This Quarter in Privacy and AI: Top Updates for Q1 2025

Welcome to the Enlightened Privacy, PC “Quarter in Privacy and AI” recap! Here’s your recap for Q1, 2025.

What is the Quarter in Privacy Recap?

This is a quick summary of some of the key happenings in the world of data protection and privacy from the past quarter. While there’s always an abundance of news in privacy, we try to capture what we think may be of greatest interest or most relevant to those of you doing privacy day-to-day. Our intention with this recap is to provide thoughtful and helpful updates to keep you informed and maybe even a little entertained. Enjoy! And if you like the recap or have suggestions, please let us know! We’d love to hear your feedback.

As a reminder, our take-aways are Jackie’s thoughts on the updates and not intended to be legal advice.

Quarter in AI:

  • EU AI Act, here we go! In February, the first round of EU AI Act provisions went into effect, proving that time really does fly when you’re having fun. The newly effective provisions are those under Article 4 regarding AI literacy and Article 5 on prohibited AI. The next round of provisions goes into effect in August; these include provisions regarding general purpose AI. Lucky for us, the EU Commission has issued guidelines on prohibited AI practices and guidelines on the definition of an AI system, in case you’re looking for more context. ***Take-away: Start planning for and implementing an AI literacy program and confirm you’re not at risk of running afoul of any of the prohibited categories of AI. One to watch for: use of an AI system to infer emotions in the workplace.

  • In a buzzer-beater miss, the state of Virginia nearly adopted legislation on high-risk AI. The VA legislature passed the bill in February, but the governor vetoed it on March 24 (the last day to sign it). In the veto explanation, the governor called the framework that the bill would have established “burdensome” and “rigid” and stated that such a framework would inhibit the growth and innovation of the AI industry. We’ll see if the VA legislature rebounds this bill, as several other state legislatures have done recently with AI bills that bounced off the rim. Meanwhile, other U.S. states continue to introduce or push ahead with AI-related bills. Texas HB1709 that we mentioned last quarter is still making its way through the legislature and is joined by several other bills. ***Take-away: While the VA bill didn’t become law, others like it are fast behind it in other states. As we said last quarter, be prepared for more state AI legislation in 2025. If developing or deploying any AI system that could be considered “high-risk,” start planning for compliance now.

  • Welcome to the DeepSeek danger zone. In Q1, it seemed we couldn’t go anywhere without hearing about DeepSeek. We would therefore be remiss if we didn’t touch on it in our Q1 recap. A few highlights (or lowlights?): On January 30, in Europe, the Italian Garante banned DeepSeek (or rather, limited its processing of personal data of data subjects located in Italy), on the grounds that the DeepSeek parent companies’ statement to the Garante (that they don’t operate in Italy and the GDPR doesn’t apply) was “entirely unsatisfactory.” The Garante cited violations related to lawfulness of processing, transparency, and security of processing. Meanwhile, back in the states, in February the Texas Attorney General launched an investigation into DeepSeek and banned it from all AG Office devices. The Texas AG cited concerns related to DeepSeek’s processing in China and claims that the DeepSeek platform violated the Texas privacy law. Could we see Italian and Texan regulators team up for a DeepSeek enforcement showdown? (I’d be game to see that, though I’m not sure about a Texas and Italian food fusion. Maybe stick to enforcement of privacy laws.) Note that DPAs in other geos have also taken action against DeepSeek, with many launching their own investigations. Maybe DeepSeek is abiding by the “no press is bad press” motto? ***Take-away: Consider how you want to address the use of DeepSeek and similar China-based AI tools in your AI governance program, including restrictions on inputs if it is used. Consider conducting relevant risk assessments if you do plan to allow its use.

  • As in previous quarters, the outpouring of AI-related guidance continues! Here’s a shortlist of some issued in Q1 that might be of particular interest: OWASP guide on Agentic AI; New Jersey AG’s Office guidance on algorithmic discrimination; OECD reporting framework for AI incidents; OECD’s report on intellectual property issues in AI trained on scraped data. ***Take-away: Take a run through the latest guidance to keep your AI governance program current and evolving with the latest regulatory and technical best practices. Solid guidance makes for good data to train your AI governance “model”!

