Privacy Roundup: Top 10 Stories of May 2025

With Google fined, Meta cleared by a German court, and Europe rethinking GDPR rules, privacy is back in the spotlight. Here are the top stories you need to know.

Starting May 5, 2025, Microsoft Advertising will require all websites using its tracking tools, such as the Universal Event Tracking (UET) tag, to send a consent signal for users in the EU, UK, and Switzerland. This mandate applies even if a website doesn’t specifically target those regions, aligning Microsoft with broader privacy standards in the industry. Read more

The Belgian Court of Appeal has upheld a decision that the Transparency and Consent Framework (TCF), widely used in online advertising, fails to comply with the General Data Protection Regulation (GDPR) due to insufficient transparency and consent mechanisms. Read more

The European Commission has introduced the ‘Omnibus’ reform package aimed at simplifying the General Data Protection Regulation (GDPR) to reduce unnecessary bureaucracy for businesses, particularly small and medium-sized enterprises, while maintaining data protection standards. Read more

A German court has dismissed an injunction seeking to prevent Meta from using publicly available Facebook and Instagram posts to train its AI models. The court found the data use aligns with Meta’s “legitimate interest” under GDPR and noted that users can opt out. Read more

Legislators in Massachusetts and New York have introduced bills aimed at establishing comprehensive consumer privacy protections. The proposed laws would grant residents rights over their personal data and impose obligations on businesses regarding data handling and transparency. Read more

Google has agreed to pay $1.375 billion to settle allegations by the Texas Attorney General that it unlawfully collected and used Texans’ personal data, including geolocation and biometric information, without proper consent. This marks the largest state-level settlement for data privacy violations in the US. Read more

Privacy group NOYB, led by Max Schrems, has filed 11 complaints across EU countries and sent a cease-and-desist letter to Meta, opposing its plan to use European users’ personal data for AI training. NOYB argues that Meta’s reliance on ‘legitimate interest’ under GDPR is unfounded and calls for an opt-in consent model. Read more

A coalition of 89 experts, including organizations like Mozilla, Proton, and the Electronic Frontier Foundation, has urged the European Commission to rethink its ProtectEU strategy. They warn that proposed changes could weaken end-to-end encryption and jeopardize EU residents’ privacy and security. Read more

California Assembly Bill 1355, also known as the California Location Privacy Act, would mandate businesses to obtain clear, opt-in consent before collecting or sharing users’ precise location data, aiming to enhance digital privacy protections for consumers. It is currently under review in the state legislature. Read more

The UK’s Information Commissioner’s Office (ICO) has published case studies demonstrating the practical application of privacy-enhancing technologies (PETs), such as differential privacy and synthetic data, to help organisations protect personal data while enabling data sharing and analysis. Read more