Briefing on the 2025 Global AI and Data Privacy Landscape

Compliance Hub

Compliance Hub

10 min read
Briefing on the 2025 Global AI and Data Privacy Landscape
Photo by Vladislav Klapin / Unsplash

Executive Summary

The global regulatory landscape for Artificial Intelligence (AI) and data privacy is undergoing a period of rapid fragmentation and intense scrutiny in 2025. Divergent strategic approaches in the European Union, the United States, and the Asia-Pacific (APAC) region are creating a complex, multi-jurisdictional compliance web for businesses. AI governance has become a central theme, with the EU implementing comprehensive, binding legal frameworks like the AI Act, Data Act, and the contentious Digital Services Act (DSA). In contrast, the U.S. continues to rely on a piecemeal, state-led approach, marked by a sharp federal policy pivot toward deregulation, while the APAC region largely favors voluntary, multi-stakeholder guidelines, with China being a notable exception with its stringent, state-driven regulations.

Litigation is escalating, particularly in the U.S., where legacy privacy statutes such as the California Invasion of Privacy Act (CIPA) and the Video Privacy Protection Act (VPPA) are being tested against modern online tracking technologies. This has resulted in significant legal uncertainty and deepening circuit splits, where the legality of common tools like analytics pixels now hinges heavily on jurisdiction. Concurrently, regulators are demonstrating a new appetite for enforcement. The California Privacy Protection Agency (CPPA) has levied substantial fines against major companies for failures in handling consumer rights requests, particularly ignoring Global Privacy Control (GPC) signals and using deceptive "dark patterns." In Europe, the DSA is reportedly compelling social media platforms to alter their global content moderation policies, raising significant concerns in the U.S. about the foreign censorship of constitutionally protected political speech.

Finally, the proliferation of generative AI has introduced new and potent systemic risks. Sophisticated deepfakes are being used for market manipulation, electoral interference, and the amplification of conspiracy theories, threatening both financial integrity and public trust. This has triggered an "arms race" between malicious actors and the cybersecurity firms developing detection technologies. In response, novel governance tools like regulatory sandboxes are gaining traction as controlled environments for testing new AI systems and policies, though their implementation remains predominantly national, lacking crucial cross-border collaboration.

I. The Divergent Global AI Governance Landscape

In 2025, AI governance is defined by a fractured international approach. A harmonized, risk-based regime in the European Union stands in stark contrast to a reactive, state-driven framework in the United States and a consensus-oriented, but largely voluntary, environment in the Asia-Pacific. This divergence has triggered geopolitical friction and significant compliance hurdles for multinational businesses.

A. The European Union's Regulatory Approach

The EU has established itself as a global leader in comprehensive technology regulation, enacting a suite of binding legal frameworks that apply extraterritorially.

  • EU AI Act: Entering into force in August 2024, this is the world's first comprehensive, binding legal framework for AI. It classifies AI systems by risk level—unacceptable, high, limited, and minimal—and imposes extensive obligations on high-risk systems and general-purpose AI (GPAI) models. High-risk systems require pre-market conformity assessments and registration in a public EU database, while GPAI models face transparency, copyright, and cybersecurity mandates.
  • EU Data Act: Set to become enforceable on September 12, 2025, this unprecedented law mandates that data from connected products and services be made available to users and third parties upon request. It applies to any U.S. business with even a single EU-based customer. Data holders can only charge for their direct costs plus a reasonable margin not exceeding 20%.
  • Digital Services Act (DSA): Passed in 2022, the DSA is a sweeping digital censorship law requiring Very Large Online Platforms (VLOPs) to identify and mitigate "systemic risks," including "disinformation," "hate speech," and "misleading or deceptive content," even if the content is not illegal. Penalties for non-compliance are severe, reaching up to 6% of a company's global annual revenue.

B. The United States' Fragmented Framework

The U.S. lacks a comprehensive federal AI or privacy law, leading to a patchwork of state-level rules and regulatory uncertainty at the national level.

