Hintze Law Global Privacy Updates


The Hintze team continuously tracks privacy and security updates around the world to bring you a regular update on the latest developments. Below is a snapshot of updates from mid-March to date. Please also check out our latest AI Global Legal Updates post.

US Privacy Updates

Federal Privacy Enforcement

FTC Files Stipulated Order Against OkCupid

On March 30, 2026, the FTC announced a stipulated order against Humor Rainbow (owner of OkCupid) and its parent company, Match Group, for alleged deceptive practices in violation of Section 5 of the FTC Act. The complaint alleges that while OkCupid’s privacy policy stated it shared personal information only with affiliates, service providers, and business partners, or where users were given an opportunity to opt out, the company provided the profile images and personal data of nearly 3 million users to a facial recognition startup without a formal business relationship, contract, or binding restrictions on data use, and without giving users an opportunity to opt out of the sharing. Furthermore, OkCupid founders were financially invested in the data recipient and allegedly arranged for the transfer to help the startup. Once the sharing was discovered, Match allegedly denied the sharing, misled users and the media, and obfuscated its nature. Under the proposed order, which has a twenty-year term, OkCupid is enjoined from misrepresenting its data processing or the functionality of its privacy controls and is subject to 10-year recordkeeping and compliance obligations. Notably, the order applies only to OkCupid or its successor services, rather than the entirety of Match Group.

NetChoice v. Bonta

On March 12th, 2026, the 9th Circuit Court of Appeals vacated portions of the preliminary injunction preventing enforcement of the California Age-Appropriate Design Code Act (CA AADC), which applies to businesses that offer an online service likely to be accessed by children (under 18). The ruling addressed parts of the injunction related to (1) the coverage definition (“likely to be accessed by children” and related factors), (2) age estimation requirements, and (3) data use and dark patterns restrictions. While portions of the CA AADC were enjoined, many obligations are still in effect, including the coverage definition, age estimation (but remanded for further consideration), default privacy settings, obvious location tracking signal, enforcement of terms and policies published by the business, limited processing of location information, privacy tools for children and parents, etc. For an in-depth analysis of the decision, see our blog post by Hansenard Piou.

State Legislation Updates

Oklahoma Enacts Comprehensive Privacy Law

On March 20, 2026, Oklahoma SB 546 was signed into law. It is the first comprehensive consumer privacy statute enacted since 2024. While the law follows the Virginia-style framework and is largely aligned with the business‑friendly enforcement models of Utah and Iowa, it features several notable distinctions: the “sale” of personal data is limited to monetary consideration only, there is no authorized agent framework for submitting consumer rights requests, and there is no requirement to recognize opt‑out preference signals (GPC). The law takes effect January 1, 2027, and will be enforced exclusively by the AG, with a 30-day right to cure violations and civil penalties of $7,500 per violation.

Virginia Governor Signs Amendment to Comprehensive Privacy Bill

On April 14, 2026, Virginia’s governor signed into law an amendment to the Virginia Consumer Data Protection Act. The amendment would require consent to process sensitive personal data (including biometric data), and prohibit a controller from selling or offering for sale a consumer’s precise geolocation regardless of consent (except for children with parental consent and with a location tracking signal presented to the child). Virginia joins Oregon and Maryland in restricting the sale of precise geolocation data.

Kentucky Governor Signs Bill Amending the KCDPA

On April 13, 2026, Kentucky’s governor signed into law HB 692, amending the Kentucky Consumer Data Protection Act (KCDPA) to require consent for the collection of “automatic content recognition data.” “Automatic content recognition data” is defined as data collected by smart TVs or monitors that identifies content viewed in real time using audio/video fingerprinting, and “smart monitor” is defined as a standalone digital display with internet connectivity and the ability to stream media independently. The provisions are set to take effect on July 1, 2027.

New Jersey "Privacy Protection Act" Covering Health Care Facilities Enacted

On March 25, 2026, New Jersey enacted the "Privacy Protection Act." The Act has privacy obligations for government entities and health care facilities. The provisions for health care facilities include:

  • Prohibiting the collection of information relating to a patient's "immigration status, citizenship status, place of birth, social security number, or individual taxpayer identification number," except when necessary to ensure the safe and appropriate delivery of health care services, as applicable by law, or to provide a requested public service, benefit, or program.

