Enforcement tightened and new rules took effect across key markets in December. From California and the EU to India and Australia, these are the privacy developments worth watching.

01

CNIL fines American Express €1.5M for cookie consent violations

France’s data protection authority fined American Express €1.5 million after finding that its website failed to comply with cookie consent requirements, reinforcing regulators’ focus on tracking transparency. Read more

02

States reach landmark $5.1M settlement over student data breach

Attorneys general from Connecticut, California, and New York announced a $5.1 million settlement with Illuminate Education following failures to safeguard student data after a 2022 breach, signaling increased scrutiny of ed-tech providers. Read more

03

India’s Digital Personal Data Protection Act comes into force

India’s Digital Personal Data Protection Act is now operational following the release of implementing rules. The law introduces new obligations around consent, data processing, and enforcement for organizations operating in India. Read more

04

Australia begins enforcing world-first social media ban for teens

Australia has begun enforcing a ban on social media for children under 16, prompting debate over age-verification methods, increased data collection, and how platforms will enforce the rules in practice. Read more

05

CalPrivacy launches data broker enforcement strike force

CalPrivacy has created a dedicated enforcement strike force to investigate privacy violations across the data broker industry. The agency will focus on compliance with the Delete Act’s registration requirements and broader CCPA obligations. Read more

06

California AG secures $1.4M CCPA settlement with mobile gaming company

California Attorney General Rob Bonta reached a $1.4 million settlement with Jam City over CCPA violations, including failure to provide opt-out options and improper handling of minors’ data. The company must now implement in-app privacy controls. Read more

07

EU justice chief draws limits on further privacy law reforms

EU Justice Commissioner Michael McGrath warned that additional changes to EU data protection laws could undermine core privacy standards. His remarks follow criticism that the Digital Omnibus proposal already favors business interests. Read more

08

EU fines X €120M in first Digital Services Act enforcement action

The European Commission fined X €120 million for breaching transparency obligations under the Digital Services Act, marking the first non-compliance decision under the new law and underscoring the EU’s enforcement stance. Read more

09

Study finds users want a third option beyond “pay or okay”

A study commissioned by noyb found that most users prefer free access with non-targeted ads over being tracked or paying subscription fees, challenging the legality and fairness of “pay or okay” consent models. Read more

10

EU probes Google’s use of content for AI training

The European Commission has opened an investigation into whether Google is abusing its market dominance by using publishers’ content and YouTube videos to train AI models without fair compensation or meaningful opt-out options. Read more