    Amit, Pollak, Matalon & Co.


    Privacy in Perspective: Reflecting on 2024’s Key Regulatory Milestones

    January 1, 2025

    As we step into 2025, it’s clear that 2024 has been a year of transformative progress in privacy and data protection. Across the globe, from sweeping reforms in Israel to groundbreaking developments in the European Union and the rapid surge of state-level laws in the United States, privacy has taken center stage, reshaping the regulatory landscape in unprecedented ways:

    Israel – 2024 Significant Privacy Developments and a Look Ahead

    As we close 2024, Israel’s privacy framework is undergoing significant advancements. Central to these changes is Amendment 13 to the Privacy Protection Law, which becomes effective in August 2025. This amendment introduces key updates, aligning Israel’s privacy laws with global standards and granting the Privacy Protection Authority (PPA) enhanced enforcement powers, including the authority to issue fines and investigate non-compliance. Another key update is the mandatory appointment of a Data Protection Officer (DPO) for organizations meeting specified thresholds, reflecting global trends such as those in the GDPR.

    Further solidifying Israel’s international data protection standing, the European Commission reapproved Israel’s adequacy status in January 2025. This decision confirms that Israel continues to provide a level of data protection comparable to that of the EU, enabling seamless data transfers from the European Economic Area (EEA) to Israel. The approval of Israel’s adequacy was based, among other things, on the Mediation Regulations, which impose EU-compliant requirements on EEA-origin data processed in Israel. Starting January 2025, these regulations will extend to all data in databases that include EEA-origin data, highlighting the need for comprehensive compliance strategies.

    Additionally, the PPA’s Board of Directors Guidance, issued earlier this year, underscores the critical role of corporate boards in overseeing privacy and data security. Key responsibilities include adopting data protection policies, reviewing risk assessments, and ensuring organizational readiness to address privacy risks.

    Other notable updates include the PPA’s expansion of the log retention and monitoring requirements under Regulation 10(d), emphasizing robust system auditing and documentation, and recent PPA guidance regarding the transfer of personal database ownership.

    Looking ahead, discussions with the PPA indicate that the first half of 2025 will bring the release of new and updated guidance to clarify specific aspects of Amendment 13. With the enforcement date of August 2025 approaching, organizations are strongly encouraged to perform gap analyses and implement periodic audits to ensure full compliance and readiness ahead of this milestone.

    EU – “Pay or OK,” AI Regulation, and Shaping the Digital Future

    2024 marked a pivotal year for the European Union in its journey to harmonize digital laws and maintain its position as a global leader in technological regulation in general, and specifically in privacy and data governance.

    Central to these efforts was the formal approval of the AI Act, a groundbreaking regulatory framework that imposes strict oversight on artificial intelligence systems, particularly those categorized as high-risk. This legislation reflects the EU’s commitment to ensuring transparency, accountability, and ethical AI practices, complementing its broader digital strategy.

    Further advancing these goals, the European Data Protection Board (EDPB) issued an opinion providing crucial guidance on privacy implications in AI development. The opinion highlighted the importance of evaluating whether AI models truly anonymize data, carefully assessing the use of legitimate interest as a legal basis, and avoiding reliance on unlawfully processed personal data.

    At the same time, the EU’s regulatory attention turned to the AdTech industry and contentious practices surrounding user consent. Regulators intensified their scrutiny of cookie policies and the so-called “Pay or OK” models, which pressure users to consent to data processing or pay for access. The EU has made it clear that genuine consent must remain free of coercion, reaffirming its commitment to protecting individual autonomy in the digital economy.

    These developments are part of a broader strategy to harmonize digital regulations under the EU’s expansive framework for the digital age. Laws such as the Digital Operational Resilience Act (DORA), NIS2 Directive, and Digital Services Act (DSA) underscore the EU’s vision of creating a unified and secure digital market. This integrated approach not only strengthens data protection but also fosters innovation and trust across industries.

