Hintze Law Global Privacy Updates

The Hintze team continuously tracks privacy and security updates around the world to bring you a regular update on the latest developments. Below is a snapshot of updates from mid-February 2026 to date. Please also check out our latest AI Global Legal Updates post.

US Privacy Updates

State Privacy Enforcement

CalPrivacy Settles with PlayOn Sports for $1.10M over Alleged CCPA Violations

On March 2nd, CalPrivacy announced a settlement with 2080 Media Inc (d/b/a PlayOn Sports), a sports ticketing platform widely used by schools, for allegedly violating the California Consumer Privacy Act (CCPA) by failing to offer effective ways to opt out of sales and “sharing” and failing to honor the GPC (Global Privacy Control) opt-out signal. In addition to a $1.1M penalty, PlayOn must scan its websites and mobile apps at least quarterly to maintain an inventory of tracking technologies, complete CCPA risk assessments and have the Board of Directors review such assessments, and update its privacy notices for understandability by its student audience. See our blog post by Cameron Cantrell for more details.

CalPrivacy Settles with Ford for Alleged CCPA Do Not Sell/Share Violations

On March 5th, CalPrivacy announced a stipulated final order with Ford Motor Company relating to a discontinued practice of requiring consumers to confirm their email addresses before it processed do not sell and do not share requests. Consumers submitted a webform to make their requests, but Ford did not process the request until the consumer received a verification email and clicked a “confirm email” button in that email. Customers who did not do this did not have their requests processed. Although this practice impacted only dozens of consumers during the time Ford followed it, Ford agreed to pay a $375K penalty. See Sam Castic’s LinkedIn post for key takeaways.

CalPrivacy February Board Meeting

On February 27th, the CalPrivacy Board met to discuss DROP (Delete Request and Opt-Out Platform) and a petition for requirements for “essential consumer devices” (phones, laptops, wearables). DROP went live for consumers on January 1, 2026, and received 100K+ consumer requests, with plans to integrate the data broker registry, provide API documentation to assist in DROP access, and establish a sandbox to test DROP integration. CalPrivacy voted to deny a petition to start CCPA rulemaking for data minimization, purpose limitation, and the consent requirements for “essential consumer devices,” but to explore the feasibility and impacts of such concepts described in the petition.

Texas AG Actions Targeting Companies with Chinese Ties

In February, Texas Attorney General Ken Paxton filed five separate lawsuits against TP-Link, Anzu Robotics, Temu, Shein, and Lorex for violations of the Texas Deceptive Trade Practices Act (DTPA). While these companies operate in different sectors and product areas—including e-commerce, drones, baby monitors, and home networking devices—the lawsuits are part of a focused effort targeting companies with alleged ties to China. The lawsuits allege the companies misrepresented their products as “safe and secure” while concealing known ties to Chinese manufacturing and data processing. Furthermore, the complaints allege that the companies failed to disclose compelled data disclosure obligations under Chinese law that risked exposing American consumer data to foreign adversaries.

Connecticut Attorney General Enforcement Report

On February 5th, the Connecticut Attorney General issued its 2025 enforcement report. The report focused on privacy complaints about cookie banners and simplicity of opt-out, the data breach notification clock beginning at “awareness of suspicious activity,” and the explanation of consumer rights in privacy notices. The report explained that key areas of focus and enforcement will be youth privacy; cookies and data sales; data brokers; treatment of consumer health data; the healthcare, pharma, telecom, and ed-tech sectors; and use of AI for employment-related decisions and AI-assisted pricing.

Iowa AG Files Suit Against GM and OnStar

On February 26th, Iowa’s Attorney General filed a lawsuit against General Motors (GM) and OnStar, alleging that the companies engaged in deceptive business practices in violation of the Iowa Consumer Fraud Act (ICFA). Building on the allegations from the recent FTC settlement against GM and OnStar (see our blog post by Elizabeth Crooks and Susan Hintze), the Iowa complaint adds allegations that GM incentivized salespeople to use misleading and deceptive techniques to obtain customer consent to enroll in connected vehicle services that sold personal data to data brokers and third parties. The complaint highlights that one of the data brokers GM sold data to partnered with a Chinese data broker, underscoring a growing enforcement focus on U.S. companies that allow personal data to go to China or companies with perceived ties to China.

State Legislation Updates

New York Health Information Privacy Act Reintroduced

On Feb. 20th, an amended version of the NY Health Information Privacy Act (HIPA) was reintroduced by the bill's original sponsor, Liz Krueger (D). The 2026 version revises the definition of “Regulated Health Information” to more closely align with the Washington My Health My Data Act and similar laws, expands the scope of processing permitted without authorization to include “providing, maintaining, developing, improving, or repairing a specific product, feature, or service requested by such individual, or functionality thereof,” removes the 24-hour waiting period for requests for authorization, and adds a definition of “verifiable” for agents’ exercise of data subject rights to address past security concerns. See Felicity Slater’s LinkedIn post for further analysis and our Health + Biotech Group’s post “A Few Current Trends in Health Privacy & AI.”

Virginia Legislature Passes Bill Banning Location Data Sales

Virginia’s legislature passed a bill that amends the state’s comprehensive privacy law to ban sales of precise geolocation data. If the governor signs this bill, Virginia will join Maryland and Oregon in banning the sale of precise geolocation data.

Children’s Privacy

FTC Issues COPPA Policy Statement Regarding Age Verification Technologies

On February 25, the FTC announced that it will not bring COPPA (“Children’s Online Privacy Protection Act”) enforcement actions against companies based on the collection of children’s personal information for the purpose of age verification. The policy statement elaborates that since collection of such personal information without parental consent may be a violation of the COPPA Rule, non-enforcement is dependent on the company otherwise complying with the Rule, including purpose limitation and reasonable security measures. This policy statement follows concerns raised during the FTC age verification workshop and Chairman Ferguson’s opinion concurring with the Jan 2025 COPPA Rule amendments.

