Health Privacy

Hintze Law Global Privacy Updates

The Hintze Law team monitors global privacy and data security developments to provide timely, practical insights for clients. Below is a summary of key updates from mid-April 2026 to date.

 

US Privacy Updates

Alabama Legislature Passes Comprehensive Privacy Bill

The Alabama legislature passed a bill that, if signed by the governor, would make Alabama the twenty-second state to enact a broadly applicable comprehensive privacy law. The law would take effect May 1, 2027, and would be enforced by the attorney general (following a mandatory forty-five-day right to cure violations). There do not appear to be any provisions that impose materially stricter obligations on companies than those required under other state comprehensive privacy laws.

CPPA Public Comment Period re: Employee Data

California regulators are signaling increased oversight. On April 20, 2026, the California Privacy Protection Agency (CalPrivacy) opened a public comment period on potential updates to California Consumer Privacy Act (CCPA) requirements related to employee data. The proposed changes focus on notice, disclosure, and transparency obligations, particularly in nontraditional interfaces and employment contexts. Comments are being accepted through May 20, 2026.

In parallel, the CPPA’s newly established Audits Division is expected to begin proactive compliance reviews later in 2026. Unlike the Enforcement Division, which investigates violations, the Audits Division will evaluate business practices and identify compliance gaps, with findings potentially referred for enforcement.

Illinois BIPA Ruling

In a significant ruling interpreting the Illinois Biometric Information Privacy Act (BIPA), the U.S. Court of Appeals for the Seventh Circuit held in Clay v. Union Pacific Railroad Company (April 1, 2026) that the 2024 amendment to BIPA applies retroactively. The amendment limits damages to a “per person” basis rather than “per scan,” substantially reducing potential exposure for businesses. As a result, claims pending as of, or brought after, August 2, 2024, are subject to this reduced damages framework.

 

Maryland Legislature Passes Comprehensive Privacy Law Amendment To Restrict Data Sharing

Maryland passed HB 711, amending the Maryland Online Data Privacy Act (MODPA) to impose new restrictions on sharing personal data with government entities involved in civil immigration enforcement. The amendment limits when organizations may respond to subpoenas or cooperate with law enforcement in this context, while still allowing compliance with court-issued warrants. These changes take effect July 1, 2026.

New Jersey Health Privacy Law

New Jersey’s newly enacted Privacy Protection Act, signed March 25, 2026, introduces targeted restrictions affecting government entities and healthcare providers. The provisions for health care facilities include:

  • Prohibiting the collection of information relating to a patient's "immigration status, citizenship status, place of birth, social security number, or individual taxpayer identification number," except when necessary to ensure the safe and appropriate delivery of health care services, as applicable by law, or to provide a requested public service, benefit, or program.

  • Providing that any record relating to such information used for health care services shall not be considered a government record or disclosed except under limited statutory exceptions; and

  • Clarifying that this prohibition does not apply when the patient to whom the record or information pertains has knowingly provided written consent for disclosure.

    • "The Department of Health, in consultation with the Attorney General, shall develop and make publicly available a standardized written consent form."

These provisions take effect on April 1, 2027.

Nebraska Age-Appropriate Design Code (AAADC)

Nebraska amended its Age-Appropriate Design Code (AAADC) through legislation signed on April 17, 2026. The amendments expand the scope of regulated entities and design features, lower applicability thresholds, and introduce new requirements such as tools enabling minors to delete or unpublish accounts. The law also strengthens protections against default settings or design practices that reduce minors’ privacy protections.

Idaho Passes Social Media Child Protection Law

On April 2, 2026, Idaho’s governor signed HB 542, which applies to any social media platform that, across its corporate group (parents, subsidiaries, and affiliates), has earned at least $1 billion in advertising revenue worldwide in one or more of the preceding three years.

