
Hello Friends,
The window for public comments on the draft Digital Personal Data Protection Rules, 2025 has closed, ending a two-month consultation in which the government sought feedback from various stakeholders. The Centre will now review the comments and will reportedly release the finalized rules in the next eight weeks or so. As per a MeitY official, doubts around consent management, authority in control, data localisation, parental control and verifiable parents have been addressed.
By proactively addressing DPDPA compliance, we not only mitigate legal risks but also reinforce trust and credibility with our customers.
"Given the urgency of this matter, we propose starting the compliance process by taking up privacy assessments today to know the organizational gaps and expedite your efforts in aligning with DPDPA requirements. Taking immediate action will help you to be on the path towards compliance."
Enjoy reading!
Privacy Enforcement
USA: FTC orders Avast to pay a fine for the sale of browsing data for advertising purposes.
The FTC alleged in a February 2025 complaint that Avast deceived users by claiming that its software would protect consumers’ privacy by blocking third-party tracking, but it failed to adequately inform consumers that it would collect and sell their detailed, re-identifiable browsing data. The FTC alleged Avast sold that data to more than 100 third parties through its subsidiary, Jumpshot. The FTC will require Avast to pay $16.5 million and prohibit the company from selling or licensing any web browsing data for advertising purposes to settle charges that the company and its subsidiaries sold such information to third parties after promising that its products would protect consumers from online tracking. The Federal Trade Commission is sending claim forms to consumers who bought deceptively marketed antivirus software from Avast.
USA: OCR fines Warby Parker $1.5M for HIPAA security rule violations.
On February 20, 2025, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) imposed a $1.5 million fine on Warby Parker, an eyewear retailer based in New York City, for violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The penalty followed a breach report indicating that unauthorized third parties accessed 197,986 customer accounts through "credential stuffing" attacks, compromising personal information such as names, addresses, email addresses, payment card details, and eyewear prescriptions. OCR's investigation identified Warby Parker's failure to conduct a thorough risk analysis, implement adequate security measures, and regularly review system activity, leading to enforcement action.
Arkansas: AG files a lawsuit against General Motors for unlawful collection and sale of drivers' private data.
Arkansas Attorney General Tim Griffin has filed a lawsuit against General Motors LLC and OnStar LLC for allegedly violating the Arkansas Deceptive Trade Practices Act by unlawfully collecting and selling drivers' private data. The lawsuit claims GM monitored and sold customer driving data, including vehicle speed, distance, and location, to third-party data brokers for over a decade without proper consumer consent. GM is accused of using dark patterns in its onboarding process, obscuring its data-sharing practices, and failing to inform consumers about the sale of their data or the existence of data exchanges that assign driving scores and allow resale to insurance companies.
Data Breach
Hackers expose personal data, including Social Security numbers, of over 3 million people.
The personal details of over 3.3 million people were exposed when a leading US employee screening company suffered a major data breach. DISA Global Solutions, which provides background checks and drug testing services to some of the US' largest corporations, confirmed the breach in a recent filing with the Maine Attorney General’s office. The breach exposed highly sensitive personal data including social security numbers, credit card and financial account details, and government-issued identification documents. It remains unclear who was behind the cyberattack or how the company’s systems were compromised.
Korea fines BusinessOn and NHN for personal data breaches totaling 200 million won
On February 27, 2025, South Korea's Personal Information Protection Commission (PIPC) imposed fines totaling 200 million won on BusinessOn Communication and NHN for personal data breaches. BusinessOn Communication was fined 150 million won for failing to encrypt sensitive information, leading to unauthorized access to 700,000 individuals' data. NHN received a 50 million won fine for inadequate security measures, resulting in the exposure of 300,000 users' personal information. The PIPC emphasized the importance of robust data protection practices to prevent such incidents.
Privacy in Spotlight
UK: Apple pulls data protection tool after UK government security row.
Apple has decided to discontinue its Advanced Data Protection (ADP) feature for UK users following a demand from the UK government for backdoor access to encrypted iCloud data. The Home Office, under the Investigatory Powers Act, required Apple to provide access to fully encrypted materials. In response, Apple has removed the ADP feature in the UK, expressing disappointment over the government's stance. This decision has sparked criticism from privacy advocates and concerns from US officials about potential violations of international data agreements. The situation underscores ongoing tensions between tech companies and governments over privacy and data access.
Google makes it easier to delete personal information from Search results.
Google has enhanced its "Results about you" tool to simplify the removal of personal information from search results. This tool allows users to monitor and request the removal of sensitive data, such as addresses and phone numbers, directly from search pages. Users can register their information for monitoring and receive notifications if their data appears online, enabling prompt removal requests. Previously, accessing this tool was challenging, but Google has now made it more visible and user-friendly. The tool is currently available in select countries, and Google plans to expand its availability further.
IAMAI Raises Concerns Over DPDP Rules' Impact on Startups and MSMEs.
The Internet and Mobile Association of India (IAMAI) has warned that the proposed Digital Personal Data Protection (DPDP) Rules could disadvantage startups and MSMEs, forcing them to divert resources from growth to compliance, unlike larger corporations with dedicated legal and IT teams. It criticized the unclear classification of "Significant Data Fiduciaries" (SDFs) and urged that companies be allowed to present their case before designation. IAMAI also opposed strict child data verification rules and restrictions on cross-border data transfers, citing increased costs and reduced global competitiveness. A key concern is Rule 22, which grants the government access to sensitive business information, potentially harming innovation. To mitigate these challenges, IAMAI advocates for a 24-month transition period and clearer compliance guidelines.
Regulations
California: CPPA launches 2025 Data Broker Registry
On February 26, 2025, the California Privacy Protection Agency (CPPA) announced, via LinkedIn post, that it launched the 2025 Data Broker Registry. The CPPA explains that California residents can visit the registry to view registered data brokers and submit requests directly to the company to exercise their rights under the California Consumer Privacy Act (CCPA). Additionally, the CPPA highlights that from January 2026, California residents will be able to submit a single request to the CPPA to delete information from all registered data brokers.
Malaysia PDP publishes guidelines on DPO appointment and data breach notifications.
Malaysia's Department of Personal Data Protection issued guidelines on February 25, 2025, detailing the appointment of data protection officers (DPOs) and data breach notifications. The guidelines specify when DPOs must be appointed, their qualifications, and their responsibilities, including risk assessment and acting as a contact point for data subjects. They also outline what constitutes a data breach, the definition of 'significant harm' and 'significant scale,' notification timeframes, and the process for notifying the PDP and affected data subjects. Additionally, the guidelines include requirements for data breach management plans, data processors' obligations, and maintaining records of data breaches, complemented by a flowchart summarizing the notification process.