Privacy updates

Hintze Law Global Privacy Updates

The Hintze Law team monitors global privacy and data security developments to provide timely, practical insights for clients. Below is a summary of key updates from mid-April 2026 to date.


US Privacy Updates

Alabama Legislature Passes Comprehensive Privacy Bill

The Alabama legislature passed a bill which, if signed by the governor, would make Alabama the twenty-second state to enact a broadly applicable comprehensive privacy law. The law would take effect May 1, 2027, and would be enforced by the attorney general (following a mandatory forty-five-day right to cure violations). There do not appear to be any provisions that impose materially stricter obligations on companies than those already required under other state comprehensive privacy laws.

CPPA Public Comment Period re: Employee Data

California regulators are signaling increased oversight. On April 20, 2026, the California Privacy Protection Agency (CalPrivacy) opened a public comment period on potential updates to California Consumer Privacy Act (CCPA) requirements related to employee data. The proposed changes focus on notice, disclosure, and transparency obligations, particularly in nontraditional interfaces and employment contexts. Comments are being accepted through May 20, 2026.

In parallel, the CPPA’s newly established Audits Division is expected to begin proactive compliance reviews later in 2026. Unlike the Enforcement Division, which investigates violations, the Audits Division will evaluate business practices and identify compliance gaps, with findings potentially referred for enforcement.

Illinois BIPA Ruling

In a significant ruling interpreting the Illinois Biometric Information Privacy Act (BIPA), the U.S. Court of Appeals for the Seventh Circuit held in Clay v. Union Pacific Railroad Company (April 1, 2026) that the 2024 amendment to BIPA applies retroactively. The amendment limits damages to a “per person” basis rather than “per scan,” substantially reducing potential exposure for businesses. As a result, claims pending as of, or brought after, August 2, 2024, are subject to this reduced damages framework.


Maryland Legislature Passes Comprehensive Privacy Law Amendment To Restrict Data Sharing

Maryland passed HB 711, amending the Maryland Online Data Privacy Act (MODPA) to impose new restrictions on sharing personal data with government entities involved in civil immigration enforcement. The amendment limits when organizations may respond to subpoenas or cooperate with law enforcement in this context, while still allowing compliance with court-issued warrants. These changes take effect July 1, 2026.

New Jersey Health Privacy Law

New Jersey’s newly enacted Privacy Protection Act, signed March 25, 2026, introduces targeted restrictions affecting government entities and healthcare providers. The provisions for health care facilities include:

  • Prohibiting the collection of information relating to a patient's "immigration status, citizenship status, place of birth, social security number, or individual taxpayer identification number," except when necessary to ensure the safe and appropriate delivery of health care services, as applicable by law, or to provide a requested public service, benefit, or program;

  • Providing that any record relating to such information used for health care services shall not be considered a government record or disclosed except under limited statutory exceptions;

  • Clarifying that this prohibition does not apply when the patient to whom the record or information pertains has knowingly provided written consent for disclosure; and

  • Directing that "The Department of Health, in consultation with the Attorney General, shall develop and make publicly available a standardized written consent form."

These provisions take effect on April 1, 2027.

Nebraska Age-Appropriate Design Code (AAADC)

Nebraska amended its Age-Appropriate Design Code (AAADC) through legislation signed on April 17, 2026. The amendments expand the scope of regulated entities and design features, lower applicability thresholds, and introduce new requirements such as tools enabling minors to delete or unpublish accounts. The law also strengthens protections against default settings or design practices that reduce minors’ privacy protections.

Idaho Passes Social Media Child Protection Law

On April 2, 2026, Idaho’s governor signed HB 542, which applies to any social media platform that, across its corporate group (parents, subsidiaries, and affiliates), has earned at least $1 billion in advertising revenue worldwide in one or more of the preceding three years.

Covered platforms will be subject to the following requirements for Idaho users:

  • Periodic age estimation triggered by users’ cumulative use of the platform

  • Collection of date of birth for new accounts

  • Verifiable parent consent (VPC) prior to creating or maintaining an account for a child user (age 16 or younger), changing terms and conditions applicable to a child account, and changing privacy settings of a child account

  • High-privacy default settings

  • No “addictive interface features” or “profile-based paid commercial advertising” in a child account’s display/feed

  • Account deletion requirements depending on whether the request comes from a child user or their parent

This law may be enforced through a private right of action (by a child or parent), including claims of harm to mental health and emotional distress. The Idaho AG may also investigate and enforce reckless or knowing violations as per se violations of the state consumer protection act. There is a three-year statute of limitations for all claims. A successful action yields actual damages or $10,000, whichever is greater, and punitive damages are available in the event of “consistent pattern[s] of reckless or knowing conduct.”

All requirements except age estimation take effect July 1, 2026. Age estimation requirements functionally* take effect January 1, 2027.

