INTERNATIONAL 

UNITED STATES OF AMERICA

7. Privacy Lawsuit over Period-Tracking App settled^[7]

Google LLC (“Google”) and Flo Health Inc. (“Flo”) agreed to pay a combined USD 56 million to settle a class action lawsuit alleging that the Flo period-tracking app shared users’ sensitive health data without proper consent. The lawsuit claimed that between November 2016 and February 2019, Flo transmitted personal information about users’ menstrual cycles and pregnancies to third parties, including Google and Meta, for advertising purposes. Despite Flo’s assurances of confidentiality, users’ data was allegedly accessed through Software Development Kit (“SDK”) integrated into the app. Google will contribute USD 48 million, while Flo will pay USD 8 million. Meta Platforms Inc., another co-defendant, did not settle and was found liable by a jury in August 2025; the company plans to appeal. The plaintiffs argued that Flo’s integration of third-party SDKs allowed companies to access intimate health data, violating the California Invasion of Privacy Act, 1967 that imposes statutory penalties of USD 5,000 per violation, potentially leading to damages in the billions of dollars. Google denied that any data was used for advertising and emphasized its policies against collecting health information through Google Analytics.

This settlement underscores the growing scrutiny of tech companies’ data practices, particularly concerning sensitive health information. It also highlights the importance of obtaining explicit user consent and maintaining transparency in data collection and sharing practices. For anyone using a health or wellness app, it’s a reminder to be fully aware of privacy policy. The case sets a significant precedent for privacy litigation in the digital age.

8. Violation of Privacy Laws leads to Disinvestment Order against Prominent Social Media App^[8]

The US President has signed an Executive Order (“EO”) titled ‘Saving TikTok While Protecting National Security’ on September 25, 2025. The goal is to separate its control from its China-based parent company, ByteDance Ltd. (“ByteDance”), primarily because of national security and data privacy concerns. The decision comes after months of legal delays and negotiations on how to keep the app available to its 170 million American users without compromising national security.

Under the new framework, TikTok’s US business will operate through a newly formed joint venture, majority-owned and managed by American investors, with ByteDance retaining less than a 20% minority stake. The EO requires that all US user data be stored on American cloud servers, for which Oracle has been designated as the security partner, and that TikTok’s recommendation algorithms be retrained and overseen by US security officials. A new board of directors, comprising experts in cybersecurity and national security, will ensure the platform’s operations remain independent from foreign influence.

For tech companies, this EO signals that data localization, algorithm transparency, and ownership structure are now inseparable from market access. For India and other countries grappling with similar data sovereignty and national security concerns, the US approach demonstrates how technology governance can ensure keeping platforms alive while protecting user data and national interests.

9. New Regulations to strengthen CCPA announced^[9]

California Privacy Protection Agency has finalized new regulations to strengthen privacy protections under the California Consumer Privacy Act (“CCPA”). The new regulations address areas such as cybersecurity audits, risk assessments, automated decision-making technology (“ADMT”), and obligations for insurance companies. The process involved years of engagement with industry stakeholders, civil society, and the public, including multiple hearings and review of hundreds of comments, ensuring that the rules balance strong consumer protections with practical compliance for businesses. It establishes clear deadlines and requirements for businesses of different sizes. Companies making over USD 100 million must complete cybersecurity audits by April 1, 2028, while smaller businesses have extended timelines up to 2030. Risk assessments must be completed starting January 1, 2026, with formal attestations and summaries submitted to CPPA by April 1, 2028. Businesses using ADMT to make major decisions affecting consumers are required to comply with related rules beginning January 1, 2027. These measures are designed to ensure companies carefully evaluate potential risks to consumer data and adopt strong safeguards against misuse. Beyond compliance, the regulations emphasize transparency and accountability, giving meaningful control over their personal information while guiding businesses through practical implementation pathways. With the regulations taking effect on January 1, 2026, and staggered deadlines for full compliance, this initiative solidifies California’s privacy standards, while helping businesses understand their responsibilities and maintain trust in the digital economy.

