the EU.
22. European Supervisory Authorities Publish List of Designated CTPPs Under DORA
November 19, 2025
The European Supervisory Authorities have released the official list of Critical ICT Third-Party Providers (CTPPs) designated under the Digital Operational Resilience Act (DORA). This marks a major milestone in rolling out DORA’s oversight framework, as the listed providers deliver essential ICT infrastructure, business services, and data services to financial institutions across the EU, making them subject to heightened supervisory scrutiny.
The publication of the list sets the stage for the next phase of DORA implementation and highlights the EU’s intention to closely monitor systemic ICT risks within the financial sector.
23. Norwegian DPA Issues Guidance for Credit Reporting Agencies on Historical Data Processing
November 18, 2025 Norway
The Norwegian Data Protection Authority has issued new guidance for credit reporting agencies, clarifying how personal data may be processed within historical archives under the Credit Information Regulations.
The authority reiterated that credit information must be deleted or transferred to the historical archive four years after first registration, with certain exceptions, such as defaulted claims, which must be transferred upon payment even if earlier. Basic identifying data (e.g., name, address, personal ID number) may be retained for up to ten years but must still adhere to GDPR principles. The guidance also restricts how archived information may be used, permitting processing only for documenting potential compensation claims or for internal analysis and service development, explicitly prohibiting its use in current credit assessments.
24. Council of the EU Adopts Regulation Streamlining Cross-Border GDPR Complaints
November 17, 2025
The Council of the European Union has adopted a new regulation designed to streamline and accelerate the handling of cross-border data protection complaints under the GDPR. The regulation introduces standardized criteria across all member states for determining whether complaints are eligible for investigation, harmonizes rules governing the participation of complainants and the rights of investigated parties, and establishes deadlines of 15 months for most investigations, extendable by 12 months for complex cases and 12 months for simplified cooperation cases. It also creates a new simplified procedure allowing national DPAs to resolve straightforward cross-border matters without triggering the full cooperation and consistency mechanism.
The regulation will enter into force 20 days after its publication in the Official Journal of the EU and become applicable 15 months thereafter, marking a significant step toward greater efficiency and consistency in EU-wide GDPR enforcement.
25. BfDI Approves First Consent Manager Under Germany’s Consent Management Ordinance
November 4, 2025 Germany
Germany’s Federal Commissioner for Data Protection and Freedom of Information (BfDI) has approved the first consent manager under the country’s new Consent Management Ordinance, which took effect on April 1, 2025. The approval marks a significant step toward giving users more streamlined and user-friendly control over their data protection settings across digital services.
With this milestone, the BfDI expects consent managers to enhance transparency and simplify how individuals manage permissions, supporting more consistent and comprehensive data protection practices nationwide.
26. Latvian DPA Issues Guidance on Cookie Consent Opt-Out Practices
November 4, 2025 Latvia
Latvia’s Data State Inspectorate (DVI) has issued guidance clarifying how website operators must enable users to withdraw cookie consent in a simple and accessible manner. The DVI reiterated that non-essential cookies, such as marketing or statistical cookies, require valid, freely given, specific, and easily revocable consent. If consent can be given in two clicks, it must also be withdrawable in two clicks. The authority highlighted poor practices, such as directing users to browser settings or requiring manual cookie deletion, and emphasized good practices like providing a clearly visible on-site tool (e.g., a footer link or button) for adjusting cookie preferences at any time. The DVI also reminded organizations to ensure third-party cookie management tools comply with GDPR requirements, noting that commercial availability does not guarantee legal compliance.
27. Taiwan Modernizes Privacy Framework with New PDPC and Enhanced Data Protection Obligations
November 24, 2025 Taiwan
Taiwan’s Legislative Yuan has published a detailed comparison table outlining significant amendments to the Personal Data Protection Act (PDPA), marking a major step in the modernization of the nation’s privacy framework. The reforms formally establish the Personal Data Protection Commission (PDPC) as an independent supervisory authority and introduce strengthened requirements for breach notification, security governance, and cross-border data transfer management. The amended PDPA also expands the PDPC’s enforcement powers, granting authority to conduct inspections and impose penalties for non-compliance.
Collectively, these changes signal a markedly stricter regulatory environment and will require private-sector organizations to substantially elevate their data protection, risk management, and overall compliance practices.
28. Australia Proposes Bill to Criminalize Non-Consensual Deepfakes
November 24, 2025 Australia
Australia has introduced the Online Safety & Other Legislation Amendment (My Face, My Rights) Bill, aimed at criminalizing the non-consensual creation and sharing of realistic AI-generated deepfakes of a person’s face or voice. The proposal would amend the Privacy Act 1988 to establish a new cause of action for wrongful use or disclosure of deepfake material, while strengthening the Online Safety Act 2021 through a formal complaint pathway, a takedown-notice system, and civil penalties for individuals who distribute such content.
Although the Bill does not yet have federal government backing and may not pass in its current form, it signals a significant shift in Australian privacy and online safety policy toward treating deepfakes as a distinct harm and may lay the groundwork for future regulation in this rapidly evolving area.
29. India’s Ministry of Electronics & Information Technology Issues Digital Data Protection Rules of 2025
November 13, 2025 India
India’s Ministry of Electronics & Information Technology (MeitY) has released the Digital Data Protection Rules of 2025, providing detailed operational requirements under the Digital Personal Data Protection Act (DPDPA). The Rules set out obligations for data fiduciaries, consent managers, and government entities across key areas, including notice, verifiable consent, security safeguards, breach reporting, retention limits, and deletion procedures. They also empower the Data Protection Board to register consent managers, oversee compliance, and take enforcement action.
