Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't).
United Kingdom – Data (Use and Access) Bill receives royal assent
The UK Government will phase implementation of the Data (Use and Access) Act 2025 (DUAA) by way of publishing secondary legislation. While most new rules are expected to come into force within two to six months, the UK data protection authority (the ICO) states that some may take up to 12 months before they are in force. See relevant ICO resources.
Once the DUAA is in force, it will mean some significant changes to the current UK regime. For example, there will be a relaxation of the rules on automated decision-making; a simplification of the rules on cookies consent requirements; and an increase in the maximum fines that can be imposed under the Privacy and Electronic Communications Regulations: from £500k to £17.5 million or 4% of annual global turnover. There are also broader provisions in the DUAA which cover areas such as smart data schemes and new rules for digital verification services.
Finland – DPO contact details must be up to date
The Finnish data protection authority, the Ombudsman, has issued a request for organisations to check that the contact details of their Data Protection Officer which have previously been notified to the Ombudsman are up to date. The Ombudsman has stated that if it does not receive confirmation or an update of the information by 13 July 2025, then it will delete the information.
The Ombudsman sent a request directly to the DPOs on its records on 12 and 13 June. If the request has not been received, then the organisation must contact the Ombudsman.
China – New national standard on sensitive personal information
The National Information Security Standardization Technical Committee has issued a new national standard GB/T 45574-2025 Data Security Technology Security Requirements for Processing Sensitive Personal Information which will take effect on 1 November 2025. The Standard aligns with the data protection requirements set out under the Personal Information Protection Law (PIPL), providing detailed operational guidance to ensure compliance with the PIPL principles for personal information processing and, in particular, sensitive personal information.
The Standard is a recommended national standard and as such, is not legally binding. However, it provides organisations with practical information on operational requirements and may be referred to in the context of enforcement action.
South Korea – New rules on local representatives
A proposed amendment to the rules on local representatives has been passed by the South Korean parliament and will come into force on 2 October 2025. The amendment makes changes to the requirements around the appointment of local agents by foreign businesses subject to PIPA, with a more formal appointment and operation process.
Non-compliance could attract an administrative fine, and enforcement is undertaken by the South Korean data protection authority, the PIPC, which has published a consultation (Korean only) on its draft changes to the data protection Enforcement Decree (which needs to be amended to permit enforcement by the PIPC of the new rules).
United States – Oklahoma – Data breach notification law enacted
A new Security Breach Notification Act in Oklahoma became law on 28 May 2025. The Act expands the definition of ‘personal information’ and requires any individual or entity that owns or licenses computerised data that includes personal information to notify the Attorney General of a data breach within 60 days of notifying affected individuals (under existing law, data breaches must be notified to affected Oklahoma residents as soon as practicable after discovery).
A single security breach that affects fewer than 500 Oklahoma residents is exempt from the new notice requirement, and a data breach of a security system maintained by a credit union (where fewer than 1,000 Oklahoma residents are affected) is also exempt. There are specific content requirements for notifications.
Sanctions. We're keeping count.
211. That's the number of regulatory sanctions around the world that Rulefinder Data Privacy has already tracked in 2025. It amounts to over 2,267,380,000 US dollars in penalties and numerous other reprimands and corrective actions.
United States – Connecticut – Amendments to Data Privacy Act
United States – Vermont – Age-Appropriate Design Code Act signed into law
On 12 June 2025, the Governor of Vermont signed S.69 (An act relating to an age-appropriate design code), which will take full effect on 1 January 2027. The act applies to entities that: conduct business in Vermont; generate more than 50% of annual revenue from online services; have online products or services reasonably likely to be accessed by a minor (e.g. routinely accessed by at least 2% of under 18s); and determine the means and purposes of personal data processing. It establishes a minimum duty of care, and contains provisions on default privacy settings, transparency, and data minimisation.
Read the Act
United States – Oregon – Consumer Privacy Act amended
The Governor of Oregon has signed into law HB 2008, which amends the Oregon Consumer Privacy Act’s (OCPA) provisions on the processing of children’s data and the sale of geolocation data.
Pursuant to the amendment, it is prohibited under the OCPA: (i) to sell the personal data of a consumer, or process the personal data of a consumer for the purposes of targeted advertising or for profiling that produces legal or similar effects, if the controller has actual knowledge that (or wilfully disregards whether) the consumer is under 16 years of age; and (ii) to sell personal data that accurately identifies a consumer’s present or past location (within a radius of 1,750 feet), or the present or past location of a device that is linkable to an individual consumer (e.g. by way of a global positioning system (GPS)).
India – Consent management rules published
India’s Ministry of Electronics and Information Technology has published guidelines for consent management systems under the new Digital Personal Data Protection Act (DPDPA), which has been passed but is not yet in force (pending notification of an effective date via the official Gazette of India).
The aim of a consent management system is to enable the management of consent, to give individuals control over their consent, and to facilitate compliance with the DPDPA’s provisions on consent, security, purpose limitation and data minimisation. The rules also set out an operational and technical framework for consent management systems, proposed technical standards, and information on the creation of mechanisms to facilitate complaints and requests.
Australia – OAIC publishes Privacy Foundations self-assessment tool
The Office of the Australian Information Commissioner (OAIC) has launched the Privacy Foundations tool, which has been designed for businesses who want to embed a culture of privacy, and who want to establish or improve privacy practices, procedures, and systems.
The tool provides a basic overview of privacy fundamentals via a series of questions covering areas of core privacy practice and practical examples of what good privacy looks like. The OAIC indicates that completing the tool should take 15-20 minutes, and will provide a privacy maturity score and tailored recommendations (which can be used to create a privacy management plan).