10. FTC secures $2.5 Billion Settlement over Deceptive Subscription Practices^[10]

The Federal Trade Commission (“FTC”) has finalized a landmark USD 2.5 billion settlement with Amazon Inc. (“Amazon”), resolving allegations that the company used deceptive practices to enroll consumers in its Prime subscription service without their consent and made it challenging for them to cancel. The settlement, announced on September 25, 2025, addresses violations of the federal Restore Online Shoppers’ Confidence Act (“ROSCA”), which mandates clear disclosure of subscription terms and easy cancellation processes. The FTC’s complaint highlighted that Amazon’s design choices, such as less prominent options to decline Prime enrollment and a convoluted cancellation process, misled consumers and hindered their ability to manage subscriptions effectively. Under the terms of the settlement, Amazon is required to pay USD 2.5 billion to resolve the allegations. Additionally, it must implement significant changes to its subscription practices, including providing clearer disclosures about subscription terms and simplifying the cancellation process to ensure compliance with ROSCA. These measures aim to restore consumer trust and promote transparency in online subscription services.

This settlement underscores the FTC’s commitment to holding companies accountable for practices that undermine consumer confidence in online shopping. It serves as a reminder to businesses of the importance of adhering to consumer protection laws and maintaining transparent and fair practices in their operations.

11. Homebuyers Privacy Protection Regulation becomes Law, restricting Unsolicited Mortgage Offers^[11]

The Homebuyers Privacy Protection Act (H.R. 2808) (“Act”) was signed into law on September 5, 2025, strengthening consumer privacy protections in residential mortgage transactions. The Act amends the Fair Credit Reporting Act (“FCRA”) to restrict the use of “trigger leads,” which occur when a lender or credit reporting agency shares a consumer’s credit information with third parties after a mortgage application, often resulting in unsolicited offers. Under the Act, credit reporting agencies can only share consumer credit reports in connection with a mortgage if the third party has obtained consumer consent, has originated a mortgage, serves the consumer’s current mortgage, or holds a current account for the consumer. The Act also sets clear timelines, with the provisions taking effect 180 days after enactment, on March 4, 2026. Additionally, the Act mandates a study by the Comptroller General to evaluate the impact of trigger leads received via text messages, with findings to be submitted to Congress within a year. These measures aim to enhance transparency, limit unsolicited marketing, and protect consumers’ personal financial information during the sensitive mortgage application process.

By curbing the widespread sharing of credit data for unsolicited mortgage offers, the Act positions itself as a landmark privacy safeguard, providing consumers with greater control over their personal information while promoting fair and responsible lending practices.

EUROPEAN UNION

12. Data Act enters into Force ^[12]

The Data Act, 2025 (“Act”) officially published as Regulation (EU) 2023/2854 (“Act”), became law on January 11, 2024 and is taking full effect since September 12, 2025. The Act is a central part of the European Union’s digital strategy, aimed at democratising access to data generated by connected products and services. It seeks to promote fair data-sharing practices, enhance competition, and foster innovation across all sectors of the economy. Unlike GDPR, which governs only personal data, the Act applies to both personal and non-personal data generated by connected devices and digital services, making it a more comprehensive framework for Europe’s evolving data ecosystem. From September 2025, users, both individuals and businesses, will gain explicit rights to access, use, and share the data generated by their own devices and digital services. The Act also introduces new obligations for manufacturers, service providers, and cloud operators, ensuring that data-sharing agreements are fair and transparent. It mandates that users can easily switch between different cloud or data service providers without facing restrictive barriers, marking a significant step towards a more open and competitive digital market.

Additionally, the Act empowers public authorities to access data in cases of public emergencies, such as natural disasters or cybersecurity incidents, but under strict safeguards to protect user privacy. The Act complements GDPR, reinforcing Europe’s commitment to a human-centric, innovation-friendly data economy that balances accessibility with strong privacy protections.