Covered platforms will be subject to the following requirements for Idaho users:

  • Periodic age estimation triggered by users’ cumulative use of the platform

  • Collection of date of birth for new accounts

  • Verifiable parent consent (VPC) prior to creating or maintaining an account for a child user (age 16 or younger), changing terms and conditions applicable to a child account, and changing privacy settings of a child account

  • High-privacy default settings

  • No “addictive interface features” or “profile-based paid commercial advertising” in a child account’s display/feed

  • Account deletion requirements depending on whether the request comes from a child user or their parent

This law may be enforced by a private right of action (by a child or parent), including claims of harm to mental health and emotional distress. The Idaho AG may also investigate and enforce reckless or knowing violations as per se violations of the state consumer protection act. There is a three-year statute of limitations for all claims. A successful action carries penalties of actual damages or $10,000, whichever is greater, and punitive damages are available in the event of “consistent pattern[s] of reckless or knowing conduct.”

All requirements except age estimation take effect July 1, 2026. Age estimation requirements functionally take effect January 1, 2027.

Iowa AG Files Lawsuit Against Meta for Misrepresentation of Material Harmful to Minors and Addictive Design Features

On April 8, Iowa Attorney General Bird announced a state consumer protection lawsuit against Instagram alleging youth safety and “addictive” design claims. The lawsuit alleges that Meta allows adult sexual content, alcohol, tobacco, and drug use and references, and mature/suggestive themes on Instagram despite the app’s “T for Teen” rating. The lawsuit also alleges that Instagram has addictive design features, including notifications, infinite scroll, ephemeral content, quantification and display of social interaction, and algorithmic recommendation feeds.

The lawsuit seeks a permanent injunction against Meta’s alleged misrepresentations about the content available on Instagram and “civil penalties, disgorgement, and other costs and fees.”

West Virginia and Alabama Settle Children's Safety Claims with Roblox

On April 21, 2026, the Alabama AG and the West Virginia AG both announced settlements with Roblox. (Alabama's settlement can be found here.) The agreements levy $12.5M and $11M fines, respectively, and impose additional requirements, which include:

  • Verifying the age of all users before granting chat access,

  • Restricting adults from contacting U16 users except through verified trusted friends

  • Alerting minors upon first entering a private chat

  • Defaulting all U16 and unverified users to safe content mode

  • Allocating funds and resources to internet safety compliance and enforcement.

Multiple states also recently reached settlements with Roblox regarding children’s data and online safety practices. These agreements impose new requirements, including age verification for chat access, restrictions on adult-minor interactions, default safety settings for younger users, and enhanced compliance investments. These settlements reflect a coordinated enforcement trend focused on protecting minors online. Read about it in depth in our latest blog post.

 

International Updates

China PIPL Enforcement Campaigns: Increased Scrutiny Across Key Sectors

On April 2, 2026, the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), announced a set of nationwide enforcement initiatives under the Personal Information Protection Law (PIPL). The announcement lays out the most detailed and coordinated PIPL enforcement roadmap to date.

Unlike earlier enforcement efforts that were largely complaint‑driven or ad hoc, the 2026 initiatives take a structured, sector‑by‑sector approach, with regulators spelling out exactly what they plan to inspect and where.

Key highlights include:

  • Seven targeted enforcement campaigns, covering:

    • Apps and embedded SDKs

    • Internet advertising and adtech

    • Education (with a strong focus on children’s data)

    • Transportation and mobility platforms

    • Healthcare providers

    • Financial services

    • Criminal data‑trafficking and “insider” cases

  • Explicit focus on adtech and automated decision‑making, including profiling, personalized advertising, and failure to honor opt‑out choices.

  • Increased scrutiny of SDKs, signaling that third‑party code is no longer a compliance blind spot.

  • Escalation risk: the involvement of public security authorities underscores that serious or repeated violations may move beyond administrative penalties to criminal enforcement.

European Data Protection Board 2025 Report

On April 9, 2026, the European Data Protection Board (EDPB) published a report on its work in 2025. Over the year the EDPB:

  • Published guidelines on interactions between the GDPR and other EU digital laws, including the Digital Services Act, Digital Markets Act, and the EU AI Act;

  • Published guidelines and opinions on topics such as pseudonymisation; and

  • Focused on the right to erasure through the 2025 Coordinated Enforcement Framework, with participation from 32 supervisory authorities and responses from 764 controllers.

