Privacy Day – Key Developments in 2024 and What to Expect for 2025

Privacy Day 2025 is a fitting moment to reflect on the key developments in global privacy legislation throughout 2024 and to look ahead to what is coming in 2025. Over the past year, significant shifts in privacy laws, regulations, decisions, and interpretations have shaped the landscape, with legislatures introducing new frameworks and authorities tightening enforcement. As we move into 2025, organizations must stay informed and proactive: privacy regulation continues to evolve, and emerging trends and new legislation are poised to have a lasting impact.

To help you catch up, below we review the major milestones of 2024 and offer insight into what businesses can expect as the global privacy environment continues to transform.

ISRAEL

Amendment 13. In August 2024, the Knesset approved Amendment 13 to the Israeli Protection of Privacy Law. Effective as of August 2025, this comprehensive Amendment imposes new obligations and stricter penalties on businesses. The Amendment revises key terms: it introduces "Personal Data" and "Highly Sensitive Data", which encompass a broader range of information, such as medical records, biometric identifiers, and traffic data of electronic communications networks; it defines "processing" as a broad set of operations on personal data, including storage, disclosure, access and transfer; and it redefines "holder" which, in line with the GDPR, will now cover any party that processes personal data on behalf of the database controller. The Amendment narrows the scope of the obligation to register databases, but introduces a new obligation to "notify" the PPA of a database where it includes Highly Sensitive Data on more than 100,000 individuals. In addition, public bodies, data brokers and organizations that process Personal Data or Highly Sensitive Data on a "large scale", or that systematically monitor individuals, will now be required to appoint a Data Protection Officer, with obligations and responsibilities similar to those set forth under the GDPR. The Amendment significantly expands the enforcement powers of the Israeli Privacy Protection Authority (PPA), including the ability to impose financial sanctions (fines can reach millions of NIS depending on the severity of the violation and the number of affected individuals) and statutory damages for violations of privacy and data protection requirements.

PPA Guidance: The Role of the Board of Directors in Carrying out Data Security Corporate Obligations. In September 2024, the PPA issued the final version of its guidelines and position regarding the responsibilities of the Board of Directors in fulfilling corporate obligations under the Israeli Protection of Privacy Law and the Privacy Protection (Data Security) Regulations. The PPA's position is that in companies in which the processing of personal data is at the core of the activity, or in which the activity creates an increased risk to privacy, certain supervisory duties imposed under the Regulations on the company as a database controller or processor should be carried out by the company's board of directors. The board is further obligated to apply supervision and monitoring mechanisms to ensure that those responsible fulfil the requirements, to make policy decisions on the way the company uses personal data, and to take other material decisions on data administration. These include, among others, approval of the Database Definition Documents (i.e., data and processing mapping documentation); approval of the main principles of the company's data security procedure; discussing the results of risk assessments and penetration tests; and discussing data breaches that occurred in the company.

The EU Commission Reaffirmed Israel's Data Protection Adequacy Recognition. In January 2024, the European Commission released its report reviewing the existing adequacy decisions, which, among other things, concluded that Israel continues to provide an adequate level of protection for personal data transferred from the European Union. Accordingly, as set forth under the GDPR, entities in Israel that receive personal data from the EEA can continue to do so on the basis of the adequacy decision, with no additional transfer mechanism (such as Standard Contractual Clauses). The renewed recognition is of great importance to the Israeli economy, as it allows for easy and convenient transfer of personal data, strengthens trade relations, and reduces costs for businesses and organizations.

Expansion of the Scope of Privacy Protection Regulations Regarding Data Transferred to Israel. Starting from January 1, 2025, the Privacy Protection Regulations (Provisions Regarding Data Transferred to Israel from the European Economic Area), 2023, also apply to all personal data held in a database that contains personal data transferred from the EEA, including data that originated in Israel or in other countries, such as the United States and the United Kingdom. The implication is that once a database contains personal data transferred from Europe, all personal data in that database, including local data and data from other countries, must comply with the regulations, including their disclosure obligations and expanded individual rights (such as deletion and the right to be informed).

PPA Guidance: Log Retention. In September 2024, the PPA published a guide on log file retention in databases subject to the medium and high security levels. The guide clarifies the duty of organizations managing such databases to retain the log files that document access to the database (whether by authorized users, third parties or software components) for a minimum period of 24 months, in accordance with Regulation 10 of the Privacy Protection (Data Security) Regulations. In practice, this means the access-logging mechanism must record each access event and the logs must be protected against alteration and kept available for review for the full retention period.

What to expect for 2025?

In 2025, companies and organizations operating in Israel will face greater exposure for violations of privacy and data protection requirements. The increased exposure stems from the implementation of Amendment 13 and the expanded PPA powers and penalties, the full application of the regulations on personal data transferred to Israel from the EEA, and the new guidance issued by the PPA, with more expected. Organizations should review and update their personal data processing practices, policies and documentation to ensure compliance with both existing obligations and the new obligations under Amendment 13.

