What Changed in 2025 for Privacy and AI Governance Compliance?

Data Privacy & AI Governance
Written By Michael Adler
In 2025, privacy and Artificial Intelligence (AI) governance compliance became day-to-day operational work across the European Union (EU), United Kingdom (UK), and United States (US). The defining shifts were EU AI Act guidance and a General-Purpose AI (GPAI) Code of Practice that set a baseline, General Data Protection Regulation (GDPR) scrutiny of model training data, UK reform through the Data (Use and Access) Act, and US state and agency enforcement that reshaped claims and transparency. This is a retrospective of what changed and what it means going into 2026.

On This Page

If 2024 was the year of anticipation for AI regulation, 2025 was the year it became concrete. The conversation moved from “how should we regulate AI?” to “how do we document this specific training dataset for a regulator?” Across the US, UK, and EU, the recurring theme was friction: between innovation and individual rights, between national security and encryption, and most visibly between federal ambition and state-level enforcement. For privacy and governance teams, the wait-and-see era ended and the build-and-defend era began.

How Did the EU AI Act Become Operational in 2025? — From political milestone to operational reality

In 2025, the European Union Artificial Intelligence Act shifted from a legislative milestone to day-to-day compliance work. The European Commission issued guidance in April 2025 clarifying prohibited “unacceptable risk” practices, and the July 2025 General-Purpose AI (GPAI) Code of Practice became a de facto baseline for global compliance. The result was shorter planning windows as grace periods closed and a sharper transatlantic split over prescriptive versus principles-based governance.

The Act shed its abstract nature as the focus turned to the practical machinery of governance. The April 2025 guidance gave legal teams the granular definitions they needed to assess sensitive use cases such as biometric categorization and workplace emotion recognition. The GPAI Code of Practice, published in July, became the year's most debated document: positioned as a compliance on-ramp, it effectively set a market standard and widened the divide over how prescriptive AI governance should be.

Why Did Generative AI Training Data Become the Main GDPR Battleground in 2025? — The primary GDPR battleground

In 2025, generative AI training data became a frontline GDPR enforcement issue in Europe. Regulators treated large language model (LLM) training as personal-data processing, with the Irish Data Protection Commission (DPC) scrutinizing Meta's training plans, an inquiry into X and its Grok model, and continued intervention from Italy's Garante. The outcome was tighter boundaries on consent, legitimate interest, and opt-outs for model training.

The Irish DPC sat at the center of this. Its engagement with Meta's AI training plans established that companies cannot draw broadly on the social web without a robust, regulator-approved opt-out mechanism, and the inquiry into X's training of Grok highlighted the risk of processing user data retroactively. Italy's Garante reinforced the point that AI governance is as much about protecting vulnerable data subjects as it is about data security.

What Did the UK Data (Use and Access) Act 2025 Change for Privacy Teams? — A third way for reform

In 2025, the United Kingdom Data (Use and Access) Act 2025 (DUAA) set a post-Brexit middle path that kept core GDPR rights while reducing administrative friction. After receiving Royal Assent in June 2025, it introduced targeted flexibility for automated decision-making, created a “recognized legitimate interests” list, and restructured the Information Commissioner's Office (ICO). For privacy teams, the practical effect was dual-running: preparing for the new UK regime while maintaining GDPR alignment for EU operations.

The DUAA is a pragmatic compromise. It eases some administrative friction while keeping the core tenets that preserve the UK-EU adequacy decision intact, which is why 2025 became a year of running two regimes in parallel rather than choosing between them.

Why Did the Encryption Debate Reignite in 2025? — National security versus privacy

In 2025, the encryption debate escalated as lawful-access demands collided with consumer privacy expectations. Apple's withdrawal of end-to-end encryption for iCloud backups for UK users, following pressure under the Investigatory Powers Act, showed how national security policy can directly change a product's security features by jurisdiction. The result was a new governance reality: security posture and data sovereignty becoming residency-dependent.

The move marked a turning point. When a security guarantee can be switched off for one country's users, organizations have to treat security posture as something that varies by jurisdiction, which raises real questions about data sovereignty and how EU regulators view cross-border arrangements.

How Did US Federal AI Governance Swing in 2025? — Executive orders and legislative gridlock

In 2025, US federal AI governance oscillated between executive action and legislative gridlock. The year opened with the rescission of the 2023 AI Executive Order (EO 14110) in January, followed by EO 14179 reframing priorities toward removing barriers to American leadership in AI. By December, a push for federal preemption of state AI laws created compliance uncertainty and set up a significant federalism question for 2026.

The vacuum left by the rescission was short-lived, but the direction changed sharply, and the late-year preemption push took aim at the patchwork of state AI laws. For compliance teams, the practical effect was volatility: federal priorities that could shift with each directive, which made state-level rules the more predictable planning anchor.

How Did State Attorneys General and the FTC Enforce AI and Privacy in 2025? — Filling the enforcement gap

In 2025, US enforcement shifted toward states and agencies as federal legislation stalled. State attorneys general drove major privacy outcomes, including Texas's $1.375 billion settlement with Google over biometric and location data, while the Federal Trade Commission (FTC) pursued “AI washing” cases policing claims about bias, capability, and professional substitution. The governance implication was direct: marketing claims needed traceable evidence, and state privacy statutes carried real financial exposure.

