In 2025, several new data protection laws are set to come into force globally, introducing significant compliance requirements for organisations across a spectrum of sectors and markets. Proactive Data Protection Officers (DPOs) and privacy managers can navigate these changes effectively by taking a risk-based approach and having a broad view of how the changes interplay across the jurisdictions they cover. The following are top-line highlights of regulations to watch out for in 2025.
The European Union’s Strengthened AI and Data Frameworks
The Digital Services Act (DSA) expansion will continue to have phased rollouts throughout 2025. The DSA imposes greater accountability obligations on platform operators processing user data, including reporting and rights to appeal content moderation decisions.
Canada’s Consumer Privacy Protection Act (CPPA) expected to come into force
The CPPA is expected to come into effect in 2025 and will replace the Personal Information Protection and Electronic Documents Act (PIPEDA). The CPPA establishes stronger individual rights, including the right to erasure, and introduces algorithmic transparency obligations for businesses.
China’s Enhanced Data Security Regulations
In January 2025, China introduced new regulations targeting illegal data handling, focusing on black and grey markets that unlawfully obtain, sell, or provide data. These measures aim to strengthen data security governance and prevent systemic risks, emphasising the need for organisations to monitor data security risks, particularly in key industries.
Australia’s Statutory Tort for Privacy Invasions
Effective June 2025, Australia has implemented a new statutory tort for serious invasions of privacy, holding businesses vicariously liable for privacy breaches committed by employees, even when reasonable preventive measures were in place. This development necessitates that organisations reassess their liability insurance and internal policies to mitigate potential legal risks.
United States’ Privacy Laws
Multiple states have enacted comprehensive privacy laws effective in 2025, each with specific requirements:
- Delaware Personal Data Privacy Act (DPDPA): Effective 1 January 2025, this law mandates transparency in data processing activities and grants consumers rights to access, correct, and delete personal data.
- Iowa Consumer Data Protection Act (ICDPA): Effective 1 January 2025, the ICDPA requires data controllers to conduct data protection assessments for processing activities involving sensitive data.
- Nebraska Data Privacy Act (NDPA): Commencing 1 January 2025, this Act imposes obligations on businesses to implement reasonable security measures and ensure clear privacy notices are in place.
- New Hampshire Data Privacy Act (NHDPA): Effective 1 January 2025, the NHDPA focuses on consumer rights, with restrictions on data collection and sharing without explicit consent.
- New Jersey Data Privacy Act (NJDPA): Effective 15 January 2025, this law emphasises consumer consent and mandates prompt breach notifications.
- Tennessee Information Protection Act (TIPA): Effective 1 July 2025, the TIPA requires organisations to conduct data protection assessments and uphold consumer rights regarding personal data.
- Maryland Online Data Privacy Act: Starting 1 October 2025, this Act restricts data collection to what is reasonably necessary for providing requested services and mandates transparency in data practices.
India’s Digital Personal Data Protection Act (DPDP Act) Draft Rules
Expected to be implemented in 2025, the rules are currently in the consultation phase. Key points include:
- Broad applicability to all digital personal data.
- Significant rights for individuals, such as access, correction, and data portability.
- Obligations for businesses to implement consent management, robust data security, and transparency measures.
Staying prepared for the upcoming changes in global privacy laws
To ensure compliance with these evolving regulations, DPOs can empower privacy teams to do the following:
- Conduct data protection assessments: Evaluate current data processing activities to identify areas requiring adjustments in line with new legal requirements, particularly concerning consumer rights and data security measures.
- Enhance transparency: Update privacy notices and policies to clearly communicate data collection, usage, and sharing practices, ensuring they meet the specific disclosure requirements of each applicable law.
- Review and update contracts: Ensure that agreements with third-party processors include clauses that address new compliance requirements, such as data protection assessments and breach notification protocols.
- Implement robust security measures: Adopt appropriate technical and organisational safeguards to protect personal data, including encryption, access controls, and regular security audits, to prevent unauthorised access and data breaches.
- Refresh or develop incident response plans: Establish or update procedures for promptly addressing data breaches, including notifying affected individuals and regulatory authorities within mandated timeframes.
Data protection laws continually evolve but, thankfully, develop in stages that allow privacy teams to digest incoming changes and plan ahead. HewardMills’ team of data protection and privacy experts can help your business navigate these changes as they continue to come into force.