Alabama Enacts App Store Age Verification Law

On February 17th, Alabama joined Texas, Utah, Louisiana and California in enacting laws that require mobile app stores to verify user age information and to make it available to app developers. The law takes effect on January 1, 2027 (although some requirements don’t take effect until October 1, 2027). It imposes obligations on both app store providers and app developers, including specific requirements for developers once they receive age data. Similar laws have faced constitutional challenges: the Texas law has been enjoined and the Utah law is currently being challenged.

Utah App Store Age Verification Act Lawsuit

On February 5, 2026, the Computer & Communications Industry Association (CCIA) sued Utah to block SB142, the App Store Accountability Act. The lawsuit alleges that the law violates the First Amendment for being overly broad in the affected apps and insufficiently tailored for the stated goal of child protection.

DOJ Rule

Google Lawsuits Allege DOJ Rule Violations

Following the February 5th lawsuit against Lenovo, three new class action lawsuits were filed against Google alleging that its use of tracking technologies on other companies’ websites, and subsequent sharing of data with Chinese companies, violates the DOJ Rule on Access to U.S. Sensitive Personal Data and Government-Related Data By Countries of Concern or Covered Persons. While the DOJ Rule does not have a private right of action, plaintiffs claim that the practices that allegedly violate the DOJ Rule help establish claims under the federal Electronic Communications Privacy Act (ECPA) and state statutes and torts. The cases were each filed in the U.S. District Court for the Northern District of California, and are: McGrath v. Google LLC, Nadeu v. Google LLC, and Jenkins v. Google LLC. See Sam Castic’s LinkedIn commentary on state claims relating to the DOJ rule.

Google ReCAPTCHA

Change to ReCAPTCHA Processing Role

Google announced that it is updating its terms for its ReCAPTCHA service to reflect a change in Google's processing role. Previously, Google took the position that it was a controller with respect to the service. Starting April 2, 2026, Google will take the position that it is a processor and subject to Google's Cloud Data Processing Addendum. Customers are instructed to remove references to Google's Privacy Policy and Terms of Use from their website (likely in a privacy statement) to the extent they are placed there in connection with use of ReCAPTCHA.

International Updates

Children’s Privacy

UK ICO Fines Reddit £14.47m for Children’s Privacy Failures

On February 24th, the UK ICO (Information Commissioner’s Office) announced that it fined Reddit £14.47m for alleged children’s privacy failures, citing the ICO’s Age Appropriate Design Code (AADC), also known as the “Children’s Code”. The ICO alleged, among other things, that Reddit had terms preventing users under 13, but no age verification measures to check ages, had no lawful basis for U13 personal data, and had not performed a DPIA on the risk of using children’s personal data. Notably, the ICO indicated that self-declaration was not a sufficient form of age verification given risks posed by Reddit. The fine was based on the number of U13s impacted, the degree of the potential harm, duration of the failing, and global revenue. Reddit has announced plans to appeal.

UK ICO Fines Imgur Owner MediaLab £247,590 for Children’s Privacy Failures

On February 5th, the ICO fined MediaLab (owner of Imgur) £247,590 for failing to use children’s personal data lawfully. The ICO concluded that MediaLab breached the UK GDPR by failing to implement any measures to check the age of users, processing the personal data of children under 13 without parental consent or any other lawful basis when offering online services, and failing to carry out a data protection impact assessment to identify and reduce privacy risks to children. The fine was based on the number of U13s impacted, degree of potential harm, duration of failing, global revenue, and acceptance of the provisional findings and commitment to address the allegations.

Brazil’s Digital Statute of Child and Adolescents Enters into Effect March 17th

On March 17th, six months after its September 17th publication, Brazil’s Digital Statute of Child and Adolescents (Digital ECA) (Law 15.211) enters into effect. The law can be described as a combination of COPPA and various AADC laws, and it applies to internet applications, app stores, operating systems, games, and online services likely to be accessed by children and adolescents. Its requirements include setting privacy settings to a high level of protection by default, prohibiting techniques for targeted advertising at minors and techniques for profiling minors, prohibiting dark patterns and loot boxes, establishing parental tools, requiring content filtering and harmful or illegal content removal procedures, and completing risk assessments for children.

Spain DPA Fines Age Verification Provider Yoti Ltd €950,000 For Biometric Data and Consent Failures 

On March 10th, the Spanish Data Protection Agency (AEPD) fined Yoti for a total of €950,000 across three violations of the GDPR. For its digital ID app, Yoti requires users to confirm their age and consent to a facial scan to create an age token, arguing that the facial scan was for authenticating users. First, the AEPD disagreed and found that the scan is biometric data for the purpose of uniquely confirming individuals with 1:1 matching operations. Since this processing of special information was not justified under Article 9.2, the AEPD issued a €500,000 fine. Second, Yoti provided a prefilled checkbox for the processing of biometric data for internal research purposes instead of obtaining opt-in consent under Article 7, resulting in a €200,000 fine. Finally, Yoti retained personal data for longer than necessary for the purpose of its collection, specifically retaining live-video recordings of individuals after verifying that the recorded persons were real and retaining fraudulent official identification documents for training. The AEPD held that such retention violated Article 5.1(e), resulting in a €250,000 fine. Yoti has indicated that it intends to appeal the decision to the Spanish High Court. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on data protection including AI, privacy, and data security. Hintze attorneys and data consultants support technology, advertising, media, fintech, health, biotech, ecommerce, and mobile industries.
