Data Privacy News for May 2025

Alas, Justin Timberlake was right after all. It was ‘gonna be May.’ Because now it is.

What he probably didn’t see coming was all the privacy news that would be coming in this time of year. We got you covered, JT.

What’s new in privacy? 

Below are some of the most notable news in privacy from this month: 

1. Chrome fixes 20-year browser history privacy risk. After it  was reported 20 years ago, Chrome has finally fixed the issue that enabled websites to determine users’ browsing history through previously visited links. Learn more here.
2. Cisco releases data privacy benchmark study. The study has some interesting findings, with 96% of organizations stating that the benefits from privacy investment are greater than the cost, 95% of organizations stating that their customers will not buy from them if their data is not properly protected, and 90% of organizations stating that strong privacy laws make customers more comfortable sharing their data in AI applications. Read the study here. 
3. France fines Apple 150 million Euros over app tracking feature. France’s Competition Authority stated that the app tracking opt out feature leads to an excessive number of consent windows for third party apps, making the experience more cumbersome. The Authority also found that the system required users to opt out twice, rather than once. Lastly, the Authority stated that the approach disproportionately affected smaller publishers. Learn more here. 
4. NOYB files privacy complaint against Ubisoft. The privacy firm NOYB has filed a complaint against Ubisoft claiming that the company connected to external servers 150 times, including to Google and Amazon, within ten minutes of an individual booting up the game. NOYB claims that this practice violates GDPR as there is no explanation given as to why the data is being sent to external servers. Read more here. 
5. Shopify privacy lawsuit revived in California. A class action lawsuit against Shopify filed in 2021, claimed that Shopify extracted sensitive personal and financial data without his consent in violation of California privacy laws, using that data to compile and sell profiles of shoppers. While the lawsuit was previously dismissed, a Ninth Circuit panel ruled that the lawsuit can proceed as Shopify targeted customers in California, even though it is a Canadian business. Learn more here. 
6. Lawsuit claims Fairmont Hotels & Resorts violated CIPA. A recent lawsuit filed under the California Invasion of Privacy Act, alleges that Accor Management, through the Fairmont Hotels & Resorts, violated CIPA by allowing Facebook to access potentially personal information without the plaintiff’s consent. The plaintiff alleges that they then received targeted advertisements from Facebook. Read more here. 
7. Study finds that many retailers fail to follow privacy opt-outs. A study performed by Wesleyan University and Consumer Reports releases findings that examined the privacy practices of 40 online retailers. The study found that 30% of the companies appeared to be serving retargeted advertisements on other publisher websites despite receiving opt out requests. Learn more here. 
8. Californians receive $156 payments in Thomson Reuters privacy settlement. The settlement of $27.5 million was approved in October, resolving allegations that Thomson Reuters sold personal data through its CLEAR platform without user consent. Read more here. 
9. EU proposes rules for the storing of blockchain data. The European Data Protection Board has approved draft rules governing how personal data is stored and shared on blockchains. The new rules seek to limit access to stored information that comply with GDPR. Read more here. 
10. Two lawsuits filed against Trade Desk. The lawsuits allege that adtech giant The Trade Desk systematically tracks people online without their knowledge, builds out detailed user profiles, and monetizes consumer data without adequate disclosures or consent. Learn more here. 

What privacy bills are we tracking? 

As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.

• Arkansas – AR SB258;
• Georgia – GA SB111;
• Hawaii – HI SB1037;
• Illinois – IL HB3385;
• Illinois – IL SB3517;
• Illinois – IL SB52;
• Illinois – IL HB3041;
• Maine – ME HB710/HB1088;
• Maine – ME HB799;
• Maine – ME HB1220;
• Massachusetts – MA SB33;
• Massachusetts – MA HB104;
• New York – NY S2277;
• New York – NY SB365;
• New York – NY SB3162;
• New York – NY AB4374;
• North Carolina – NC – HB462;
• North Carolina – NC – SB757;
• Oklahoma – OK H1012;
• Pennsylvania – PA HB78;
• Pennsylvania – PA SB112;
• Vermont – HB208;
• Vermont – SB93; and
• West Virginia HB2953

Events

Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals: 

1. Hot Topic Privacy Roundtable – May 7, 2025; 
2. Tracking Technologies in Healthcare – May 20, 2025;  
3. Webinar: 5 Stories Around AI – May 23, 2025.

Conclusion

That’s it for this blog! We’ll see you next month. In the meantime, you can catch up on all our Privacy Lawls episodes (it’s growing fast).