
Hello Friends,

As digital platforms increasingly engage younger audiences, protecting children’s personal data has become a critical focus for regulators worldwide. Children require enhanced safeguards due to their vulnerability and limited awareness of data processing risks. Organizations must implement age-appropriate transparency, reliable age verification where necessary, and obtain verifiable parental consent in line with applicable legal requirements.

Frameworks such as the GDPR and emerging child-specific privacy laws emphasize privacy by design, data minimization, and high default protection settings for minors. By embedding stronger safeguards into digital services, organizations can ensure compliance while fostering a safer and more trustworthy online environment for children.

Enjoy reading!

 

 

Privacy Enforcement

International: DPAs Publish Joint Statement on AI-Generated Imagery and Protection of Privacy

Several Data Protection Authorities issued a joint statement addressing the privacy risks associated with AI-generated imagery, particularly deepfakes and synthetic media. The statement highlights concerns around unlawful processing of personal data, identity misuse, reputational harm, and the nonconsensual creation of realistic images. Regulators emphasized that organizations deploying generative AI tools must ensure lawful bases for processing, transparency, data minimization, and appropriate safeguards against misuse. The statement also underscores accountability obligations under global data protection frameworks, reinforcing that innovation in AI must remain consistent with fundamental privacy rights and individual dignity.

 

Alabama: Bill on the Alabama Personal Data Protection Act Passes House

The Alabama House passed the Alabama Personal Data Protection Act, marking significant progress toward establishing a comprehensive state-level privacy framework. The proposed legislation outlines obligations for data controllers and processors, including transparency requirements, consumer access and deletion rights, and safeguards for sensitive personal data. It also introduces accountability measures such as data protection assessments and enforcement mechanisms through the Attorney General. If enacted, Alabama would join other U.S. states adopting structured privacy regimes, contributing to the expanding state-level regulatory landscape and increasing compliance expectations for businesses operating across multiple jurisdictions.

 

Data Breach

UK: ICO Fines Reddit £14.47 Million for Children’s Privacy Failures

The UK Information Commissioner’s Office imposed a £14.47 million fine on Reddit for serious failures in protecting children’s personal data. The investigation found that the platform did not implement adequate age assurance mechanisms and failed to provide appropriate safeguards for minors using its services. The ICO determined that Reddit processed children’s data without sufficient transparency and risk mitigation measures, contrary to the Children’s Code and UK data protection requirements. The enforcement action reinforces regulatory expectations that online platforms must design services with child privacy at the forefront and adopt proactive compliance frameworks.

Spain: AEPD Fines Barcelonesa €310,000 for Data Breach

Spain’s data protection authority, the Agencia Española de Protección de Datos, fined Barcelonesa €310,000 following a personal data breach that exposed sensitive information. The investigation revealed deficiencies in technical and organizational security measures, including inadequate access controls and insufficient incident response practices. The authority concluded that the organization failed to ensure appropriate protection of personal data as required under the GDPR. The decision underscores the importance of maintaining robust cybersecurity controls, conducting regular risk assessments, and implementing effective breach detection and response mechanisms to prevent unauthorized access and regulatory penalties.

 

Spain: AEPD Fines Majorel €80,000 for Unlawful Employee Data Processing

The Agencia Española de Protección de Datos imposed an €80,000 fine on Majorel for unlawfully processing employee personal data. The authority found that the company collected and processed employee information without a valid legal basis and failed to adequately inform staff about the scope and purpose of such processing. The case highlights the strict application of GDPR principles, including transparency, purpose limitation, and lawfulness, within employment contexts. The enforcement action serves as a reminder that organizations must carefully assess legal grounds when handling employee data and ensure internal processing practices align with data protection obligations.

 

Privacy in Spotlight

Morocco: Portugal’s CNPD and Morocco’s CNDP Sign MoU on Personal Data Protection Cooperation

The Portuguese Comissão Nacional de Proteção de Dados (CNPD) and Morocco’s Commission Nationale de Contrôle de la Protection des Données à Caractère Personnel (CNDP) signed a strategic Memorandum of Understanding to strengthen bilateral cooperation on data protection. The MoU focuses on exchanging expertise, collaborative training initiatives, and joint responses to emerging privacy challenges such as artificial intelligence and image processing. It also envisages sharing best practices in enforcement and regulatory frameworks, with annual meetings planned to deepen dialogue and reinforce regulatory capacity between the two authorities.

 

Thailand: PDPC Issues Rules on Binding Corporate Rules

Thailand’s Personal Data Protection Committee (PDPC) issued formal regulations on Binding Corporate Rules (BCRs) to govern international personal data flows within corporate groups. Effective from 17 February 2026, the framework sets conditions for multinational organizations to adopt BCRs as a lawful mechanism for cross-border transfers, ensuring consistent protection of personal data across jurisdictions. The rules clarify requirements on accountability, transparency, and safeguards that organizations must implement, aligning Thailand’s data protection regime more closely with global privacy standards and enhancing legal certainty for international business operations.

 

Regulations

New York: Bill for Artificial Intelligence Training Data Transparency Act Introduced to Assembly

A bill was introduced in the New York State Assembly proposing the Artificial Intelligence Training Data Transparency Act to enhance accountability in AI systems. The legislation would require organizations deploying high-impact AI models to disclose key elements of their training datasets, including data sources, labeling processes, and the extent of personal information used. The objective is to increase transparency, mitigate bias, and empower oversight by regulators and the public. Proponents argue that clearer insight into training data practices will reduce discriminatory outcomes and promote ethical innovation. The bill is part of a broader wave of U.S. legislative initiatives seeking to govern emerging AI technologies responsibly.

South Dakota: Bill on Age Verification and Parental Consent

South Dakota lawmakers introduced legislation requiring online services to implement robust age verification and parental consent mechanisms before collecting personal data from minors. The proposed bill would obligate digital platforms to verify a user’s age through reliable methods and obtain verifiable parental consent for users under a specified threshold before processing their personal information. The draft also outlines penalties for non-compliance and emphasizes protections against data misuse involving children. This legislative effort reflects growing state-level privacy activism in the U.S., focusing on strengthening safeguards for children’s data in the absence of comprehensive federal privacy law.

Brazil: Senate Approves Law Transforming ANPD into a Regulatory Agency

Brazil’s Senate approved legislation upgrading the Autoridade Nacional de Proteção de Dados (ANPD) into an autonomous regulatory agency with expanded enforcement powers. Under the reform, the ANPD would gain greater independence from the executive branch, enhanced budgetary autonomy, and broader authority to issue binding rules and impose administrative penalties. The change is intended to bolster Brazil’s data protection ecosystem by empowering the ANPD to more effectively supervise compliance with the Lei Geral de Proteção de Dados (LGPD) and guide regulatory standards. Supporters believe this will strengthen legal certainty for businesses and elevate privacy governance in Latin America’s largest economy.