As we approach the end of the year, here are the top 5 privacy posts on the Debevoise Data Blog in 2025.
- Takeaways for Large Firms from the SEC’s Reg S-P Webinar (September 28, 2025)
On September 25, 2025, the SEC held a webinar on Regulation S-P, which governs how covered institutions protect customer information. In this post, we highlight key takeaways from the webinar, including the expanded scope of customer information under the 2024 amendments (which took effect earlier this month), the amended Regulation’s applicability to private funds and their advisers and the new incident-response notification requirements.
- Privacy Enforcement: Shift Toward Cookie Consent? (April 24, 2025)
On March 12, 2025, the California Privacy Protection Agency (the “CPPA”) announced a decision and stipulated final order stemming from its investigation of the American Honda Motor Company’s data privacy practices. State regulators have been increasingly scrutinizing cookie banners and cookie management tools, and the CPPA’s decision exemplifies privacy regulator concerns over cookie non-compliance with state consumer privacy law. Some states now require clear cookie opt-out mechanisms, and in California businesses must also provide a “symmetry of choice” in the cookie banner. In this post, we unpack how Honda fell short of this requirement—resulting in a $632,500 fine—and how businesses can refine their cookie-consent practices to strengthen compliance with consumer privacy law.
- EU Data Act – Key Provisions and What You Need to Know (October 9, 2025)
On September 12, 2025, the main provisions of the EU Data Act took effect, establishing rules on who can access and use data generated by connected devices and related services. Aimed at creating a common European data space, the Act is expected to have a significant impact on multinational businesses by requiring them to share data with customers and competitors.
- CPPA Adopts Long Awaited Rulemaking Package (July 25, 2025)
On July 24, 2025, the California Privacy Protection Agency approved a major rulemaking package that adds new requirements for cybersecurity audits and the use of automated decision-making tools. Businesses processing large quantities of personal information will face independent cybersecurity audit obligations. Businesses using automated tools to make significant decisions will be required to provide disclosures and opt-out rights absent an exemption. In this post, we explain what these changes mean and how businesses can prepare for the upcoming compliance timelines.
- Maturing Compliance with Bulk Sensitive Data Rule (Data Security Program) before July 8, 2025 Safe Harbor Expires (May 28, 2025)
On July 8, 2025, the civil enforcement safe harbor for the DOJ’s sweeping Bulk Sensitive Data Rule expired. The Rule limits transfers of large volumes of sensitive data to certain foreign entities deemed threats to national security. Organizations holding significant amounts of sensitive or government-related data should assess their cross-border data flows, and review the DOJ’s guide for good-faith compliance to prepare as enforcement begins.
Summarized by Melyssa Eigen, Ella Han, and Linh Tang. We used ChatGPT to help generate first drafts of the summaries. The cover art for this blog was generated by Gemini 3 Nano Banana Pro.