Enforcement Is Maturing and Minors Are at the Center
This month’s developments show privacy enforcement entering a more structured and assertive phase globally. Regulators are no longer just issuing guidance. They are imposing significant fines, clarifying procedural rights, tightening complaint frameworks, and strengthening institutional capacity.
A dominant theme is children’s privacy. From age assurance enforcement in the UK and US to platform design restrictions at state level, regulators are signaling that protections for minors are now a core enforcement priority, not a niche issue. We are also seeing increased scrutiny of data governance fundamentals: risk assessments, retention limits, third-country transfers, and transparency obligations.
For organizations, the trend is clear: regulators expect documented accountability, operational maturity, and defensible decision-making. Privacy compliance is shifting from policy statements to demonstrable governance in practice.
North & South America Jurisdiction
1. Brazil Grants Full Independence to its Data Protection Authority, ANPD
February 24, 2026 Brazil
Brazil’s Senate has approved legislation transforming the Autoridade Nacional de Proteção de Dados (ANPD) into a fully autonomous regulatory agency. Previously linked to the Presidency, the authority will now operate with functional, administrative, financial, and decision-making independence.
The reform also creates 200 specialist positions in data protection regulation and establishes an internal auditing body, strengthening the agency’s institutional and enforcement capacity. The move aligns Brazil’s regulator with other federal regulatory agencies and reinforces oversight under the Lei Geral de Proteção de Dados (LGPD).
This development signals greater regulatory maturity and is expected to enhance the ANPD’s ability to independently supervise, investigate, and sanction organizations processing personal data in Brazil.
2. HHS OCR Settles HIPAA Security Rule Case with Illinois Treatment Center
February 19, 2026 United States
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has reached a $103,000 settlement with an Illinois-based treatment provider following a phishing attack that exposed electronic protected health information (ePHI) of 1,980 individuals.
OCR found the organization failed to conduct a required risk analysis under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. As part of the resolution, the provider will implement a two-year corrective action plan, including a comprehensive risk assessment, risk management measures, policy updates, and workforce training.
This marks OCR’s 11th enforcement action under its Risk Analysis Initiative, highlighting continued regulatory focus on cybersecurity compliance in the healthcare sector.
3. Virginia Attorney General to Enforce One-Hour Daily Social Media Limit for Minors
February 18, 2026 Virginia, United States
Virginia Attorney General Jay Jones announced full enforcement of new amendments to the Virginia Consumer Data Protection Act requiring social media platforms to limit users under 16 to one hour per day, unless a parent provides verifiable consent to modify the limit.
The announcement follows a motion to dismiss a lawsuit filed by NetChoice seeking to block the law. Effective January 1, 2026, platforms must use commercially reasonable age verification methods and comply with usage restrictions for minors.
Companies found in violation will receive a 30-day cure period. Continued non-compliance may result in civil penalties of up to $7,500 per violation, along with injunctive relief. The move signals increasing state-level regulatory scrutiny of youth social media use and platform accountability.
4. FTC Signals Enforcement Flexibility for Age Verification Under COPPA
February 17, 2026 United States
The Federal Trade Commission (FTC) announced it will not pursue enforcement under the Children’s Online Privacy Protection Act (COPPA) Rule against operators that collect personal information solely to determine a user’s age, if specific safeguards are followed.
Operators must limit data use to age verification, avoid unnecessary retention, implement reasonable security measures, and provide clear notice. The policy applies to general-audience and mixed-audience platforms.
The FTC also indicated it will review COPPA to address age verification mechanisms, signaling continued regulatory attention to online child safety.
Florida Attorney General James Uthmeier announced the creation of the Consumer Harm from International Nefarious Actors (CHINA) Prevention Unit, a dedicated division within the Attorney General’s Office focused on countering alleged data privacy, cybersecurity, and economic threats posed by foreign adversaries, particularly the Chinese Communist Party (CCP).
The unit will investigate companies suspected of routing sensitive consumer or medical data to China and has already issued subpoenas to several firms, including medical device manufacturers and technology providers. A subpoena has also been issued to Shein over alleged deceptive trade practices and data privacy concerns.
