Privacy laws and regulations have been in a state of rapid growth across the world for several years, and that trend is continuing in 2025. The focus is particularly on laws related to AI governance, data subject rights, cross-border transfers, cybersecurity, breach notification, and—in the case of the U.S.—an increase in state-level privacy laws. As more countries enter a state of maturity with their privacy laws, also expect to see an increase in enforcement actions.
With new laws coming into force, coupled with more mature data protection authorities, the stakes for compliance have never been higher—and arguably, compliance has never been more challenging. With a global patchwork of regulations, it can be tough to know which ones apply to an organization and even more difficult to know how to comply with multiple complex requirements.
Key Laws Taking Effect in 2025
United States
In the U.S. alone, this year brings eight new privacy laws. In January, new legislation took effect in Delaware, Nebraska, New Hampshire, New Jersey, and Iowa. These laws all contain provisions for data minimization, purpose limitation, and confidentiality. Privacy laws in Tennessee, Minnesota, and Maryland will take effect on July 1, July 31, and October 1, 2025, respectively.
Australia
Australia’s Privacy and Other Legislation Amendment Act took effect on December 10, 2024, when it received Royal Assent. Various amendments will be introduced gradually, with some effective dates yet to be determined. That said, the Act will strengthens the powers of the Office of the Australian Information Commissioner (OAIC), charges the OAIC to develop a code addressing children’s online privacy, will require greater transparency around automated decision making, and will introduce a new tort for serious invasions of privacy.
China
China’s Network Data Security Management Regulations took effect on January 1, 2025, and aim to clarify compliance, address cross-border data transfers, and impose stricter enforcement.
Malaysia
Malaysia amended its Personal Data Protection Act. The amendments will be implemented in stages over the course of 2025, expanding the definition of “sensitive personal data” to include biometric data, and will also address security compliance and cross-border data transfer rules.
Peru
Major changes will also be introduced in Peru when the Data Protection Law takes effect on March 30, 2025. It will address, among other things, international data transfers and data breach notification mandates and will establish a right to data portability. It will require the appointment of data processing representatives in Peru and, in due course, the designation of data protection officers in certain cases.
European Union
While the EU AI Act entered into force in 2024, certain requirements will begin to apply over time. On February 2, 2025, provisions on prohibited AI practices and requirements and AI literacy requirements took effect. From August 2, 2025, additional provisions will apply, including those regarding AI governance, and penalties will be introduced.
Proposed and Pending Changes
There are moves to implement data protection legislation in Pakistan and Bangladesh. India’s Digital Data Protection Act is expected to become fully effective in 2025, with comments on the draft Digital Personal Data Protection Rules, 2025 currently being considered. Organizations operating in these countries will need to establish baseline privacy standards and also pay particular attention to data transfer and localization requirements.
Other countries are contemplating enhanced data protection for their residents. Japan, Chile, Colombia, and Argentina all intend to enact legislation that would enhance individual privacy rights. There is a focus on more stringent enforcement, notification requirements, and transparency to data subjects. New Zealand’s Privacy Amendment Bill is currently being considered by the House of Representatives. If passed, it will, among other things, provide additional requirements to inform data subjects of data collection from third parties.
Brazil is expected to finalize an AI bill in 2025. Other countries seeking to develop AI regulations in 2025 include the UK, Australia, the Philippines, and China, as well as various states in the U.S.
What’s Next for Organizations
2025 signals a clear trend toward strengthening of protections for personal data and maturation of existing privacy regulations. As these new or expanded laws come into force, it will be critical for organizations to quickly evaluate their applicability and develop a risk-informed roadmap to compliance. Updating privacy policies, ensuring employees are trained in the changes, and implementing robust data governance measures are key steps for companies who want to ensure consumer and regulator trust.
Is your organization struggling with your privacy compliance obligations amidst the rapidly changing regulatory landscape? Contact us for a free consultation to see how VeraSafe can help.
You may also like:
An Introduction to the EU AI Act
Understanding Korean PIPA: A Guide for Foreign Businesses
Ensure Your Business Complies with California Privacy Law: Practical Tips for Handling Privacy Rights Requests
Related topics: EU Privacy Laws, US Privacy Laws, Other Privacy Laws
