As of September 1, 2025, two key federal laws (No. 156-FZ and No. 233-FZ) have come into effect, fundamentally changing the regulations on personal data processing. The updates primarily address two areas: the procedure for obtaining consent to data processing and the legalization of working with anonymized data. These changes present both new opportunities and increased compliance obligations for companies.
The legislator’s goal is to strike a balance between protecting citizens’ privacy and fostering an environment conducive to technological advancement and big data analytics. Businesses must promptly adapt their internal processes to leverage these new opportunities while minimizing the risk of substantial fines.
Consent as a Separate Document: Stricter Rules
Amendments introduced by Law No. 156-FZ explicitly prohibit including consent to personal data processing within other documents, such as contracts, offers, or applications.
Practical implications: Companies need to audit all data collection points (website, contracts, forms) and develop new, isolated consent forms. Non-compliance may result in fines under Article 13.11 of the Administrative Offenses Code of the Russian Federation—up to 700,000 RUB for legal entities and up to 1.5 million RUB for repeat offenses.
Anonymized Data: New Opportunities and Obligations
Law No. 233-FZ introduced Article 13.1 to Federal Law 152-FZ, establishing a legal framework for handling anonymized data.
Practical implications: Anonymization is no longer optional but often mandatory at the end of the data lifecycle or before data transfer. Companies need to:
Business Impact: Immediate Actions
The new rules set two key directions for organizations:
Recommended steps:
The legislator’s goal is to strike a balance between protecting citizens’ privacy and fostering an environment conducive to technological advancement and big data analytics. Businesses must promptly adapt their internal processes to leverage these new opportunities while minimizing the risk of substantial fines.
Consent as a Separate Document: Stricter Rules
Amendments introduced by Law No. 156-FZ explicitly prohibit including consent to personal data processing within other documents, such as contracts, offers, or applications.
- Before: It was possible to "hide" consent as clauses within other documents.
- Now: Consent must be executed as a separate, standalone document. Each data processing purpose (core activities, marketing mailings, third-party transfers) requires separate consent.
Practical implications: Companies need to audit all data collection points (website, contracts, forms) and develop new, isolated consent forms. Non-compliance may result in fines under Article 13.11 of the Administrative Offenses Code of the Russian Federation—up to 700,000 RUB for legal entities and up to 1.5 million RUB for repeat offenses.
Anonymized Data: New Opportunities and Obligations
Law No. 233-FZ introduced Article 13.1 to Federal Law 152-FZ, establishing a legal framework for handling anonymized data.
- Processing without consent: The key innovation is that properly anonymized data can now be processed without the data subject’s consent. This enables analytics, machine learning, and data sharing with third parties for research and commercial use.
- Mandatory reporting to the government: Operators may be required to provide anonymized data sets to the government information system (EIP NSUD) upon request from the Ministry of Digital Development. However, creating such sets from biometric data is prohibited.
- Stricter requirements for methods: Anonymization must be irreversible. It is forbidden to store anonymized data alongside original data or disclose anonymization methods to third parties. Roskomnadzor has updated the requirements for anonymization techniques such as pseudonymization, data alteration, decomposition, and shuffling.
Practical implications: Anonymization is no longer optional but often mandatory at the end of the data lifecycle or before data transfer. Companies need to:
- Develop and approve internal anonymization regulations.
- Implement technical solutions for reliable anonymization.
- Ensure separate storage of anonymized and personal data.
- Appoint responsible personnel to liaise with the EIP NSUD government system.
Business Impact: Immediate Actions
The new rules set two key directions for organizations:
- Protection and compliance: The tightened consent rules require an urgent audit and revision of all data collection processes. Meanwhile, liability for improper anonymization has increased.
- Growth opportunities: Legalizing anonymized data handling paves the way for new business models based on big data analytics, AI product development, and secure data exchange with partners.
Recommended steps:
- Conduct an audit of personal data processing to comply with the new consent requirements.
- Develop separate consent forms for different processing purposes.
- Begin implementing regulations and technologies for proper data anonymization.
- Update the Personal Data Processing Policy and other internal documents accordingly.
Implementing the new 152-FZ requirements is a complex task requiring close collaboration among legal experts, information security specialists, and data analysts. Mistakes during process setup can lead to systemic violations and significant financial losses.
The ACSOUR team has deep expertise in personal data legislation compliance. We offer comprehensive solutions to align your operations with the latest requirements, including legal audits, document development, and consulting on technical anonymization processes.
This material is based on publicly available information and does not constitute legal advice. Please consult professionals for recommendations tailored to your specific situation.
