What changed in 2025 for privacy and AI governance compliance?

Written By Michael Adler

In 2025, privacy and Artificial Intelligence (AI) governance compliance became day-to-day operational work across the European Union (EU), United Kingdom (UK), and United States (US). Key shifts included EU AI Act guidance and a General-Purpose Artificial Intelligence (GPAI) Code baseline, General Data Protection Regulation (GDPR) scrutiny of model training data, UK Data (Use and Access) Act reform, and US state and agency enforcement shaping claims and transparency.

On This Page

Tools & Resources

Custom Trust Plan Compliance ROI Calculator Assess My Risk Where Should I Start?

2025 marked the year compliance moved from theoretical frameworks to operational reality, forcing organizations to navigate a collision of new EU enforcement, UK reform, and US federal volatility.

If 2024 was the year of "breathless anticipation" for AI regulation, 2025 was undoubtedly the year the rubber met the road. We moved rapidly from the high-level philosophy of "how should we regulate AI?" to the gritty reality of "how on earth do we document this specific training data set for a regulator in Dublin?"

Across the US, UK, and EU, the dominant theme was friction: the friction between innovation and individual rights, between national security and encryption, and arguably most visibly, between federal ambition and state-level enforcement. For privacy and governance professionals, the "wait and see" era officially ended. The "build and defend" era has begun.

Below is a comprehensive retrospective of the material developments that shaped our landscape in 2025.

How did the European Union Artificial Intelligence Act become a compliance burden in 2025? - From political victory to compliance burden

In 2025, the European Union Artificial Intelligence Act shifted from legislative milestone to day-to-day compliance work. The European Commission issued guidance in April 2025 on prohibited "unacceptable risk" practices, while the July 2025 General-Purpose Artificial Intelligence (GPAI) Code of Practice functioned as a de facto baseline for global compliance. The result was shorter "grace period" planning windows and a sharper split over prescriptive versus principles-based governance.

The EU AI Act’s operational reality began biting in 2025, with the European Commission clarifying prohibited practices and the General-Purpose AI (GPAI) Code of Practice becoming the de facto global compliance baseline.

2025 was the year the EU AI Act shed its abstract nature. Following its political passage, the focus immediately shifted to the practical machinery of governance. The "grace periods" we all noted in our project plans began to evaporate, replaced by hard deadlines and interpretative guidance that demanded immediate attention.

In April 2025, the Commission issued critical guidelines clarifying the scope of "unacceptable risk." This provided the granular definitions legal teams needed to assess biometric categorization systems and emotional recognition tools in the workplace. Simultaneously, the GPAI Code of Practice, published in July 2025, emerged as the year’s most contentious document. While positioned as a "compliance on-ramp," the Code effectively became a market standard, creating a growing transatlantic rift on whether governance should be prescriptive or principles-based.

Why did generative AI training data become the main General Data Protection Regulation battleground in 2025? - The primary GDPR battleground

In 2025, generative Artificial Intelligence (AI) training data became a frontline General Data Protection Regulation (GDPR) enforcement issue in Europe. Regulators treated Large Language Model (LLM) training as personal-data processing, with Irish Data Protection Commission (DPC) scrutiny of Meta’s training plans, an inquiry into X (formerly Twitter) and its Grok model, and interventions from Italy’s Garante. The outcome was tighter boundaries on consent, legitimate interest, and opt-outs for model training.

European regulators successfully re-framed Large Language Model (LLM) training as a core GDPR issue, launching high-profile enforcement actions to establish strict consent and legitimate interest boundaries.

The Irish Data Protection Commission (DPC) was at the center of this storm. The investigation into Meta’s AI training plans was a defining regulatory engagement, establishing that companies cannot vacuum up the social web without a robust, regulator-approved mechanism for opt-outs. Similarly, the investigation into X (formerly Twitter) regarding the training of its Grok model highlighted the risks of "retroactive" processing. Italy’s Garante also continued its crusade, reminding the market that AI governance is as much about protecting vulnerable data subjects from manipulation as it is about data safety.

What did the United Kingdom Data (Use and Access) Act 2025 change for privacy teams? - A Third Way for reform

In 2025, the United Kingdom Data (Use and Access) Act 2025 (DUAA) set a post-Brexit "third way" that kept core General Data Protection Regulation (GDPR) rights while reducing administrative friction. After receiving Royal Assent in June 2025, the DUAA introduced targeted flexibility for automated decision-making, created a "recognized legitimate interests" list, and restructured the Information Commissioner’s Office (ICO). The practical effect for privacy teams was dual-running: preparing for the new UK regime while maintaining GDPR alignment for EU operations.

The United Kingdom finally solidified its post-Brexit data regime with the enactment of the Data (Use and Access) Act 2025 (DUAA), balancing business-friendly flexibility with the retention of core rights.