EUROPE

Digital Services Act (DSA) and Digital Markets Act (DMA). The DSA's general date of applicability was 17 February 2024; certain obligations already applied to designated very large online platforms (VLOPs) and very large online search engines from August 2023. Both instruments aim to establish fair and open digital environments while ensuring the safety and rights of users online. Currently, the most interesting case to follow is the Commission's investigation of the X platform and the measures it has taken. In February 2024, the Commission opened formal proceedings against TikTok, investigating its compliance with provisions on risk management of addictive design and harmful content, protection of minors, transparency of advertising, and access to data for researchers. Further proceedings against TikTok examined whether the launch of the TikTok Lite rewards program, which allows users to earn points while performing certain tasks on the platform, breached the DSA because it was launched without a prior risk assessment. TikTok committed to withdrawing the feature from its applications offered within the EU.

EU AI Act enters into force. The European AI Regulation officially entered into force on August 1, 2024. It is the world's first comprehensive legal framework regulating the development, deployment and placing on the market of AI systems across EU Member States. The regulation classifies AI systems into several risk levels and tailors the legal requirements to each system's assigned risk. Its provisions apply in stages: the prohibitions on certain AI practices apply from February 2025, the obligations for general-purpose AI models and the governance provisions from August 2025, and most of the high-risk obligations from 2026. Non-compliance can lead to enforcement action, including fines of up to EUR 35 million or 7% of worldwide annual turnover for the most serious violations. Understanding the obligations under the AI Act and determining their applicability to your organization is crucial for ensuring compliance.

EDPB Opinion 08/2024 on "Consent or Pay". The EDPB released an opinion on valid consent in the context of "Consent or Pay" models (i.e., pay for use, or let the platform collect data and display ads) implemented by large online platforms. The opinion addresses such models in behavioural advertising, where users are required to choose between consenting to the processing of their personal data and paying for access to the service. The EDPB concludes that, in most cases, these models do not meet the GDPR requirements for freely given and valid consent, because of the possible harm to user rights, the power imbalance, and the lack of an equivalent alternative. The opinion emphasizes that platforms should avoid situations in which privacy protection becomes a "paid right" and should ensure equal access to services. The EDPB recommends offering a free alternative without behavioural advertising (for example, with contextual advertising), or ensuring that the fee for an ad-free version is reasonable and low enough to allow a genuinely free choice. Transparency, specificity, and no conditioning of the service on processing that is not necessary for its delivery are also required. The opinion builds on the principles established by the CJEU in its ruling against Meta (C-252/21), which highlighted the limits of consent in contexts of power imbalance and behavioural advertising.

EDPB Opinion 28/2024 on data protection aspects of processing personal data in AI models. The EDPB released an opinion on certain data protection aspects of processing personal data in the context of the development and deployment of AI models. The opinion sets out a three-step test for determining when legitimate interest can serve as the legal basis for processing personal data for AI models, without the consent of data subjects; it also addresses when an AI model can be considered anonymous, stressing that this must be assessed case by case, and the consequences of a model having been trained on unlawfully processed data. The opinion emphasizes the need for careful examination of anonymization processes, clarifies documentation requirements, and emphasizes the importance of the information provided to data subjects. This document is essential for organizations seeking to develop and deploy AI models in compliance with the GDPR.

What to expect for 2025?

In 2025, companies and organizations should anticipate increased interaction between privacy laws and AI regulation, requiring organizational adjustments. Organizations should expect stricter requirements around AI compliance, including the need to ensure transparency, accountability, and adherence to privacy principles during the development and deployment of AI models. To stay ahead, organizations should proactively assess their policies, operational frameworks, and documentation to ensure they are equipped to navigate the intersection of privacy and AI regulation effectively.

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA") applies from 17 January 2025. DORA aims to achieve a high common level of digital operational resilience and sets a number of requirements concerning the security of the network and information systems supporting the business processes of financial entities. Although DORA does not apply directly to Information and Communication Technology ("ICT") service providers (unless they are designated as critical ICT third-party providers), its requirements will in practice reach ICT service providers that enter into contractual agreements with EU financial entities (a broadly defined category). Such contracts will be subject to far more scrutiny than before and will need to be reopened. Article 30 of DORA sets out the key contractual provisions that financial entities must include in agreements with such service providers, including security and business continuity obligations, audit and access rights, incident reporting support, and exit and termination arrangements.

Further, in response to increased exposure to cyber threats, Directive (EU) 2022/2555, also known as NIS2, replaced its predecessor (the NIS Directive, Directive 2016/1148); Member States were required to transpose it by 17 October 2024. NIS2 raises the EU's common level of ambition on cybersecurity through a wider scope, clearer rules, and stronger supervision tools. It requires Member States to enhance their cybersecurity capabilities, introduces risk management measures and incident reporting requirements for entities in more sectors, and sets up rules for cooperation, information sharing, supervision, and enforcement of cybersecurity measures. Under NIS2, essential and important entities must adopt appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. These measures aim to protect network and information systems and to prevent or minimize the impact of incidents on service recipients and interconnected services.

The EDPB's recent guidelines on pseudonymisation are raising some concerns regarding the EDPB's distinction between anonymisation and pseudonymisation. Moreover, the EDPB takes a broad view of the means that could be used to re-identify de-identified or anonymised data, which could lead to the conclusion that data can effectively never be anonymised. Stay tuned for updates on this matter, on which we expect follow-up decisions and discussions.