13. Publishing Names of Doping Athletes Online may violate Privacy Law^[13]

The Advocate General of the Court of Justice of the European Union (“Advocate General”) has issued an opinion in NADA Austria and Others[14], stating that the online publication of names of professional athletes found guilty of doping violations may contravene GDPR. The case stems from an Austrian law that required the national anti-doping agency to publicly disclose athletes’ names, banned substances, exclusion periods, and reasons for sanctions. Several athletes challenged this rule, arguing that such publication disproportionately infringed their privacy and data protection rights. In his opinion, the Advocate General noted that making this information publicly available online, without restriction and for an unlimited audience, could go beyond what is necessary for transparency or deterrence and proposed that limited disclosure, such as to relevant sporting bodies or through pseudonymised reporting could achieve similar objectives while offering greater respect for privacy. The opinion is not binding but will inform the final decision at the Court of Justice of the EU.

14. EU-US Data Privacy Framework upheld^[15]

The General Court of the European Union (“Court”) has dismissed an annulment action brought against the European Commission’s adequacy decision for the EU US Data Privacy Framework (“DPF”), confirming that the United States ensures an adequate level of protection for personal data transferred from the EU. The decision reaffirms that organizations in the US certified under the DPF may continue receiving personal data from EU entities under Article 45 of the GDPR.

In reaching its decision, the Court addressed core objections raised by the challenger, including concerns about the independence and impartiality of the US Data Protection Review Court (“DPRC”) and the legality of bulk collection of data by intelligence authorities without prior authorization. The Court held that ex post judicial review via the DPRC, together with safeguards under US reform measures such as Executive Order 14086, suffices to bring US practices in line with essential equivalence to EU data protection standards.

The ruling offers legal certainty for transatlantic data flows, particularly for EU and US companies relying on the DPF. However, it is subject to appeal before the CJEU, and the European Commission retains the power to suspend, amend, or repeal the adequacy decision should the US framework deviate from required privacy safeguards.

15. Court clarifies when Pseudonymised Data constitutes Personal Data^[16]

The CJEU, has issued a ruling in the case of European Data Protection Board v. Single Resolution Board (“SRB”), providing significant clarification on the status of pseudonymised data under EU data protection law. The case involved the SRB transferring pseudonymised comments from stakeholders to Deloitte for analysis without informing the stakeholders, leading to a dispute over whether the data remained personal under Regulation (EU) 2018/1725.

The CJEU concluded that pseudonymised data is not automatically considered personal data in all cases. Whether data is personal depends on the ability of the recipient to re-identify individuals using available means. If re-identification is not reasonably possible for the recipient, the data may not be personal data for them. However, the Court emphasized that the original data controller must assess the identifiability of data at the time of collection, not at the point of transfer.

This judgment underscores that pseudonymisation does not inherently anonymise data and that data controllers must carefully evaluate the identifiability of data before sharing it, ensuring compliance with transparency obligations.

16. Italy becomes first EU country to enact National AI Law^[17]

On September 17, 2025, Italy’s Parliament approved Law No. 132/2025, making Italy the first EU member state to establish comprehensive national legislation on AI. It was published in the Official Gazette on 25^th September 2025 and is scheduled to come into force on October 10, 2025. It aims to ensure AI is used responsibly, transparently, and safely across various sectors, including healthcare, public administration, justice, labour, intellectual property, and criminal law. It introduces oversight measures, mandates human supervision, and enforces transparency in AI applications. It also criminalises the creation and dissemination of harmful AI-generated content, including deepfakes, with penalties of up to five years in prison. Additionally, it establishes a 1 billion Euros venture capital fund to support the AI, cybersecurity, and telecommunications sectors. Enforcement will be managed by Italy’s Agency for Digital Italy and the National Cybersecurity Agency. This pioneering move positions Italy at the forefront of AI governance in Europe.

17. Stakeholder Consultation to Develop Guidelines for Transparent AI Systems launched^[18]

The European Commission has initiated a comprehensive stakeholder consultation aimed at developing clear guidelines and a code of practice for transparent AI systems. This move forms part of the broader EU effort to implement the Artificial Intelligence Act, 2024 ensuring that AI technologies are developed and deployed in a manner that is trustworthy, ethical, and accountable. By seeking inputs from governments, industry, academia, and civil society, the consultation aims to create a shared understanding of transparency requirements, helping both AI developers and users navigate the evolving regulatory landscape.