Iowa AG Files Lawsuit Against Meta for Misrepresentation of Material Harmful to Minors and Addictive Design Features

On April 8, Iowa Attorney General Bird announced a state consumer protection lawsuit against Instagram alleging youth safety and “addictive” design claims. The lawsuit alleges that Meta allows adult sexual content, alcohol, tobacco, and drug use and references, and mature/suggestive themes on Instagram despite the app’s “T for Teen” rating. The lawsuit also alleges that Instagram has addictive design features, including notifications, infinite scroll, ephemeral content, quantification and display of social interaction, and algorithmic recommendation feeds.

The lawsuit seeks a permanent injunction against Meta’s alleged misrepresentations about the content available on Instagram and “civil penalties, disgorgement, and other costs and fees.”

West Virginia and Alabama Settle Children's Safety Claims with Roblox

On April 21, 2026, the Alabama AG and the West Virginia AG both announced settlements with Roblox. (Alabama's settlement can be found here.) The agreements levy $12.5M and $11M fines, respectively, and impose additional requirements, including:

  • Verifying the age of all users before granting chat access;

  • Restricting adults from contacting U16 users except through verified trusted friends;

  • Alerting minors upon first entering a private chat;

  • Defaulting all U16 and unverified users to safe content mode; and

  • Allocating funds and resources to internet safety compliance and enforcement.

Multiple states also recently reached settlements with Roblox regarding children’s data and online safety practices. These agreements impose new requirements, including age verification for chat access, restrictions on adult-minor interactions, default safety settings for younger users, and enhanced compliance investments. These settlements reflect a coordinated enforcement trend focused on protecting minors online. Read about them in depth in our latest blog post.


International Updates

China PIPL Enforcement Campaigns: Increased Scrutiny Across Key Sectors

On April 2, 2026, the Cyberspace Administration of China (CAC), together with the Ministry of Industry and Information Technology (MIIT) and the Ministry of Public Security (MPS), announced a set of nationwide enforcement initiatives under the Personal Information Protection Law (PIPL). The announcement lays out the most detailed and coordinated PIPL enforcement roadmap to date.

Unlike earlier enforcement efforts that were largely complaint‑driven or ad hoc, the 2026 initiatives take a structured, sector‑by‑sector approach, with regulators spelling out exactly what they plan to inspect and where.

Key highlights include:

  • Seven targeted enforcement campaigns, covering:

    • Apps and embedded SDKs

    • Internet advertising and adtech

    • Education (with a strong focus on children’s data)

    • Transportation and mobility platforms

    • Healthcare providers

    • Financial services

    • Criminal data‑trafficking and “insider” cases

  • Explicit focus on adtech and automated decision‑making, including profiling, personalized advertising, and failure to honor opt‑out choices.

  • Increased scrutiny of SDKs, signaling that third‑party code is no longer a compliance blind spot.

  • Escalation risk: the involvement of public security authorities underscores that serious or repeated violations may move beyond administrative penalties to criminal enforcement.

European Data Protection Board 2025 Report

On April 9, 2026, the European Data Protection Board (EDPB) published a report on its work in 2025. Over the year the EDPB:

  • Published guidelines on interactions between the GDPR and other EU digital laws, including the Digital Services Act, Digital Markets Act, and the EU AI Act;

  • Published guidelines and opinions on topics such as pseudonymisation; and

  • Focused on the right to erasure through the 2025 Coordinated Enforcement Framework, with participation from 32 supervisory authorities and responses from 764 controllers.


Industry / Tech Updates

Google Analytics Changes Affecting “Sales”

Changes to Google Analytics taking effect June 15, 2026, may have significant compliance implications. Businesses will no longer be able to prevent data collected through Google Analytics from being shared with Google Ads through Analytics settings alone. Instead, service configurations will determine whether Google acts as a data processor or controller, which may affect whether data sharing constitutes a “sale” or targeted advertising under applicable laws. This change increases both regulatory risk and potential exposure under statutes such as California’s privacy laws and the California Invasion of Privacy Act (CIPA).


Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized boutique law firm that provides counseling exclusively on data protection, including privacy, AI, and data security. Our attorneys and consultants support clients across technology, advertising, media, fintech, healthcare, biotech, e-commerce, and mobile sectors.

FTC Finalizes Order Against GM and OnStar Over Driver Data

By Elizabeth Crooks and Susan Hintze


On January 14, 2026, the Federal Trade Commission (FTC) finalized a settlement order with General Motors (GM) and OnStar regarding the collection and disclosure of driver behavioral and location data. The complaint alleged violations of the Federal Trade Commission Act (FTC Act), including the collection, use, and disclosure of such data without notice to consumers and without consumers’ informed consent.

The Complaint

In its complaint claiming deceptiveness and unfairness under the FTC Act, the FTC made the following allegations.

GM and OnStar gave consumers false assurance that the driving data collected would be used only for consumers' own safety and to assess their own driving habits. Instead, GM and OnStar sold this data to third parties, including consumer reporting agencies, auto insurance companies, and others, for unrelated purposes and without appropriate notice or consent.