Receiving Royal Assent in June 2025, the DUAA represents a pragmatic compromise. It introduced targeted flexibility in automated decision-making and formalized a "recognized legitimate interests" list to cut administrative burdens. Crucially, the Act restructures the Information Commissioner’s Office (ICO) while keeping core GDPR tenets intact to preserve the UK-EU adequacy decision. For privacy teams, 2025 was a year of "dual-running," preparing for the new UK regime while maintaining strict GDPR compliance for EU operations.

Why did the encryption debate reignite in 2025? - National security vs. privacy

In 2025, the encryption debate escalated as lawful-access demands collided with consumer privacy expectations. Apple’s withdrawal of end-to-end encryption for iCloud backups for United Kingdom (UK) users, after pressure under the Investigatory Powers Act, illustrated how national security policy can directly change product security features by jurisdiction. The outcome was a new governance risk: security posture and data sovereignty becoming residency-dependent, with potential implications for European Union (EU) adequacy and cross-border trust.

The collision between lawful access regimes and consumer privacy reached a breaking point in 2025, exemplified by Apple’s withdrawal of Advanced Data Protection features for UK users following government pressure.

In a move that stunned the cybersecurity community, Apple withdrew its end-to-end encryption for iCloud backups for UK users. This was a direct response to pressure under the Investigatory Powers Act. This event marks a watershed moment: we are moving toward a world where your security posture depends entirely on your residency, raising profound questions about data sovereignty and adequacy in the eyes of EU regulators.

How did United States federal AI governance swing in 2025? - Executive Orders and paralysis

In 2025, United States (US) federal Artificial Intelligence (AI) governance oscillated between executive action and legislative paralysis. The year opened with the rescission of the 2023 AI Executive Order (EO) 14110 in January 2025, followed by Executive Order 14179 reframing priorities toward "Removing Barriers to American Leadership in AI". By December 2025, the push for federal preemption of state AI laws created compliance whiplash and set the stage for a major constitutional showdown in 2026.

United States federal AI policy was defined by executive volatility, with the rescission of the 2023 AI Executive Order and the issuance of new directives creating a "whipsaw" effect for compliance teams.

The year began with the rescission of EO 14110 in January 2025. However, the vacuum was short-lived as EO 14179 was issued, reframing federal priority toward "Removing Barriers to American Leadership in AI." Most controversial was the late-year push for federal preemption in December 2025, where a new Executive Order took aim at the "patchwork" of state AI laws, setting up a massive constitutional showdown for 2026.

How did state attorneys general and the Federal Trade Commission enforce AI and privacy in 2025? - Filling the enforcement vacuum

In 2025, enforcement in the United States (US) shifted downward when federal legislation stalled and states and agencies acted. State attorneys general drove major privacy outcomes, including Texas’s $1.375 billion biometric-data settlement with Google, while the Federal Trade Commission (FTC) pursued "AI washing" cases to police claims about bias, capability, and professional substitution. The governance implication was simple: marketing claims needed traceable evidence, and privacy statutes at state level carried real financial exposure.

While Congress stalled, US regulators and State Attorneys General launched aggressive enforcement actions, with Texas securing a record-breaking settlement against Google.

The $1.375 billion settlement regarding biometric data was a staggering reminder of the power of state-level privacy statutes. Meanwhile, the Federal Trade Commission (FTC) cracked down on "AI washing." Their actions made it clear that "AI" is not a magic shield against consumer protection laws. If you claim your AI is "unbiased" or can "replace a lawyer," you must have the data and professional qualifications to prove it.

Why did California set the de facto national standard for algorithmic transparency in 2025? - The national regulator

In 2025, California moved from being a large state regulator to acting as a de facto national standard-setter for algorithmic transparency. The California Privacy Protection Agency (CPPA) finalized Automated Decision-Making Technology (ADMT) regulations requiring risk assessments and consumer opt-outs for "significant decisions", normalizing algorithmic impact assessments as operational practice. The CPPA’s work on the Delete Act also intensified pressure on the third-party data economy. For governance teams, California compliance became a baseline for nationwide programs.

The California Privacy Protection Agency (CPPA) finalized critical regulations on Automated Decision-Making Technology (ADMT), effectively establishing a national standard for algorithmic transparency.

Finalized in 2025, these rules require businesses to conduct risk assessments and offer consumers an opt-out for "significant decisions." Because California represents such a massive slice of the US economy, "algorithmic impact assessments" moved from academic ideas to standard operating procedures. The CPPA also began operationalizing the Delete Act, creating an existential threat to the third-party data economy.