The initiative reflects increasing state-level scrutiny of cross-border data flows, foreign technology supply chains, and national security-linked privacy enforcement.
6. FTC Warns Data Brokers to Comply with PADFAA Restrictions on Foreign Data Transfers
February 9, 2026 United States
The Federal Trade Commission (FTC) sent letters to 13 data brokers reminding them of their obligations under the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA).
The law prohibits the sale or transfer of Americans’ sensitive personal data, including health, financial, biometric, geolocation, and government ID information, to foreign adversaries such as China, Russia, Iran, and North Korea.
The FTC warned that non-compliance may result in enforcement actions and civil penalties of up to $53,088 per violation, signaling heightened scrutiny of cross-border data transfers.
7. Connecticut AG Reports Active Investigations Under Expanded CTDPA, Focus on Children’s Online Safety
February 5, 2026 Connecticut, United States
Connecticut Attorney General William Tong released an updated enforcement report under the Connecticut Data Privacy Act (CTDPA), revealing multiple active investigations involving social media, gaming platforms, chatbots, and data brokers, particularly concerning risks to children and teens.
The report reflects expanded minors’ privacy protections effective October 2024. In 2025, the Office issued numerous violation notices, finalized data breach settlements, and completed its first CTDPA enforcement action.
Recent amendments further strengthen protections by lowering applicability thresholds, expanding sensitive data categories, restricting targeted advertising to minors, and requiring disclosures for AI training use.
The development highlights heightened state enforcement of youth privacy and AI-related risks.
8. South Carolina Enacts Social Media Regulation Act Targeting Addictive Design for Minors
February 5, 2026 South Carolina, United States
South Carolina Governor Henry McMaster signed the South Carolina Social Media Regulation Act into law, imposing new obligations on covered online services to protect minors.
The law requires platforms to disable addictive features such as infinite scroll for users under 18, conduct annual third-party safety audits, and prohibit targeted advertising and dark patterns directed at minors. The state Attorney General is authorized to seek treble damages for violations.
The legislation reflects growing state-level momentum toward regulating platform design and youth online safety.
9. UK ICO Fines Reddit £14.47m for Children’s Privacy Failures
February 24, 2026 United Kingdom
The Information Commissioner's Office (ICO) has fined Reddit £14.47 million for unlawfully processing children’s personal data.
The investigation found Reddit failed to implement robust age assurance measures and did not conduct a data protection impact assessment (DPIA) addressing risks to children. As a result, children under 13 were able to access the platform without a lawful basis for processing their data, potentially exposing them to harmful content.
Although Reddit introduced age verification measures in July 2025, the ICO warned that reliance on self-declaration is insufficient. The regulator is continuing to monitor the platform’s compliance as part of broader enforcement under the UK’s children’s privacy framework.
The decision reinforces regulatory expectations around age assurance and child-centric platform design.
10. EDPB Adopts 2025 CEF Report on Challenges to Right of Erasure
February 18, 2026 European Union
The European Data Protection Board (EDPB) adopted a report under its Coordinated Enforcement Framework (CEF) examining implementation of the right to erasure under Article 17 of the General Data Protection Regulation (GDPR).
In 2025, 32 Data Protection Authorities participated, with 764 controllers across sectors responding. The report identifies recurring challenges, including inadequate internal procedures, insufficient communication to individuals, improper reliance on anonymisation instead of deletion, difficulties with retention periods and backups, and complex balancing tests where the right is not absolute.
The findings will inform further guidance and coordinated follow-up at both national and EU levels. The CEF 2026 action will focus on transparency and information obligations under the GDPR. The initiative signals continued pan-European scrutiny of core data subject rights enforcement.
11. Latvia’s DVI Clarifies GDPR Limits on Employee Absence Data in Shared Schedules
February 16, 2026 Latvia
Latvia’s Data State Inspectorate (DVI) has issued guidance on the handling of employee absence data in shared workplace scheduling tools, warning that displaying detailed absence reasons to broad staff audiences may breach the General Data Protection Regulation (GDPR).
