10 GDPR news items to remember from September 2025
In September 2025, GDPR news was marked by record sanctions from the CNIL, the entry into force of the Data Act, the validation of the Data Privacy Framework and new obligations for companies in terms of data, AI and transparency.

In September 2025, the regulation of personal data is being strengthened all over the world. Record sanctions from the CNIL, the entry into force of the Data Act, clarifications on EU-US transfers and high-profile cases like Disney's show the importance of staying compliant. Discover the 10 key GDPR news items and practical advice for DPOs, CISOs and managers.
CNIL sanctions Google: 325 million euros for advertising and cookies
The CNIL has fined Google 325 million euros for having:
- Displayed ads between the emails of Gmail users without their prior consent
- Placed cookies when Google accounts were created, without obtaining valid consent from French users
This sanction continues the CNIL's actions to regulate non-compliant practices in the monitoring and targeting of Internet users.
The Data Act comes into force: impacts on IoT and cloud
The Data Act is now in force, requiring equitable access to data generated by connected products and cloud services.
Key points:
- User access to the data of their connected objects
- Fair data sharing between companies to promote innovation
- Cloud interoperability to make it easier to switch services or use several at once
- Protection against illegal access by third-country governments
Practical implications:
- Review supplier contracts to integrate data sharing
- Establish transparency and governance mechanisms
CJEU ruling: pseudonymized data is not always personal
The Court of Justice of the European Union (CJEU) has issued a landmark ruling concerning the qualification of pseudonymised data. It confirmed that this data may, depending on the circumstances, lose its character as personal data, in particular when the recipient does not have reasonably accessible means to re-identify the individuals concerned.
This decision nuances the previous approach, in which all pseudonymized data was consistently considered personal.
Shein sanctioned: 150 million euros for illegal cookies
The CNIL fined Shein 150 million euros for having placed advertising cookies before obtaining the consent of users on the site “shein.com”. This decision highlights the importance for e-commerce sites of:
- Obtaining explicit consent prior to any data collection
- Setting up cookie management mechanisms compliant with the requirements of the GDPR
Disney settles a case over children's data
The FTC announced that Disney will pay $10 million to settle allegations about the unlawful collection of children's personal data on YouTube. Businesses operating in the children's sector must:
- Strictly comply with the Children's Online Privacy Protection Act (COPPA)
- Put appropriate privacy policies in place and obtain verifiable parental consent
EU court confirms the Data Privacy Framework
The General Court of the European Union dismissed the appeal against the Data Privacy Framework (DPF), thus validating data transfers between the EU and the United States. Businesses should:
- Verify that their standard contract terms are up to date
- Ensure continuous monitoring of compliance with data protection standards
EDPB publishes guidelines on DSA and GDPR
The EDPB has adopted guidelines clarifying the interaction between the Digital Services Act (DSA) and the GDPR. Digital platforms must:
- Reconcile content moderation obligations with data protection requirements
- Set up internal processes guaranteeing compliance with both regulations
Sharing personal data with the United States: the EDPS requires strengthened guarantees
The European Data Protection Supervisor (EDPS) emphasizes that any sharing of personal data with the United States, including biometrics, must be accompanied by solid guarantees to protect the rights of individuals.
Key points:
- Necessity and proportionality: data should only be processed if necessary
- Exclusion of massive transfers: in particular for migration and asylum
- Transparency and information: individuals need to be informed and have access to legal remedies
This framework agreement could become the first large-scale exchange of personal data between the EU and a third country, strengthening the protection of fundamental rights.
CNIL sanctions La Samaritaine for hidden cameras
The CNIL imposed a fine of €100,000 on SAMARITAINE SAS for having installed hidden cameras in storerooms, which also recorded sound, without informing the employees. This practice violates the GDPR and the principle of transparency toward staff.
EU consultation on the transparency of AI systems
The European Commission launched a public consultation to develop guidelines and a code of practice on the transparency obligations of AI systems, in accordance with Article 50 of the AI Act. Providers should clearly inform users when they are interacting with AI systems, including by tagging content generated or manipulated by AI.