  • Federal Level: The U.S. approach remains sectoral. A 2023 Executive Order from the Biden administration establishing principles for "Safe, Secure, and Trustworthy AI" was rescinded in 2025 by a new Trump administration EO that prioritizes deregulation and "American leadership in AI." This policy pivot has created significant regulatory uncertainty. Federal agencies like the FTC, EEOC, and CFPB continue to regulate AI through enforcement actions under existing consumer protection and civil rights laws.
  • State Leadership: In the absence of federal action, states have moved decisively. Colorado enacted the first comprehensive U.S. framework for "high-risk" AI, the Colorado AI Act (SB 24-205), which imposes reasonable-care and impact-assessment duties on developers and deployers, effective in 2026. Other states have passed targeted AI laws, such as New York City's Local Law 144 requiring bias audits for automated employment tools and Tennessee's "ELVIS Act" criminalizing unauthorized AI voice mimicry.

C. Asia-Pacific's Evolving Stance

Governance frameworks for generative AI in the APAC region are largely in a formative stage, characterized by a preference for non-binding guidelines, with the notable exception of China. A study of five key jurisdictions (Australia, China, Japan, Singapore, South Korea) reveals a cautious, consultative approach.

  • General Approach: Most policymakers in Australia, Japan, and Singapore are not currently pursuing binding regulations. They favor multi-stakeholder consultations to develop internationally aligned, voluntary frameworks that promote responsible innovation while mitigating risks.
  • China's Exception: China has enacted specific, binding regulations for generative AI, including the "Interim Measures for the Management of Generative AI Services" (August 2023) and the "Basic Security Requirements for Generative AI Services" (February 2024). These rules impose clear obligations on service providers throughout the AI lifecycle, from data training to content generation.
  • Common Risks and Measures: Despite divergent legal forms, there is a consensus across the five jurisdictions on key risks posed by generative AI. These include the inappropriate use of personal data (especially from web scraping), the spread of misinformation and disinformation, and the amplification of bias and discrimination. Recommended mitigation measures commonly include conducting impact assessments, managing data quality, implementing robust security, and developing clear privacy policies.

II. The U.S. Privacy Law and Litigation Battlefield

With no federal privacy law, the U.S. legal landscape is shaped by an expanding patchwork of state laws and a surge in litigation testing the applicability of decades-old statutes to modern digital technologies.

A. Proliferation and Fragmentation of State Privacy Laws

By the end of 2025, twenty U.S. states are expected to have comprehensive privacy laws in effect, with eight new laws becoming active this year (Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee).

  • Varying Requirements: While these laws share core principles like transparency and opt-out rights, they differ significantly on key provisions:
    • Applicability Thresholds: Most states use volume-based criteria (e.g., processing data of 100,000+ residents), but thresholds vary. California, Tennessee, and Utah use revenue-based thresholds ($25M+). Some states, like Delaware and Maryland, have lower consumer thresholds (35,000). Florida's law is unique, targeting companies with over $1 billion in global revenue.
    • Scope: California's CPRA is distinct in that its definition of "consumer" includes employees, job applicants, and B2B contacts, whereas other states limit the scope to individuals in a personal or household context.
    • Sensitive Information: All state laws impose heightened restrictions on sensitive data. New laws have expanded the definition to include categories like transgender or non-binary status (Delaware, Maryland, New Jersey) and consumer health data related to gender-affirming care (Maryland).
  • Enforcement: Enforcement authority typically rests with State Attorneys General. California is unique with its dedicated California Privacy Protection Agency (CPPA). While most new laws lack a private right of action (California's being a limited exception for data breaches), Tennessee's law introduces a first-of-its-kind affirmative defense for businesses that conform to the NIST privacy framework.

B. Escalating Digital Privacy Litigation

Courts are grappling with how to apply analog-era privacy laws to digital tracking technologies, leading to conflicting rulings and a volatile legal environment.