The DVI clarified that shared schedules should only display general indicators such as “absence” or “not working.” More specific reasons such as illness or personal matters may constitute special category data or excessive processing under the GDPR’s data minimisation and purpose limitation principles.
Where detailed information is necessary (e.g., payroll or legal compliance), access must be restricted to authorised personnel and supported by appropriate accountability measures. The guidance highlights how routine HR systems can create compliance risks if access controls are not properly configured.
12. Italy’s Garante Authorizes Use of Patient Contact Data for Public Health Campaigns
February 12, 2026 Italy
Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has authorised healthcare providers to use patients’ telephone numbers for outreach related to National Health Service screening and prevention campaigns.
The decision recognises the public health value of proactive contact but imposes strict conditions. Contact details collected in contexts where anonymity is protected, such as certain counselling or sensitive health services, are excluded and may not be repurposed.
The ruling provides clarity for healthcare organisations while reinforcing purpose limitation and contextual integrity under the General Data Protection Regulation (GDPR).
13. CJEU Clarifies Right to Challenge EDPB Binding Decisions in WhatsApp Case
February 10, 2026 European Union
The Court of Justice of the European Union (CJEU) has set aside a General Court ruling in a case brought by WhatsApp concerning a binding decision issued by the European Data Protection Board (EDPB).
The Court held that an EDPB binding decision under the General Data Protection Regulation consistency mechanism constitutes an act open to direct challenge, as it definitively determines key issues such as infringement findings and fine adjustments. The CJEU also clarified that the two-month limitation period to bring a challenge begins upon publication of the decision on the EDPB’s website.
The case will return to the General Court for consideration on the merits, including the €225 million fine imposed on WhatsApp. The ruling provides important procedural clarity for companies seeking to contest EDPB binding decisions.
14. EDPB & EDPS Raise Concerns Over EU Digital Omnibus Proposal
February 10, 2026 European Union
The European Commission has introduced the Digital Omnibus Proposal, aimed at simplifying and harmonising the EU’s digital legal framework, including amendments affecting the General Data Protection Regulation, e-Privacy Directive, Data Act, and NIS 2 Directive.
In a joint opinion, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) welcomed the objective of reducing regulatory complexity but warned that certain proposed changes could weaken fundamental rights protections. Concerns include narrowing the definition of personal data and broadening the “abuse of rights” concept to limit data subject access rights.
The opinion signals potential tensions in the legislative process and highlights the importance of monitoring developments that could significantly reshape EU data protection compliance.
15. UK ICO Fines MediaLab £247,590 Over Imgur Children’s Privacy Failures
February 5, 2026 United Kingdom
The Information Commissioner's Office (ICO) fined MediaLab.AI, Inc. £247,590 after finding that its image-sharing platform, Imgur, unlawfully processed children’s personal data.
The ICO determined that MediaLab failed to implement age assurance measures, processed data of children under 13 without parental consent, and did not conduct a data protection impact assessment (DPIA). As a result, children were potentially exposed to harmful and inappropriate content.
The enforcement forms part of the ICO’s broader action under the UK’s children’s privacy framework, reinforcing expectations around robust age checks and child-focused platform design.
16. UK Begins Implementation of Data (Use and Access) Act (DUAA)
February 5, 2026 United Kingdom
The UK has commenced phased implementation of the Data (Use and Access) Act (DUAA), marking a significant development in the country’s post-Brexit data protection framework. Full rollout is expected by June 2026.
The Information Commissioner's Office (ICO) has updated guidance on privacy by design and subject access requests to reflect the new regime. The Act also expands the ICO’s enforcement powers, including the ability to compel witness interviews and to issue fines under the Privacy and Electronic Communications Regulations (PECR) of up to £17.5 million or 4% of global turnover.
The development signals a strengthened UK enforcement landscape and evolving compliance expectations.
