Privacy & Cybersecurity Law Blog

On March 3, 2026, the Virginia Attorney General appealed a federal court’s grant of a preliminary injunction barring the enforcement of a new Virginia law requiring age verification and a time limit on social media use by minors under the age of 16 pending a final determination on the merits.    

On March 3, 2026, the CalPrivacy announced its first enforcement action involving student privacy, requiring PlayOn Sports to pay a $1.10 million fine for alleged violations of the CCPA’s opt-out rights and requirements.

Recent changes to 42 CFR Part 2 mean many covered entities must update their HIPAA Notices of Privacy Practices by February 16, 2026.

On February 5, 2026, Alabama Governor Kay Ivey signed Alabama House Bill 161, the App Store Accountability Act, establishing age categorization, age verification and parental consent requirements for mobile application marketplace providers operating in Alabama, effective January 2027.

On March 5, 2026, the California Privacy Protection Agency announced that the agency had reached a settlement with Ford Motor Company resolving an enforcement action against the company that alleged noncompliance with the California Consumer Privacy Act’s opt-out of sale/sharing rights.

On March 3, 2026, the European Commission published draft guidelines intended to clarify the application of the Cyber Resilience Act and opened a public consultation to gather feedback from stakeholders.

On February 27, 2026, the UK ICO announced a public consultation on proposed updates to its guidance concerning research, archiving and statistics to reflect the changes introduced by the Data (Use and Access) Act 2025.

On February 19, 2026, the U.S. Department of Health and Human Services’ Office for Civil Rights announced a $103,000 settlement with Top of the World Ranch Treatment Center, an Illinois substance use disorder treatment provider, to resolve alleged noncompliance with the HIPAA Security Rule’s risk analysis requirement.

The Federal Trade Commission has issued a new Policy Statement encouraging the adoption of robust age‑verification technologies by pledging not to bring enforcement actions under the COPPA Rule against operators of general‑ or mixed‑audience sites that collect, use or disclose personal information solely to determine users’ ages, so long as long as they follow strict safeguards.

On February 24, 2026, the UK ICO announced that it had fined Reddit, Inc. £14.47 million following an investigation into the company’s handling of children’s personal information.