Privacy Roundup: Top 10 Stories of September 2025

Regulators didn’t blink this month. The EU is full steam ahead with the AI Act, California passed three headline privacy and AI bills, and the Commission is eyeing cookie consent fatigue again. Here’s what matters.

Despite industry pressure, the European Commission says there’ll be no moratorium on the AI Act’s rollout. Yvo Volman, Director for Data, confirmed the focus is on making enforcement practical, not slower, meaning compliance deadlines and high-risk system obligations still stand. Read more

The Commission is exploring changes to the ePrivacy Directive to reduce repetitive cookie popups. Proposals include browser-level consent settings and more exemptions for low-risk cookies, a move that could reshape how CMPs manage recurring consent. Read more

The Opt Me Out Act (AB 566) passed, requiring browsers to build in support for the Global Privacy Control (GPC). This enforces a universal opt-out across sites, reducing reliance on individual consent banners, and effectively standardizing GPC as a baseline privacy signal. Read more

California’s SB 7 bans employers from relying solely on AI for decisions like hiring, firing, or discipline. If signed, it takes effect Jan 1, 2026, marking one of the first state-level constraints on algorithmic workplace management. Read more

The California Privacy Protection Agency fined Tractor Supply Co. a record $1.35 million for mishandling job applicant data, the first CPPA case involving employment information. It’s a clear warning that CCPA enforcement now extends beyond consumer data. Read more

Civil liberties groups allege that San Francisco Police shared license plate reader data with ICE and anti-abortion states, violating state law and endangering sensitive communities. The case underscores how automated surveillance often outpaces local data protections. Read more

Governor Newsom signed SB 53, requiring large AI developers to disclose safety protocols, enable whistleblower protections, and report model-related safety incidents. It’s the first U.S. state law to directly regulate frontier AI developers. Read more

Over 80 Spanish media groups are suing Meta, alleging systematic GDPR violations between 2018–2023 that gave it an unfair edge in digital ad sales. If successful, the case could open the door for collective publisher actions across the EU. Read more

The EU Data Act applies from September 12, imposing strict obligations on how companies share, access, and port IoT and cloud data. It also introduces mandatory data-sharing frameworks for businesses and governments, a major interoperability push across sectors. Read more

Under a US-China framework, TikTok’s US arm will form a new entity, with Oracle, Silver Lake, and Andreessen Horowitz controlling about 80%. The US government will have a designated board seat, signaling partial data sovereignty, but not full decoupling. Read more