17. UK ICO Publishes New Data Protection Complaint Handling Framework
February 4, 2026 United Kingdom
The Information Commissioner's Office (ICO) has released a new Data Protection Complaint Handling Framework aligned with the Data (Use and Access) Act 2025.
Under the revised approach, complainants must first exhaust an organisation’s internal resolution process before the ICO intervenes. The regulator will prioritise cases involving significant harm, systemic issues, large-scale breaches, or risks to vulnerable groups such as children. The framework also introduces tiered outcomes, ranging from recorded complaints to formal enforcement action, and enables the ICO to track complaint patterns to identify recurring non-compliance.
The move reflects a more risk-based and targeted enforcement strategy in the UK.
18. CNIL Clarifies When Prior Consultation Is Required for Public Scientific Research
February 4, 2026 France
France’s data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has clarified when researchers must consult the regulator before processing personal data for public scientific research.
A formal CNIL opinion is required only where three cumulative conditions are met: the project qualifies as public research conducted by a recognised research body, serves a legitimate public research objective, and involves the processing of special category data under Article 9 of the General Data Protection Regulation (GDPR).
The clarification reduces uncertainty for public research institutions and provides clearer parameters for when regulatory oversight is mandatory.
19. Danish DPA Issues Serious Criticism to 51 Municipalities in “Chromebook Case”
February 2, 2026 Denmark
The Datatilsynet (Danish Data Protection Agency) has issued serious criticism and warnings to 51 municipalities over their use of Google Workspace and Chromebook services in primary schools.
Following a 2024 opinion by the European Data Protection Board (EDPB), the authority examined municipalities’ responsibilities as data controllers when using Google as a processor, particularly regarding sub-processors outside the EU. The DPA warned that failure to ensure essentially equivalent protection for third-country transfers may breach the General Data Protection Regulation (GDPR).
The decision underscores that public authorities must clearly document processor arrangements, ensure lawful international transfers, and maintain ongoing oversight when digital education tools involve complex processing structures.
20. Italy’s Garante Fines Company €40,000 for Retaining Former CEO’s Email Account
February 1, 2026 Italy
Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, fined LTL SpA €40,000 for unlawfully retaining and accessing the email account of a former CEO after his dismissal.
Despite a formal request for deactivation, the company kept the account active for two months, exceeding its own 30-day retention policy. The Garante found violations of the General Data Protection Regulation (GDPR) principles of fairness and purpose limitation, noting that continued retention served no legitimate purpose.
The authority also ordered the company to grant the former CEO access to retrieve personal data before permanent deletion.
21. Latvia’s DVI Issues Updated Guidance on Cookie Policies
February 1, 2026 Latvia
Latvia’s Data State Inspectorate (DVI) has published new guidance clarifying requirements for website cookie policies. The authority emphasises that cookie information must be presented separately from the general privacy policy, either as a standalone document or as a clearly distinct section.
The guidance requires plain-language explanations covering cookie types, purposes, storage durations, and the identifiable names of all first- and third-party recipients. Generic or boilerplate disclosures are unlikely to meet compliance expectations.
The update serves as a reminder for organisations targeting Latvian users to review and strengthen their cookie transparency practices in line with GDPR standards.
22. Saudi Arabia’s SDAIA Issues Licensing Rules For Personal Data Controllers & Processors
February 17, 2026 Saudi Arabia
Saudi Arabia’s Saudi Data and Artificial Intelligence Authority (SDAIA) has issued new licensing and accreditation rules for personal data controllers and processors.
Applicants must demonstrate compliance with the Personal Data Protection Law (PDPL), its Implementing Regulations, and applicable SDAIA standards. Certifications will be valid for two years and subject to periodic review and ongoing compliance checks.
The framework aims to strengthen accountability, standardise compliance practices, and enhance trust in Saudi Arabia’s evolving data protection regime.
23. Australian Tribunal Upholds Key Privacy Findings in Bunnings Facial Recognition Case
February 4, 2026 Australia
The Office of the Australian Information Commissioner (OAIC) welcomed a decision by the Administrative Review Tribunal affirming key privacy breaches by Bunnings Group Limited in its use of facial recognition technology (FRT).