What is the 2026 roadmap for defensible AI and privacy governance? - From waiting for clarity to defensible documentation

The 2026 governance roadmap requires moving from "waiting for clarity" to producing defensible documentation for regulators, buyers, and partners. The core mechanism is operational control over training-data lineage, opt-out implementation, and vendor governance, so that model inputs and downstream uses can be explained and reversed when required. The outcome is a modular compliance program that can handle European Union (EU), United Kingdom (UK), and United States (US) divergence while preventing over-claimed marketing promises.

To prepare for 2026, organizations must pivot from "waiting for clarity" to "defensible documentation," focusing on training data lineage and rigorous vendor management.

  • Map Your Training Data: You must know the provenance of every dataset.
  • Operationalize Opt-Outs: You need a "kill switch" for data in your models.
  • Prepare for Divergence: Build a modular compliance program for the UK, EU, and US.
  • Audit Your Claims: Ensure marketing claims match engineering reality.

Where can readers verify the primary sources behind these 2025 claims? - Primary sources

The primary sources for this 2025 review are official documents and enforcement materials from regulators and governments. The list includes European Commission publications on the European Union Artificial Intelligence Act and General-Purpose Artificial Intelligence (GPAI) Code of Practice, European Data Protection Board (EDPB) material, Ireland’s Data Protection Commission items, United Kingdom government guidance, Apple support notices, Federal Trade Commission orders, and White House documents. These references allow readers to verify dates, enforcement posture, and scope claims directly.

Frequently Asked Questions

Q: What did the European Commission clarify about "unacceptable risk" under the EU AI Act in 2025?
A: In April 2025, the European Commission issued guidance clarifying what counts as "unacceptable risk" under the European Union Artificial Intelligence Act. The clarification matters because it gives legal and compliance teams a basis to assess sensitive use cases like biometric categorization and workplace emotion recognition. This guidance turns abstract prohibitions into auditable requirements.
Q: Why did large language model training become a General Data Protection Regulation issue in 2025?
A: In 2025, European regulators treated Large Language Model training as personal-data processing under the General Data Protection Regulation. The enforcement focus was on whether companies had valid consent or legitimate interest and whether workable opt-outs existed. High-profile scrutiny of Meta’s training plans and X’s Grok model accelerated this framing.
Q: What was the practical impact of the UK Data (Use and Access) Act 2025 on privacy operations?
A: The Data (Use and Access) Act 2025 created operational change by adding flexibility around automated decision-making, formalizing a "recognized legitimate interests" list, and restructuring the Information Commissioner’s Office. The practical effect for teams was dual-running: adapting to UK reform while maintaining General Data Protection Regulation alignment for European Union activity. This reduced some burden without abandoning core rights.
Q: What did Apple’s Advanced Data Protection change signal for encryption governance in 2025?
A: Apple’s withdrawal of end-to-end encryption for iCloud backups for United Kingdom users signaled that encryption posture can become jurisdiction-specific under lawful access pressure. The governance implication is that residency can change security guarantees, which creates downstream questions about data sovereignty, cross-border trust, and European Union regulator expectations. This turns product design into a compliance variable.
Q: How did US enforcement shape AI marketing claims in 2025?
A: In 2025, enforcement pressure made it clear that "AI" claims did not override consumer protection rules. The Federal Trade Commission pursued "AI washing," and the text specifically warns that claims like "unbiased" systems or "replacing a lawyer" require evidence and professional qualifications. This forces tighter alignment between engineering reality, documentation, and marketing language.
Unlock Your Growth

What should readers explore next on privacy and AI governance? - Further reading

Featured
What changed in 2025 for privacy and AI governance compliance?

In 2025, privacy and Artificial Intelligence (AI) governance became operational through EU AI Act guidance, GDPR scrutiny of training data, and US enforcement.

Read More →
How do strategic security investments build investor confidence?

Strategic security investments are planned controls and attestations that reduce cyber risk, prove governance, and raise investor confidence.

Read More →
What is cybersecurity due diligence?

Cybersecurity due diligence is a pre-transaction review of security controls and risks that prevents hidden liabilities in deals and vendor decisions.

Read More →
Michael Adler

Michael Adler is the co-founder of Aetos Data Consulting, where he serves as a compliance and governance specialist, focusing on data privacy, Artificial Intelligence (AI) governance, and the intersection of risk and business growth. With 20+ years of experience in high-stakes regulatory environments, Michael has held roles at the Defense Intelligence Agency, Amazon, and Autodesk. Michael holds a Master of Studies (M.St.) in Entrepreneurship from the University of Cambridge, a Juris Doctor (JD) from Vanderbilt University, and a Master of Public Administration (MPA) from George Washington University. Michael’s work helps growing companies build defensible governance and data provenance practices that reduce risk exposure.

Connect with Michael on LinkedIn

https://www.aetos-data.com
Previous

The Entrepreneur’s Sorting Hat: Why Your Startup Needs a Hufflepuff in the C-Suite
Next

How does a proactive security posture drive business value and market trust?