 

Industry / Tech Updates

Google Analytics Changes Affecting “Sales”

Changes to Google Analytics taking effect June 15, 2026, may have significant compliance implications. Businesses will no longer be able to prevent data collected through Google Analytics from being shared with Google Ads through Analytics settings alone. Instead, service configurations will determine whether Google acts as a data processor or controller, which may affect whether data sharing constitutes a “sale” or targeted advertising under applicable laws. This change increases both regulatory risk and potential exposure under statutes such as California’s privacy laws and the California Invasion of Privacy Act (CIPA).

 

 

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on data protection, including privacy, AI, and data security. Our attorneys and consultants support clients across technology, advertising, media, fintech, healthcare, biotech, e-commerce, and mobile sectors.

Hintze & Partners Recognized by Chambers in 2026 Global Rankings


Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2026 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s third year receiving recognition for Privacy and Data Security: Healthcare.

Washington Marijuana Retailer Sued Under My Health My Data Act for Website Pixel Use

by Sam Castic and Felicity Slater

A class action suit was recently filed against the companies that operate Uncle Ike's, a Seattle-area marijuana retailer. The suit filed in Washington federal court alleges common law tort claims, ECPA claims, and a claim under the My Health My Data Act (‘MHMDA’ or ‘the Act’). 

California Prohibits AI Misrepresentations about Health Care Licenses

By Cameron Cantrell

On October 11, 2025, California’s Governor Newsom signed AB 489, a law designed to address health advice from artificial intelligence (“AI”). It will take effect on January 1, 2026.

California’s Healthline.com Enforcement Action Shows CCPA’s Teeth – and Sensitive Data Reach

By Mason Fitch and Kate Black

The California Attorney General’s Office (“OAG”) announced an enforcement action against Healthline.com on July 1 that marks a significant development in California Consumer Privacy Act (CCPA) enforcement. This action, accompanied by the largest fine under CCPA yet at $1.55 million, highlights critical areas of consideration for any company engaging in the advertising ecosystem as well as any company that processes sensitive personal information.

Texas District Court Vacates Majority of HIPAA Reproductive Privacy Rule

by Cameron Cantrell and Felicity Slater 

On June 19, 2025, the U.S. District Court in the Northern District of Texas vacated the vast majority of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy (the “HIPAA Reproductive Privacy Rule” or “Rule”). The Department of Health and Human Services (“HHS”) published the Rule in the Federal Register in April 2024 with a compliance date of December 23, 2024. The District Court’s decision to vacate the reproductive privacy aspects of the Rule has an immediate and nationwide effect.

Hintze & Partners Recognized by Chambers in 2025 USA Rankings

Hintze Law PLLC is delighted to announce the Chambers & Partners recognition of Susan Hintze, Mike Hintze, Sam Castic, and Mason Fitch in its USA Guide 2025. These recognitions include the firm’s sixth year being nationally ranked in Privacy and Data Security, and third year in Privacy & Data Security: Healthcare.

Virginia Governor Signs Reproductive Health Data Restrictions into Law

by Cameron Cantrell and Felicity Slater 

On March 24, 2025, Governor Youngkin (R) of Virginia signed SB 754—which amends the Virginia Consumer Protection Act (VCPA) to restrict the collection and processing of “reproductive or sexual health information” and is enforceable through a private right of action—into law. The law will take effect July 1, 2025. 


Fourth Circuit Publishes Landmark Ruling on 21st Century Cures Act “Information Blocking”

By Cameron Cantrell and Kate Black

On March 12, 2025, the Fourth Circuit Court of Appeals ruled that (1) the information blocking prohibition in the federal 21st Century Cures Act (“Cures Act”) was plausibly violated when an Electronic Health Record (EHR) provider blocked bot access to its systems without sufficient justification, and (2) this violation may support a Maryland state law unfair competition claim, despite the Cures Act not having its own private right of action. This decision notably appears to be the first Circuit Court decision concerning the information blocking prohibition and, for parties subject to the rule, raises the risk that information blocking may be enforceable through a de facto state privacy right of action.