The Tribunal upheld findings that Bunnings breached Australian Privacy Principles (APP) 1 and 5 by failing to provide adequate notice and by not conducting a formal, structured privacy risk assessment before deploying FRT. However, it departed from the earlier finding under APP 3.3, concluding that Bunnings could rely on limited exemptions from consent requirements for the purpose of preventing retail crime and protecting staff and customers.
The ruling reinforces that emerging technologies remain subject to strong privacy governance obligations under Australia’s Privacy Act, and that exemptions must meet strict, case-specific criteria.
24. South Korea Launches 2026 AI Privacy Public-Private Policy Council
February 2, 2026 South Korea
South Korea’s Personal Information Protection Commission (PIPC) has launched the 2026 Artificial Intelligence (AI) Privacy Public-Private Policy Council to address emerging privacy risks linked to agent-based and physical AI systems.
The Council will operate through three divisions focused on data processing standards, risk management, and information subject rights. The initiative aims to shift regulatory discussions from large-scale data collection toward managing complex risks across AI service flows, including real-time inference, inter-service connectivity, and autonomous decision-making.
With participation from industry, academia, legal experts, and civil society, the Council seeks to develop practical standards, risk mitigation models, and safeguards for automated decision-making and transparency rights.
25. South Korea’s PIPC Fines National Research Foundation Over Major Data Breach
February 2, 2026 South Korea
South Korea’s Personal Information Protection Commission (PIPC) imposed a KRW 703 million penalty and a KRW 4.8 million fine on the National Research Foundation of Korea following a breach that exposed personal data of over 120,000 individuals.
The incident stemmed from a vulnerability in the JAMS paper submission system, leading to disclosure of names, resident registration numbers, contact details, and bank information. The PIPC cited failures in containment and response.
Corrective measures include mandatory security scans, re-notification of affected individuals, and public disclosure of the enforcement outcome.
26. Brunei Issues Data Protection Guidance Under PDPO
February 1, 2026 Brunei Darussalam
Brunei’s Authority for Info-communications Technology Industry (AITI) has released a guide outlining recommended data protection measures under the Personal Data Protection Order (PDPO).
The guidance emphasises strong internal accountability structures, robust ICT security policies, and technical safeguards such as encryption, secure coding, penetration testing, and vulnerability assessments. It also highlights the importance of employee training, appointing a Data Protection Officer, maintaining data inventories, and conducting Data Protection Impact Assessments.
The guide aims to strengthen organisational readiness and compliance under Brunei’s evolving data protection framework.
Digital Omnibus Personal Data Definition: Member states are reportedly pushing to scrap the European Commission’s revised definition of personal data under the General Data Protection Regulation. Discussions this week could determine the fate of one of the proposal’s most consequential changes.
China issues detailed minors content classification rules: New nationwide content-classification rules for minors, effective 1 March 2026, will require stricter labeling, algorithm controls, and restrictions on harmful or privacy-invasive content.
Growing Focus on Minors’ Protection in US: States including South Dakota and Kentucky are advancing app store age verification and youth privacy legislation.
Health-Specific Laws Advancing in New York Legislature: The New York Health Information Privacy Act (Senate Bill 9269), obliging entities to obtain valid authorization for processing health information and prohibiting them from selling such information, and Senate Bill 555, amending the public health and civil rights laws to enhance patient privacy, are advancing in the legislature.
Oklahoma’s Comprehensive Privacy Law in Progress: Oklahoma Senate Bill 546, establishing a comprehensive data privacy framework for the state, has passed its third reading with amendments in the Oklahoma House of Representatives.
State-level Focus in US on Regulation of Data Brokers: California and Oregon are pushing measures to tighten deletion timelines and regulate data broker practices.
Several Sector-Specific Laws in US Advancing in State Legislatures: Utah and Kansas are progressing App Store Accountability bills; West Virginia is considering a Biometric Information Privacy Act; and California lawmakers are advancing measures to strengthen CCPA whistleblower protections and expand consumer deletion rights under the proposed EPRA.