Year: 2025

Opinion editors at Scientific American argue that AI deepfakes pose escalating risks to democracy and personal privacy, and point to Denmark’s proposed law granting people rights over their face and voice as a potential model for the US to follow. 

A new analysis from Georgetown Law’s Institute for Technology Law & Policy explains how existing U.S. consumer protection and privacy laws already apply to AI chatbots designed for kids and teens.

Bloomberg Law reports that California is finalizing a privacy-law specialization for attorneys. The proposed standards include continuing education requirements (45 hours to qualify for initial certification and 36 hours for recertification), proof of significant engagement in privacy matters, and options to qualify without a written exam if certain thresholds are met. 

On November 19, the European Commission proposed major reforms to Europe’s GDPR, AI Act, ePrivacy Directive and the Data Act, aiming to simplify digital regulations and encourage AI development. The changes would delay implementation of key parts of the AI Act, and would allow AI companies to use personal data for model training without user consent if in compliance with other GDPR requirements.

(compiled by Karinna Gerhardt)

Privacy Research Group News Roundup 11/12/25

The New York Algorithmic Pricing Disclosure Act took effect on November 10, 2025, requiring businesses to display a clear disclosure near prices stating that the price was set by an algorithm using personal customer data.

New research from the European Broadcasting Union and the BBC has found that four leading chatbots routinely generate flawed summaries of news stories.

At the 2025 Joint Mathematics Meetings, Meta’s AI Chief Yann LeCun said that even “a house cat has better intelligence than our most advanced AI systems.” He explained the Moravec paradox – “the observation that tasks difficult for humans are relatively easy for computers, while tasks that seem effortless to humans remain extraordinarily challenging for AI.” LeCun reportedly plans to leave Meta to build his own startup.

The European Commission is expected to unveil the “Digital Omnibus” reform package on November 19, which could roll back the General Data Protection Regulation, the AI Act, and many other privacy-related regulations.

A new opinion piece in The New York Times discusses whether chatbot conversations should be entitled to legal protections.

Several journalists offer think pieces on how New York City mayor-elect Zohran Mamdani might reform the surveillance state enforced by the New York Police Department, given his commitment to working with current Police Commissioner Jessica Tisch and his plan to divert some resources into creating a $1B Department of Community Safety.

(Compiled by Sarah Wang).

Florida’s novel lawsuit against Roku under its privacy law has been noticed by lawyers and industry insiders.

A new preprint suggests that AIs are trained to hallucinate through their training that rewards confidence and conversely disincentivizes “I don’t know” responses.

A new paper discusses a layer in AI industry that’s frequently not talked about: the human labor that goes into “collect[ing] and annotat[ing] data, monitor[ing] and maintain[ing] algorithmic systems, keep[ing] data centers running, and min[ing] rare earth minerals—not to mention the artists, translators, writers, and actors whose work fuels so-called generative AI”

A recent audit found that the continuing budget and staffing cuts at the CFPB has left major data security risks.

A network of global privacy regulators announced an enforcement sweep into digital services’ use of underage users’ data.

The Fifth Circuit heard a case, Computer & Comm. Ind. Ass’n v. Paxton, regarding Texas’ law that would require content filtering for minors, although it seemed wary of deciding it directly instead of remanding to the District Court.

A new bill introduced in the senate, the GUARD Act, would regulate the use of chatbots by minors.

The FCC will vote later this month to reverse a Biden-era policy that added cybersecurity requirements.

OpenAI has updated its terms of service to say its models cannot be used to provide legal or medical advice. OpenAI disclaimed this as “not a new change to our terms.”

More than a dozen states have filed a motion to submit an amicus brief in Huiskamp v. ZoomInfo Tech. LLC, arguing that selling peoples’ phone numbers should be treated as commercial speech.

(compiled by Tobit Glenhaber)

Meta’s new “smart glasses” raise similar issues to Google glass, with questions on whether privacy law is equipped to deal with the higher level of private surveillance they allow.

The Guardian and +972 report that Israel’s contracts with Amazon and Google provide for “unorthodox ‘controls’” in the deal. It creates a “winking mechanism” that requires the companies to secretly divulge the identity of foreign countries whose law enforcement has asked for Israeli data through coded payments. The contract also limits the ability for the companies to revoke Israel’s access to the cloud platforms even if they find Israel’s use of the technology violates their terms of service or non-Israeli law.

Reddit sued Perplexity for data scraping of its website. This follows a lawsuit filed against Anthropic earlier this year.

DHS has published a final rule providing for photographing all non-citizens at all border entries.

ICE and CPB have been using facial recognition technology in their enforcement raids.

Character AI has modified their terms of service to bar minors from using its chatbots.

