CDP Institute

Google has just become the second tech giant after Meta to settle – for $1.4 billion – with the State of Texas under its “Capture or Use of Biometric Identifier” law. This allows the state to impose damages of up to $25,000 per violation for using citizen data without consent.

The data of billions of US citizens who use sites like Expedia and Booking.com is conveyed to airlines via the Airlines Reporting Corporation (ARC), according to newly released information. This data, including itinerary and financial information, is then sold to US Immigration Customs and Reinforcement (ICE). In further police state news, the US Health and Human Services (HHS) agency is proposing to obtain US Postal Service data, including information on package- and mail-tracking, credit cards and other financial information, IP addresses, and images of the outsides of envelopes and packages.

Slip-sliding away? California, which has previously led the way in privacy legislation, has opted to forgo rules it had drafted to regulate AI and similar systems. This results from the California Privacy Protection Agency’s decision to accede to business pressure to narrow the definition of “automated decision making,” allowing companies to opt out of rules by claiming algorithmic tools are just advisory to human decision making.

OneDrive’s forthcoming “Prompt to Add Personal Account to OneDrive Sync,” an “ease-of-use” prompt feature designed to enable click-of-the-screen synchronization of personal accounts with business accounts also is a default agreement that user files (potentially including those with sensitive data) can be transferred. Security experts point out business data could also then be copied to personal accounts if IT departments don’t block this.

New laws in these states and others are cracking down on how app and tech companies can engage with teens. The Texas legislature sent Governor Abbot a law making it the second state after Utah to require app distributors to verify user ages and block those under 18 from downloading apps without parental consent. Virginia’s governor just signed a bill that restricts teen social media to 1-hr/day unless parent’s consent to more; and Arkansas has a new law that 1) requires parental consent for data collection, 2) prohibits targeted advertising to teens and, 3) limits data collection to only what is necessary for servicing.

Part of the 2026 budget, it requires businesses to disclose clearly to consumers when a price has been set by an algorithm using their personal data.

Portugal has just joined Switzerland, Austria, and Luxembourg banning use of the cameras – and leaving yours turned off or packed away won’t help and could get you a fine as high as €25,000.