2025 Data law trends

Digital intermediaries have long been subject to general laws and an assortment of targeted obligations. However, the EU Digital Services Act and the UK Online Safety Act reflect first attempts at the comprehensive regulation of online harm, as well as various other perceived risks and challenges arising from digital intermediaries related to transparency and accountability. They come at a time when lawmakers and regulators are also keenly focused on competition and consumer issues in digital ecosystems, with reforms such as the EU Digital Markets Act and UK Digital Markets, Competition and Consumers Act imposing parallel obligations on so-called digital ‘gatekeepers.’

Adopting the lexicon of Australia’s 2021 Online Safety Act – an early, industry-led framework passed by federal lawmakers in Australia – many jurisdictions are increasingly framing the issue of digital risk as a question of online safety, especially that of children.

In the US, the Kids Online Safety Act – a sweeping Bill passed by the Senate that would impose a duty of care on covered platforms, along with various safeguarding, disclosure and transparency requirements – reflects mounting bipartisan efforts at a federal level to regulate in this space. Despite uncertainty as to whether it has the necessary traction to pass the House, the law signals the intent with which many lawmakers are confronting the issue.

US state lawmakers have been more successful in passing various narrower online safety reforms, with an increasing number of states adopting laws requiring age verification to access online pornography and requiring age verification and parental consent for minors to access social media. However, constitutional challenges have halted the enforcement of many such laws. In July 2024, the US Supreme Court decided to hear a challenge to a Texas law requiring age verification to access online pornography, potentially set to bring some certainty to the future of such requirements in 2025.

A free speech challenge has also halted the enforcement of the California Age-Appropriate Design Code Act ahead of its July 2024 effective date. The law, which is modelled on the UK’s Age-Appropriate Design Code, requires businesses to prioritize children’s privacy and protection when designing digital products or services likely to be accessed by under-18s.

Despite constitutional uncertainty surrounding age-gating and age-appropriate design requirements in the US, such laws are gaining traction elsewhere. The UK Online Safety Act and draft Codes of Practice issued by the online safety regulator, Ofcom, seek to impose potentially sweeping requirements to enforce highly effective age assurance to prevent children accessing pornographic and other harmful content. Jurisdictions elsewhere in the world are looking to the UK’s design-focused Age Appropriate Design Code as a model. For example, the Singaporean privacy regulator this year adopted Advisory Guidelines for Children’s Personal Data that mirror many of its requirements. Likewise, the EU Digital Services Act requires online platforms to introduce measures to ensure a high level of privacy, safety and security of minors, with the European Commission planning to issue detailed guidelines outlining specific expectations in 2025.

Looking forward, the debate around the costs and benefits of such laws, especially how they may impact the free speech and other interests of adult users, looks set to intensify.

A common thread in the legislative efforts canvassed above are increasing requirements to provide user transparency around content moderation rules and outcomes, along with the operation of recommender systems on platforms. In various jurisdictions around the world, a lack of transparency is also increasingly being used as a hook by regulators and private litigants in privacy and consumer cases targeting online platforms.

In the US, the concept of ‘dark patterns’ has been formalized in several state consumer privacy laws, including prohibitions on the use of dark patterns to obtain consent. Additionally, the Federal Trade Commission has continued to express its keen interest in dark patterns through several actions, public workshops and a staff report titled Bringing Dark Patterns to Light, which argues that dark patterns are an unfair or deceptive business practice that may be subject to enforcement action.

This emphasis on transparency is also apparent in the EU’s AI Act, which imposes transparency obligations aimed at enabling users to understand that they are interacting with an AI system and to detect synthetically generated content and deepfakes, and deployers to understand the AI systems’ design and be informed of their use. This allows accountability for AI-based decisions made by companies and public authorities and ensures additional risk management and transparency of training data for very capable and impactful AI models.

Mounting transparency expectations are also apparent in more traditional contexts, such as the enforcement of privacy laws, with many privacy regulators emphasizing the importance of transparency when issuing guidance on the development and deployment on AI systems.