Mine’s Regulation Station: 2025 Privacy Laws and What Comes Next


As the year comes to a close, it’s a good moment to pause and take stock. Over the past twelve months, data privacy regulation has not stood still. This year-end edition of Regulation Station looks back at the final privacy moves of 2025, not as isolated updates but as part of a larger pattern, one that clearly points to what’s coming next and what teams should prepare for as we head into 2026.
India’s Digital Personal Data Protection Rules
Effective: November 14, 2025
India’s long-awaited privacy framework took a significant step forward in November when the detailed rules operationalizing the Digital Personal Data Protection Act took effect. These rules fill in the gaps left by the broad law, spelling out requirements for consent collection, breach notifications, and how organizations must handle personal data.
The rules are somewhat strict: the main principles demand minimization of processing and data collection, and data security breaches at any level must be reported. Key deadlines for the rules’ implementation are phased, so companies have time to align some of their systems, but regulators can already enforce many of the fundamental standards.
European Union Proposals on AI and Data Privacy
Status: In progress
We’ve all been witnessing the EU’s evolution in data privacy over recent years, and it is fascinating to see the clash between strict rules and the need to innovate and progress. As the world is focusing on AI, some data rules are being reopened for discussion. The European Commission recently suggested adjustments to current EU digital and privacy rules to ease burdens for certain AI-linked data practices.
These proposals have not yet become law but signal where EU legislators might head next year. If adopted, we could see streamlined consent mechanisms and changes to how data used in AI services is treated under privacy law.
Three New California Privacy Bills Advance
Status: In progress
Three new proposals advanced in their legislative journey in November. They aim to change enforcement, encourage whistleblowers to report violations and approach the CPPA, and make request submission simpler, while also broadening consumers’ deletion rights in new ways that address third parties.
Global Privacy Enforcement Network Annual Sweep (Focus: Children’s Data)
This initiative comes from dozens of national data protection authorities from around the world, who together form the Global Privacy Enforcement Network. The Network recently presented its 2025 privacy sweep, which focuses on how digital services handle children’s personal information. A similar sweep was conducted 10 years ago, and it’s fascinating to compare the two. A comprehensive report detailing the annual sweep should be published in 2026.
Apple’s Updated App Review Guidelines
Effective: November 13, 2025
Regulators have great power over organizations, but so do tech giants. Apple recently made a notable change to its App Store guidelines, requiring app developers to explicitly disclose and obtain user consent before sharing personal data with third-party AI systems. Apps that do not comply risk removal from the App Store.
Sierra Leone: Data Protection and Right to Access Information Bill 2025
Sierra Leone concluded its long-awaited privacy framework with a formal national validation of its Data Protection and Right to Access Information Bill. The bill combines data protection and information access rights to form the country’s core privacy principles. It signals strong momentum toward establishing a comprehensive data protection regime aligned with international standards, marking a significant development for data governance in West Africa and setting the stage for broader regional alignment.
United States: Presidential Executive Order on State AI Regulation
Issued: December 11, 2025
In December, President Trump issued an executive order aimed at limiting US states' ability to impose their own AI regulations. The order argues that a fragmented regulatory landscape could hinder innovation and economic competitiveness, signaling a preference for centralized or federal-level oversight of AI systems. While not a data privacy law per se, the move has clear privacy implications, particularly for AI systems that rely on large-scale processing of personal data.
Lessons for 2026
In 2026, we can expect to see more data privacy regulation (some of which is already in progress), as well as continuous focus on the following topics:
1. Privacy laws keep evolving, even after initial rollout
New laws in India, Sierra Leone, and the US show that no corner of the globe is left unattended when it comes to data privacy. Even laws that have long been finalized may be revised over time as reality shifts. The EU is already considering revisions that may ease demands in some areas, reminding us never to assume a law is “done” once it’s passed.
2. Commercial policy changes matter too
Apple’s updated App Review Guidelines now explicitly govern how personal data can be shared with AI. These kinds of platform rules shape real-world behavior and can impact compliance in the same way laws do. With corporations moving at a different speed than governments, businesses might have to deal with an even faster pace of regulation.
3. Tension between innovation and protection persists
Across jurisdictions, regulators push for stronger privacy protections while industries build new data-powered experiences. Recent statements from the EU and the US show that AI is shifting things, prompting regulators to rethink their positions to ensure their regions aren’t left behind in the AI race.