This month’s privacy news updates highlight growing expectations around data rights, AI, breach reporting and responsible data collection across global regions.
Europe
On June 19, the data complaints handling requirements of the Data (Use and Access) Act 2025 will come into force for organizations in the UK. The new law requires that organizations:
-
give people a clear way to raise a data protection complaint
-
acknowledge it within 30 days of receipt
-
take appropriate steps to investigate without undue delay
-
tell the complainant of the outcome
Separately, the UK ICO is developing guidance covering the use of AI, anonymization and automated decision-making technologies. The guidance is expected to require organizations to establish stronger visibility across their AI and analytics pipelines and source data.
The French and South Korean data protection authorities have published a public guidance poster to raise awareness of data protection for users of generative AI under the Memorandum of Understanding, October 2022, signed between the two authorities. The poster explains how individuals can protect their personal data before, during and after using generative AI services.
North America and Brazil
More than 300,000 Californians have signed up for the CCPA’s Delete Request and Opt-out Platform (DROP), which will require registered data brokers to process deletion requests through a new centralized service from August 1.
Meanwhile, Connecticut’s Senate Bill 4 introduces significant changes to the state’s Data Privacy Act. The changes include new rules for data brokers, a ban on selling precise geolocation data, expanded deletion rights, new privacy notice requirements, facial recognition transparency and stronger protections for genetic data. Further, lower applicability thresholds mean more businesses fall under the Connecticut Data Privacy Act, while the expanded definition of sensitive data brings more information types into focus.
Elsewhere, Canada’s privacy regulator published the results of its latest survey of Canadian businesses on privacy issues. While organizations report proactive measures to improve privacy practices, 16% of businesses that collected personal data of under 13s failed to obtain parental content.
Brazil’s privacy authority, the ANPD, continued its efforts to nurture global dialogue on the impacts of emerging technology on privacy. Last month, they published guidance addressing the main concepts of neurotechnology and the application of privacy legislation to the processing of neural data. This is relevant to organizations in healthcare, research, wearables and advanced analytics responsible for processing these emerging high-risk data types.
Middle East and Asia
Since the publication of India’s DPDP Rules 2025 last year, organizations have raised concerns about their impact on innovation. Around 75% claimed budgets would be diverted from digital growth initiatives to compliance-related tools and services. Meanwhile 83% expect operational disruption as “legitimate interest” and “contractual necessity” were excluded as legal bases for data processing – meaning that formal user consent is required for most data processing.
Singapore’s PDPC has clarified that personal data breaches must be reported to the regulator no later than three calendar days after identification. Under the PDPA guidance, when incidents occur, organizations need to identify affected personal data quickly, understand sensitivity and volume of affected information, and support notification decisions with evidence.
Australia
In Australia, the OAIC’s 2026 Australian Community Attitudes to Privacy Survey found that 87% of Australians are more concerned about privacy than they were five years ago. Trust in AI companies is especially low, with just 4% believing that AI companies are worthy of their trust.
At the same time, the OAIC issued updated guidance for collecting solicited personal information (APP 3). The guidelines include applying APP 3 principles to artificial intelligence and facial recognition technologies, and current practices like data scraping, tracking pixels and data brokering.
To find out how Ground Labs can help simplify your privacy compliance efforts, request a demo today.