Quarter in Privacy:

  • OK, which state privacy laws went into effect this quarter, you ask? Five U.S. state privacy laws went into effect in Q1 of 2025! These include Delaware, Iowa, Nebraska, New Hampshire, and New Jersey. The state privacy law roster continues to grow as we move through 2025, so be ready for more. What to watch for? Delaware includes the right to request a list of categories of third parties, Iowa lacks some of the elements we see in most of the others, and Nebraska follows the Texas approach. New Jersey published FAQs regarding its privacy law in February. ***Take-away: If you haven’t already done so, conduct your applicability and gap assessments to determine what changes you may need to implement to comply with the newly effective laws. If you’ve been complying with California, Texas, Colorado and Virginia, you’re likely in good shape to comply with these newly effective laws, though there are some subtle nuances to pay attention to, especially for New Jersey. We also recommend doing an annual true-up to see if anything has changed since you completed applicability assessments for the state laws that went into effect over the previous few years. It’s possible you could be crossing the applicability threshold of one or several now, even if you didn’t before.

  • In the realm of children’s privacy, the state of Utah adopted the App Store Accountability Act in March. The Act requires app stores to verify age and obtain parental consent for a minor to download an app or make an in-app purchase. It also creates a private right of action for parents to sue app stores for non-compliance. Some privacy advocates are concerned about requiring collection of personal information to conduct the required age checks. At least eight other states have proposed similar legislation. At the federal level, COPPA 2.0 was reintroduced in the U.S. Congress in March. ***Take-away: In the U.S., children’s privacy legislation continues to pick up momentum and expand in scope (beyond age 13). If you’re processing personal information of minors now or plan to in the near future, take a pro-privacy stance early and plan to comply with strong requirements, particularly for parental consent. Consider restricting your collection of personal information from minors where possible.

  • You may have found yourself asking, whatever happened to the ePrivacy Regulation? Sad news for those of you who were rooting for it. In February, the European Commission withdrew the ePrivacy Regulation, according to its 2025 Work Programme, citing lack of consensus. The ePrivacy Regulation was designed to replace and update the ePrivacy Directive, similar to how the GDPR replaced the EU Directive. The ePrivacy Regulation has been in limbo for years, and now its fate appears to be sealed. (I’m feeling mildly sentimental given how long we’ve been waiting for it to move forward.) RIP ePrivacy Regulation. ***Take-away: Have a flashback “moment of silence” and reflect on your fond memories talking about and analyzing the ePrivacy Regulation!

  • Upheaval and uncertainty in the U.S. government, particularly created by recent rounds of firings, are raising concerns about the continued validity of the EU-U.S. Data Privacy Framework. You may be thinking, we literally just got this thing settled, and now it might be falling apart?! Indeed. It seems these data transfer mechanisms are very fragile things, subject to the winds (or hurricanes?) of political change, as evidenced over the past several years. The core of the volatility resides in Trump’s firing of three members of the Privacy and Civil Liberties Oversight Board (“PCLOB”), which means the board lost its quorum, rendering it essentially non-operational. The PCLOB is a fundamental component of the DPF and oversees the government’s compliance with the safeguards underlying the DPF and the Data Protection Review Court. ***Take-away: If you’re self-certified under the DPF and relying on it for any processing activities, now’s the time to start planning to pivot and get a back-up plan ready if you don’t have one in place already (updated or fresh transfer impact assessments, perhaps?). The turbulence is likely to continue if not increase in the coming months. Wise planning now can help to navigate the uncertainty of the present and the possible erosion of the DPF going forward. While this seems like partly an echo from the past, this time it could be more serious and lead to a more prolonged period without a framework.