Don’t Sleep on Maryland: The Maryland Online Data Privacy Act Will Keep Health and Wellness Companies Up at Night

By Felicity Slater and Kate Black

The Maryland Online Data Privacy Act (“MODPA” or the “Act”), which takes effect October 1, 2025, establishes a set of novel requirements that will have a particular impact for companies operating in the health and wellness sectors. 

Hintze & Partners Recognized by Chambers in 2025 Global Rankings

Hintze Law and its lawyers have once again been recognized in Chambers & Partners for expertise in Privacy and Data Security in the 2025 Chambers Global Guide. These recognitions include Hintze Law’s fifth year being ranked as an Elite Law Firm for Privacy and Data Security as well as the firm’s second year receiving recognition for Privacy and Data Security: Healthcare.

New York Legislature Passes Extraordinarily Restrictive Health Data Privacy Bill

By Mike Hintze and Felicity Slater

Last year, we wrote about a proposed New York State law that would have significant impacts for entities that process health and wellness related data. That bill failed to pass before the 2024 legislative session ended. But today, in the early days of the 2025 session, the New York State legislature has passed Senate Bill S929 (SB S929), which is essentially unchanged from last year’s bill.  

In ‘Holy Redeemer’ Settlement Agreement, OCR Continues to Prioritize Privacy Protections for Reproductive Health Information

by Felicity Slater and Kate Black

On November 26, 2024, the Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced a resolution agreement and corrective plan with Pennsylvania’s Holy Redeemer Hospital (Holy Redeemer). The agreement settles OCR’s claim that Holy Redeemer disclosed a patient’s protected health information (PHI)—including intimate reproductive health details—without a permissible purpose or valid authorization from the patient in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

A Last-Minute Push for a Reproductive Health Privacy Law in Michigan

By Mike Hintze and Felicity Slater 

On November 7, 2024, the Michigan legislature introduced Senate Bill 1082 / House Bill 6077, the Reproductive Data Privacy Act (the “RDPA” or the “act”). The act was introduced in the aftermath of the 2024 election cycle as Michigan Democrats brace to lose control of the House in 2025. At a hearing in the Senate Committee on Housing and Human Services, lawmakers backing the RDPA expressed a hope to pass the act before the year’s end. 


Washington My Health My Data Act - Part 4: Effective Dates

By Mike Hintze

Yesterday the amended Senate version of the Washington My Health My Data Act was approved by the Washington State Legislature. Now that it is a near certainty the Act will become law in its current form, entities subject to the Act need to start preparing to comply. The key factor in determining deadlines for having compliance measures in place is the effective date of the Act. The Act purports to come into effect on March 31, 2024 (and for small businesses, three months later on June 30, 2024). However, contrary to stated legislative intent, and due to what one can only conclude is, at least in part, a drafting error, some of the key substantive provisions of the Act may come into effect much sooner than expected - as soon as July 2023. 


Washington My Health My Data Act - Part 3: The Scope of Entities and Consumers Captured by the Act

By Mike Hintze

The Washington My Health My Data Act applies to “regulated entities” that collect or process “consumer health information” from “consumers.” Part two of this series addressed the definition of “consumer health data” and how that definition results in a scope of applicability that is far beyond what we might typically think of as sensitive health data. But the other two above-quoted defined terms – “regulated entity” and “consumer” also result in a very broad (and in some ways surprising) scope and impact. 


Washington My Health My Data Act - Part 2: The Scope of “Consumer Health Data”

By Mike Hintze

The substantive requirements of the Washington My Health My Data Act apply to collection, use, and disclosure of “consumer health data.” While there are a few important exclusions, the stunning breadth of that term's definition means that it will be difficult to safely conclude that any category of personal data is out of scope of the Act. As a result, it is inaccurate to refer to the Washington My Health My Data Act as a “health data privacy law.” On the contrary, it is, in effect, a generally-applicable privacy law.


The Washington My Health My Data Act - Part 1: An Overview

By Mike Hintze

The Washington My Health My Data Act will become the most consequential privacy legislation enacted in 2023. The sweeping scope and extreme substantive obligations, combined with vague terms and with a full private right of action, make this Act extraordinarily challenging and risky for entities seeking to comply with its requirements.
