Key Themes From the 2025 IAPP Global Privacy Summit

Skadden Publication / Cybersecurity and Data Privacy Update

William E. Ridgway, David A. Simon, Susanne Werry, Dana E. Holmstrand, Lisa V. Zivkovic

On April 23 and 24, 2025, regulators, industry leaders and data privacy leaders from across the globe convened in Washington, D.C. for the 2025 International Association of Privacy Professionals (IAPP) Global Privacy Summit.

Below, we outline key themes and takeaways from the event.

1. Cross-Regulator Coordination Is Increasing

Regulators from the European Union, United Kingdom and United States emphasized growing cross-sector and cross-jurisdiction collaboration on data privacy and artificial intelligence (AI) regulation. Panels throughout the summit highlighted both formal and informal collaboration efforts.

  • U.K. Digital Regulation Cooperation Forum. Representatives from the U.K. Information Commissioner’s Office (ICO) pointed to the Digital Regulation Cooperation Forum (DRCF) as a model for real-time collaboration among U.K. regulators — including the ICO and Competition and Markets Authority (CMA) — particularly in the rapidly evolving digital economy.
  • Germany’s Digital Cluster Bonn. German authorities have described the Digital Cluster Bonn as a voluntary collaboration among agencies (like the “Bundesbeauftragte für den Datenschutz und die Informationsfreiheit,” “Bundesanstalt für Finanzdienstleistungsaufsicht” and local data protection authorities) to foster ongoing dialogue and share understanding on tech- and data-related issues, including competition.
  • U.S. Consortium of Privacy Regulators. Representatives from the Connecticut, Colorado and Oregon state attorneys general (state AG) offices and the California Privacy Protection Agency (CPPA) explained that the Consortium of Privacy Regulators was recently created to formalize the previously informal coordination on investigations and enforcement efforts, and the sharing of information and resources (such as access to expertise of technologists).

On both sides of the Atlantic, the fragmented approach to regulation is likely to continue, but regulators are increasingly communicating with each other on shared priorities.

2. US State Regulators Are Sharpening Their Focus

As new U.S. state data privacy laws take effect, organizations must adapt their compliance programs to meet nuanced requirements. Representatives from the CPPA and Connecticut, Colorado and Oregon state AG offices offered insights into regulator priorities for the coming year and all stressed that regulatory inquiries often stem from consumer complaints.

  • CPPA is looking to establish precedent. CPPA Deputy Director Michael Macko stated that the agency aims to establish enforcement precedents under the California Consumer Privacy Act (CCPA) through targeted actions. He also emphasized that, while it is helpful to use new data privacy compliance technology vendors, overreliance without critical implementation is problematic, as the business is ultimately responsible for compliance. Deputy Director Macko explained that recent enforcement activity was previewed by the CPPA’s previous public advisories and guidance on relevant topics, and urged companies to monitor such advisories and other agency statements.
  • Colorado underscored the importance of honoring universal opt-out mechanisms. Colorado’s First Assistant AG Stevie DeGroff stated the AG’s office expects organizations to honor universal opt-out mechanisms as a well-established requirement.
  • Oregon suggested that Colorado’s regulations apply. Given the Oregon Consumer Privacy Act’s (OCPA) alignment with Colorado’s framework, Oregon’s Senior Assistant AG Kristen Hilton advised that organizations should refer to Colorado’s regulations when interpreting overlapping or ambiguous requirements.
  • Connecticut stated that vague responses to inquiries will lead to follow-up. Colorado’s Deputy Associate AG Michele Lucan explained that vague responses to inquiries from the AG’s office will inevitably lead to follow-up and additional scrutiny.

3. Data Privacy Documentation Is Critical

Data privacy compliance documentation should be prepared with an external audience in mind and be clear, complete and regulator-ready.

