Accountability, Not Aspiration - Privacy’s Next Phase
Global privacy is entering its enforcement phase. Regulators are moving beyond principles and policies toward tangible proof of accountability. Compliance now means demonstrating control, not just declaring intent.
Across jurisdictions, the message is clear: transparency, proportionality, and timely reporting are no longer best practices; they are baseline expectations. Privacy programs that once focused on documentation must now deliver measurable outcomes.
As 2026 approaches, organizations should expect deeper scrutiny of consent flows, cross-border data models, and AI-driven decision systems. The next competitive edge will not come from faster compliance; it will come from credible governance, where privacy becomes the architecture of digital trust rather than its constraint.
North & South America Jurisdiction
1. California AG Secures $530,000 Settlement Against Sling TV
October 30, 2025 California, United States
California Attorney General Rob Bonta reached a $530,000 settlement with Sling TV after finding that the streaming service made it confusing for users to opt out of the sale of their personal data and failed to protect children’s privacy.
The investigation, part of a 2024 California DOJ sweep of streaming platforms, found that Sling TV mixed cookie settings with CCPA opt-outs, forced users through redundant forms, and offered no in-app option for users to exercise their rights.
Under the settlement, Sling TV must simplify its opt-out process, add in-app privacy controls, and introduce “kids’ profiles” that block data sales and targeted ads. The action, Bonta’s fifth CCPA enforcement, signals increasing scrutiny of digital services using dark patterns and reaffirms California’s stance that privacy controls must be clear, accessible, and functional across all consumer touchpoints.
2. EPIC Urges CFPB to Uphold Strong Consumer Data Privacy Standards
October 22, 2025 United States
The Electronic Privacy Information Center (EPIC), joined by several consumer and digital rights groups, has urged the Consumer Financial Protection Bureau (CFPB) to retain the strong privacy safeguards in its Personal Financial Data Rights (PFDR) rules finalized in 2024. EPIC emphasized that weakening these standards could increase fraud and national security risks, calling for verified data access requests, third-party liability, clear deletion timelines, and bans on access request fees.
This development highlights the growing tension between open banking innovation and consumer data protection in the U.S., signaling how future financial data frameworks may evolve toward stronger, GDPR-style accountability.
3. NYDFS Issues Guidance on Third-Party Cybersecurity Risk Management
October 21, 2025 New York, United States
The New York Department of Financial Services (NYDFS) has issued new guidance urging regulated entities to strengthen oversight of third-party service providers (TPSPs). As financial firms increasingly rely on cloud, AI, and fintech vendors, NYDFS warns that cybersecurity accountability cannot be outsourced.
The guidance reinforces existing obligations under the Cybersecurity Regulation (23 NYCRR Part 500), calling for stronger due diligence, contractual safeguards (such as encryption, MFA, and AI-use clauses), continuous monitoring, and structured offboarding. The move highlights growing regulatory focus on supply-chain resilience and third-party accountability amid rising cyber and AI-related threats.
4. CCIA Sues Texas to Block App Store Law Over Free Speech and Privacy Concerns
October 16, 2025 Texas, United States
The Computer & Communications Industry Association (CCIA) has filed a federal lawsuit against Texas, seeking to block enforcement of SB 2420, a new law set to take effect on January 1, 2026. The law mandates age verification, parental consent, and detailed age-rating disclosures for all app stores and developers, which CCIA argues violate the First Amendment and user privacy.
The association contends the law compels speech, restricts lawful content, and imposes excessive burdens on app stores, developers, minors, and parents. While framed as a child-safety measure, the case highlights a broader clash between state-level online protection efforts and constitutional safeguards around digital expression and privacy.
5. IPC Updates De-identification Guidelines for Structured Data
October 15, 2025 Ontario, Canada
Ontario’s Information and Privacy Commissioner (IPC) has released an updated version of its De-identification Guidelines for Structured Data, expanding on the 2016 framework. The new guidance offers practical methods for organizations to balance data utility with privacy protection, reflecting advances in data analytics and re-identification risks.
The update reinforces Canada’s push toward responsible data innovation, encouraging privacy-by-design approaches as organizations leverage structured datasets for AI, research, and policymaking.
6. ANPD Releases Fifth “Technological Radar” Focused on Age Verification in Digital Environments
October 14, 2025 Brazil
Brazil's National Data Protection Authority (ANPD) has published the fifth edition of its Technological Radar, focusing on Age Verification in Digital Environments. The report explores technical methods for determining whether a user is a child, adolescent, or adult while maintaining data privacy and security.
Released following the new Digital ECA Law (No. 15.211/2025), which gives ANPD oversight of children’s digital protection, the study highlights the delicate balance between effective age verification and minimizing data processing risks. This edition continues the Radar series’ mission to map emerging technologies shaping Brazil’s data protection landscape, following previous reports on Smart Cities, Biometrics, Generative AI, and Neurotechnologies.
7. Florida Attorney General Files Enforcement Lawsuit Against Roku, Inc.
October 14, 2025 Florida, United States
Florida Attorney General James Uthmeier has filed a civil enforcement action against Roku, Inc. and its Florida subsidiary, alleging violations of the Florida Digital Bill of Rights (FDBOR) and the Florida Deceptive and Unfair Trade Practices Act (FDUTPA).
The state claims Roku unlawfully collected and sold children’s sensitive personal data—such as viewing habits and voice recordings without parental consent or clear notice, and misrepresented its privacy controls. The lawsuit seeks civil penalties, injunctive relief, and stronger parental controls to ensure lawful handling of minors’ data.
This marks one of the first major enforcement actions under Florida’s new digital privacy regime, signaling heightened scrutiny of child data practices and the expanding reach of U.S. state-level privacy laws.
8. California Enacts Sweeping Child Online Safety Laws
October 13, 2025 California, United States
Governor Gavin Newsom has signed a broad set of child online safety bills that introduce new rules for age verification, platform transparency, and social media accountability.
Under AB 1043, app stores and operating systems must build age verification mechanisms dividing users into specific age groups and transmit age “signals” to app developers by 2027. Sharing or misusing this data will attract penalties of up to $7,500 per affected child.
Meanwhile, AB 56 requires social media platforms to display Surgeon General-style mental health warnings to users under 18. These notices must appear when minors first access the platform and periodically during long usage sessions.
Together, these measures expand California’s privacy and safety framework, reflecting a nationwide trend toward state-led action on protecting children from digital and AI-related harms while promoting responsible innovation.
9. Minnesota & New Hampshire Join Consortium Of Privacy Regulators
October 8, 2025 United States
Minnesota and New Hampshire have joined the Consortium of Privacy Regulators, a bipartisan coalition coordinating enforcement of state privacy laws. With their addition, ten states now collaborate to harmonize oversight and share resources.
Both states recently enacted privacy laws granting consumers rights to delete, correct, and opt out of data use. The expansion highlights growing state-level alignment on privacy enforcement and a shift toward stronger, cooperative regulation across the U.S.
10. Governor Newsom Signs New Data Privacy Laws to Protect Tech Users
October 8, 2025 California, United States
During San Francisco Tech Week, Governor Gavin Newsom signed a package of privacy bills expanding Californians’ control over their personal data. The centerpiece, AB 656 (Account Cancellation Act), requires social media platforms to offer a clear “Delete Account” option that permanently erases users’ data.
Newsom also approved SB 361, strengthening the Data Broker Registration Law by increasing transparency around how brokers collect and share personal data, and AB 566, mandating browsers include a setting to automatically send opt-out signals under the California Consumer Privacy Act (CCPA).
Together, these measures build on California’s broader privacy framework, including the Click to Cancel law and the DELETE Act, reinforcing the state’s role as a national leader in consumer data protection and digital accountability.
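The browser setting AB 566 describes is, in practice, a browser-sent opt-out preference signal; Global Privacy Control (GPC), transmitted as the request header `Sec-GPC: 1`, is the signal already recognised in California’s CCPA regulations. The following is an added illustration, not code from the bill, the CPPA, or any browser vendor, of what a site has to do on the receiving end: detect the header, let it override a stored preference, and keep sale/share tags out of the response. The tag inventory, the `stored_preference` values, and the precedence rule are assumptions made for the example.

```python
"""Honouring a browser opt-out preference signal (GPC) server-side.

Added example. Assumptions: the browser sends "Sec-GPC: 1" (the only value the
GPC specification treats as an opt-out); a site-specific preference may already
be stored as "opt_out", "opt_in", or None; a live signal takes precedence over
a stored "opt_in". The tag inventory below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

GPC_HEADER = "sec-gpc"       # header name defined by the GPC specification
GPC_OPT_OUT_VALUE = "1"      # "0", empty, or absent is not an opt-out


@dataclass(frozen=True)
class Decision:
    opted_out: bool          # consumer is opted out of sale/sharing
    source: str              # provenance, useful for the audit trail


@dataclass(frozen=True)
class Tag:
    name: str
    sells_or_shares: bool    # True for ad-tech / cross-context behavioural ads


def gpc_present(headers: Mapping[str, str]) -> bool:
    """True only for the exact value "1". Header names are case-insensitive.
    A legacy DNT header is a different signal and is deliberately ignored."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_OPT_OUT_VALUE
    return False


def decide(headers: Mapping[str, str], stored_preference: Optional[str]) -> Decision:
    """Precedence (assumed): live GPC signal > stored opt-out > default.
    The CCPA is opt-out for adults, so no record at all means not opted out."""
    if gpc_present(headers):
        return Decision(True, "gpc-signal")
    if stored_preference == "opt_out":
        return Decision(True, "stored-preference")
    return Decision(False, "default")


def filter_tags(tags: Iterable[Tag], decision: Decision) -> List[Tag]:
    """Drop every tag that would sell or share data once the consumer is opted out."""
    if not decision.opted_out:
        return list(tags)
    return [t for t in tags if not t.sells_or_shares]


# Constructed sample inventory of scripts a page might load.
SAMPLE_TAGS = (
    Tag("first-party-analytics", sells_or_shares=False),
    Tag("ad-network-pixel", sells_or_shares=True),
    Tag("social-retargeting", sells_or_shares=True),
)


def tags_to_load(headers: Mapping[str, str], stored_preference: Optional[str]) -> List[str]:
    """Names of the tags the page may emit for this request."""
    return [t.name for t in filter_tags(SAMPLE_TAGS, decide(headers, stored_preference))]


if __name__ == "__main__":
    # Signal present: only the first-party tag survives, even over a stored opt-in.
    print(tags_to_load({"Sec-GPC": "1"}, "opt_in"))
    # DNT alone is not GPC: all three tags load.
    print(tags_to_load({"DNT": "1"}, None))
```

The point a practitioner should take from this is the precedence rule: the signal must be processed when it arrives, not only when no other preference exists, and the `source` field is what you would log to show a regulator that it was.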
11. California Passes SB 446 Mandating 30-Day Data Breach Disclosure
October 3, 2025 California, United States
Senate Bill 446 (SB 446), passed on October 3, 2025, amends California’s breach notification law. Effective January 1, 2026, it requires businesses to notify affected individuals of a data breach within 30 days of discovery, replacing the previous open-ended “without unreasonable delay” standard.
Breaches affecting more than 500 California residents must also be reported to the Attorney General within 15 days. Failure to comply is treated as a CCPA violation, carrying potential fines of up to $7,988 per violation and statutory damages of $107 to $799 per person. The law marks a major step toward faster, more transparent breach reporting in the state.
12. CPPA Fines Tractor Supply Company $1.35 Million for CCPA Violations
October 1, 2025 California, United States
The California Privacy Protection Agency (CPPA) has fined Tractor Supply Company $1.35 million, the largest penalty in the agency’s history, for violating the California Consumer Privacy Act (CCPA). The company, which operates over 2,500 stores nationwide, failed to provide required privacy notices, disclose job applicants’ data rights, and implement proper opt-out mechanisms for data sales and sharing.
Tractor Supply also disclosed personal data to third parties without proper contractual safeguards. In addition to the fine, the company must overhaul its privacy practices, audit its tracking technologies, and submit annual compliance certifications for four years.
The decision highlights the CPPA’s growing enforcement focus on privacy notices, opt-out compliance, and employee data rights, marking a significant precedent for businesses handling Californian consumers’ and job applicants’ information.
13. Montana Extends Genetic Privacy Law to Neural Data
October 1, 2025 Montana, United States
Montana has become the third state to regulate neural data with SB 163, which amends the Genetic Information Privacy Act (GIPA) to cover “neurotechnology data.” Effective October 1, 2025, the law protects information captured by devices that record or alter neural activity, such as EEGs and brain–computer interfaces.
The amendment introduces notice, consent, and data localization requirements, including bans on storing neurodata in sanctioned or “foreign adversary” countries. Montana’s move marks a unique, narrower approach to neural privacy by integrating these protections into its genetic data framework.
14. Senate Bill 24-041 Takes Effect, Amending the Colorado Privacy Act
October 1, 2025 Colorado, United States
Colorado’s SB 24-041 has taken effect, expanding the Colorado Privacy Act to include stronger protections for minors online. The law requires companies to exercise reasonable care when handling children’s data, obtain consent before targeted advertising or data sales, and avoid design features that prolong or intensify minors’ use of online services.
Parental consent is mandatory for users under 13, while teens aged 13 to 17 can consent themselves. With these rules now active, Colorado joins the growing wave of states enforcing dedicated child data privacy standards.
15. Maryland Online Data Privacy Act (MODPA) Takes Effect
October 1, 2025 Maryland, United States
The Maryland Online Data Privacy Act (MODPA) took effect on October 1, 2025, becoming the nation’s 16th comprehensive state privacy law and one of the most restrictive. The law sets strict limits on data collection, bans the sale of sensitive data under any circumstance, and imposes strong data minimization and children’s privacy requirements.
MODPA applies to businesses handling data from at least 35,000 Maryland residents and prohibits targeted advertising to minors under 18. It also restricts the collection of sensitive data to what is strictly necessary for providing a requested service.
Although enforcement begins in April 2026, companies are urged to prepare now, as Maryland’s approach signals a tougher, more consumer-centric direction in U.S. privacy regulation.
Europe Jurisdiction
16. European Parliament Approves Reforms to Streamline Cross-Border GDPR Enforcement
October 21, 2025
The European Parliament has given its final approval to new rules designed to speed up and clarify the cross-border enforcement of the General Data Protection Regulation (GDPR). The changes aim to accelerate procedures by setting clear deadlines, generally 15 months for an investigation and draft decision by the lead authority, unless the complexity of the case requires an extension of up to 12 months. They also encourage early consensus-building between national data protection authorities and aim to strengthen complainants’ rights by improving access to information and granting them the right to be heard before a final decision.
The legislation now awaits final adoption by the Council. Once approved and in force, it will improve the efficiency and fairness of handling international data protection complaints across the EU.
17. EDPB Issues Opinions on Extending UK Data Adequacy Status Under GDPR and LED to 2031
October 20, 2025
The European Data Protection Board (EDPB) issued two opinions supporting the European Commission’s proposal to extend the UK’s data adequacy status under both the GDPR and the Law Enforcement Directive until December 2031, allowing continued free data flows from the EEA to the UK.
While broadly supportive, the EDPB urged close monitoring of the UK’s evolving data framework, citing risks from the Retained EU Law Act 2023, new ministerial powers under the Data Use and Access Act, and the UK’s weaker adequacy test for onward transfers. It also flagged concerns over Technical Capability Notices that may undermine encryption and changes to the ICO’s independence.
Under the LED, the EDPB called for a deeper review of national security exemptions and automated decision-making in law enforcement. The Commission’s draft adequacy decisions now proceed to formal adoption.
18. The UK ICO Issues Guidance on ‘Consent or Pay’ Advertising Model
October 20, 2025 United Kingdom
The UK Information Commissioner’s Office (ICO) has updated its guidance on “consent or pay” advertising models, where users choose to consent to personalised ads, pay for access, or leave the service.
The ICO confirmed these models can be lawful if consent is freely given, choices are clearly explained, and withdrawal is simple. Organisations must not bundle unrelated data uses or pressure users into consenting.
The guidance, now under review following the Data (Use and Access) Act 2025, reinforces that fairness and transparency remain central to compliance under UK data protection law.
19. Experian Fined €2.7 Million for GDPR Violations for Unlawful Use of Personal Data
October 17, 2025 Netherlands
The Dutch Data Protection Authority (AP) has fined Experian Nederland €2.7 million for violating privacy laws by improperly collecting and using personal data to generate credit scores. The AP found that Experian failed to justify its extensive data collection, used sensitive information inappropriately, and did not adequately inform individuals that their data was being processed.
The investigation followed complaints from people denied services or charged higher deposits without knowing a credit score was involved. Experian has accepted the decision, ceased Dutch operations, and will delete its databases by the end of the year.
20. UK ICO Launches Consultation on New ‘Charitable Purpose Soft Opt-In’ Rule
October 16, 2025 United Kingdom
The UK Information Commissioner’s Office (ICO) has opened a consultation on its approach to implementing the new ‘charitable purpose soft opt-in’, set to take effect in January 2026 under the Data (Use and Access) Act.
The change will allow charities to send marketing emails or texts to individuals who have shown interest in or supported their cause, without prior consent, provided clear opt-out options are offered. It aims to help charities strengthen supporter relationships while maintaining transparency and choice.
The consultation, running until November 27, invites feedback from charities and third-sector organizations to ensure the ICO’s guidance is practical and supports responsible fundraising practices.
21. EU Parliament Committee Demands Stronger Online Protections for Minors
October 16, 2025
The European Parliament’s Internal Market and Consumer Protection Committee has called for new EU-wide safeguards to make online spaces safer for minors. Lawmakers proposed a digital minimum age of 16 for social media and AI companions without parental consent and urged the Commission to crack down on addictive design features, loot boxes, profiling-based recommendations, and influencer marketing targeting minors.
The report also backs bans on “kidfluencing” incentives and AI-powered nudity apps, along with personal liability for executives overseeing repeated breaches. MEPs want the Digital Services Act enforced more forcefully and manipulative online features addressed under a future Digital Fairness Act.
This push highlights the EU’s growing focus on safety-by-design rather than user consent, signalling that platforms may soon need to redesign recommender systems and engagement tools to comply with stricter child-protection standards. A plenary vote is scheduled for late November.
22. UK ICO Fines Capita £14 Million for Major 2023 Data Breach
October 15, 2025 United Kingdom
The ICO has fined Capita plc and Capita Pension Solutions Ltd a combined £14 million over a 2023 cyberattack that compromised the data of 6.6 million people. The watchdog found Capita failed to implement adequate security controls, ignored known vulnerabilities, and took 58 hours to act on a high-priority alert, allowing hackers to steal nearly a terabyte of data.
Originally facing a £45 million fine, Capita’s penalty was reduced after cooperation and remediation efforts. The ICO said the case emphasizes that even large organisations must maintain robust cybersecurity and timely breach response, warning that “no company is too big to ignore its responsibilities.”
23. CNIL Clarifies Data Portability Rights in Loyalty Programs
October 14, 2025 France
The CNIL has issued new guidance clarifying how the right to data portability applies to information from customer loyalty programs. Retailers must now provide consumers with access to product barcodes (GTINs) and promotion amounts linked to their purchases when requested under data access or portability rights.
However, the algorithms or calculation methods used to determine promotional offers are not considered personal data and therefore fall outside the scope of portability. The clarification reinforces CNIL’s stance that data tied directly to identifiable customers must be shareable, helping ensure greater transparency and mobility of consumer data across digital retail ecosystems.
24. Austrian Regulator (DSB) Rules Microsoft Violated GDPR Article 13 in Austrian Schools Case
October 10, 2025 Austria
The Austrian Data Protection Authority (DSB) announced a significant ruling following a complaint by the privacy group noyb. The DSB found that Microsoft Corporation, alongside a local school, the board of education, and the Federal Ministry of Education, had violated the GDPR.
The case originated in 2024 when a student requested access to their personal data generated through the use of Microsoft 365. The request sparked a dispute over who was responsible for providing the information. Microsoft forwarded the student’s request to the local school, which could only offer limited details.
Ultimately, the DSB determined that Microsoft violated Article 13 of the GDPR by failing to provide complete information about the data processing activities conducted through its Microsoft 365 Education product. Microsoft has now been formally ordered to comply and respond fully to the complainant’s data access request within four weeks. The case exposes long-standing issues with Microsoft’s opaque handling of user data and raises broader questions about the lawfulness of Microsoft 365 deployments across Europe’s schools and public institutions.
25. European Commission Launches Investigation Against Snapchat, YouTube, Apple, & Google Under Digital Services Act (DSA)
October 10, 2025
The European Commission has opened a formal inquiry into four major platforms, Snapchat, YouTube, the Apple App Store, and the Google Play Store, sending each a request for information. This is the first significant enforcement step under the Digital Services Act (DSA) since the publication of the Guidelines on the Protection of Minors.
The investigation focuses on how these companies manage risks to children using their services. They have been asked to provide detailed information on their age verification systems and how they ensure users are accurately identified. The Commission is also examining the measures in place to prevent minors from accessing illegal products, including drugs, vaping products, and other restricted items. In addition, the inquiry looks at the platforms’ protocols to block harmful content, such as material promoting eating disorders, self-harm, or other content that could negatively affect minors’ mental health.
The outcome of this investigation could lead to enforcement actions, including fines or additional requirements to improve safety measures for young users.
26. ICO’s Appeal In Clearview AI Case Upheld: UK GDPR Extends to Foreign Companies Monitoring UK Residents
October 10, 2025 United Kingdom
The UK Upper Tribunal has issued a major ruling, upholding the appeal by the Information Commissioner’s Office (ICO) in the case against Clearview AI. This decision overturns an earlier finding by the First-tier Tribunal (FTT).
The ruling sets an important precedent: UK data protection law applies to foreign companies that process or monitor the behavior of UK residents, regardless of where the company or its clients are located. The Tribunal clarified that the reach of the UK GDPR depends on whose data is processed, not the company’s or its customers’ location. It also confirmed that Clearview AI’s activities, scraping images of UK residents from the web and using them in a global facial recognition database, constitute "monitoring of behaviour" under Article 3(2)(b) of the UK GDPR.
The case has now been sent back to the FTT for reconsideration. This ruling strengthens the ICO’s enforcement powers over non-UK companies that monitor the online activity of British citizens.
27. Swiss Federal Data Protection & Information Commissioner Updates Guidelines on Data Processing Using Cookies & Similar Technologies
October 6, 2025 Switzerland
The Swiss Federal Data Protection and Information Commissioner (FDPIC) has released an updated version of its cookie guidelines, refining the January 2025 edition to improve clarity and address practical questions from organizations.
The update clarifies that personalized advertising using third-party cookies often requires explicit user consent, especially when third parties gain access to personal data across multiple sites for profiling. It also expands guidance on location data collection, warning that such processing can reveal sensitive personal details and often constitutes high-risk profiling.
The revised guidelines further discuss “cookie paywalls”, outlining when users can lawfully choose between consenting to tracking or paying for access. The FDPIC plans to follow the update with a public awareness campaign and new supervisory actions to ensure compliance under the Swiss FADP and related regulations.
28. Dutch DPA and Tennis Association Settle Data-Sharing Case
October 4, 2025 Netherlands
The Dutch Data Protection Authority (AP) and the Royal Dutch Lawn Tennis Association (KNLTB) have closed their long-running dispute over a 2019 fine for sharing members’ data with commercial partners.
The case followed a 2024 Court of Justice ruling that clarified how the GDPR’s “legitimate interest” basis should be interpreted, confirming that a commercial purpose can, in limited cases, qualify as a legitimate interest for data processing, but only where the intrusion on individuals’ privacy is minimal and clearly explained.
The KNLTB admitted it did not meet these standards when disclosing member data and will now launch a privacy awareness campaign for sports organizations in collaboration with the AP. Given these corrective steps, the AP has reduced the fine to €250,000, bringing the case to an end.
29. Bosnia and Herzegovina's GDPR-Aligned Data Protection Law Takes Effect
October 4, 2025 Bosnia and Herzegovina
Bosnia and Herzegovina’s new Law on Personal Data Protection has officially taken effect, marking a key step in harmonizing the country’s privacy framework with the EU General Data Protection Regulation (GDPR).
Adopted in January 2025, the law introduces GDPR-style obligations, including expanded legal bases for processing, stricter safeguards for minors, mandatory breach notifications, Data Protection Impact Assessments, and data protection officer (DPO) requirements.
Organizations already processing personal data have a two-year transition period until March 8, 2027 to fully align their operations, signaling Bosnia and Herzegovina’s commitment to EU integration and modern privacy standards.
30. Catalan DPA Enhances Online Tool for GDPR Compliance and DPIAs
October 3, 2025 Spain
The Catalan Data Protection Authority (APDCAT) has released a renewed Data Protection Impact Assessment (DPIA) application to help organizations assess high-risk data processing.
The updated tool improves usability with guided navigation and integrates the 2022 National Security Framework (ENS) catalog of security measures, mandatory for public bodies. It allows users to describe processing activities, evaluate risks, and generate detailed DPIA reports offline.
APDCAT also issued an updated practical guide, user manual, and templates, promoting the tool as part of a broader push to enhance privacy-by-design and simplify compliance.
31. District Court of Amsterdam Rules Meta Must Make Non-Profiled Timelines Available on Facebook & Instagram
October 1, 2025 Netherlands
The District Court of Amsterdam has ordered Meta Ireland to provide Facebook and Instagram users with a direct, easily accessible, and permanent non-profiled timeline option within two weeks.
The case, brought by Bits of Freedom under the Digital Services Act (DSA), found that Meta’s current system, which reverts to a profiled feed after closing the app, constitutes a dark pattern banned under Article 25 DSA.
The ruling, one of the first civil cases enforcing DSA provisions, reinforces user control over algorithmic content curation and signals tighter scrutiny of engagement-based recommendation systems across the EU.
32. Georgian Personal Data Protection Service Publishes Guidelines on Public Authorities’ Access to Data
October 1, 2025 Georgia
The Personal Data Protection Service of Georgia has released new guidelines clarifying how public authorities should handle requests for access to information while upholding data protection obligations.
Authorities must first determine whether the requested records contain personal data and whether disclosure is legally justified under Georgia’s Personal Data Protection Law. If disclosure is not mandatory, such as for registry data, officials must balance transparency and privacy, assessing data sensitivity and potential harm from disclosure.
The guidelines aim to strengthen consistent decision-making and accountability across public bodies when responding to access-to-information requests.
33. noyb Files GDPR Complaint Against Whitebridge AI
October 1, 2025 Lithuania
Privacy group noyb has filed a complaint with the Lithuanian Data Protection Inspectorate, accusing Whitebridge AI of unlawfully scraping personal data and generating false “reputation reports.”
The reports, allegedly sold to individuals, included fabricated warnings such as “sexual nudity” or “dangerous political content.” noyb claims the company violated several GDPR provisions and required users to provide a “qualified electronic signature” before correcting their data, a condition with no basis in EU law.
Whitebridge AI denied wrongdoing, stating it only uses publicly available data for client-requested reports and deletes them after 30 days. The case could set an important precedent for AI-driven profiling and online reputation services under EU privacy law.
34. Swiss Federal Data Protection & Information Commissioner Publishes Factsheet For Medical Consultation Consent Forms
October 1, 2025 Switzerland
The Federal Data Protection and Information Commissioner (FDPIC) has released a factsheet clarifying the data protection rules surrounding forms patients are asked to sign during medical visits.
The guidance distinguishes between a doctor’s duty to inform patients about data collection and the requirement for valid consent to process health data. It also addresses secure data communication and the principle of proportionality, emphasizing that only necessary data should be requested from patients.
The FDPIC urges medical professionals and associations to review and update their forms and practices to ensure compliance with the Federal Act on Data Protection (FADP). While designed for doctors, the principles also extend to other therapeutic professions in private practice.
Asia-Pacific Jurisdiction
35. Singapore Enacts Key Provisions of the Cybersecurity (Amendment) Act
Singapore
Singapore has enacted key provisions of the Cybersecurity (Amendment) Act, expanding the Cyber Security Agency’s (CSA) authority to cover virtual Critical Information Infrastructures (vCIIs) and requiring that major cyber incidents, including those linked to Advanced Persistent Threats (APTs), be reported within two hours.
The law also introduces oversight of Systems of Temporary Cybersecurity Concern (STCCs) such as those supporting national elections or vaccine rollouts, enhancing national cyber resilience and ensuring faster, coordinated responses to emerging threats.
36. Taiwan’s Legislative Yuan Passes Amendment Strengthening Personal Data Protection Act
October 17, 2025 Taiwan
Taiwan’s Legislative Yuan has approved amendments to the Personal Data Protection Act, significantly tightening rules around data breach reporting and governance accountability.
The amendments establish a new Personal Data Protection Commission to oversee incidents and compliance. Both public and private entities must now immediately notify affected individuals and report data leaks or theft that fall within defined criteria.
Non-public agencies face fines ranging from NT$20,000 to NT$200,000 for failing to report breaches, with repeat penalties for continued violations. Public bodies must also appoint a Chief Data Protection Officer (DPO) to enhance oversight and response readiness.
The reforms mark a major step toward EU-style data protection standards, strengthening Taiwan’s privacy framework and its readiness for potential future cross-border adequacy recognition.
37. Japan’s Personal Information Protection Commission (PIPC) Announces Revision To Privacy Guidelines
October 10, 2025 Japan
Japan’s Personal Information Protection Commission (PIPC) has revised its privacy guidelines under the Act on the Protection of Personal Information (APPI) to align with the newly launched Global Cross-Border Privacy Rules (CBPR) system.
The updates modify existing guidance and certification documentation to ensure consistency with the international CBPR framework. Organizations engaged in cross-border data transfers are urged to review and update their compliance programs to meet the new standards and maintain seamless data flows under Japan’s privacy regime.
38. Federal Court Fines Australian Clinical Labs $5.8M in Landmark Privacy Case
October 9, 2025 Australia
The Federal Court of Australia has fined Australian Clinical Labs (ACL) $5.8 million for privacy failings linked to a 2022 cyberattack on its Medlab Pathology systems that compromised the data of over 223,000 people, the first-ever civil penalty under the Privacy Act 1988.
The Court found ACL failed to secure sensitive data, assess the breach promptly, and notify regulators in time. Justice Halley called the violations “extensive and significant,” highlighting management’s poor oversight and the potential for serious harm to affected individuals.
Privacy Commissioner Carly Kind called the decision a “turning point” for enforcement, warning that under Australia’s strengthened Privacy Act, future violations could draw fines of up to $50 million per breach.
Ecuador’s Draft General Standard on Data Transfers is open for consultation until October 29, 2025. It outlines documentation, safeguard, and registration rules and provides a 12-month transition period for transfers that predate the law.
EDPB–Commission joint guidelines clarify how the DMA and GDPR interact for “gatekeepers,” focusing on portability, interoperability, and app distribution. Consultation runs through December 4, 2025.
Bill No. 5226/2025 to amend Brazil's General Personal Data Protection Law (LGPD) was introduced to the Chamber of Deputies, proposing bans on sensitive data sales and strict biometric data rules.
On November 5, 2025, the California Department of Justice will host a public meeting to shape SB 976 rulemaking, targeting youth online safety and addictive design features.
China’s National People’s Congress has approved amendments to the Cybersecurity Law to address AI development and related risks, effective January 1, 2026, introducing a framework for AI safety, ethical standards, and cybersecurity risk monitoring.