India - Direct marketing regulations amended
On 12 February 2025, the Telecom Regulatory Authority of India (TRAI) announced significant amendments to the Telecom Commercial Communications Customer Preference Regulations 2018 (the TCCCPR). The TCCCPR is the principal set of rules governing the sending of direct electronic marketing in India. The amended regulations will largely take effect 30 days after their publication in the Official Gazette (with certain limited provisions taking effect after 60 days).
Organisations will now need to take specific actions when sending direct marketing messages, including providing opt-outs, marking messages with standard identifiers (to make it clear if a message is transactional, promotional, or service related), not requesting consent again within 90 days of an opt-out, and not relying on implicit consent in relation to transactional/service messages beyond the duration of the relevant service.
Read the new regulations and the press release
Poland - new guidance on reporting data breaches
Following a public consultation which concluded in July 2024, on 20 February 2025 the Polish supervisory authority (the UODO) published an updated guide on reporting personal data breaches. The updated version takes into account the latest interpretation of regulations, case law, and practical guidelines that will help organisations make the right decision in the event of a personal data breach. The guide includes, among other things: (i) updated procedures for responding to breaches (reporting to the President of the UODO); (ii) practical examples and case studies; (iii) guidelines on cooperating with the UODO and other supervisory authorities; and (iv) key recommendations on risk assessment and prevention of breaches.
EDPB adopts new guidelines on pseudonymisation
At its most recent plenary, the European Data Protection Board adopted a new set of Guidelines on pseudonymisation, open for public comment until 28 February 2025. In particular, the guidelines: (i) clarify that pseudonymised data is still personal data; (ii) clarify that pseudonymisation can reduce risks, making it easier to use legitimate interests as a legal basis for processing and to ensure that processing for secondary purposes is compatible with the original purpose; (iii) explain how pseudonymisation can help organisations comply with key data protection principles; and (iv) analyse technical measures and safeguards when using pseudonymisation, to ensure confidentiality and prevent unauthorised identification of individuals.
Switzerland - new guidelines on reporting security breaches
On 6 February 2025, the Swiss data protection authority, the Federal Data Protection and Information Commissioner (FDPIC), published new guidelines on reporting data breaches. Particularly helpful are the details and clarifications provided on what qualifies as a "high risk" breach (and therefore triggers the requirement to notify the FDPIC). Organisations that have suffered a breach should consider both (i) the severity of the potential consequences; and (ii) the likelihood of those consequences arising, and the guidelines go into detail as to what should be considered under each of those headings. The guidelines also deal with notification to individuals, which the FDPIC suggests should be done if the affected individuals "can or must take action themselves to minimise or avert harm from a data security breach".
UK - ICO publishes guidance on employment records
The ICO has published its final guidance on data protection considerations in the context of keeping employment records. The guidance is split into three sections: (i) collecting and keeping employment records (covering core issues such as lawful basis, transparency, retention, and security); (ii) using employment records (covering more specific questions, for example about internal sharing within the organisation and handling of employment data in the context of mergers); and (iii) checklists to assist with compliance (including in relation to outsourced functions, equality monitoring, pensions, and insurance).
France - CNIL publishes guidance on database security
The French data protection regulator (CNIL) has issued guidance with suggested measures to protect large databases containing personal data. The CNIL published the guidance after drawing lessons from its investigations into a number of significant data breaches in 2024. It found that a database security compromise is often the result of a succession of common security failings which allow the attacker to progress from one stage to the next. The guidance runs through these specific stages and suggests mitigating measures that are particularly helpful in the context of protecting large databases. The stages are as follows: (i) attacker obtains login information; (ii) attacker obtains access; (iii) attacker is able to access large amounts of data (e.g. because of poor access management practices); (iv) large amounts of data are extracted (due to inadequate detection); and (v) data is put up for sale, as the organisation is unaware of the extraction.
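Stage (iv) turns on detection: an account that normally reads a few dozen rows a day suddenly reading a million is the signal the organisation in stage (v) never saw. The following is an added example, not CNIL's code or anything from the original page, of the simplest useful form of that control: per-account daily row counts compared against each account's own historical median, with an absolute floor so that tiny baselines do not produce noise. The audit-log line format and the sample lines are constructed for illustration; real DBMS audit logs differ in layout, and the threshold values are assumptions to tune.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed audit-log format (assumption for illustration; real DBMS audit logs differ).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: three quiet days, then the application account reads the whole table at 02:00.
SAMPLE_LOG = """\
2025-02-10T09:01:00Z user=app_api table=customers rows=40
2025-02-10T14:20:00Z user=app_api table=customers rows=55
2025-02-10T10:05:00Z user=analyst1 table=customers rows=2000
2025-02-11T09:03:00Z user=app_api table=customers rows=48
2025-02-11T11:00:00Z user=analyst1 table=customers rows=1800
2025-02-12T09:00:00Z user=app_api table=customers rows=52
2025-02-12T15:30:00Z user=analyst1 table=customers rows=2200
2025-02-13T02:14:05Z user=app_api table=customers rows=500000
2025-02-13T02:20:11Z user=app_api table=customers rows=500000
2025-02-13T09:10:00Z user=analyst1 table=customers rows=1900
"""


def parse(log_text: str) -> list[tuple[str, str, str, int]]:
    """Parse (date, user, table, rows) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["date"], m["user"], m["table"], int(m["rows"])))
    return events


def rows_per_user_day(events) -> dict[tuple[str, str], int]:
    """Total rows read per (user, day), summing across all queries and tables."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for date, user, _table, rows in events:
        totals[(user, date)] += rows
    return totals


def per_user_baseline(events, day: str) -> dict[str, float]:
    """Median daily row count for each user over the days strictly before `day`."""
    history: dict[str, list[int]] = defaultdict(list)
    for (user, date), rows in rows_per_user_day(events).items():
        if date < day:  # ISO dates compare correctly as strings
            history[user].append(rows)
    return {user: median(v) for user, v in history.items()}


def flag_bulk_extraction(events, day: str, multiplier: int = 10, floor: int = 10_000):
    """Flag users whose reads on `day` exceed both an absolute floor and N x their own baseline.

    Accounts with no history get a baseline of 0, so only the floor protects them: a brand-new
    account pulling a large volume on its first day is exactly the case worth alerting on.
    """
    baseline = per_user_baseline(events, day)
    flagged = []
    for (user, date), rows in sorted(rows_per_user_day(events).items()):
        if date != day:
            continue
        base = baseline.get(user, 0)
        if rows > max(floor, multiplier * base):
            flagged.append((user, rows, base))
    return flagged


if __name__ == "__main__":
    for user, rows, base in flag_bulk_extraction(parse(SAMPLE_LOG), "2025-02-13"):
        print(f"ALERT {user}: {rows} rows read (baseline {base} rows/day)")
```

The analyst account is not flagged on the final day because 1,900 rows is in line with its own history; the application account is, because its reads jumped four orders of magnitude. In production the same comparison would run per table and per hour rather than per day, and would be paired with the stage (iii) control the guidance points at, namely not granting an application account the right to read an entire table in the first place.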
China - CAC publishes measures on audit management
On 12 February 2025, the Cyberspace Administration of China (CAC) published final Measures on Personal Information Protection Compliance Audit Management following a public consultation held in 2023. The measures aim to implement the compliance audit mechanism stipulated in the PIPL, which requires organisations to regularly, or under certain circumstances, conduct compliance audits on their personal data processing activities. The measures address the conditions, methods, and procedures for undertaking compliance audits. They include guidelines and timeframes for periodic self-audits, as well as setting out the conditions in which the CAC may order an external audit. The measures come into force on 1 May 2025.
United States - COPPA Rule updated
The Federal Trade Commission (FTC) has finalised amendments to the Children’s Online Privacy Protection Act Rule (the COPPA Rule), setting new obligations regarding the collection, use and sharing of children's personal data (the first time the COPPA Rule has been updated since 2013).
Under the amended COPPA Rule, websites and online service operators covered by COPPA must obtain separate verifiable parental consent to disclose children’s data to third parties (both for targeted advertising and other disclosures). In addition, personal data may only be retained for as long as is reasonably necessary (with indefinite retention being expressly prohibited by the new rule), and organisations must have a data retention policy. There will also be increased transparency of participants within the self-regulatory, FTC-approved COPPA Safe Harbor program (whose participants are effectively deemed to be in compliance with COPPA). The final version of the amended COPPA Rule is available here, and becomes effective 60 days after publication in the Federal Register (with full compliance due one year after that).
Nigeria - Regulator publishes Annual Report and Journal
The Nigerian Data Protection Commission (NDPC) has published its 2024 Annual Report which provides a detailed account of the NDPC’s activities and accomplishments over the past year, which include publishing guidelines, implementing a national certification program for DPOs, increasing cooperation and collaboration with various key organisations, awareness raising, and increased investigation and enforcement action.
The NDPC has also published the first edition of its International Journal of Data Privacy and Protection through which the NDPC aims to "embark on a critical journey to foster dialogue and scholarship on key issues within the evolving data protection ecosystem".
Oman - Grace period for new data protection law extended
In 2022, Oman introduced its first ever comprehensive data protection law (the PDPL), which is accompanied by Executive Regulations that provide more specific details and guidance on how personal data should be processed. The PDPL came into force on 13 February 2023, and the Executive Regulations on 5 February 2024. Initially, the Executive Regulations had a one-year grace period to give parties time to implement its rules. That grace period has now been extended to 5 February 2026, allowing everyone another year to consider the PDPL and Executive Regulations and ensure compliance.
Sanctions. We're keeping count.
47. That's the total number of regulatory sanctions around the world that Rulefinder Data Privacy has tracked so far in 2025.
That amounts to over US$21,780,000 in penalties, plus numerous other reprimands and corrective actions.
Want to find out more?
Rulefinder Data Privacy subscribers hear about these and other privacy law developments as soon as we cover them.