Quarter in Enforcement:

  • It’s been a California enforcement party in Q1. In March, the California Privacy Protection Agency (“CPPA”) announced a settlement with American Honda Motor Co. for violations of the CCPA. Honda is required to pay a $632,500 administrative fine and change its business practices. Key violations cited by the CPPA include (a) requiring Californians to provide excessive personal information to exercise their data rights, particularly the rights to opt out of sale/sharing and to limit use of sensitive personal information, (b) failure to provide symmetry of choice in advertising cookie management, and (c) sharing personal information with ad tech companies without contracts containing terms to protect privacy. CPPA is particular in its standards; you’ve been warned via this decision! ***Take-away: Review the data elements you request to verify identity and determine whether you may be requesting excessive personal information for this purpose. We’ve seen the CPPA focus on this in other cases as well, and they’re likely to continue to enforce on this point. Review your cookie banner and cookie management tools and ensure that you provide a “reject all” button if you’re providing an “accept all” button. Also, review your contracts with third parties and be sure you have contracts in place and that those contracts include privacy protective provisions in line with the CCPA’s requirements. If you’ve told yourself that regulators would never pay attention to your contracts, think again!

  • The Delete Act also made an appearance at the CA enforcement party in Q1 (maybe we should coin another new CA privacy-related acronym: “CAEP”?!). The CPPA has been actively engaged in an investigative sweep of data broker registration compliance under the requirements of the Delete Act since Q4 of last year. In February, the CPPA brought an enforcement action seeking a $46,000 fine against Jerico Pictures, Inc., d/b/a National Public Data, for failure to register. Also in February, the CPPA reached a settlement with Background Alert, Inc. for failure to register. As part of the settlement, Background Alert is shutting down operations for three years and is subject to a fine of $50,000 if it fails to comply. ***Take-away: If you are or could possibly be a data broker under the Delete Act, be sure you’ve registered and paid the annual fee. You could be subject to fines and possibly be compelled to shut down operations for failure to do so. The CPPA is shutting down non-compliance, quite literally!

  • Last but not least, another guest at the CA enforcement party was the CA Attorney General who announced an investigative sweep of the geolocation data industry. The sweep focuses on how companies in this industry honor consumers’ right to opt out of the sale and sharing of personal information and limit the use of their sensitive personal information. The CA AG’s announcement cited particular concern related to immigrant communities and reproductive and gender-affirming care. ***Take-away: If you are operating in the geolocation data space, review your compliance practices related to honoring consumer data rights and ensure you’ve documented your mechanisms for compliance. Take into consideration other AG and CPPA enforcement activities and advisories when evaluating your own compliance measures.

  • What about Texas, y’all? Given its recent enforcement track record, we know Texas has been up to something in Q1. The Texas AG sued TikTok for deceptively marketing its app as safe for minors despite showing them inappropriate material. ***Take-away: This points back to the increasing emphasis and enforcement activity regarding children’s data and the focus on social media apps’ processing of children’s information. If you have children users, pay attention to how you market your services as well as how you handle children’s data and the content made available to them.

  • But what about Max Schrems, you ask? Where is Max Schrems for Q1? Not to fear, we have your Schrems/NOYB update here! In January, NOYB filed complaints against TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi across five different DPAs for violating the GDPR by making unlawful transfers of personal data to China. NOYB stated in its press release that because China is an “authoritarian surveillance state,” EU user data cannot be protected from government access. The complaints requested the DPAs to immediately suspend data transfers to China and to fine the companies, as well as require the companies to come into compliance with the GDPR. In March, NOYB filed another complaint against OpenAI, this time in Norway, for violation of the GDPR’s accuracy principle. The complaint was related to a ChatGPT output that falsely said a user was a convicted murderer of his children. Creepy plot twist: the false story spun by ChatGPT did include some true and accurate information about the user, including his home town. ***Take-away: Maybe don’t ask ChatGPT to provide information about you. Or if you do, have NOYB on standby. OK, in all seriousness, this underscores the recurring theme that just because you may be outside of a jurisdiction or creating popular and innovative apps, you’re not outside the scope of privacy laws in those jurisdictions.

Want to know more? Need help figuring out how these developments impact you? We’re here to help! Just reach out to Jackie or info@enlightenedprivacy.com.

Looking for a refresher of last quarter’s highlights? Click HERE for Quarter 4, 2024 highlights.
