Privacy Roundup: Top 10 Stories of March 2025

March saw major developments in global privacy enforcement, from a coordinated crackdown on the right to erasure across Europe to investigations into TikTok and Reddit over children’s data practices. Here’s a roundup of the key privacy updates you need to know this month.

32 Data Protection Authorities (DPAs) across Europe have launched a coordinated initiative to enforce the right to erasure under GDPR. This right, frequently exercised by individuals, remains a key area of concern for regulators, who often receive complaints about improper data deletion practices. Read more

On February 3, 2025, the Swiss privacy authority introduced new cookie consent guidelines. The rules permit functional cookies with an opt-out option but require explicit consent for non-functional cookies used for advertising. The guidelines also prohibit dark patterns—misleading tactics that trick users into consenting to data collection. Non-compliance could result in penalties or legal action. Read more

The European Union has issued its first Digital Markets Act (DMA) interoperability instructions to Apple, requiring the tech giant to allow third-party apps and connected devices to function more seamlessly with its ecosystem. This directive aims to reduce anti-competitive barriers and provide users with greater choice and control over their digital experiences. Read more

Meta has settled a lawsuit in the UK concerning its ad tracking practices. The lawsuit, which focused on individuals’ right to object to data tracking under GDPR, resulted in Meta agreeing not to track the plaintiff. While the settlement applies only to this case, it could set a precedent for future challenges to Meta’s ad tracking policies. Read more

The UK Information Commissioner’s Office (ICO) has initiated investigations into TikTok, Reddit, and Imgur to assess how they handle children’s personal data. TikTok’s probe focuses on how the personal information of users aged 13-17 is used to fuel content recommendation algorithms. Meanwhile, the investigations into Reddit and Imgur will examine their broader use of children’s data and the effectiveness of their age-verification tools. Read more

Honda has agreed to pay $632,500 to settle violations of the California Consumer Privacy Act (CCPA). The California Privacy Protection Agency (CPPA) found that Honda interfered with consumers’ ability to exercise their rights and shared personal data with ad tech companies without proper contractual safeguards. Read more

A heated privacy dispute between Apple and the UK government continues to unfold. Under the Investigatory Powers Act, the UK demanded that Apple create a backdoor to access encrypted user data. Instead of complying, Apple removed its data protection tool from the UK market, raising concerns about how such mandates could impact global privacy protections. Read more

The California Privacy Protection Agency (CPPA) Board has released draft regulations that could make California one of the most significant states to regulate AI. The proposed rules focus on automated decision-making technology, aiming to provide oversight on AI-driven processes. If adopted, these regulations could reshape AI governance in the US. Read more

The Court of Justice of the EU (CJEU) has ruled that under Article 16 of the GDPR, individuals have the right to correct their recorded gender identity if it is inaccurate. While national authorities may require proof of inaccuracy, they cannot demand evidence of gender reassignment surgery to process such requests. Read more

The Court of Justice of the European Union has fined Germany, Luxembourg, the Czech Republic, Estonia, and Hungary for failing to implement the Whistleblower Directive. This directive mandates companies with 50+ employees to establish whistleblower protection mechanisms, ensuring compliance across the EU. Read more