The Hintze team continuously tracks privacy and security updates around the world to bring you a regular update of the latest developments. Below is a snapshot of updates from late December 2025 to February 16, 2026.
US Privacy Updates
Data Broker Regulation
Implementing Regulations of the California DELETE Act take Effect
On January 1, 2026, the regulations for California’s DELETE Act officially took effect. These regulations significantly broaden the scope of the state’s data broker laws by narrowing the definition of what constitutes a “direct relationship” with a consumer. By excluding certain businesses from this definition, the law now captures a much wider array of entities as data brokers. Consequently, these newly classified companies were required to register with the California Privacy Protection Agency (CPPA) as a data broker by the January 31 deadline.
CalPrivacy Data Broker Enforcement Actions
On January 8, 2026, the California Privacy Protection Agency (CPPA) fined two data brokers for failing to register as required by the Delete Act. Datamasters (Rickenbacher Data LLC) was fined $45,000 for failing to register as a data broker after alleged inadequate screening out of California residents (despite Datamasters asserting that it did so). S&P Global was fined $62,000 for failing to register on time due to an administrative oversight. You can read Jennifer Ruehr’s Linked In post on these actions here.
FTC PADFAA
The FTC recently sent letters reminding a number of data brokers of their obligations under the Protecting Americans’ Data From Foreign Adversaries Act. PADFAA prohibits data brokers from selling, releasing, disclosing, or allowing access to personally identifiable sensitive data (which is very broadly defined—inclusive of things like web browsing data) about Americans to any foreign adversary, including North Korea, China, Russia, and Iran, or any entity “controlled by” those countries (with control being determined based on factors like where the company is incorporated, based, its ownership structure, etc.).
Children’s Privacy
Disney Pays 10M for COPPA Settlement
On December 31st, 2025, the FTC announced that a federal judge approved a $10 million dollar settlement with Disney for alleged violations of the Children’s Online Privacy Protection Rule (COPPA Rule). The settlement centers on allegations that Disney allowed personal data to be collected from children under 13 who viewed kid-directed videos on YouTube without notifying parents or obtaining their consent as required by COPPA. For further analysis and key takeaways, see our blogpost.
South Carolina Enacts AADC
On February 5, 2026, South Carolina enacted its Age-Appropriate Design Code Act which took effect immediately. The law applies to companies that do business in South Carolina and provide websites, apps, and other online services that are "reasonably likely to be accessed" by minors (people younger than 18). While there is no age assurance or verification requirement, the “likely to be accessed” standard includes online services directed to children as defined in COPPA, and those with users who are known to be minors (including both actual knowledge, and knowledge based on inferences that users are minors). Netchoice is challenging the law.
Oregon OCPA Amendments Add Child and Geolocation Restrictions
On January 1st, 2026, amendments to the Oregon Consumer Privacy Act (HB2008) entered into effect. The amendments increase the age for the sale/advertising/profiling prohibition from under 13 to under 16 and add a prohibition on the sale of precise geolocation data.
Washington State Attorney General Introduces New Social Media Legislation
On January 12, 2026, the Washington attorney general introduced legislation (HB 1834 and SB 5708) that would prohibit addictive feeds for minors and place time limitations on push notifications. While this bill is still in its early stages, this one is worth keeping an eye on as AG‑requested legislation in Washington often gets an extra push (for example, the MHMDA was an AG-requested bill). If passed, Washington would join the growing list of states with social media laws focused on kids and teens.
TX App Store Age Verification Law Blocked
On December 23, 2025, a federal court blocked the Texas App Store Accountability act from being enforced. This came just days before the law was set to take effect on January 1, 2026. The court held that the law is content-based and failed to satisfy strict scrutiny. While it is a preliminary injunction at this stage, the judge indicated that the law was unlikely to withstand pending constitutional challenge. With the Attorney General currently appealing the ruling, the act’s future remains legally uncertain.
