CDP Institute

Ireland’s Data Protection Commission fined TikTok €530 million ($600 million) for breaching GDPR by transferring data to China without consent. The company intends to appeal, and claims China never requested data, and it never provided data to them. EU authorities believe data was at risk while being processed and faults TikTok for not being transparent with users.

Nigerians may lose Facebook and Instagram services if Meta makes good on its threat made to protest three sizeable fines imposed there. The fines levied by separate agencies are: 1) $220 million for alleged anti-competitive practices, 2) $37.5 million for unapproved advertising; and 3) $32.8 million for violating privacy laws.

Georgia is the eighth US state challenged on an age-verification law, as NetChoice swipes at the Georgia Children on Social Media Act. The business tech advocacy group sued Georgia over the new law which is due to go into effect this summer. Intended to protect the privacy of young children, the law requires companies to use “commercially reasonable efforts” to verify someone’s age and requires parental consent for minors to use social media.

Michigan’s Attorney General has sued television platform Roku for ongoing violation of the Children’s Online Privacy Protection Act (COPPA) and the Michigan Consumer Protection Act. The company is accused of systematically collecting, processing, and disclosing children’s data, which is not allowed under COPPA. The company is also accused of misleading parents about what data it collects.

Meta claims this will provide users multi-pronged protection, including from other party access, by protecting against attempted modifications that could post threats, and protection from being targeted.

They say privacy information provided to South Africans is far less than what is given to EU and other users. This is consistent with the concern that big tech traditionally gives short shrift to African country privacy laws as compared with laws in other parts of the world.

Blue Shield of California has admitted to a major data breach affecting 4.7 million members. It's due to a misconfigured Google Analytics setup. Meanwhile in Connecticut, Yale New Haven Health Service suffered a big cyberattack exposing sensitive patient data including social security numbers. Also, the website for Covered California, the health exchange that covers Californians under the Affordable Care Act, has been transmitting sensitive data to LinkedIn via trackers.

China’s chatbot DeepSeek which has been making EU countries nervous about its data collection practices, is being investigated by South Korea’s data protection authority for passing data to Chinese companies. However, automaker BMW just announced it's collaborating with DeepSeek to integrate its AI technology for enhanced, in-car intelligence. Wow!

New Mexico has a new privacy law going into effect this summer which bars state employees from disclosing sensitive personal data without a clearly defined need. The Nondisclosure of Sensitive Personal Information Act will be applicable to insurers, contractors and government service providers who will be liable for civil penalties and criminal sanctions if the data is mishandled.

IBM’s X-Force 2025 Threat Intelligence Index reports cybercriminals are taking a new tack when it comes to data piracy, changing from ransomware system lockdowns to stealthily entering systems and then lying in wait for opportunities to steal login information. The report, which resulted from studying 150 billion security events from 130+ countries, notes an 84% jump in phishing attacks and expanded use of AI by cybercriminals.

The US Federal Trade Commission (FTC) has just published the updated and more forceful rule for the Children’s Online Privacy Protection Act (COPPA), putting more pressure on businesses, apps and websites to protect children’s privacy and data confidentiality. The stronger rules, which will go into effect this summer, include new disclosure requirements, required creation of information security programs, and additional restrictions designed to keep data from being shared with advertisers and data brokers.

This has also impacted ~20% of its agency workforce who were told to stay home while corrections are being implemented.