From new state privacy laws and agency regulations to global AI obligations and high-profile enforcement actions, August brought plenty of developments in data protection. Here are the top 10 privacy stories.

01

UK’s online age-verification system sparks privacy concerns

The UK’s Online Safety Act now mandates age checks on adult or harmful websites via third-party IDs, selfies, or payment data. Critics warn inconsistent deletion rules and non-standard tools could undermine data protection. Read more 

02

Big Tech signs EU AI code of practice, except Meta

The EU’s AI Office released the latest list of signatories to its voluntary framework. Amazon, Anthropic, Google, IBM, Microsoft, and OpenAI signed the EU’s voluntary Code of Practice for general-purpose AI. Meta declined to sign. Read more 

03

CPPA greenlights regulations on automated decision-making

California’s privacy regulator approved new rules under the CCPA. The agency finalized regulations on automated decision-making technology, risk assessments, and cybersecurity audits, pending review. Read more 

04

Data brokers hide opt-out pages from Google

An investigation by The Markup and CalMatters/WIRED found over 30 data brokers implementing code to prevent their opt-out pages from appearing in search results, making it difficult for users to delete their data. Read more 

05

Australia’s privacy regulator sues Optus over 2022 breach

The Australian Information Commissioner (AIC) filed a lawsuit against Optus for failing to protect the personal data of around 9.5 million customers in a 2022 breach, potentially facing hefty penalties under the Privacy Act. Read more 

06

UK withdraws demand for Apple backdoor access

US Director of National Intelligence Tulsi Gabbard confirmed the UK dropped its demand for Apple to create a backdoor to encrypted iCloud data after diplomatic pressure. Read more

07

Montana expands genetic privacy law to include neural data

Montana updated its privacy statute to cover new categories of data. The state amended its Genetic Information Privacy Act to include “neurotechnology data.” The law takes effect on October 1, 2025. Read more 

08

EU AI Act GPAI obligations take effect August 2

From August 2, the EU AI Act’s obligations covering transparency, documentation, and security for general-purpose AI (GPAI) models became enforceable. The Commission also published implementation guidance. Read more 

09

FTC warns against weakening US privacy in face of global rules

The FTC sent a letter to major tech firms including Google, Meta, Amazon, Microsoft, and Apple, arguing that the EU’s Digital Services Act should not be applied in ways that threaten freedom of expression or the safety of US citizens. Read more 

10

EU defends DSA enforcement amid US criticism

The European Commission pushed back against US claims that enforcement of the Digital Services Act unfairly targets American firms, pointing to its enforcement actions across a range of global platforms. Read more