With staggered implementation dates and expanded security and reporting duties, the Rules establish a clearer regulatory framework and mark a significant step toward enhanced privacy governance and accountability across India’s data ecosystem.
30. China’s ISC and Korea’s KISA Renew MoU on Internet and Data Security Cooperation
November 13, 2025 South Korea
The Internet Society of China (ISC) and the Korea Internet & Security Agency (KISA) have renewed their Memorandum of Understanding on cooperation in internet and personal-information security, reaffirming a partnership first established in 2013. At a signing ceremony in Seoul, both organizations emphasized the expansion of their collaboration over the past 12 years from joint anti-spam initiatives to cooperation on emerging areas such as data protection, cross-border data flows, and AI ethics and governance.
The renewed MoU strengthens their long-standing exchange mechanisms, including policy coordination, technical cooperation, and shared risk-prevention efforts, and highlights both countries’ commitment to deeper bilateral cooperation in digital governance.
31. Bangladesh Enacts the Data Protection Ordinance
November 6, 2025 Bangladesh
Bangladesh has officially brought its new Data Protection Ordinance into force as of November 6, 2025, establishing a comprehensive legal framework governing the handling of personal data. The Ordinance sets clear obligations for data controllers and processors both within Bangladesh and abroad when processing the data of Bangladeshi individuals, and affirms privacy, confidentiality, and security as fundamental rights of data subjects. While most provisions take immediate effect, certain elements related to regulatory oversight and enforcement will roll out gradually.
The enactment marks a significant step toward modernizing Bangladesh’s privacy regime and will require organizations to reassess and strengthen their data governance and compliance practices accordingly.
32. Australia’s OAIC Releases Its Annual Report 2024-2025
November 5, 2025 Australia
The Office of the Australian Information Commissioner (OAIC) has released its annual report. In it, the Commissioner highlights their efforts to align emerging technologies with community expectations, support a privacy-protecting digital economy, promote open government, and strengthen personal information protections. The Commissioner received 3,295 privacy complaints (a 3% increase) and finalized 3,123, while also receiving 1,126 data breach notifications under the NDB Scheme (up 12%), with the health service sector leading in both complaints and breach notifications.
The report reflects the OAIC’s growing focus on technology governance, proactive regulation, and strengthening safeguards for Australians’ personal information.
33. Vietnam Promulgates the National Data Architecture Framework to Unify Data Architectures
November 4, 2025 Vietnam
Vietnam’s Deputy Prime Minister has signed Decision No. 2439/QD-TTg, which promulgates the National Data Architecture Framework to unify data architecture across ministries, government agencies, political organizations, and provincial authorities. The Framework establishes principles for data collection, synchronization, and sharing, and outlines components such as users, communication channels, and infrastructure, with periodic evaluation and updates. It also defines basic data layers, models data blocks for sectors such as public services, business management, and security, and mandates compliance with cybersecurity and personal data protection.
This development lays the foundation for standardized, secure, and interoperable data management across Vietnam’s public sector.
34. New Zealand’s Biometric Processing Privacy Code Takes Effect
November 3, 2025 New Zealand
New Zealand’s Biometric Processing Privacy Code took effect on November 3, 2025. It introduces specific privacy rules for new biometric processing activities, while excluding health agencies and personal consumer devices. Additionally, it establishes 13 key rules governing the collection, storage, access, correction, accuracy, retention, use, disclosure, and management of unique identifiers.
With these new obligations in effect, organizations using biometric technologies are expected to review their practices and ensure full alignment with the Code’s enhanced privacy and governance standards.
35. China’s CAC Issues National Cybersecurity Incident Reporting Management Measures
November 1, 2025 China
China’s Cyberspace Administration (CAC) has issued the National Cybersecurity Incident Reporting Management Measures, establishing unified obligations for all network operators to classify and report cybersecurity incidents in accordance with the national incident-classification guidelines. The Measures require operators to follow standardized reporting procedures and, after resolving any incident, to conduct a post-incident analysis and submit a summary report within 30 days.
The new rules further strengthen China’s cybersecurity governance regime and impose more structured expectations on organizations’ monitoring, response, and reporting practices.
WHAT'S NEXT: Key Privacy Developments to Watch For
Bill No. 5226/2025 to amend Brazil's General Personal Data Protection Law (LGPD), proposing bans on sensitive data sales and strict biometric data rules, is advancing and now sits with the CCJC for formal review.
Massachusetts House Bill 4746 proposes a new state privacy law, while a December 2 congressional hearing will examine a package of bills aimed at strengthening online protections for children.
A legislative hearing, Legislative Solutions to Protect Children and Teens Online, is scheduled by the U.S. House Committee on Energy and Commerce for December 2, 2025, to begin the process for advancing a package of around 20 bills regulating online platforms to protect minors from digital harms.
The European Data Protection Board (EDPB) is seeking feedback via public consultation, ending December 3, 2025, on developing standardized GDPR compliance templates, offering organizations a chance to influence upcoming harmonized documentation tools.
The UK Cyber Security and Resilience (NIS) Bill has completed its First Reading and awaits further parliamentary debate.
The Australian Communications and Media Authority (ACMA) has updated SMS ID Register rules set to take effect on December 15, 2025.
China’s National People’s Congress has approved amendments to the Cybersecurity Law, which will take effect on January 1, 2026, to address AI growth and associated risks.