Data Privacy Frontline Report

December 2025

Here are key highlights from December 2025 detailing global news and regulatory updates.

 

US & Canada

  • California attorney general actively enforces CCPA in 2025, securing major settlements—including a $1.5 million fine in July—with a strong focus on failures to implement website opt-out requirements.

  • California’s data protection authority delivers instructions about DROP, a delete request and opt-out platform that will allow Californians to erase their personal data from hundreds of data brokers.

  • Indiana’s attorney general releases the Data Consumer Bill of Rights outlining key protections for residents, including the rights to know, control, protect, and take action regarding personal data.

  • New York's governor signs the Responsible AI Safety and Education Act, requiring transparency and disclosures from frontier AI developers, with provisions that track closely to California's Transparency in Frontier Artificial Intelligence Act.

  • US president signs an executive order to curb state-level AI laws by halting enforcement of existing “burdensome” regulations and discouraging new ones, while directing the Department of Justice and Commerce Department to coordinate constitutional challenges and analysis.

  • US National Institute of Standards and Technology (NIST) issues draft guidelines on ways to make AI systems secure, use AI to strengthen defenses against cyberattacks, and proactively counter AI-related threats.


EMEA
  • EU European Commission establishes a legal helpdesk offering direct support to organizations, especially SMEs, by answering practical questions on applying the new Data Act rules.
  • EU European Commission fines social platform X 120M euros for multiple alleged violations, its first regulatory enforcement under the Digital Services Act.
  • EU European Data Protection Board (EDPB) holds its second meeting with data protection authorities from countries with EU adequacy decisions, aiming to strengthen global cooperation, share enforcement experiences, and discuss future priorities for data protection.
  • Spain’s AI supervisor provides guidance to help organizations, especially SMEs, implement and comply with the European Artificial Intelligence Act, offering non-binding recommendations and technical checklists (article in Spanish).
Gain confidence to use and share sensitive data
Find out how our advisory services can help you safely leverage data derived from information about people. Watch this 15-minute webinar.
Watch On-Demand Now
APAC
  • Australian government announces its National AI Plan, shifting focus toward investment and economic growth by enhancing infrastructure and leveraging the AI Safety Institute to monitor and address risks.
  • South Korean e-commerce company to pay users $1.18 billion in compensation for a massive data leak affecting 33.7 million customer accounts.
  • Vietnam’s national assembly approves the country’s first law on AI, scheduled to take effect on March 1, 2026, and seeking to strike a balance between managing risks and fostering innovation.