CDP Institute

The Trump-appointed acting head of the U.S. Consumer Financial Protection Bureau withdrew a Biden-era proposal to limit sale by data brokers of Americans’ private information limit data brokers, according to a Federal Register notice issued last week.

The IAB Europe’s Transparency & Consent Framework (TCF) violates several GDPR principles but is not fatally flawed, the Belgian Court of Appeals has ruled. The ruling confirmed that TC Strings, which capture consumer consent to use their data for ad targeting, are personal data and that consumers must consent for IAB Europe to host them. But the IAB indicated that it believes it can make relatively minor changes to bring TCF into conformance. Many publishers rely on TCF as their basis for data-based ad targeting.

President Trump has passed a rare bipartisan privacy law, providing stricter penalties for distribution of non-consensual intimate imagery, a.k.a. “revenge porn.” Free speech advocates have some concerns about potential censorship and monitoring of private communications and the President has already promised to use it against his enemies.

Indonesia recently passed the first regulation in Asia to require digital products and services provide a high level of privacy by default. This according to the IEEE Standards Association, which collaborated with policymakers in Indonesia on the rule.

The handy new tool is regularly updated with enforcement news, although Osano cautions it isn’t comprehensive and does not constitute legal advice. Indeed, the first search we tried — for ‘CNIL’ — came up blank.

Google has just become the second tech giant after Meta to settle – for $1.4 billion – with the State of Texas under its “Capture or Use of Biometric Identifier” law. This allows the state to impose damages of up to $25,000 per violation for using citizen data without consent.

The data of billions of US citizens who use sites like Expedia and Booking.com is conveyed to airlines via the Airlines Reporting Corporation (ARC), according to newly released information. This data, including itinerary and financial information, is then sold to US Immigration Customs and Reinforcement (ICE). In further police state news, the US Health and Human Services (HHS) agency is proposing to obtain US Postal Service data, including information on package- and mail-tracking, credit cards and other financial information, IP addresses, and images of the outsides of envelopes and packages.

Slip-sliding away? California, which has previously led the way in privacy legislation, has opted to forgo rules it had drafted to regulate AI and similar systems. This results from the California Privacy Protection Agency’s decision to accede to business pressure to narrow the definition of “automated decision making,” allowing companies to opt out of rules by claiming algorithmic tools are just advisory to human decision making.

OneDrive’s forthcoming “Prompt to Add Personal Account to OneDrive Sync,” an “ease-of-use” prompt feature designed to enable click-of-the-screen synchronization of personal accounts with business accounts also is a default agreement that user files (potentially including those with sensitive data) can be transferred. Security experts point out business data could also then be copied to personal accounts if IT departments don’t block this.

New laws in these states and others are cracking down on how app and tech companies can engage with teens. The Texas legislature sent Governor Abbot a law making it the second state after Utah to require app distributors to verify user ages and block those under 18 from downloading apps without parental consent. Virginia’s governor just signed a bill that restricts teen social media to 1-hr/day unless parent’s consent to more; and Arkansas has a new law that 1) requires parental consent for data collection, 2) prohibits targeted advertising to teens and, 3) limits data collection to only what is necessary for servicing.

Part of the 2026 budget, it requires businesses to disclose clearly to consumers when a price has been set by an algorithm using their personal data.