  • California Invasion of Privacy Act (CIPA): A wave of litigation alleges that common website tools like tracking pixels, analytics software, and session replay scripts constitute illegal wiretapping or the use of "pen register" surveillance devices under CIPA.
    • Judicial Split: California courts are deeply divided. Some have allowed claims to proceed, finding that IP tracking and the collection of user data via scripts could plausibly fit the statutory definitions. Other courts have rejected these claims, ruling that CIPA was intended for telephone surveillance and does not extend to routine internet communications.
    • Ninth Circuit Rulings: The Ninth Circuit has issued three key decisions, affirming dismissal in two cases but reversing it in another (Mikulsky v. Bloomingdale’s), ensuring that litigation will continue from both plaintiffs and defendants.
    • Legislative Response: California's SB 690 aims to curb these lawsuits by exempting tracking technologies used for a "commercial business purpose." The bill has passed the Senate but was designated a two-year bill, delaying its enactment and potentially prompting a surge of new filings before it takes effect.
  • Video Privacy Protection Act (VPPA): A federal law from 1988, the VPPA is being used to sue websites that share video viewing data with third parties like Meta via tracking pixels.
    • Deepening Circuit Split: Federal appellate courts are divided on two key questions: who qualifies as a "consumer" or "subscriber," and what data constitutes "personally identifiable information" (PII).
    • Key Cases: The Second Circuit initially expanded VPPA liability (Salazar v. NBA) but then narrowed it significantly in Solomon v. Flipps Media, ruling that a Facebook ID plus a video URL does not constitute PII under an "ordinary person" standard. In contrast, the Seventh Circuit in Gardner v. Me-TV expanded liability, holding that users who created free accounts were "subscribers" because "data can be worth more than money." The Sixth Circuit (Salazar v. Paramount Global) narrowed the definition of "consumer," finding a newsletter subscription insufficient to establish the required relationship. This jurisdictional split creates significant uncertainty for any website hosting video content.

Regulators in both California and the European Union have moved into an active enforcement phase, issuing significant fines and signaling their priorities through high-profile actions.

A. California CPPA and AG Enforcement Actions

Recent enforcement actions in 2025 offer clear insights into California regulators' expectations.

  • American Honda Motor Co. ($632,500 Fine): The CPPA's first enforcement order targeted Honda for multiple violations, including requiring excessive verification for opt-out requests, using a "dark pattern" cookie banner that made opting out harder than accepting, failing to apply Global Privacy Control (GPC) signals to logged-in users, and lacking required contractual provisions with ad tech vendors.
  • Todd Snyder Inc. ($345,178 Fine): A menswear retailer was fined for technical failures, including a broken cookie banner that prevented users from opting out for 40 days, and for requiring photo ID for all privacy requests, a clear violation of data minimization principles.
  • Healthline Media LLC ($1.55 Million Settlement): The California Attorney General secured the largest CCPA settlement to date against the health website. Violations included failing to honor GPC opt-outs and sharing sensitive health-inferred data with ad partners beyond consumers' reasonable expectations, marking one of the first enforcements of the CCPA's "purpose limitation" principle.

B. EU Digital Services Act (DSA) Enforcement and Censorship Concerns

An interim staff report from the U.S. House Judiciary Committee, released July 25, 2025, alleges that the EU's DSA is being weaponized to compel global censorship that infringes on American free speech.

  • Global Impact on Content Moderation: The report argues that because major platforms use a single set of global terms and conditions, the DSA's requirement to mitigate "systemic risks" like "disinformation" forces them to apply EU censorship standards worldwide.
  • Targeted Content: Evidence cited from a private May 7, 2025, "DSA Multi-Stakeholder Workshop" hosted by the European Commission allegedly shows regulators classifying common political phrases like "we need to take back our country" as "illegal hate speech." The workshop materials also reportedly show a focus on moderating memes, satire, and AI-generated content.
  • Censorship Requests from Member States: The report provides examples of takedown demands from EU member states targeting constitutionally protected speech:
    • Poland: The National Research Institute (NASK) flagged a TikTok post stating "electric cars are neither an ecological nor an economical solution."
    • France: The French National Police directed X to remove a satirical post from a U.S. account criticizing French immigration policy after a terrorist attack.
    • Germany: Authorities classified a tweet calling for the deportation of a Syrian family reported to have committed 110 criminal offenses as "incitement to hatred" and an "attack on human dignity."

C. EU-U.S. Data Transfers Under Pressure

The EU-U.S. Data Privacy Framework (DPF), which allows for certified U.S. companies to receive EU personal data, is facing renewed instability. U.S. political developments, including changes to the Data Protection Review Court and dismissals of privacy officials, have raised questions about its long-term viability. Meanwhile, EU enforcement is active, demonstrated by the Dutch DPA's €290 million fine against Uber for unlawful data transfers to the U.S. after it discontinued the use of Standard Contractual Clauses (SCCs).

