From EU reform plans to new US enforcement signals, November reshaped the privacy landscape. Here are the top stories to know.

01

CalPrivacy: California’s privacy regulator gets a rebrand

The California Privacy Protection Agency (CPPA) has rebranded itself as CalPrivacy, marking a strategic shift toward clearer communication, consumer-focused guidance, and stronger visibility as a standalone privacy authority.

02

EU’s leaked “Digital Omnibus” hints at major privacy law overhaul

A leaked draft of the European Commission’s Digital Omnibus package proposes consolidating GDPR, the ePrivacy Directive, Data Act rules, and parts of the AI Act. Privacy advocates warn it could weaken critical protections around consent, tracking, and automated decision-making.

03

New CCPA rules may put responsibility on named executives

California is considering CCPA amendments that would make individual leaders, such as privacy, AI, and cybersecurity officers, personally accountable for compliance failures. If adopted, this would mark a major shift in U.S. privacy enforcement, extending liability beyond companies to the people who direct their data practices.

04

EU begins work on AI content transparency code

The European Commission has kicked off a 7-month process to draft a Code of Practice for labeling AI-generated content, laying the groundwork for upcoming AI Act requirements on synthetic media disclosure.

05

Spain fines Carrefour €2.5M for weak security in major data breach

Spain’s AEPD fined Carrefour Financial Services €2.5 million for inadequate security measures that led to exposure of ID numbers, financial information, and contact details. The agency cited failures in monitoring and breach preparedness.

06

$5.1M ed-tech settlement escalates student-data enforcement

Attorneys general from Connecticut, California, and New York reached a $5.1 million settlement with Illuminate Education over failures to protect student data. The case underscores growing scrutiny of companies processing minors’ data.

07

Latvia issues guidance to simplify cookie consent withdrawal

Latvia’s Data Protection Authority published new guidance urging websites to make cookie consent withdrawal easier, emphasizing that non-essential cookies require freely given consent and must include clear withdrawal interfaces.

08

Hungary enacts a national AI law with new enforcement powers

Hungary passed comprehensive AI legislation establishing a Market Surveillance Authority and AI Council, with fines up to €33M. The law aligns with the EU AI Act but adds domestic oversight and penalties, making Hungary one of the first EU states with its own national AI governance framework.

09

Global regulators launch sweep on children’s data protection

The Global Privacy Enforcement Network (GPEN), representing more than 30 national data authorities worldwide, has launched its annual children’s privacy sweep. Regulators from the FTC, CalPrivacy, the UK ICO, and EU DPAs will assess how apps and websites used by minors collect, share, and secure personal data.

10

EDPB issues key opinion on Brazil’s adequacy decision

The European Data Protection Board has endorsed the European Commission’s draft decision to grant data-transfer adequacy status to Brazil, finding the LGPD largely aligned with GDPR requirements, though with several gaps flagged around law-enforcement access and DPIAs.