The proposed guidelines are expected to cover key aspects of AI transparency, including explainability, data quality, documentation, and user communication. They will provide practical frameworks for organizations to design AI systems that can be audited, monitored, and understood by end-users, thereby promoting responsible AI deployment across sectors. Additionally, the consultation emphasizes the importance of aligning transparency measures with ethical principles, enabling AI solutions to operate without bias and ensuring citizens’ rights are respected.

The consultation also seeks to foster innovation by encouraging collaboration among stakeholders to co-create actionable tools, templates, and best practices. By integrating transparency into AI design from the outset, the EU aims to enhance trust, protect consumers, and ensure that AI contributes positively to economic growth, public services, and societal well-being. Stakeholders are invited to submit their feedback, which will shape the final guidelines and support consistent, reliable, and transparent AI systems across Europe.

18. EDPB issues Guidelines to harmonize DSA and GDPR Enforcement^[19]

On September 12, 2025, the EDPB released Guidelines 3/2025 (“Guidelines”), clarifying the relationship between the Digital Services Act, 2022 (“DSA”) and the GDPR. These guidelines aim to ensure that both frameworks work together effectively to protect individuals’ fundamental rights in the digital environment. The DSA focuses on creating a safer online space by regulating online platforms, while the GDPR governs the processing of personal data, including aspects like transparency, consent, and data minimization. The EDPB emphasizes that the DSA does not override the GDPR; instead, both regulations should be applied concurrently. Specific provisions of the DSA, such as those related to notice-and-action systems, recommender algorithms, and targeted advertising, involve the processing of personal data and thus fall under the purview of the GDPR. The guidelines provide practical guidance on how to interpret and apply these provisions in a way that aligns with data protection principles. Furthermore, the EDPB highlights the importance of cooperation between Digital Services Coordinators, the European Commission, and data protection authorities.

This collaboration is essential to ensure consistent enforcement and to avoid conflicts between the two regulatory frameworks. The Guidelines also stress the need for transparency and accountability in the development of codes of conduct under both the DSA and the GDPR, particularly in areas like online advertising. By fostering a coordinated approach, the EDPB aims to uphold individuals’ rights and promote a trustworthy digital ecosystem.

UNITED KINGDOM

19. Social Media launches Consent-or-Pay Model with ICO Approval^[20]

The UK’s Information Commissioner’s Office (“ICO”) approved Meta Platforms Inc.’s (“Meta”) new
“consent-or-pay” model for Facebook and Instagram users. This approach allows users to either consent to personalized advertisements or pay a monthly subscription for an ad-free experience. The ICO highlighted that this model enhances transparency and user choice compared to the previous approach, where users were automatically subjected to targeted ads under standard terms. It stressed that meaningful consent and clear information about data use are essential to comply with UK data protection laws. Meta also adjusted its subscription pricing for UK users, lowering it to nearly half of the EU rate. This ensures that users can make an informed choice between paying for an ad-free experience or consenting to targeted advertising. The ICO expects Meta to monitor user decisions closely and assess the model’s impact to ensure ongoing compliance with privacy regulations and fair treatment of consumers.

While the ICO has approved, it will continue to observe the rollout and broader implications of the consent-or-pay model. The initiative reflects a shift in how online platforms balance commercial objectives with user autonomy and data protection, aiming to empower consumers to make free and informed choices regarding their personal data.

20. Nationwide Digital ID Scheme to Enhance Service Access and Border Security announced^[21]

The UK government unveiled plans to introduce a free digital ID scheme for all citizens and legal residents. This initiative aims to streamline access to essential services such as driving licences, childcare, welfare, and tax records by eliminating the need for physical documents. The digital ID will be securely stored on users’ smartphones, similar to existing applications like the National Health Service App or contactless payment systems. While carrying the digital ID will not be mandatory, it will be required for proving the Right to Work, thereby preventing individuals without legal status from obtaining employment. The government emphasizes that the digital ID system will be designed with inclusivity in mind, ensuring accessibility for individuals who may not have access to smartphones. A public consultation will be launched later this year to gather input on the service’s delivery. The scheme is expected to be rolled out gradually, with full implementation anticipated by the end of the current Parliament. This move is part of the government’s broader strategy to enhance border security and simplify public service access for legal residents.

