Privacy & Cybersecurity Law Blog

The Federal Trade Commission has issued a new Policy Statement encouraging the adoption of robust age‑verification technologies by pledging not to bring enforcement actions under the COPPA Rule against operators of general‑ or mixed‑audience sites that collect, use or disclose personal information solely to determine users’ ages, so long as long as they follow strict safeguards.

On February 24, 2026, the UK ICO announced that it had fined Reddit, Inc. £14.47 million following an investigation into the company’s handling of children’s personal information.

On February 19, 2026, the Organisation for Economic Co-operation and Development published new guidance on the implementation of its Guidelines for Multinational Enterprises and AI Principles.

On February 23, 2026, a Joint Statement on AI-Generated Imagery was published by 61 data protection authorities. The Joint Statement addresses concerns regarding AI systems capable of generating realistic images and videos depicting identifiable individuals without their knowledge or consent.

On February 18, 2026, Virginia Attorney General Jay Jones announced that his office intends to fully enforce new provisions of the Virginia Consumer Data Protection Act restricting minors’ use of social media.

On February 9, 2026, trade association NetChoice filed a lawsuit challenging South Carolina’s newly passed Age-Appropriate Code Design (“SC AACD”) on First and Fourteenth Amendment grounds. The SC AACD was signed into law on February 5, 2026, making South Carolina the fifth U.S. state to enact such a law, following California, Maryland, Nebraska and Vermont.

On February 5, 2026, Connecticut Attorney General William Tong and Senator James Maroney announced that the state’s lawmakers will soon consider new measures aimed at protecting children and teenagers from potential risks associated with artificial intelligence technologies

On February 6, 2026, the Federal Trade Commission announced its second report to Congress on its efforts to combat ransomware and other cyber attacks.

On Friday, February 27, 2026, the California Privacy Protection Agency will hold a public meeting at 9:00 am PST in-person and online to discuss upcoming rulemaking activities.

A recent federal court ruling held that AI-generated documents prepared by a defendant and later shared with legal counsel were not protected by attorney-client privilege or the work product doctrine.

On February 11, 2026, California Attorney General Rob Bonta announced a record $2.75 million settlement with the Walt Disney Company to resolve allegations that the company did not sufficiently comply with consumer opt-out rights under the California Consumer Privacy Act.  

On February 12, 2026, South Korea’s National Assembly passed amendments to the Personal Information Protection Act authorizing administrative fines of up to 10% of a company’s total revenue in certain high-severity data breach cases.

Congress has extended the Cybersecurity Information Sharing Act of 2015 through September 30, 2026 as part of the Consolidated Appropriations Act, a government funding package enacted in early February 2026.

On February 3, 2026, the UK Information Commissioner’s Office publicly confirmed that it has launched formal investigations into X Internet Unlimited Company and X.AI LLC, focused on the Grok artificial intelligence system.

On February 5, 2026, the UK Information Commissioner’s Office announced a £247,590 fine against MediaLab.AI, Inc., the company behind the image-sharing platform Imgur, for failing to lawfully process children’s personal information. 

On January 28, 2026, the U.S. Federal Trade Commission held a workshop entitled “Protecting American Children: A Workshop to Explore Age Verification Technologies.”

On February 5, 2026, the next phase of the UK Data (Use and Access) Act officially came into force, bringing most of its provisions, including the major reforms in Part 5, into effect.

On January 27, 2026, Data Privacy Day, the California Office of the Attorney General announced an investigative sweep into surveillance pricing, a type of algorithmic pricing that uses personal information to set individualized prices, and how such practices may violate the California Consumer Privacy Act.

On January 27, 2026, the Centre for Information Policy Leadership hosted a fireside chat with California Privacy Protection Agency General Counsel Phil Laird in honor of Data Privacy Day.

On January 30, 2026, the Cybersecurity Administration of China released a Q&A document on policies and regulations for the security management of cross-border data transfers. 

On January 20, 2026, the European Commission proposed a comprehensive new cybersecurity package aimed at strengthening the EU’s cybersecurity resilience and enhancing its capacity to manage evolving threats.

The U.S. Supreme Court will soon decide who qualifies as a “consumer” under the federal Video Privacy Protection Act, a 1988 law originally enacted to protect the privacy of individuals’ video rental and purchase records.