New policy trends running to catch up with the algorithms

Social media companies and others gain in-depth understanding of individuals’ lifestyles and run algorithms offering them more of what they are interested in, expressed by their taps and clicks. People give their personal data to enjoy free or low cost goods and services while companies seek to monetise this data.

An aim of data regulation is to require organisations to make this type of transaction more transparent to consumers when they actively or passively give up their personal data.

The EU’s Digital Omnibus regulation package published in November contains some new policy strands in its efforts to simplify the GDPR and the AI Act. It allows more flexibility for companies with a broader interpretation of legitimate interest as a legal basis for processing. But consumer organisations fear an erosion of individuals’ rights for the training of AI systems.

Regulation is also increasing in the US with 19 states now following California with state privacy laws often with a focus on children’s issues. Fewer states pay attention to the collection and use of biometric data. Illinois has a long established lead, now followed by Texas and Washington State, we learned at our US-EU conference on 4 November.

There is no consensus on new privacy regulation at the federal level but there has been enforcement action by the FTC involving hundreds of millions of dollars in relief and monetary penalties in settlements with leading online companies Epic Games, Amazon and Microsoft. The FTC reported that it had obtained an order against edtech company Edmodo, Inc. for “collecting personal data from children without obtaining their parent’s consent and using that data for advertising, in violation of the [Children’s Online Privacy Protection Act] COPPA Rule, and for unlawfully outsourcing its COPPA compliance responsibilities to schools.”

Algorithmic disgorgement

Another US enforcement technique is algorithmic disgorgement in which the FTC’s settlement with Rite Aid for “algorithmic unfairness” has involved “algorithmic disgorgement” of data, models, or algorithms developed using facial recognition images.

Compensation payouts in Australia

Australia’s Privacy Commissioner, Carly Kind, from a civil rights background, has recently pursued a more active use of the Commission’s sanctioning powers. In addition, company modest payouts (when shared between the many people affected by a data breach) to individuals for data breaches is now a more frequent occurrence in Australia.

Different approaches in the Asia-Pacific region

Asian countries follow different regulatory models. Consumer and privacy advocates in the Asia-Pacific region discuss co-ordination but the region is so large and diverse and their agendas are so wide-ranging that it was difficult for them to make an impact even when the Global Privacy Assembly was held in Korea in September.

Meet the PL&B Report Correspondents in 2026

Publication of this December edition of PL&B International Report comes just before our 3 December first Meet the UK Correspondents event in London. It is free to attend for subscribers and we are considering organising in 2026 a similar event for Meet the International Report Correspondents. Let us know if you like this idea.

As always, I thank the PL&B Editorial Team led by Laura Linkomies, Editor and we look forward to continuing to provide the information service which so many of you appreciate. We always welcome new commendations and enjoy deploying our human intelligence rather than AI to provide you with PL&B Reports.

Regards,

Stewart Dresner
Publisher, Privacy Laws & Business

December 2025