Hintze Law Global Privacy Updates 

The Hintze Law team continues to monitor global privacy and data security developments to provide timely, practical insights for clients. Below is a summary of key updates from late May through early June 2026. For developments in AI, please see our latest Global AI Updates. 

 

US Privacy Updates 

California Regulators Secure $12.75 Million GM Privacy Settlement 

On May 6, 2026, the California AG and county district attorneys announced a $12.75 million proposed settlement with General Motors (GM) and OnStar for alleged violations of the California Consumer Privacy Act (“CCPA”) and other California state laws. The AG alleged that GM sold California residents’ driving and location data to data brokers, even though it said it did not sell personal information and that it retained driving and location data long after being used to operate OnStar’s connected vehicle services, making it one of the first actions to focus on data minimization. 

The settlement requires GM to obtain consent before disclosing certain driving data to third parties, to delete certain driving data within 180 days of collection, and to allow customers to disable collection of precise geolocation data from vehicles. Earlier this year, GM & Onstar settled with the FTC (see our blog post by Elizabeth Crooks and Susan Hintze) for similar allegations. The Iowa AG’s office has also filed suit against GM & OnStar making related claims (See our summary in our March Global Privacy Updates post). 

 

Utah Imposes Liability for Platforms Hosting Material Harmful to Minors 

On May 6, 2026, amendments to Utah’s age verification law (S.B. 73 and Title 78B-3 Part 10, respectively) took effect, imposing obligations on publishers and distributors of material deemed harmful to minors and reiterating the state Division of Consumer Protection’s enforcement authority with respect to the law. 

Utah’s age verification law has required age verification and prohibited facilitating circumvention methods such as VPN use, enforced by the Division directly under the law, since 2023. Now, entities may face liability under a private right of action where minors access restricted content or where identifying information collected for age verification is retained improperly. The Division is also now authorized to administer and enforce the law as part of its general jurisdiction, which includes guidance and investigatory powers. 

The Division is expected to provide additional guidance on compliance standards, including age verification methodologies and scope determinations. 

 

Vermont Enacts Neurological Rights Law 

On May 18, 2026, Vermont enacted H. 814, establishing statutory protections related to neurological data and AI use in health and human services. The law took effect upon being enacted. 

The law grants individuals rights related to mental privacy, freedom of thought, and protection from unauthorized neurotechnological interference. It also mandates further study and reporting by the state’s AI Advisory Council.  

This development signals increasing legislative attention to emerging risks associated with neurotechnology and AI-driven cognitive data processing. 

 

Louisiana Advances Comprehensive Privacy Law 

Signed by the governor on May 29, 2026, Louisiana’s Data Privacy Act establishes a comprehensive privacy framework similar to other state laws.  

The law provides consumer rights, including access, deletion, and opt-out rights, and imposes obligations such as data minimization, purpose limitation, disclosure of sale of sensitive or biometric data, and data protection assessments for high-risk processing. Notably, an entity that does business in Louisiana that “derives fifty percent or more of its annual revenues from selling consumers' personal information” needs prior consumer consent before selling their sensitive data. 

The law takes effect January 1, 2027, with enforcement by the state attorney general and a temporary cure period.  

 

Connecticut Enacts Data Broker Law 

On May 27, 2026, the governor of Connecticut signed into law An Act Concerning Consumer Privacy and Protection (SB4). The law primarily applies to data brokers, defined as any business that sells or licenses “brokered personal data” to another person, where such data is defined as personal data elements categorized or organized for sale or license to a third party. Such data elements include name, address, date of birth, and other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer. Subject to further rulemaking, SB4’s provisions require data brokers to register and comply with a Department of Consumer Protection provided deletion request platform. 

On June 2, 2026, the governor signed HB5222. The law modifies SB4 by exempting personal data in compliance with the Driver's Privacy Protection Act, exempting a covered entity, business associate or protected health information under HIPAA from the data broker requirements, and changing the civil penalty to up to $200 per day per consumer for each violation of the data broker requirements. 

SB4 enters into effect on October 1, 2026. The data broker registration requirement enters into effect on January 1, 2027, with other requirements entering into effect in the following years. 

 

Connecticut Amends Connecticut Data Privacy Act   

On June 2, 2026, the governor signed HB5222, which amends the Connecticut Data Privacy Act to expand deletion rights to apply to certain “publicly available information” and inferences from such data, prohibit the sale of precise geolocation data, and add other provisions, starting October 1, 2026. 

Although “publicly available information” is not personal data under the Connecticut Data Privacy Act (CTDPA), HB5222 excludes a number of types of personal data from the definition and expands it in one aspect to include data obtained from widely distributed media (e.g., public sources). It also narrows the definition to exclude public information that's combined with other personal data types, and potentially personal data accessible on a website where the consumer restricted access to a specific audience (which some companies or data brokers may scrape believing it to be public data). 

