Newsletter

California amends breach notification law, Australia imposes first civil Privacy Act penalty…

Author: aosphere

06 November 2025


Area: Data privacy


Key global data privacy developments you might have missed (but Rulefinder Data Privacy hasn't).

United States – breach notification law amended

The Governor of California has signed into law SB 446 (Data breaches: customer notification), which amends data breach notification obligations in California (themselves set out under Section 1798.82 of the California Civil Code). The final version of SB 446 was published on 6 October 2025 and takes effect on 1 January 2026.

There is a new 30-day time limit from discovery of a data breach to notify affected individuals (with delays acceptable for reasons of law enforcement or as necessary to determine the scope of a breach and restore the integrity of affected systems). Where there is an obligation to notify more than 500 affected California residents due to a single data breach, the California Attorney General must now be notified within 15 calendar days of notifying those affected individuals. There was previously no time limit for notifying the Attorney General.

Australia - first civil penalty imposed under the Privacy Act

On 8 October 2025, Australia's Federal Court reached a decision in Australian Information Commissioner (OAIC) v Australian Clinical Labs Limited, a judgment of firsts for privacy and cybersecurity practitioners. It is the first civil penalty imposed under the Privacy Act (AUD 5.8 million), the first penalty judgment applying s13G to an APP 11.1 cybersecurity failure, and the first judicial consideration of APP 11.1(b). It also considers what it means to notify the OAIC "as soon as practicable" after identifying an eligible data breach.

View the OAIC press release

Taiwan - changes to data breach notification requirements

The Legislative Yuan has passed an amendment to the Taiwanese Personal Data Protection Act (the "Amendment") which introduces new notification requirements in case of a personal data breach. The Amendment has been submitted to the President and will take effect once the President makes a formal announcement.

Once the formal announcement is made, the law will come into force and relevant organisations should be prepared to notify data breaches to the relevant authority. There will also be a fine for breaching the notification requirement: between NT$20,000 and NT$200,000 (approximately USD 648 and USD 6,480). Finally, the Amendment will set out which authority will be responsible for enforcement and details in relation to any transition periods.

View the Amendment (in Chinese)

Peru - new online incident notification form

The Peruvian government has launched a digital form for the notification of information security incidents. The new form is now the official and unified channel for complying with reporting obligations under Peru’s Personal Data Protection Law and the Digital Trust Framework (which is relevant for digital service providers in certain sectors). Organisations must therefore use it to ensure effective notification (i) to Peru’s data protection authority (the ANPD) in the event of a personal data breach and (ii) to the National Digital Security Centre under the Digital Trust Framework.

View the form

South Korea - appointment of local representatives

On 2 October 2025, amendments to the South Korean data protection law (PIPA) came into force that require a local representative to be appointed if: (i) a corporation is established in South Korea by an overseas business operator (head office); or (ii) an overseas business exerts dominant influence over a domestic corporation ("dominant influence" is determined by reference to a 30% or greater shareholding and/or the appointment of a representative director or of more than 50% of the relevant company's officers).

If the requirement is triggered, the foreign entity must appoint a "domestic agent" from among the domestic corporations. The overseas business is under an obligation to manage and supervise the domestic agent so that it faithfully performs its duties, and it must disclose the name, address, phone number and email address of the domestic agent in its privacy notice.

View the PIPC press release (in Korean)

United States - California - Opt Me Out Act signed into law

On 8 October 2025, the Governor of California signed into law AB 566 (the California Opt Me Out Act), which requires internet browsers to offer individuals a simple, built-in mechanism for opting out of the sale or sharing of personal information.

The Act takes full effect on 1 January 2027 and will prohibit businesses from developing or maintaining a browser that does not include configurable functionality enabling consumers to send an opt-out preference signal (via the browser) to businesses that the consumer interacts with through that browser. The California Consumer Privacy Act (CCPA) is one of the US state data privacy laws which mandates that businesses must recognise opt-out requests made via opt-out preference signals (OOPS), through which individuals can easily and automatically communicate their privacy preferences to websites.

View the full text of the Act

EU - launch of AI Act Service Desk and Information Platform

The European Commission has launched the AI Act Service Desk and the AI Act Single Information Platform, aimed at supporting the effective implementation of the AI Act.

The AI Act Single Information Platform gives access to interactive online tools which can be used to determine the applicability of legal obligations under the EU AI Act, and to understand any steps that may be required in order to comply. The platform includes the AI Act Explorer, the AI Act Compliance Checker tool, and a database of national member state resources (guidance, tools, etc.).

The AI Act Service Desk itself is a centralised European initiative, providing an information hub and offering guidance on the application of the EU AI Act. Using the Service Desk, questions on the AI Act can be submitted directly to the EU AI Office (which requires an EU Login account) in any official EU language.

Israel - PPA launches new privacy risk assessment tool

The Privacy Protection Authority (PPA) has launched a new tool to help organisations quickly assess privacy risks. It also gives recommendations for mitigating those risks to ensure compliance with data protection law. In particular, the tool assists organisations with implementing the new obligations introduced by Amendment 13, which came into force in August this year.

Organisations using the tool are asked to answer a number of short questions and receive a summary of their situation together with instant recommendations. Submissions are anonymous and the submitted answers are not retained by the PPA. The PPA specifically recommends using the tool when setting up new databases, adopting new information technologies, and changing the way personal information is processed more generally.

Access the tool (in Hebrew)

Switzerland - FDPIC issues updated cookies guidance

The Swiss data protection authority (the FDPIC) has issued updated cookies guidelines that make a number of changes to the version issued in January 2025.

The changes focus primarily on consent. There is a new clarification on the use of cookie paywalls (consent-or-pay models): whether consent is voluntary in this situation depends on whether the financial contribution requested instead of consent (i) is proportionate and (ii) does not undermine the data subject's fundamental right to data protection. Separately, if the use of cookies amounts to high-risk profiling, express opt-in consent will be required. The new guidance clarifies that the placement of cookies can amount to high-risk profiling if they are used for personalised advertising.

Finally, although less relevant for the purposes of marketing and cookies, the FDPIC has added new considerations on the subject of location data, including the circumstances in which processing location data can amount to high-risk profiling.

EU - 2026 EDPB enforcement topic announced

The European Data Protection Board (EDPB) has announced that its coordinated enforcement topic for 2026 will cover compliance with transparency and information obligations. Member state Data Protection Authorities will now work on this topic at the national level over the coming weeks, before enforcement action is launched over the course of 2026.

In previous years, the EDPB's coordinated enforcement has led to large-scale regulatory action at the national level comprising: (1) regulatory fact-finding exercises, (2) regulatory assessments to identify if a formal investigation was warranted, and/or (3) commencement of formal enforcement investigations.

View the EDPB’s press release covering the 2026 enforcement topic

889 Sanctions. We're keeping count.

That's the total number of regulatory sanctions around the world that Rulefinder Data Privacy has tracked so far in 2025.

That amounts to over USD 2,983,860,000 in penalties, plus numerous other reprimands and corrective actions.