  • Privacy notices should be clear and easily accessible. Privacy notices should promote a clear understanding of data processing practices, rights granted to individuals and how to easily exercise them. For instance, though privacy notices do not need to list all the U.S. states with comprehensive privacy laws (other than California), they cannot omit certain state laws if choosing to list the state laws that the business is subject to.
  • Comprehensive documentation can mitigate scrutiny. Representatives from the Colorado and Oregon AG offices stressed that well-documented decision-making processes and risk analyses can demonstrate good faith compliance and mitigate enforcement risks related to ambiguous requirements. Similarly, in-house leaders noted the value of conducting unified assessments across overlapping EU regimes, such as the General Data Protection Regulation (GDPR), AI Act, Digital Services Act (DSA) and Online Safety Act (OSA). A Digital Data Impact Assessment (DDIA) can create a clear, risk-based picture for both internal teams and external oversight.

4. Engage Proactively With Regulators

Proactive engagement with regulators is essential — not only for compliance but to minimize risk during investigations. Regulators from multiple jurisdictions, including the U.K., EU and U.S., noted that collaborative communication from the beginning of an investigation can provide the necessary context for regulators and thus help mitigate scrutiny.

5. Legal Certainty Is Essential for Innovation

EU and U.K. regulators emphasized that ongoing legal uncertainty is one of the biggest obstacles to innovation in data privacy and AI. They called on lawmakers to act to deliver urgently needed legislative frameworks that are clear and consistent.

6. AI and Ad-Tech Regulatory Developments in Europe

EU and U.K. regulators provided key updates on emerging AI laws and governance frameworks.

  • EU AI Liability Directive. Brando Benifei, co-rapporteur of the EU AI Act, expressed hope that the pause on the EU AI Liability Directive is temporary. He reiterated that the AI Act aims to harmonize legal approaches to the technology, reducing uncertainty rather than creating new barriers.
  • U.K. AI regulation. U.K. Information Commissioner John Edwards noted that while there were attempts to codify AI-specific provisions in the U.K.’s new data protection law, the decision was made to develop an AI code of conduct instead of legislating. The ICO plans to collaborate with other regulators within the U.K. to build a flexible, agile framework for AI governance.
  • Ad-tech pay or consent model. Bertrand du Marais, of France’s Commission nationale de l’informatique et des libertés (CNIL), and Des Hogan, of Ireland’s Data Protection Commission (DPC), stressed the European Data Protection Board’s recent guidance that the pay or consent model for large-scale online platforms does not offer consumers a valid choice. But the U.K. ICO’s Stephen Almond noted that it can, depending on the circumstances (and pointed to the ICO’s recent guidance on the matter).

7. Regulatory Developments Across the Asia-Pacific

Significant regulatory activity is underway across the Asia-Pacific (APAC), particularly concerning data privacy and AI governance. Data privacy professionals highlighted the importance of tailoring compliance to local requirements, proactively updating localized incident response plans, and monitoring emerging laws and regulations. For instance, Australia amended its federal privacy law in December 2024, including to allow the Office of the Australian Information Commissioner to issue penalty notices, with additional reforms expected in 2025. Japan also anticipates amending the Act on the Protection of Personal Information in 2025 to introduce administrative fines, among other changes.

8. CPPA and UK ICO Announce New Cooperation Pact

The CPPA announced a new agreement with the U.K. ICO to formalize existing collaboration between the offices in order to further foster joint research, the exchange of investigative techniques and shared strategies for addressing emerging data protection challenges. This move reflects the CPPA’s broader strategy to strengthen international and domestic alliances — building on similar agreements with South Korea’s Personal Information Protection Commission, France’s CNIL and the formation of the new U.S. state privacy enforcement consortium. As the CPPA continues expanding its regulatory reach and enforcement footprint, companies operating across jurisdictions should be prepared for more harmonized, coordinated enforcement and heightened compliance expectations.

What Should Organizations Be Doing?

Organizations should consider working with outside counsel to:

  • Update compliance frameworks to emphasize clarity, documentation and proactive regulatory engagement.
  • Prepare for evolving requirements across the U.S., Europe and APAC by staying informed and agile.
  • Adopt a DDIA approach to streamline assessments and risk management across privacy regimes.
  • Design AI governance strategies aligned with anticipated codes of conduct and legal expectations.
  • Provide training to enhance organization-wide understanding and communication of technical and legal risks.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.