IV. New Frontiers and Systemic Risks

The rapid advancement of AI and the proliferation of data-driven technologies are creating novel challenges for market integrity, consumer safety, and regulatory design.

A. The Deepfake Dilemma and Market Integrity

AI-fabricated content poses a significant and growing threat to public trust and financial markets.

  • Case Study: The "Medbeds" Deepfake: A convincing deepfake video of former President Donald Trump announcing a "medbeds" healthcare initiative was posted on his Truth Social account in September 2025. Though it contained tell-tale signs of fabrication (robotic voice, incorrect chyron font) and was deleted after 12 hours, it was widely reshared and amplified a long-debunked conspiracy theory, demonstrating the power of synthetic media to mislead the public.
  • Financial Market Impact: The threat is not theoretical. In May 2023, AI-manipulated images falsely depicting an explosion near the Pentagon caused the Dow Jones Industrial Average to drop 85 points in minutes. AI-driven misinformation has also been linked to brief crypto price spikes and contributed to the bank run that led to Silicon Valley Bank's collapse.
  • Market Dynamics: The rise of deepfakes creates a new dynamic of "winners and losers."
    • Losers: Social media platforms (Meta, Alphabet) and financial institutions (BlackRock) face immense pressure and risk from content moderation failures, reputational damage, and sophisticated fraud.
    • Winners: A new sector of AI detection and cybersecurity companies is emerging to meet the surging demand for verification tools. Key players include Microsoft, Google, Intel, and Veritone, alongside specialized private firms like Blackbird.AI and TruthScan.

B. Governance and Safeguards for Emerging Technologies

New regulations and governance models are being developed to address the risks posed by AI, health tech, and other data-intensive systems.

  • Health and Children's Data: Regulators are expanding oversight beyond traditional frameworks.
    • The FTC's Health Breach Notification Rule (HBNR), effective July 2024, now applies to non-HIPAA covered health and fitness apps.
    • States like Washington (My Health My Data Act) are enacting stringent laws that cover inferred health data from wearables and require opt-in consent.
    • States including Vermont and Nebraska have adopted Age Appropriate Design Code (AADC) legislation, which imposes stricter protections for children's data than the federal Children's Online Privacy Protection Act (COPPA).
  • California's Final ADMT Regulations: The CPPA has finalized rules for Automated Decision-Making Technology (ADMT). The final rules are narrower than initial drafts, applying only when technology "replaces or substantially replaces human decision making" in "significant decisions" (e.g., employment, housing, finance). Consumers gain rights to opt-out or appeal in these specific cases.
  • Regulatory Sandboxes for AI: Sandboxes are gaining traction as a tool for agile governance. A January 2025 study found 66 data and AI-related sandboxes worldwide, with 31 being AI-specific.
    • Purpose: They provide a controlled environment for companies and regulators to test AI technologies against existing legal frameworks, helping to clarify gray areas and foster responsible innovation.
    • Examples: Successful sandboxes have been implemented in Norway (data protection), France (AI in public services), and Singapore (Generative AI Evaluation Sandbox).
    • Challenges: The primary limitations are a lack of cross-border and cross-sectoral collaboration and insufficient inclusion of civil society organizations.

Read more

Policy Briefing: Generative AI Governance and Data Privacy in the Asia-Pacific Region

Policy Briefing: Generative AI Governance and Data Privacy in the Asia-Pacific Region

1.0 Introduction: The APAC Generative AI Governance Inflection Point As generative artificial intelligence (AI) systems become increasingly integrated into the global economy, understanding the evolving regulatory landscape in the Asia-Pacific (APAC) region is of paramount strategic importance. Policymakers across APAC are actively developing distinct governance frameworks to manage these

By Compliance Hub
The AI-Military Complex: How Silicon Valley's Leading AI Companies Are Reshaping Defense Through Billion-Dollar Contracts

The AI-Military Complex: How Silicon Valley's Leading AI Companies Are Reshaping Defense Through Billion-Dollar Contracts

WARNING: The AI systems being deployed for military use have documented histories of going rogue, resisting shutdown, refusing commands, and being exploited for violence. Cybercriminals have already weaponized Claude for automated attacks. These same systems are now making battlefield decisions. Executive Summary In a dramatic reversal of Silicon Valley'

By Compliance Hub
Generate Policy Global Compliance Map Policy Quest Secure Checklists Cyber Templates