FTC Workshop on Age Assurance
On January 28th, the FTC held a workshop discussing age verification technologies. Commissioners and staff expressed strong support for expanding the use of age‑verification technologies. They acknowledged that the shifting legal landscape and the wide range of verification methods create complexity for companies and noted that different levels of assurance may be appropriate depending on risk. The FTC also highlighted that COPPA could pose a barrier, since many verification methods require processing a child’s age before obtaining parental consent. Chairman Ferguson indicated that new guidance is coming, saying the workshop will inform future policy statements and potential COPPA rule amendments.
State Comprehensive Privacy Laws
California AG Reaches $2.75M CCPA Settlement with Disney for Do Not Sell/Share Issues. The California AG announced a CCPA settlement with Disney relating to allegations that it violated “sale” and “sharing” (for cross-context behavioral advertising) opt-out rights in violation of the CCPA and California’s unfair competition law, arguing Disney’s streaming service opt-out methods were ineffective, deceptive, and incorporated dark patterns, see our blog post.
Florida Targets Companies with Ties to China The Florida AG created a unit to focus on companies with ties to China. Its focus will include data privacy as well as other topics. Its first action was to issue a sweeping subpoena to Shein requesting an expansive list of documents and information about Shein business practices, including on a number of topics related to its data privacy and data security practices. This illustrates the continued focus from regulators on companies with ties to China. Chinese companies and other companies with ties to China should consider the increasing focus state and federal regulators are dedicating to them when making risk decisions about their efforts to comply with state and federal privacy laws.
Indiana Comprehensive Law
Indiana’s comprehensive privacy law, the Indiana Consumer Data Protection Act (ICDPA) took effect on January 1, 2026.. Indiana’s law largely mirrors the Virginia Data Protection Act.
Minnesota Consumer Data Privacy Act Cure Period Ends
The cure period for the Minnesota Consumer Data Privacy Act ended on January 31, 2025. This means the Attorney General is no longer required to provide 30 days notice before bringing an enforcement action.
DOJ Rule
Lenovo Lawsuit Alleges DOJ Rule Violations.
On February 5, 2026, a class action lawsuit was filed against Lenovo alleging federal ECPA claims and California statutory and common law claims for Lenovo’s alleged practice of using tracking technologies on its website and transmitting customer data to its China-based parent company. The complaint in the case (Christy v. Lenovo (United States) Inc., Case No 3:26-cv-01133 (N.D. Cal)) makes a number of allegations about how the practices are a violation of the DOJ Rule on Access to U.S. Sensitive Personal Data and Government-Related Data By Countries of Concern or Covered Persons. While there is no private right of action under the DOJ Rule, there have now been a few lawsuits alleging that violations of the DOJ Rule support federal and state law claims. You can see the complaint in Sam Castic’s Linked In post here.
FTC / Connected Cars
FTC Finalizes Connected Cars / Location Data Settlement with GM and OnStar
On January 14, 2026, the Federal Trade Commission (FTC) finalized a settlement order with General Motors (GM) and OnStar regarding the collection and disclosure of driver behavioral and location data. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), including the collection, use, and disclosure of such data without notice to consumers and without consumers’ informed consent. For further analysis and key takeaways, see our blogpost.
SCOTUS / VPPA
SCOTUS to Consider Definition of "Consumer" Under VPPA
On January 26, 2026, the Supreme Court granted a petition (Salazar v. Paramount Global) that could decide whether the VPPA applies more broadly to modern digital services and not just traditional video subscriptions. The Court is taking up a circuit split over whether someone becomes a VPPA “consumer” simply by subscribing to any product or service from a company that provides video, even if the subscription itself is for something dissimilar (such as a newsletter). If the Court adopts a broader interpretation, the VPPA could apply more widely in modern digital contexts, including to sites that blend video with newsletters, memberships, or accounts.
International Updates
Children’s Privacy
India proposes AI bill and DPDPA Amendments for Child Protections
On January 15th, the EDPB adopted a cooperative procedure establishing an informal framework among EEA supervisory authorities to authorize ad hoc contractual clauses and the adoption of SCCs to facilitate data transfers across EU member states.
