
Mine’s Regulation Station: Your Guide to Keeping Up With Privacy Regulations

Jul 1, 2025

Keeping track of data privacy regulations doesn’t just ensure we stay on top of recent and upcoming changes. It also enables us to fully understand the dynamic, fast-moving, and future-facing nature of regulation in this field. This understanding helps put things in the right perspective and form a healthy strategy that keeps organizations safe and relevant. That’s why we’re back with another quarterly Regulation Station report, giving you the roundup of key new privacy laws you should know about.

UK’s Data (Use and Access) Act 2025 (DUAA)
Effective: June 2025

The UK has finally passed its long-anticipated and debated new rules regulating data usage. The new law enables and requires the establishment of new data schemes, trusted digital verification tools, a national asset register, and more. It defines legitimate data processing options and consumer privacy rights in detail, amending and updating previous regulations in the UK. On the one hand, the DUAA significantly increases the fine for breaches, but on the other hand, it minimizes organizations’ responsibility in some instances, such as the use of soft opt-in for non-profits, “stopping the clock” when a DSAR requires further information from users, and more. 

China’s Compliance Audit Measures
Effective: May 2025

China has introduced mandatory personal data compliance audits for organizations handling personal information. The detailed measures were published by the Cyberspace Administration of China (CAC) in May, differentiating between “regular” organizations and those that process data on a larger scale. Businesses approaching users in China now need structured internal reviews to confirm they’re meeting legal standards, which cover how data is collected and used.

Vietnam Personal Data Protection Law (PDP Law)
Effective: January 2026

Vietnam’s new data law sets clearer rules on how personal information can be collected, used, and transferred. It features harsh consequences, such as fines that reach 10 times the amount gained from unlawful data processing, demonstrating local authorities’ strict approach. Organizations must obtain explicit consent from users or meet other strict compliance standards, with specific rules applicable to sensitive sectors such as healthcare, finance, and insurance. The law also addresses specific technologies, including AI, cloud computing, and blockchain. 

Australia’s Privacy Tort for Serious Invasions
Tort Effective: June 2025
An additional section to the Privacy and Other Legislation Amendment Act 2024 came into effect, introducing a statutory tort for serious invasions of privacy. This intriguing reform creates a new legal path for individuals to sue organizations for severe privacy breaches. Plaintiffs must demonstrate an intentional or reckless severe invasion of their privacy, where a reasonable expectation of privacy exists, with specific public interest exemptions for journalists, law enforcement, and other entities. 

Nebraska Age-Appropriate Design Code
Effective: January 2026
Nebraska has signed into law a privacy regulation focused on children’s online safety, requiring companies to practice data minimization and adopt privacy-first default settings. While the law only applies to businesses deriving more than 50% of their revenue from data-related activities, it is still significant and imposes restrictions on targeted ads, as well as potential penalties that can reach $50,000 per violation. 

Vermont Age-Appropriate Design Code Act (AADC)
Effective: January 2027
Another state that has recently adopted a privacy-by-design approach is Vermont, which has joined the trend of regulating online services for children’s safety. Companies must verify users’ age and handle minors’ data with special care and supervision. The law requires that data deletion requests be made particularly accessible and easy to submit, and gives users the option to file a lawsuit should the organization violate their rights.

FTC COPPA Rule Amendments
Effective Date: June 2025 (Compliance Deadline: April 2026)
We discussed this regulation in our previous update, and new amendments are already emerging. They emphasize transparency, require additional consent from parents when third-party data disclosure is involved, and implement stricter security standards. 

Arkansas Children and Teens’ Online Privacy Protection Act
Effective: July 2026
The wave of regulations protecting children’s privacy is far from over, and now Arkansas joins the parental-consent party by expanding children’s privacy laws to cover teenagers aged 13 to 16. The law requires any entity operating online to apply protective measures, such as data minimization and security mechanisms, not just to young children but also to teenagers. While one-time data collection may not be considered a violation under specific terms, this law requires companies to meet strict consent and transparency standards.

The UK’s Online Safety Standards
Effective: July 2025
This law has reached its predetermined deadline and now goes into effect, reminding us that the focus on protecting minors’ data privacy exists well beyond US states. The UK's new rules address online safety for children across social media networks, gaming apps, and other platforms, introducing new requirements for content moderation and age verification practices.

Connecticut Data Privacy Law Update (SB 1295)
Effective: July 2026
Connecticut has updated its privacy law to provide individuals with greater insight into how their personal data is used. Consumers now have the right to learn what conclusions businesses are drawing about them based on their data, including profiling practices with significant effects. 

Oregon Consumer Privacy Act Changes (HB 2008)
Effective: January 2026

We’re not done with child-focused privacy protection yet! With its most recent regulation updates, Oregon has tightened privacy protections for young people under 16, banning the sale of their personal data, as well as targeted advertising. The law also imposes new restrictions on selling precise geolocation information, defined as tracking someone’s location within about 1,750 feet. 

California Senate Bill 690 CIPA Amendment
Status: January 2026
This amendment to the California Invasion of Privacy Act (CIPA) addresses the issue of “privacy trolls” who abuse the law to file lawsuits. By adding a specific consideration for acts that are “Consistent with a commercial business purpose,” legislators hope to reduce lawsuits that some may consider opportunistic. The original law was created many years ago, and the latest updates are more aligned with current legitimate data collection and usage practices.

What We Can Learn from Recent Regulation

  • Privacy by design: The implementation of privacy-dedicated design codes across multiple states demonstrates that regulators consider privacy a product feature, expecting businesses to incorporate it into their product development, rather than treating it as an afterthought. 
  • Higher risk: From high fines to individual lawsuits, the price of failing to adhere to privacy regulation is becoming impossible to ignore - and that’s a good thing. Companies are well aware of the importance of closely following these regulations and preparing in advance by implementing an established data privacy strategy. 
  • Increasing sense of control: From managing their online profiles to protecting their kids’ data, people worldwide are gaining a new sense of control thanks to these regulations. Companies are also better equipped to address this complex issue, thanks to technological tools and professional guidance. The helplessness that once accompanied data privacy discussions is giving way to detailed guidelines and workflows. 

Organizations face a challenging task nowadays, as they must keep pace with rapidly evolving technology (GenAI, anyone?) and dynamic regulations. It’s essential to do both, as well as select the tools that help you meet these high standards effortlessly, and adopt a future-ready data privacy strategy in advance. We invite you to follow updates on our DPO Advisor section and schedule a demo to watch our challenge-solving platform in action.