The Ongoing War for Your Data
2025 was a year of dramatic swings in the corporate surveillance landscape. Privacy advocates scored landmark victories in courtrooms and legislatures, while tech giants quietly expanded their data collection in ways that often went unnoticed until it was too late. Here’s our scorecard of the year’s most consequential developments.
Wins for Privacy
The EU Forces Meta to Offer Genuine Ad-Free Options
After years of legal battles, the European Court of Justice upheld that Meta cannot require users to consent to behavioral advertising as a condition of using Facebook and Instagram. The ruling, combined with enforcement action from multiple European Data Protection Authorities, forced Meta to introduce a genuinely functional ad-free tier in Europe at a reduced price — and, crucially, to stop using non-consenting users’ data for ad targeting. While Meta’s US operations continue unchecked, the ruling established a powerful precedent: consent must be freely given, not coerced.
Why it matters: This is the strongest real-world demonstration that regulation can force Big Tech to change. It proves the “take it or leave it” model of data consent can be legally broken.
FTC Finalizes Commercial Surveillance Rules
The US Federal Trade Commission finalized its Commercial Surveillance and Data Security rulemaking, establishing federal baseline requirements for how companies handle consumer data. Key provisions include mandatory data minimization (companies can only collect data reasonably necessary for the service), opt-in requirements for sensitive data categories, and a prohibition on using dark patterns to manipulate consent. While industry groups immediately filed legal challenges, the rules took effect in Q3 2025 and have already prompted several major companies to preemptively update their practices.
Why it matters: The US has lacked comprehensive federal privacy law for decades. While these rules fall short of the EU’s GDPR, they represent a historic shift from the anything-goes approach that allowed the current surveillance economy to develop.
Brave Search Hits Critical Mass
Brave Search crossed 40 million daily queries in 2025, making it the first independent, privacy-respecting search engine to reach meaningful market share since DuckDuckGo. Unlike DDG, which relies on Bing’s index, Brave operates its own independent search index. The milestone matters because search is the gateway to the internet — controlling that gateway means controlling what information people can find and how their queries are profiled.
Why it matters: A viable, independent, privacy-first search engine breaks Google’s information monopoly in a way that regulation alone cannot.
Apple’s ATT Framework Survives Legal Challenge
Apple’s App Tracking Transparency framework — which requires apps to ask permission before tracking users across other apps and websites — survived a major legal challenge from the advertising industry. Courts upheld Apple’s right to implement the feature, which has resulted in the majority of users opting out of cross-app tracking. The advertising industry estimates ATT has cost them tens of billions in revenue, money that was previously extracted from user surveillance.
Why it matters: Whatever Apple’s motives, ATT proved that giving users a simple choice (“Allow Tracking” / “Ask App Not to Track”) devastates the surveillance advertising model. Most people, when actually asked, say no.
Losses for Privacy
Google’s Privacy Sandbox Becomes the New Tracking
Google finally killed third-party cookies in Chrome in 2025 — but replaced them with the Privacy Sandbox, a suite of APIs that, critics argue, simply moves tracking from third-party cookies to first-party browser-level surveillance. The Topics API categorizes users’ browsing interests directly in the browser and shares them with advertisers. The Attribution Reporting API tracks ad conversions. Google marketed these as “privacy-preserving,” but the Electronic Frontier Foundation and multiple researchers demonstrated that the system still enables extensive user profiling — now controlled entirely by Google rather than distributed among thousands of ad-tech companies.
Why it matters: Google framed the death of cookies as a privacy win, but the replacement may be worse: a tracking monoculture controlled by a single company with no real competitive pressure to minimize data collection.
Microsoft Recall Ships (and Expands)
Despite massive public backlash in 2024, Microsoft shipped its Recall feature in Windows 11 in 2025. Recall takes periodic screenshots of everything on your screen, processes them with on-device AI, and creates a searchable timeline of your computer activity. While Microsoft implemented some safeguards (DRM content excluded, sensitive fields filtered, data encrypted at rest), security researchers quickly demonstrated bypass techniques. More concerning, Microsoft began exploring Recall integration with its Copilot AI assistant, raising the prospect of an AI that has seen everything you’ve ever done on your computer.
Why it matters: Recall normalizes continuous screen surveillance as a “productivity feature.” It represents a fundamental shift: your computer watching you, rather than serving you.
The AI Training Data Grab Accelerated
2025 saw virtually every major tech company update their terms of service to grant themselves rights to use customer data for AI training. Google, Microsoft, Adobe, Zoom, Slack, and Grammarly all expanded their data usage policies. In many cases, the changes were retroactive — applying to data users had already uploaded under different terms. The pattern was consistent: bury the change in a terms update, make opt-out difficult or impossible, and present the change as an improvement to the service.
Why it matters: Billions of users discovered that years of photos, documents, emails, and creative work had been quietly conscripted as AI training data with no meaningful consent and no compensation.
Clearview AI Wins US Legal Battle
Facial recognition company Clearview AI, which scraped billions of photos from social media to build its surveillance database, won a significant US court battle when a federal court ruled that scraping publicly available photos does not violate the Computer Fraud and Abuse Act. While Clearview remains banned in several countries and restricted in parts of the EU, the ruling effectively legitimized mass biometric surveillance using publicly available imagery in the United States.
Why it matters: If public photos can legally be scraped to build facial recognition databases, then posting a photo of yourself online is functionally equivalent to enrolling yourself in a global surveillance system without consent.
The Bigger Pattern
Looking at the year as a whole, a clear pattern emerges: privacy wins tend to come from regulation and collective action, while privacy losses come from corporate unilateral action. Companies don’t voluntarily reduce surveillance — they expand it incrementally, betting that users won’t notice or won’t care enough to leave.
The lesson? Waiting for corporations to respect your privacy is a losing strategy. The most effective privacy protection remains the most direct one: minimizing the data you hand over in the first place — and removing data that’s already out there. Our free Data Purge tool helps you opt out of major data brokers that have been collecting and selling your personal information for years.
That means choosing services that are architecturally designed to protect your privacy — where encryption, data minimization, and user sovereignty aren’t marketing slogans but structural requirements.
It’s why we built I Am NOT The Product the way we did: Swiss-hosted, zero-knowledge encrypted, open-source. Not because privacy is a feature — because it’s the foundation.