From Microsoft’s new consent rule to the UK’s first GDPR fine for a processor and Meta’s return to AI training in Europe, April delivered major privacy shifts. Here are the top stories to know.
Microsoft to require EU consent signal for ad tracking
Starting May 5, 2025, Microsoft Advertising will require websites that use its tracking tools, such as the Universal Event Tracking (UET) tag, to send a consent signal for visitors from the EU, UK, and Switzerland. This applies regardless of whether the site directly targets users in these regions. The move brings Microsoft in step with privacy expectations increasingly seen across the tech industry.
UK hands out first GDPR fine to data processor
The UK’s data regulator, the Information Commissioner’s Office (ICO), has fined a software provider, Advanced Computer Software Group Ltd, £3 million for poor security practices that contributed to a ransomware attack. This marks the first time a data processor has been fined under the UK GDPR, highlighting that vendors can also be held directly accountable for safeguarding user data.
Study finds businesses are still ignoring universal opt-outs
A new study by Consumer Reports and Wesleyan University found that many companies are not honouring global opt-out requests like the Global Privacy Control (GPC). These mechanisms are meant to let users opt out of data collection at scale, but researchers found widespread non-compliance, despite growing state-level enforcement.
Virginia passes law to protect health-related data
Virginia has expanded its consumer privacy law with new protections for reproductive and sexual health data. Signed into law on March 24, 2025, the amendment bars the collection, sharing, or sale of such sensitive information without user consent, signalling a growing legislative focus on digital health privacy.
EU moves forward with social media laws despite US pressure
The European Commission is moving ahead with the enforcement of the Digital Services Act (DSA) and Digital Markets Act (DMA), both of which introduce sweeping obligations for tech platforms. Despite criticism from US officials and tech executives, EU leaders say the regulations are necessary to curb disinformation and monopolistic behaviour.
Meta to restart AI training with European public content
After halting its AI rollout last year amid regulatory pressure, Meta is now resuming training using public posts from European users. The company says the European Data Protection Board has “affirmed” the legality of its revised approach, which includes a new opt-out mechanism for users.
California updates proposed rules on AI and cybersecurity
Ahead of its April board meeting, the California Privacy Protection Agency (CPPA) published draft updates to the CCPA regulations. The changes cover new requirements for cybersecurity audits, risk assessments, and the use of automated decision-making tools, offering a clearer roadmap for businesses grappling with AI governance.
Irish watchdog investigates X over AI training practices
Ireland’s data protection authority has opened an inquiry into X’s (formerly Twitter’s) use of publicly available posts to train its large language models. The investigation focuses on whether this data processing complies with EU data protection law, particularly around consent and transparency.
Court rules Google has monopoly over online ads
A federal judge in Virginia has ruled that Google unlawfully maintains monopoly control over online advertising technologies. This follows earlier rulings targeting its dominance in search and app distribution, collectively raising the stakes for antitrust action against the tech giant.
FTC finalises tougher COPPA rules for child privacy
The U.S. Federal Trade Commission has published new amendments to the Children’s Online Privacy Protection Act (COPPA), adding stricter obligations for sites and services that collect data from kids under 13. The changes go into effect on June 23, 2025, and aim to curb behavioural profiling and third-party tracking.