May 2025 Privacy Pulse: Key Data Privacy Updates

Monthly Newsletter
May 2025 Edition

This month brought significant developments in the privacy landscape, with major data broker breaches exposing hundreds of thousands of consumer records and continued expansion of state privacy regulations across the United States. The LexisNexis breach affecting over 364,000 individuals highlights the ongoing vulnerabilities in data broker security practices, while eight new state privacy laws taking effect in 2025 demonstrate the growing momentum for consumer privacy protections. Additionally, federal agencies continue refining existing privacy frameworks, including updated COPPA regulations and increased CCPA penalties, creating a dynamic environment that requires proactive consumer protection measures.

Latest Data Breach News and Privacy Law Updates

Major Data Broker Breaches Impact Hundreds of Thousands

The most significant privacy incident this month involved LexisNexis Risk Solutions, one of the largest data brokers in the United States, which disclosed a breach affecting 364,333 individuals[1][2]. The breach occurred when an unknown threat actor accessed the company's GitHub account on December 25, 2024, but LexisNexis only discovered the incident on April 1, 2025[1][13]. The compromised data included highly sensitive personal information such as names, phone numbers, email addresses, home addresses, Social Security numbers, driver's license numbers, and dates of birth.

What makes this breach particularly concerning is the delayed discovery and disclosure timeline. Security experts have criticized LexisNexis for the significant delay between the incident occurrence in December 2024, detection in April 2025, and public disclosure in May 2025[1][2]. This timeline raises questions about data broker security practices and their ability to detect unauthorized access to sensitive consumer information.

The breach highlights broader issues with data broker practices, as LexisNexis has faced significant scrutiny for its data sharing relationships with various organizations and its role in collecting and selling sensitive information about consumers, including driver behavior and reproductive health data[18]. The company confirmed that while no financial or credit card information was affected, the exposed data could enable identity theft and fraud[1][13].

Another significant incident involved SL Data Services, where a database that was not password-protected exposed more than 600,000 sensitive files containing comprehensive personal information, including full names, family members, home addresses, employment details, social media accounts, court records, and criminal history records[4]. This breach demonstrates the continuing vulnerabilities in data broker security infrastructure and the extensive nature of personal information these companies collect and store.

State Privacy Law Expansion Continues

The privacy regulatory landscape expanded dramatically in 2025, with eight new state privacy laws taking effect throughout the year[6][14]. Delaware, Iowa, Nebraska, New Hampshire, and New Jersey implemented their privacy laws on January 1, 2025, while Tennessee's law becomes effective July 1, Minnesota's on July 15, and Maryland's on October 1[14][17]. This brings the total number of states with comprehensive privacy laws to 20, creating an increasingly complex compliance environment for businesses operating across state lines[17].

The California Privacy Protection Agency also announced increased penalties for CCPA violations, with civil damages ranging from $107 to $799 per consumer per incident, and administrative fines up to $2,663 for standard violations and $7,988 for intentional violations[8]. These increases reflect inflation adjustments and demonstrate the growing financial risks for companies that fail to comply with privacy regulations.

Federal Privacy Developments

At the federal level, the Federal Trade Commission finalized significant changes to the Children's Online Privacy Protection Rule (COPPA), requiring parental opt-in consent for targeted advertising and other third-party disclosures of children's personal information[10]. These changes address emerging concerns about how children's data is being collected, shared, and monetized by online platforms and service providers.

The Department of Justice also issued new compliance guidance for its data security program rules designed to protect Americans' sensitive data from foreign adversaries, providing a 90-day limited enforcement policy through July 8, 2025, for entities demonstrating good faith compliance efforts[5]. Meanwhile, efforts to advance federal privacy legislation continue, though progress remains incremental compared to state-level initiatives[7].

Essential Privacy Actions for Subscribers

Register with the FTC Do Not Call Registry

Protecting your phone number from unwanted sales calls should be your first step in reducing data exposure. The National Do Not Call Registry is a free service that tells legitimate telemarketers not to call registered numbers. To register your home or cell phone number, visit DoNotCall.gov or call 1-888-382-1222 from the phone you want to register. 

If you register online, you'll receive an email with a confirmation link that must be clicked within 72 hours to complete registration. Your number will appear on the registry the next day, but it can take up to 31 days for sales calls to stop. Importantly, your registration never expires and will remain active unless your number is disconnected and reassigned. While the registry won't stop illegal scam calls, it significantly reduces legitimate telemarketing calls and helps protect your phone number from being widely circulated among data brokers.

Implement Credit Freezes at All Major Credit Agencies

Given the increasing frequency of data breaches exposing Social Security numbers and other identity-enabling information, placing security freezes on your credit reports is essential. Credit freezes restrict access to your credit report, preventing creditors from approving new accounts in your name, whether fraudulent or legitimate.

You must contact each of the three major credit reporting agencies separately to place or lift freezes:

  • Equifax: Visit equifax.com or call their automated system

  • Experian: Access services through experian.com or by phone

  • TransUnion: Use transunion.com or their telephone service

All three agencies must process freeze requests within one business day if submitted online or by phone, or within three business days if submitted by mail[12]. When you need to apply for legitimate credit, you can lift the freeze temporarily or permanently, with online and phone requests processed within one hour[12]. Credit freezes are completely free and provide the strongest protection against identity theft and fraudulent account opening.

Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) provides critical additional security beyond passwords, requiring a second form of verification to access your accounts. Enable MFA on all digital services that offer it, particularly financial accounts, email, social media, and any service containing personal information.

For the strongest security, use an authenticator app like Google Authenticator, Microsoft Authenticator, or Authy rather than SMS-based verification, which can be vulnerable to SIM-swapping attacks. These apps generate time-based codes that work even without internet connectivity and provide superior protection against unauthorized access attempts.

Set up MFA immediately for your most critical accounts, then systematically enable it across all other digital services. The few extra seconds required for authentication provide invaluable protection against account compromise, which is especially important given the frequency of data breaches exposing login credentials.

mePrism Privacy Service Update

As data breaches continue affecting millions of consumers and privacy regulations evolve rapidly across multiple states, the importance of comprehensive privacy protection has never been clearer. Our mePrism Privacy service remains committed to helping you navigate this complex landscape and protect your personal information from unauthorized access and misuse.

We encourage all subscribers to visit the mePrism Privacy Blog regularly for the latest updates on privacy threats, regulatory changes, and practical protection strategies. Our blog provides timely analysis of major data breaches, step-by-step guides for implementing privacy controls, and expert commentary on emerging privacy trends that affect consumers.

Thank you for choosing mePrism Privacy as your trusted partner in personal data protection. Your continued subscription enables us to maintain our comprehensive privacy monitoring services and provide you with the tools and information needed to stay ahead of evolving privacy threats. Together, we're building a more secure digital future where personal privacy is protected and respected.

Ready to try mePrism yourself?

At mePrism, we help you take back control of your personal data. Our service scans the web for your exposed personal information—like your name, address, and contact details—and removes it from data broker sites that sell it without your consent. Whether you're protecting your privacy, reducing spam, or guarding against identity theft, we make the process simple, secure, and effective. Ready to clean up your online footprint?