  • That any record relating to such information used for health care service not be considered a governmental record or disclosed under specific exceptions; and

  • This prohibition does not apply to the disclosure of any record "when the patient to whom the record or information pertains has knowingly provided written consent for the disclosure;"

      ◦ "The Department of Health, in consultation with the Attorney General, shall develop and make publicly available a standardized written consent form."

South Dakota Passes Genetic Privacy Law

On March 23, 2026, South Dakota enacted SB 49, which applies to direct-to-consumer genetic testing companies and their service providers. The law takes effect July 1, 2026. It requires direct-to-consumer genetic testing companies to provide notice regarding genetic data collection and processing, and regarding when a consumer’s de-identified data may be shared with or disclosed to a third party for research purposes. Furthermore, it requires express consent before collecting, disclosing, or using a consumer’s genetic data, including separate consents for data transfers, secondary purposes, retention beyond initial testing, and marketing, along with informed consent to research use. It also requires mechanisms for consumers to revoke consent, and revocations must be honored within 30 days. Additionally, companies must maintain security programs and fulfill consumer requests for data access, deletion, or sample destruction. Service providers are subject to the same confidentiality obligations as the direct-to-consumer genetic testing company. The AG may seek civil penalties of up to $5,000 for violations.

Utah Enacts Genetic and Healthcare Testing Privacy Law

On March 17, 2026, Utah’s Governor signed HB 0182 into law. The law applies to research or medical facilities that conduct research on, with, or relating to genetic sequencing or the human genome and takes effect January 1, 2028. The statute prohibits the use of genetic sequencers or operational and research software with ties to foreign adversaries (specifically China, Cuba, Iran, North Korea, Russia, and Venezuela) and stipulates that genetic sequencing data cannot be stored in or accessed by individuals in those jurisdictions. In addition to meeting specific data security requirements for storage, subject facilities must provide sworn statements of compliance to the Attorney General. The Attorney General is responsible for enforcement, with the law providing for statutory damages of $10,000 per violation.

             

International Updates

UK ICO Publishes Report on Use of AI and ADM in Recruitment

In June 2025, the ICO announced that the use of automated decision making (ADM) in recruiting is a key regulatory focus. Between March 2025 and January 2026, it interviewed over 30 employers, and in March 2026 the ICO released a report with its findings and regulatory expectations related to ADM in recruitment.

India Amendments on Synthetically Generated Information 

On February 20, 2026, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2026 (the consolidated IT Rules, 2021 may be accessed here) entered into effect. The amendment focuses on “synthetically generated information” (SGI)—information generated so as to appear to be real, authentic or true, and that depicts any individual or event in a manner that is, or is likely to be perceived as, indistinguishable from a natural person or a real-world event.

The provisions for intermediaries offering computer resources which facilitate SGI include:

  • Requiring notification of users every 3 months of their obligations regarding such information;

  • Enforcing terms against violation of SGI obligations (including removal of such content within 3 hours of notice);

  • Requiring due diligence in relation to SGI, including the deployment of technical measures to prevent unlawful SGI, explicit prohibition of certain high-risk SGI categories, mandatory labelling and provenance embedding for SGI which is not prohibited, and safeguards to prevent tampering with or removal of such labels, metadata, and identifiers.

Indonesia Announces U16 Social Media Ban

On March 6th, 2026, Indonesia's Minister of Communication and Digital Affairs, Meutya Hafid, announced a social media ban for users under 16, similar to that seen in Australia. An accompanying press release can be found here. Starting on March 28, 2026, such accounts on “high-risk” platforms—including X, YouTube, Facebook, Instagram, Threads, Roblox, and livestreaming app Bigo Live—will begin to be deactivated, with the announcement citing perceived threats of pornography, cyberbullying, online fraud, and social media addiction. Details for the ban's implementation are still forthcoming.

Brazil’s ANPD Becomes a Regulatory Agency

On February 24, 2026, the Brazilian Senate approved Provisional Measure No. 1,317/2025. The measure was signed by the President on February 25, 2025, officially rebranding the ANPD by transforming the “A” from “Authority” into “Agency.” This transition grants the ANPD full administrative and financial autonomy, significantly expanding its institutional role. It also establishes 200 new specialist regulatory positions to increase the agency's technical capacity. 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on data protection including AI, privacy, and data security. Hintze attorneys and data consultants support technology, advertising, media, fintech, health, biotech, ecommerce, and mobile industries.