OTHERS

21. New Zealand enacts Privacy Amendment Act^[22]

New Zealand’s Privacy Amendment Act (“Act”) was officially enacted, introducing significant changes to the Privacy Act 2020. The primary enhancement is the addition of Information Privacy Principle 3A (“IPP3A”), which mandates that agencies inform individuals when their personal information is collected indirectly, meaning from a source other than the individual themselves. This new requirement aims to increase transparency and empower citizens to better exercise their privacy rights.

Under IPP3A, agencies are required to notify individuals about the collection of their personal information unless specific exceptions apply. These exceptions include situations where informing the individual would prejudice the purpose of the collection, such as in cases of fraud investigations, or where it is not reasonably practical to do so, for example, if the agency does not hold contact details for the individual. The Privacy Commissioner has emphasized that these exceptions should be applied judiciously and that agencies must take reasonable steps to ensure individuals are informed as soon as reasonably practicable after the information has been collected.

The Act is set to come into effect on May 1, 2026, providing agencies with time to update their systems and processes to comply with the new requirements. The Privacy Commissioner has committed to providing guidance and support to help organizations meet these obligations, ensuring that the changes lead to a more transparent and accountable handling of personal information across New Zealand.

22. Singapore Ministry of Law launches Public Consultation on Guide for Using Generative AI in the Legal Sector^[23]

The Singapore Ministry of Law (“MinLaw”) initiated a public consultation on a Draft Guide for Using Generative Artificial Intelligence (“Draft Guide”) in the Legal Sector, which outlines principles for responsible Generative Artificial Intelligence (“GenAI”) adoption. This initiative aims to provide legal professionals with practical guidance on the responsible, ethical, and effective use of GenAI tools, ensuring compliance with professional standards and enhancing service delivery. The consultation period concluded on September 30, 2025.

The Draft Guide outlines three core principles for integrating GenAI into legal practice. First, professional ethics: legal professionals remain ultimately responsible for all work products and must apply requisite knowledge, skill, and experience to provide competent advice and representation. Second, confidentiality: reasonable steps should be taken to ensure client information is protected when using GenAI tools. Third, transparency: consideration should be given to disclosing the use of GenAI tools to clients, upholding honesty and informing them of all information that may reasonably affect their interests.

The Draft Guide also emphasizes the importance of cybersecurity in adopting GenAI tools. Legal practices are advised to assess whether input data will be stored, used for model training, or could be inadvertently reproduced in outputs for unintended recipients. Clear assurances from GenAI providers regarding data retention and usage, along with data access controls and staff training, are recommended to safeguard client information. This consultation forms part of MinLaw’s broader efforts to support the digital transformation of Singapore’s legal sector, complementing initiatives like the Productivity Solutions Grant for the Legal Sector and the Legal Innovation and Future-Readiness Transformation pilot initiative.

23. Abu Dhabi introduces Rules to strengthen Data Protection Framework^[24]

The Abu Dhabi Global Market (“ADGM”) enacted the Data Protection Regulations Substantial Public Interest Conditions Rules, 2025 (“Rules”). This initiative follows Consultation Paper No. 6 of 2025 and provides clearer guidance on processing sensitive personal data in sectors such as insurance and education. The new rules aim to align with global best practices while balancing robust data protection with public interest requirements. The Rules specify conditions under which organizations can process special categories of personal data without consent. In the insurance sector, insurers are allowed to process sensitive data when necessary for insurance purposes, provided the processing serves a substantial public interest. The Rules also cover safeguarding vulnerable individuals by permitting the processing of sensitive data without consent when necessary to protect children or adults at risk of emotional or physical harm, with clear criteria for determining when individuals over the age of 18 may be considered at risk.

Organizations operating within ADGM’s jurisdiction are required to comply with these updated rules by implementing safeguards to ensure that data processing is necessary and proportionate to the public interest purpose. The enactment of these rules reflects ADGM’s commitment to a strong data protection framework that promotes responsible use of personal data while protecting individual rights.