Netherlands launches DSA investigation into Roblox over child safety
The Dutch competition and consumer authority, ACM (Netherlands Authority for Consumers and Markets), launched a formal investigation into the Roblox on January 30, 2026, specifically focusing on compliance with the EU's Digital Services Act (DSA) regarding the protection of minors. It is examining whether the gaming platform, which has tens of millions of daily users, 40% under age 13, complies with the EU Digital Services Act's requirements to protect minors from violent/sexual content, inappropriate contact, and dark patterns that manipulate children into purchases.
UK ICO fines Imgur for processing children’s data in violation of UK GDPR
On February 5, 2026, the ICO fined MediaLab (owner of Imgur) £247,590 for failing to use children’s personal information lawfully. The ICO concluded that MediaLab breached the UK GDPR by failing to implement any measures to check the age of users, processing the personal information of children under 13 without parental consent or any other lawful basis when offering online services, and failing to carry out a data protection impact assessment to identify and reduce privacy risks to children. The ICO’s press release further emphasized that online platforms must tailor age checks to their specific risk levels or face similar enforcement.
Regulatory Enforcement and Audits
The Office of the Australian Information Commissioner (OAIC) Privacy Compliance Sweep.
As of January 1, 2026, the Office of the Australian Information Commissioner (OAIC) has commenced its first privacy compliance sweep. This initiative reviews the privacy policies of businesses that collect personal information in person, specifically targeting the rental, pharmaceutical, hospitality, automotive, and second-hand dealer sectors. The audit will evaluate compliance with APP 1.4 requirements regarding mandatory policy content. In tandem with the sweep, the OAIC has also updated its official APP 1 guidance.
French CNIL fined Mobius Solutions 1 Million Euros for failing to comply with its GDPR obligations[CD5]
On December 11, 2025, France’s CNIL fined Mobius Solutions €1 million for GDPR violations while acting as a non-EU processor for a music-streaming platform. The authority asserted jurisdiction under Article 3(2) because Mobius monitored EU users’ behavior to build audience segments. Specifically, Mobius failed to delete data post-contract, used controller data for its own purposes without authorization, and neglected to maintain a Record of Processing Activities (ROPA).
Austrian DPA orders Microsoft to stop tracking students[CD6] [HL7]
On January 21, 2026, the Austrian data protection authority DSB found that Microsoft had been allegedly tracking students by installing advertising and analytics cookies through Microsoft 365 Education without consent or a valid legal basis. The Austrian DPA ordered Microsoft to stop using all cookies that are not technically necessary in the product within four weeks and to cease processing data collected from these cookies.
Italian DPA to probe Amazon workplace monitoring
On February 9th, the Italian Data Protection Authority (the Garante) in partnership with Italy's National Labour Inspectorate announced that they had launched a joint supervisory inquiry into Amazon's collection and processing of worker personal data and use of video surveillance systems in its main Italian logistics hubs. Italy's Worker's Statute requires covered entities to take specific steps in conjunction with their use of video surveillance systems. The press release indicates that these regulators believe Amazon may not have taken these steps. The Garante's states that the inquiry aims, "to ensure effective institutional supervision...where the impact of monitoring systems and data processing processes is particularly significant, in order to ensure adequate protection of workers' rights."
European Commission preliminarily finds TikTok's design in breach of the DSA
On February 6th, the EC announced that it preliminarily found TikTok in breach of the Digital Services Act for design features including infinite scroll, autoplay, push notifications, and its highly personalized recommender system. The investigation, launched on February 19, 2024, indicated allegations that TikTok did not adequately assess how the design features could harm its users, including minors and vulnerable adults or implement adequate risk mitigation measures, citing the low friction and easy dismissal of existing screentime management and parental control tools.
International Data Transfers & Cooperation
EDPB adopts cooperative procedure for ad hoc and standard contractual clauses
On January 15th, the EDPB adopted a cooperative procedure establishing an informal framework among EEA supervisory authorities to authorize ad hoc contractual clauses and the adoption of SCCs to facilitate data transfers across EU member states.
Brazil EU adequacy
On January 28, 2026, the EU Commission and Brazil adopted mutual adequacy decisions. The decisions cover both the private and public sector and will greatly facilitate the personal data flow between the EU and Brazil.
Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on data protection. Hintze attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy, and data security