Contact Clay Venetis, cvenetis@cspi.org, if you are interested in diving into the MTA’s alcohol ad policy change.

(Compiled by Tobit Glenhaber)

Representatives in the Michigan state legislature have proposed a ban on VPNs as a part of a larger bill that aims to ban online pornography in the state. 

Mother Jones recently published an article detailing how a secretive surveillance firm called First Wap exploits telecom network loopholes to track, intercept, and surveil phones worldwide—including those of public figures, politicians, and dissidents—often without legal oversight. Lighthouse Reports has also published an investigatory report on First Wap’s activities.

The U.S. Privacy Consortium, a bipartisan collective of U.S. regulators that collaborates on the implementation and enforcement of their states’ data privacy regimes, recently welcomed the attorneys general of Minnesota and New Hampshire as the group’s newest members.

CA Governor Gavin Newsom signed a bill that requires social media companies to make canceling an account straightforward and clear, ensures that cancellation triggers full deletion of the user’s personal data, and provides additional data protections for Californians.

Scouting America, formerly known as the Boy Scouts, announced two new badges that scouts can earn: one in artificial intelligence, and another in cybersecurity.

Federal law enforcement has arrested a suspect in connection with starting what became the Palisades blaze that killed 12 people in early 2025. Among the evidence cited is an AI image of a burning city that the suspect allegedly generated with ChatGPT.

(Compiled by Audrey Kim)

Meta has announced it will incorporate data from user interactions with its AI products to sell targeted ads starting December 16th. More than a billion users engage with Meta AI each month, and the company hopes to monetize this data to better refine its advertisements across a user’s accounts. This includes data gathered from Meta’s Ray-Ban smart glasses and its AI-video programs. Users may not opt out, but company officials say AI conversations involving controversial topics will not be incorporated into a user’s ad feed. 

The 2025 Esports World Cup brought in hundreds of millions of viewers, highlighting the surging popularity of this once-niche hobby. As the field expands, Esports participants must increasingly comply with local consumer privacy laws, especially as they advertise to viewers and collect their data. Competitors themselves must obtain affirmative consent from users and companies must avoid falling afoul of unfair competition or deceptive business practice regulations.. Stakeholders throughout the industry must conduct extensive due diligence to avoid liability, whether it be event organizers, team managers, players, or sponsors, a burden which will only grow as the sport continues its meteoric growth.

The Supreme Court recently upheld Texas HB 1181, narrowly approving age verification for sexual content online in apparent contravention of online privacy. The need to submit ID exposes adult users to data breaches, to say nothing of intentional sale or surveillance. Recent data breaches at major companies and their partners indicates these fears may be warranted.

The Supreme Court also allowed President Trump to fire a commissioner of the FTC, which enforces consumer protection and antitrust laws. This decision signals a willingness to overturn Humphrey’s Executor v. US, a 1935 decision restricting the President’s power to remove the leaders of independent regulatory agencies. By extension, this would threaten the ability of the FTC and similar agencies to regulate data usage and privacy in the US.

While the US tries to maintain a lead in the AI space, a black market in GPUs increasingly brings these high-demand products to China despite American regulations. The American government rarely approves exports of these goods, but unofficial channels salvage GPUs and clandestinely smuggle them from Taiwan and the US to Chinese companies. In the meantime, the US government has been working with semiconductor companies NVIDIA and AMD to compensate them for any revenue lost due to restrictions on exports to China.

(Compiled by David Gonzalez)

Brazil has passed a new child protection law – the ECA Digital. The law requires online services likely to be used by children to build in protections for privacy, safety, and children’s best interests by default, including banning profiling and behavioral advertising targeting kids. It takes effect in March 2026 and includes penalties for non-compliance, such as fines (up to 50 million reais or 10% of revenue in Brazil), suspension or bans, and is being enforced by Brazil’s data protection authority.

Tech Policy published a piece arguing that recent Supreme Court rulings erode longstanding protections by allowing states to impose age-verification mandates online, thereby undermining users’ First Amendment rights and privacy. The piece claims that requiring individuals to submit personal identifiers to access content risks surveillance, data exposure, and chilling effects on online speech for both minors and adults.

The United Kingdom rolled out their proposal for a digital ID. The plans faced criticism from across the political spectrum. The proposal has been pushed by the Tony Blair Institute, who is funded almost exclusively by Oracle. 

Recently, the U.S. Supreme Court granted a stay allowing President Trump’s removal of FTC Commissioner Rebecca Kelly Slaughter and agreed to review the FTC’s structure under the separation-of-powers doctrine. Slaughter, dismissed in March 2025 along with Commissioner Alvaro Bedoya, had been reinstated by the D.C. Circuit based on Humphrey’s Executor v. United States (1935), which upheld “for-cause” protections for FTC commissioners.