HB5222 enacts new obligations for businesses using facial recognition technology on their premises, where such technology analyzes facial features in still images or video to uniquely and personally identify a specific individual. The edits narrow the CTDPA's statutory exceptions for controllers or processors that use such technology for security, fraud prevention, or to help prevent or respond to illegal activity, including by prohibiting use of third-party databases to help with identity matching, requiring signage at each premises entrance, and mandating a publicly disclosed facial recognition technology policy. 

 

Connecticut Enacts Surveillance Pricing Law 

On June 2, 2026, Connecticut enacted a surveillance pricing law as a part of HB5222 which takes effect February 1, 2027.  Surveillance pricing under the law includes establishing a customized price for a consumer good or service that is based (in whole or part) on personal data collected (A) through any technology or technological method, and (B) by the person establishing the customized price either directly or indirectly. The law prohibits surveillance pricing by certain retailers and third-party delivery services. 

Companies engaging in surveillance pricing for online transactions may be required to prominently display in advertising, and price listings, a notice that “THIS PRICE WAS INCREASED USING YOUR PERSONAL DATA” if the surveillance pricing didn’t result in a discount. 

 

Stay on Enforcement of Texas App Store Law Lifted 

On May 28, 2026, the Fifth Circuit Court of Appeals lifted the preliminary injunctions that blocked enforcement of Texas’s App Store Accountability Act. Since it was set to take effect January 1, 2026, the Attorney General can now enforce the Act while constitutional challenges to the Act remain ongoing. 

Obligations for app developers include designating age ratings for each app based on its content/elements, notifying app stores of significant changes, and verifying ages and parental consent status using information from app stores. 

 

State Enforcement Focuses on Children’s Privacy and Platform Design 

State AGs continue to pursue enforcement actions targeting platform practices allegedly affecting minors. 

  • Texas filed suit against Netflix alleging deceptive practices related to user data collection and advertising representations.  

  • Oklahoma filed lawsuits against Roblox and Temu alleging inadequate protections for minors and unlawful data collection practices.  

  • Texas also sued Discord, alleging insufficient age verification and misleading safety representations.  

These actions reflect an ongoing enforcement priority on age verification, transparency, and alignment between public representations and actual data practices.  

 

Texas Expands Enforcement on Consumer Data Practices 

Texas regulators continue to pursue enforcement and investigations involving consumer data. 

  • On May 11, 2026, the Texas attorney general announced a settlement with LG requiring enhanced consent and disclosure practices for viewing data collection.  

  • On May 20, 2026, the attorney general launched an investigation into Meta’s AI-enabled smart glasses, citing concerns regarding continuous data capture and transparency.  

These actions underscore increasing scrutiny of connected devices and AI-enabled data collection technologies. 

 

Louisiana Adopts App Store Age Verification Framework 

On May 15, 2026, Louisiana enacted HB 977, establishing requirements for app stores and developers to verify user age and obtain parental consent for minors.  

The law creates shared obligations across app store operators and developers, including data-sharing requirements and enforcement mechanisms overseen by the attorney general. These requirements enter into effect on July 1, 2027. 

The framework reflects a broader trend toward ecosystem-wide accountability for child privacy compliance. 

 

EEOC Considers Rescinding Demographic Reporting Requirement 

On May 14, 2026, the U.S. Equal Employment Opportunity Commission submitted a proposal to the Office of Information and Regulatory Affairs rescinding the requirement for large employers to submit annual demographic reports.  

If finalized, employers may need to reassess data collection practices in light of other applicable legal obligations and operational needs. 

 

Beyond US Updates 

European Commission Finds Potential DSA Violations by Meta 

On April 29, 2026, the European Commission announced preliminary findings alleging that Meta violated the Digital Services Act by failing to adequately prevent underage access to its platforms.  

The Commission claimed deficiencies in Meta’s age verification mechanisms and platform safeguards. The Commission also states it is continuing to investigate other potential DSA breaches by Meta, including Meta’s assessment and mitigation of risk of “addictive behavior” of minors driven by online features. . 

 

Canada Issues Guidance on Age Assurance 

Canada’s Office of the Privacy Commissioner issued guidance outlining when and how organizations should implement age assurance mechanisms.  

In its Policy Note, the Office of the Privacy Commissioner noted that no singular age assurance method has been broadly adopted across Canada, and while its position regarding such a method may change, the office emphasized that age assurance is one part of a children safety program. The guidance emphasizes proportionality, risk-based implementation, and limits on the use of collected data, reinforcing privacy-by-design principles. 

 

Turkiye Regulates Social Media and Gaming Platforms 

On April 22, 2026, Turkiye adopted amendments to Law No. 5651 imposing age-based restrictions and parental control requirements for social media and gaming platforms.@ 

The amendments require age verification, service restrictions for minors, and enhanced parental oversight tools, aligning with global trends toward increased protections for children online. 

 

Latvia Issues Cookie Compliance Guidance 

On May 8, 2026, Latvia’s Data State Inspectorate released guidance identifying common deficiencies in cookie consent practices.  

The guidance reiterates the requirement for clear, informed, and freely given consent, as well as functional user controls and transparent disclosures. 

 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on AI, privacy, and data security. Hintze attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of AI, privacy, and data security 

 

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night — Hintze