The Texas settlement was a striking reminder of the weight state-level privacy statutes now carry. The FTC's actions made the parallel point on the AI side: calling a system “unbiased” or claiming it can “replace a lawyer” requires evidence and qualifications to back it up, because the “AI” label is not a shield against consumer protection law.

Why Did California Set the De Facto National Standard for Algorithmic Transparency in 2025? — The national regulator

In 2025, California moved from large state regulator to de facto national standard-setter for algorithmic transparency. The California Privacy Protection Agency (CPPA) finalized Automated Decision-Making Technology (ADMT) regulations requiring risk assessments and consumer opt-outs for “significant decisions,” which normalized algorithmic impact assessments as operational practice. For governance teams, California compliance became the baseline for nationwide programs.

Because California represents such a large share of the US economy, its rules tend to set the floor everywhere. Algorithmic impact assessments moved from academic concept to standard operating procedure, and the operationalization of the Delete Act put the data-broker model under real strain.

What Is the Roadmap for Defensible AI and Privacy Governance Heading Into 2026? — From waiting for clarity to defensible documentation

The roadmap heading into 2026 is to move from waiting for clarity to producing defensible documentation for regulators, buyers, and partners. The mechanism is operational control over training-data lineage, opt-out implementation, and vendor governance, so that model inputs and downstream uses can be explained and reversed when required.

For organizations planning the year ahead, four moves matter most:

  • Map your training data. Know the provenance of every dataset a model relies on.
  • Operationalize opt-outs. Build a reliable way to remove data from your models when required.
  • Prepare for divergence. Run a modular compliance program that can flex across the UK, EU, and US.
  • Audit your claims. Make sure marketing language matches engineering reality.

The 2026 markers to watch are already visible: the EU AI Act's transparency obligations take effect in August 2026, and US federal-versus-state tension continues to develop. We track those in our work on AI governance principles and buyer-ready AI and data privacy governance, and we will publish a dedicated 2026 review as the year closes.

Where Can Readers Verify the Primary Sources Behind These 2025 Claims? — Primary sources

The sources for this review are official documents and enforcement materials from regulators and governments, so readers can verify dates, enforcement posture, and scope directly.

Frequently Asked Questions

What did the European Commission clarify about “unacceptable risk” under the EU AI Act in 2025?
In April 2025, the Commission issued guidance clarifying what counts as unacceptable risk under the EU AI Act. It matters because it gave legal and compliance teams a basis to assess sensitive use cases such as biometric categorization and workplace emotion recognition, turning abstract prohibitions into auditable requirements.
Why did large language model training become a GDPR issue in 2025?
European regulators treated LLM training as personal-data processing under the GDPR, focusing on whether companies had valid consent or legitimate interest and whether workable opt-outs existed. High-profile scrutiny of Meta's training plans and X's Grok model accelerated that framing.
What was the practical impact of the UK Data (Use and Access) Act 2025?
It added flexibility around automated decision-making, formalized a “recognized legitimate interests” list, and restructured the ICO. The practical effect was dual-running: adapting to UK reform while maintaining GDPR alignment for EU activity, which eased some friction without abandoning core rights.
What did Apple's encryption change signal for governance in 2025?
Apple's withdrawal of end-to-end encryption for iCloud backups for UK users signaled that encryption posture can become jurisdiction-specific under lawful-access pressure. The implication is that residency can change security guarantees, raising questions about data sovereignty, cross-border trust, and EU regulator expectations.
How did US enforcement shape AI marketing claims in 2025?
Enforcement made clear that the “AI” label does not override consumer protection rules. The FTC pursued “AI washing,” and claims such as “unbiased” systems or “replacing a lawyer” required evidence and qualifications, forcing tighter alignment between engineering reality, documentation, and marketing language.

Where to Go Next

To go deeper, see the principles of AI governance, how to make AI and data privacy governance buyer-ready, and how privacy becomes a growth lever.

Book an intro call today
Michael Adler

Michael Adler is the co-founder of Aetos Data Consulting, where he serves as a compliance and governance specialist, focusing on data privacy, Artificial Intelligence (AI) governance, and the intersection of risk and business growth. With 20+ years of experience in high-stakes regulatory environments, Michael has held roles at the Defense Intelligence Agency, Amazon, and Autodesk. Michael holds a Master of Studies (M.St.) in Entrepreneurship from the University of Cambridge, a Juris Doctor (JD) from Vanderbilt University, and a Master of Public Administration (MPA) from George Washington University. Michael’s work helps growing companies build defensible governance and data provenance practices that reduce risk exposure.

Connect with Michael on LinkedIn

https://www.aetos-data.com
Previous

The Entrepreneur’s Sorting Hat: Why Your Startup Needs a Hufflepuff in the C-Suite
Next

How Does a Proactive Security Posture Drive Business Value and Market Trust?