USA

FTC Enforcement. The Federal Trade Commission (FTC) continued to exercise its enforcement powers over data privacy and cybersecurity violations, with particular scrutiny of companies' claims about their AI capabilities and of other AI uses deemed "unfair". Protecting sensitive data remained a key priority for both the FTC and the Department of Justice (DOJ): the FTC concentrated on data brokers' collection of genetic, consumer web, and location data, while the DOJ focused on national security concerns and on transfers of US data to "countries of concern" (under the rule implementing Executive Order 14117). Important FTC cases in 2024 resolved claims of unlawful collection, sale, and use of precise location information. X-Mode is prohibited from sharing or selling any "sensitive location data", meaning location data that identifies visits to sensitive locations such as medical facilities and religious organizations, or that otherwise allows potentially sensitive inferences. Right after the X-Mode case, the FTC settled claims against InMarket; the FTC's complaint was grounded in InMarket's use of location data to show targeted ads, including by creating audience segments that advertisers could use to target consumers. Last December, the FTC prohibited the data broker Mobilewalla, Inc. from selling sensitive location data, including data that reveals an individual's private home, to settle allegations that it sold such information without taking reasonable steps to verify consumers' consent. The FTC is also taking action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for unlawfully tracking and selling sensitive location data, including data about consumers' visits to health-related locations and places of worship. These actions reflect the FTC's continued focus on location data, particularly data that reveals potentially sensitive information.

Ongoing Growth in State Comprehensive Data Privacy Laws. In 2024, as in 2023, we saw a surge in state legislative activity on privacy. The year began with twelve states having "comprehensive" data privacy laws, and by the end of the year that number had risen to nineteen. New Jersey led the way by passing its data privacy law in January. As the year progressed, New Hampshire, Kentucky, Nebraska, Maryland, Minnesota, and Rhode Island also enacted new privacy legislation. These laws generally expand consumer rights, including access, deletion, and portability of personal data, and require businesses to conduct data protection assessments to mitigate the risks of activities such as targeted advertising, profiling, data sales, and processing of sensitive data. Like the FTC, state legislatures increasingly focused on the handling of sensitive data, introducing specific provisions on its processing. State privacy laws that became effective in 2024 include the Montana Consumer Data Privacy Act (MTCDPA), the Florida Digital Bill of Rights (FDBR), the Texas Data Privacy and Security Act (TDPSA), and the Oregon Consumer Privacy Act (OCPA).

CCPA. The California Privacy Protection Agency (CPPA) released its first-ever enforcement advisory, reinforcing data minimization as a core principle of the CCPA and reminding businesses that this principle should guide all of their data processing practices. The Agency also completed a rulemaking process, including a notice-and-comment period and a public hearing, to establish additional regulations for data brokers. While these regulations only take effect on January 1, 2025, the CPPA already began focusing on data brokers with a public investigative sweep in the fall of 2024 to assess compliance with the registration requirements. Further, the data broker registry, now operated by the CPPA, has been updated in preparation for the deletion mechanism required under the Delete Act.

Washington's My Health My Data Act ("MHMDA"). Effective as of March 2024, this groundbreaking law is the first comprehensive state law to protect "consumer health data" beyond the scope of HIPAA. It is enforceable by the Washington Attorney General and through a private right of action under the state's Consumer Protection Act. Violations can result in civil penalties of up to $7,500 per violation, and the private right of action may expose companies to class action risk. Companies should remain vigilant and continue to assess their compliance practices, particularly in light of the broad definition of "consumer health data": if a website drops third-party cookies, the fact that a user browsed a pharmacy website or a hospital's visiting-hours page may itself be treated as health data, requiring very specific consent before it is collected or shared.

What to expect for 2025?

In 2025, state regulators will remain proactive, with eight new comprehensive consumer privacy laws set to take effect during the year (in Delaware, Iowa, Maryland, Minnesota, Nebraska, New Hampshire, New Jersey, and Tennessee), adding to the eight laws already in place. We anticipate continued focus on issues such as children's privacy, online safety, AI, automated decision-making, and potentially enforcement action under the Washington My Health My Data Act. Additionally, states are likely to concentrate on transparency requirements, restrictions on targeted advertising and data "sales", and data security measures.

We expect the FTC and the California Attorney General to continue to regulate and to set the standards for data protection and the interpretation of the law. Further, claims and lawsuits under the California Invasion of Privacy Act (CIPA) are on the rise, and we expect this to continue in 2025, along with decisions under the CCPA specifically concerning adtech, data brokers (web browsing data in particular), and fingerprinting.

We will also follow the DOJ's rulemaking and enforcement on transfers of US data to countries of concern.

On this Privacy Day, we encourage organizations to take a moment to reflect on the importance of complying with privacy and data protection laws in a constantly evolving framework. It is crucial to stay informed and proactive. We wish you a successful year, and you can always reach out to our experienced team at Shibolet for advice and assistance in navigating these changes and this complex legislative ecosystem.

Happy Privacy Day!