Consumers were not informed that constantly collected precise geolocation data; detailed driving events such as seat-belt usage, hard braking, and speeds over 80 mph; and data about which radio stations consumers listened to would be shared with these entities. These entities used the data for unexpected purposes, including denying or canceling insurance, increasing insurance premiums, and advertising analytics. Many consumers were, therefore, unaware of what exactly they had opted into when giving their consent. Based on the incomplete information GM and OnStar had provided, those consumers had no reason to expect that their consent to collection and use of their driving data might have real-world, negative financial consequences.

In addition to inadequate notice and consent about sharing, consent for different features was bundled together inappropriately. Consent for safety and maintenance alerts was bundled with consent to enroll in OnStar Smart Driver, a service unrelated to vehicle maintenance. There was only one ‘accept’ or ‘decline’ choice for such features, and the choice was described in such a way that consumers did not understand what maintenance and safety features and alerts they would lose by not consenting to the OnStar service.

Further, GM did not provide a setting that gave consumers the ability to mask location data on all vehicles. Where the setting was available, it defaulted to “off,” and GM did not widely communicate the availability of the setting to consumers. Moreover, because of the lack of adequate disclosures at consent about the constant collection and sharing of precise location data, consumers did not appreciate the importance of the setting.

The complaint alleged that as a result of GM and OnStar’s business practices, consumers experienced loss of auto insurance, unexpected increases in insurance premiums, and loss of privacy about sensitive data, including locations visited and day-to-day movements.

The Order

In its order, the FTC defines location data more broadly than in past orders. For the first time, the definition of ‘location data’ includes data that reveals the precise location of not only a mobile device or consumer but also of their vehicle.

In its definition of Covered Driver Data, the FTC also describes a car’s vehicle identification number (VIN), or an alternative identifier that can be linked to VIN, as “reasonably linkable” to a consumer. It further describes data linked to a VIN as not included in its definition of “Deidentified.” Both definitions suggest a willingness to treat VIN as personal information.

The FTC’s order requires GM and OnStar to, in sum:

  • Not disclose driver data to a Consumer Reporting Agency.

  • Obtain affirmative express consent prior to collecting, using, or disclosing driver data to a third party; obtain separate consent for each separate, unrelated service or feature; and not place limits on withholding or withdrawing consent, such as by degrading the quality or functioning of a product or service as a penalty.

  • Give consumers a means to disable collection of 1) location data and 2) all vehicle data if they decline OnStar.

  • Honor consumer requests to access and delete their driver data.

  • Minimize data collection to what is reasonably necessary to fulfill the specific purpose for which it was collected.

  • Document, adhere to, and publish an up-to-date data retention schedule.

  • Delete or destroy all prior-retained driver data within 180 days of the order and instruct third parties to destroy data.

  • Not misrepresent collection, use, and disclosure of data or purposes for the same.

The order has a typical 20-year termination date. However, the FTC departed slightly from its standard duration, limiting the requirement not to disclose driver data to a Consumer Reporting Agency to only five years.

Key Takeaways

We highlight several key takeaways below, particularly for any organization collecting telemetry or location data:

Choice Mechanisms. Ensure that consents for unrelated services and features are not bundled together, and make sure that the effects of each consent are described clearly and thoroughly, not in a way that might cause confusion.

Treatment of ‘Location Data.’ Present consumers with a way to opt in to, and to disable, the collection and use of precise geolocation data separately from other choices, and clearly inform consumers how to do so. Ensure that your definitions and application of rules regarding precise geolocation data extend not only to the consumer but also to the things a consumer carries or travels in.

Notice. Ensure that consent disclosures and privacy statements are presented accurately and with enough detail that consumers can understand the impact of choices. Train those responsible for handling agreements to understand privacy commitments made to consumers and to ensure that agreements do not violate those commitments.

VIN and Other Unique IDs as Identifiable Data. If you collect a VIN associated with data about an individual, protect it as you would other personal data. Consider treating other unique identifiers that, like a VIN, could be linked to individuals as personal data.

Third Party Accountability. Review data sharing agreements with third parties to ensure that limitations are clearly outlined and that continued access to data is conditioned on agreeing to, and having a process in place to, delete data upon your instruction. Verify that contractual commitments with third parties about consumer data do not conflict with promises made to consumers and that adequate consents are obtained before agreeing to share sensitive data with third parties.

Hintze Law PLLC is a Chambers-ranked and Legal 500-recognized, boutique law firm that provides counseling exclusively on AI, privacy, and data security. Its attorneys and data consultants support technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy, data security, and AI law. 

Elizabeth Crooks is Senior Privacy Analyst at Hintze. Elizabeth has a Masters of Science in Information Management and guides global companies on privacy, cybersecurity, and data protection matters. 

Susan Hintze is Co-Managing Partner at Hintze Law PLLC, on the IAPP’s Board of Directors, and a Westin Emeritus Fellow with the IAPP.