The Supreme Court’s stay blocks her return while it considers whether those protections are constitutional and whether Humphrey’s Executor should be overruled.The outcome could significantly alter the FTC’s independence and its role in privacy and consumer protection enforcement. A ruling narrowing removal protections would weaken the agency’s autonomy, while affirming them would preserve its authority. For privacy law, the decision introduces major uncertainty for ongoing and future FTC enforcement actions

(Compiled by Anthony Perrins)

Sen. Cruz introduced a new bill that would provide for a “regulatory sandbox” for AI companies.

A new product, “friend,” raises some privacy concerns.

In a follow-up to the DOGE data access litigation from the spring, it appears that there was a data breach with the DOGE access to social security information.

An ex-meta employee has filed a whistleblower lawsuit against Meta over “systematic cybercecurity failures.” The suit alleges that the whistleblower alerted Meta to security failures, but was rebuffed and retaliated against.

A California law attempting to limit minors’ exposure to “addicting algorithms” was upheld against a First Amendment challenge in the Ninth Circuit. (opinion here)

Anthropic has settled its class action complaint brought against it by a group of authors for $1.5 billion.

Warner Bros has jumped on the bandwagon of suing Midjourney AI for alleged copyright infringement.

The MTA is updating its advertising guidelines.

A growing amount of states are attempting to protect neural data as PII

Apologies for the delayed post this week; was still trying to figure out wordpress

News

Attorney General William Tong of Connecticut recently recommended a strengthening of privacy protections in the state, including additional defenses for data of minors and a data minimization requirement.

Google Analytics has added features to enhance marketing capabilities in light of consumer data privacy settings, specifically around the aggregation of location data, data labeling, and assessment of data quality.

A recent lawsuit against Accor Management alleges the company’s website transferred tracking pixels to Facebook in a manner unauthorized by website visitors.

Just Security has been tracking lawsuits filed against the Trump administration, including alleged violations of the Privacy Act for mishandling of government employee data and matters related to birthright citizenship.

(Compiled by Student Fellow Cooper Aspegren)

News

In a letter dated 31 March 2025, the Federal Trade Commission (FTC) expressed its concerns and interests to the Office of the US Trustee relating to the bankruptcy proceedings involving 23andMe Holding Company. 23andMe came into prominence over the past few years due to its genetic testing services that allowed it to accumulate millions of sensitive personal information of its consumers, including genetic information, health information, ancestry and genealogy information, payment information, among others. The FTC claims that any bankruptcy-related sale or transfer involving 23andMe users’ personal information should be subject to the representations made by the company, including commitments to data privacy and protection, and data security. Further, the purchaser of the data assets should expressly agree to adhere to and be bound by such commitments.

Kenya recently launched its national AI strategy roadmap for 2025-2030 that focuses on several core pillars: AI digital infrastructure, data and AI governance, AI research, innovation and commercialization. Aimed at making Kenya a regional leader in AI research and development, the strategy reflects Kenya’s mission of being “architects of [their] digital destiny” instead of being a mere spectator. In the strategy, Kenya also plans on building infrastructures, such as data centers and semiconductor manufacturing facilities, to support the five-year plan.

As a result of OpenAI’s release of a new image generator, powered by GPT-40, social media platforms have been inundated with images that uses a filter reminiscent of the works of Studio Ghibli, a Japanese animation company co-founded by animator and filmmaker Hayao Miyazaki. Studio Ghibli and Miyazaki have won many accolades for their animated works. The trend is especially controversial given Miyazaki’s apparent abhorrence over generative AI and his passionate belief in the power of art created by humans. In a video uploaded years ago and have been recirculated in response to the social media trend, Miyazaki felt that machine-generated art “is an insult to life itself.”

Immigration and free speech advocates have raised concerns over the proposal by US immigration officials to collect social media handles from people applying for citizenship, green cards and other benefits. The advocates claim that the proposal seeks to cover people already in the US legally and have already been vetted extensively. The immigration officials, on the other hand, argue that the purpose of the proposal is to “strengthen fraud detection, prevent identity theft, and support the enforcement of rigorous screening and vetting measures.” However, the proposal comes on the heels of recent events where the administration is detaining people and revoking student visas for joining and participating in campus protests.

NYU is facing at least 10 class action lawsuits after it has been the subject of a data breach wherein a hacker leaked files claimed to show personal information of past university applicants. The complaints claim that NYU failed to comply with the national standards for cybersecurity which resulted in the mishandling of personal information of the students, which could potentially expose the applicants to risk of identity theft, among others.   

(Compiled by Student Fellow Reeneth B. Santos)