Regulations matter, but until they’re enforced, they’re all just so many words (so, so many words) on paper. Businesses know that what really counts is whether, how, where, and when regulators enforce the law.
We keep a pretty close eye on regulators—in fact, we track notable enforcement actions in our Enforcement Tracker and use our findings to inform both our own privacy program and how our solutions support our customers’ privacy programs.
The one constant we’ve observed over the years is that enforcement is always changing. But that doesn’t mean there aren’t persistent, actionable patterns to track. Here’s what we’re seeing in 2025.
1. More Enforcement & Friendly Competition
Data privacy enforcement has been striking a larger profile than it has in previous years. The reason for that is simple: there’s been a heck of a lot more of it in 2025 than in the past.
Several state privacy laws have come online recently (eight laws in total over the course of 2025). Regulators have been eager to enforce them and show that they’ve got the bite to match their bark. Notably, California and Texas have issued multiple enforcements this year. They almost seem to be in a game of one-upmanship—once one state issues a headline-grabbing enforcement, the other announces an enforcement of their own.
But the headlines are just the tip of the iceberg. State regulators have been announcing investigations and sending notices of non-compliance out to multiple businesses, resulting in operational disruption even if they don’t always result in a penalty.
This spells bad news for the businesses that put off investing in their data privacy program until they started to see enforcement. Now, they’re finding themselves on the back foot and forced to play catch up.
The US has been a major source of enforcement, but the EU hasn’t been silent either. Enforcement from the usual players like Ireland and France has been continuing at pace (like Ireland’s €530 million fine against TikTok).
But we’re also seeing smaller enforcement cases against small businesses originating from smaller jurisdictions in the bloc.
2. Death by a Thousand Paper Cuts
If you don’t watch privacy enforcement closely, you might be under the impression that only big tech is getting penalized, only in major jurisdictions, and the penalties are always multi-million dollar or euro fines. In reality, these cases are the minority.
We’re seeing a ramp-up in enforcement targeting small businesses, enforcement from smaller jurisdictions, and smaller financial penalties. For the average business, this is less desirable than when only a few major players would receive headline-grabbing penalties. All the average business had to do was not be Facebook.
Now, anyone and everyone failing to maintain compliance could be a target. Even if your organization can weather a four-, five-, or six-figure fine, the reputational damage is often more significant and can be an existential threat.
Consider the enforcement coming out of Romania. Since the new year, the Romanian data protection authority has issued multiple penalties, many of which are €2,000 fines levied against companies with fewer than 50 employees. No healthy business is going under after a €2,000 fine—but nobody would welcome it either. What’s more, anybody who does their due diligence into those companies will ask about it for years to come.
3. Identity Verification Comes Under Scrutiny
It’s a common question—how do you handle data subject rights requests (SRRs) without collecting more personal information? If you’re going to act on an SRR, you need to at least know the identity of the requester, right?
If only it were that simple. Regulators in California are making it clear that when it comes to CCPA compliance, verifying requesters’ identities isn’t compliant in certain cases. Several enforcement actions, including the recent Honda case, were based on the excessive collection of personal information to verify requesters’ identities.
Specifically, businesses should not verify identities when the requester submits one of these two SRRs under the CCPA:
- Requests to opt out of the sale or sharing of personal information
- Requests to limit the use of personal information
For all other requests, businesses should collect only the minimum data they need to process the request—often, that’s just an email address.
4. Investigators Are Looking at Outward-Facing Signs of Compliance First
Recent enforcement actions are showing that investigations are starting with the systems and processes that consumers interact with. Under-the-hood compliance activities like your assessments process, data inventory, privacy-by-design workflow, and so on are important, but regulators aren’t investigating businesses at random in the hopes of finding a non-compliant assessment workflow.
Honda’s excessive identity verification in their subject rights portal is a good example. Additionally, Allstate’s enforcement action under the Texas Data Protection and Security Act (TDPSA) started over widespread consumer complaints that its actual data collection practices didn’t match its disclosures.
Businesses should prioritize these visible aspects of their privacy program. A functioning, clear notice and consent mechanism, regularly updated and accurate privacy policies, and compliant subject rights processes are key.
5. Wiretap and VPPA Cases Continue to Roll In, But the Momentum Is Shifting
Cold War-era laws continue to be repurposed to apply to modern data tracking use cases, but the tides may be turning.
Lawsuits under the Video Privacy Protection Act (VPPA) at the federal level, the California Invasion of Privacy Act (CIPA), and other state wiretap laws are regularly being tested in court. But some states, like Massachusetts, are denying the applicability of wiretap laws to website tracking pixels, and other states may take a cue from that.
As of this writing, the California Senate is advancing Senate Bill 690, which would amend CIPA to carve out an exception for the use of tracking technologies for commercial purposes.
As for the VPPA, the NFL recently filed an amicus brief (essentially a plea from an outside party not involved in the case in question) asking the Supreme Court to hear a VPPA case involving the NBA. Depending on whether the Court will weigh in or not and what it concludes, it could be the end of a major source of headaches for businesses with video content on their websites.
Individually, it appears that all these wiretap and VPPA cases are proceeding through the tangle of the court system. But collectively, they signal a growing sense of frustration that these old laws, designed in a pre-digital world, aren’t the right solution for consumer privacy rights.
What Should You Take Away from These Trends?
Knowing that enforcement is ramping up and that it’s not just aimed at Big Tech should be a big wake-up call for businesses. But if your organization hasn’t been paying attention to data privacy before, where should it start?
Fortunately, these trends lay out a clear roadmap to reducing privacy risk.
Regulators are looking at businesses that don’t have visible indicators of their compliance—so, businesses should focus on building out those visible indicators. That includes a regularly updated privacy policy on their websites (even if you maintain multiple sites), a functional subject rights workflow, and transparent consent management mechanisms that don’t rely on dark patterns.
For your SRR workflow, be sure to follow California’s standards for identity verification if you’re subject to the CCPA. And make sure that the process actually works without causing undue effort on your part—submit a few test requests and consider the impact that processing dozens of requests a month might have on your organization.
Most importantly, don’t do this alone. If you need to research and build out all of these workflows yourself, not only will it become a months-long (or years-long) project, there’s a good chance the process won’t be compliant with all of the privacy laws it needs to be. There are many privacy laws out there, and they’re constantly in flux.
Software solutions can help reduce the burden. Osano bakes compliance guidance into the platform, guiding you away from decisions that might put your organization out of compliance. Plus, you can always consult the privacy team in-app to get insight into the nitty-gritty details of how privacy regulations apply in your specific circumstances. If any of these SRR trends caught your eye, consider scheduling a demo to chat through them with one of our experts.
Matt Davis, CIPM (IAPP)
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.