    Looking ahead to 2025, the European Commission has signalled further advancements, including the implementation of the Data Act, aimed at enabling secure data sharing across sectors while maintaining privacy safeguards. Furthermore, the EDPB has announced that its 2025 Coordinated Enforcement Action will focus on the implementation of the right to erasure (“right to be forgotten”) under Article 17 of the GDPR. This action will evaluate how controllers implement this frequently exercised right, comparing practices and identifying both challenges and best practices. This reflects the EU’s ongoing commitment to ensuring that digital rights are respected and upheld. Additionally, the EDPB has announced a coordinated enforcement framework focusing on AI and digital ecosystems, underlining the EU’s determination to ensure compliance across its member states.

    The continued rollout of these digital regulatory frameworks, led by the GDPR, AI Act and DSA, will deepen the EU’s influence in shaping global digital standards, ensuring that technological progress aligns with ethical and regulatory principles.

    US – The Patchwork of State Laws and Emerging Privacy Frontiers

    2024 saw a remarkable surge in state-level privacy legislation in the United States, filling the void left by delayed federal action on a comprehensive privacy framework. With Congress unable to reach consensus, individual states have taken the lead, introducing a patchwork of privacy laws that aim to protect residents’ data across various domains. By year’s end, twenty states had enacted comprehensive data privacy legislation, reflecting a growing urgency to address privacy risks in the absence of federal oversight.

    This year’s legislative focus extended beyond general consumer privacy, delving into specialized areas such as children’s privacy, health data, biometrics, and artificial intelligence. States like California, Florida, and Connecticut spearheaded efforts to strengthen online protections for minors, imposing stricter requirements on platforms targeting children. Simultaneously, health data emerged as a critical area of concern, with new state laws enhancing safeguards around sensitive medical information, mirroring some of the objectives of HIPAA while addressing gaps in its applicability.

    Biometric privacy also gained traction, with states building upon frameworks like Illinois’ Biometric Information Privacy Act (BIPA) to introduce laws governing the collection, use, and storage of biometric identifiers such as fingerprints and facial recognition data. Meanwhile, artificial intelligence became a focal point for emerging legislation, as states recognized the potential risks associated with AI systems that process sensitive personal information or make automated decisions impacting individuals’ lives.

    Another area that dominated regulatory and enforcement actions in 2024 was the sale of personal data. Decisions at both state and federal levels underscored growing scrutiny over data brokers and businesses engaged in selling consumer information. Enforcement actions such as the Federal Trade Commission’s settlement with Avast highlighted deceptive practices in the sale of browsing data, while states introduced specific provisions targeting the sale of sensitive data categories like health and biometric information.

    This issue was further emphasized in the OCR bulletin, which clarified obligations under HIPAA when using online tracking tools that could involve protected health information. The bulletin stressed that even de-identified data might carry risks, pushing healthcare providers and tech vendors to rethink their data-sharing practices. These developments illustrate how regulatory attention is shifting toward specific data types and processing activities, and toward specific industries and fields, that pose heightened privacy risks.

    As 2024 concludes, the fragmented nature of U.S. privacy law presents both challenges and opportunities for businesses. The state-driven model fosters innovation in regulatory approaches but also creates compliance complexities that may ultimately necessitate federal intervention. For now, organizations must remain vigilant, tailoring their data practices to align with the evolving requirements of each state while addressing the broader societal concerns driving these changes.

    Closing Summary: Staying Ahead in a World of Privacy Rules

    As 2024 draws to a close, it is clear that privacy and data protection have become more critical than ever, driven by a global surge in regulatory activity. From the sweeping reforms in Israel with Amendment 13 to the Privacy Protection Law, to the European Union’s groundbreaking AI Act and the expansive digital framework that includes the DSA, NIS2, and beyond, to the United States’ patchwork of state-level laws filling the federal void—the regulatory landscape has never been more complex.

    At APM, we excel at addressing general privacy concerns and tackling niche areas like children’s data, health information, and biometrics. Our expertise extends to critical priorities such as the right to erasure and AI governance, enabling businesses to adopt thoughtful, risk-based strategies and stay ahead in this ever-evolving regulatory landscape.

    Wishing you, our dear customers, a Happy New Year!

    APM Privacy, Technology and Regulation Team.

    This document is intended to provide only a general background regarding this matter. It should not be regarded as setting out binding legal advice but rather as a practical overview based on our understanding.