Data Privacy & Governance Hub

Key Takeaways Unauthorized third parties accessed Booking.com customer data including names, contact details, and reservation information, though financial information was reportedly not compromised. This stolen travel data enables criminals to impersonate hotels with specific reservation details, making extortion attempts far more convincing and effective. The company did not disclose how

Key Takeaways The Alabama Personal Data Protection Act grants residents the right to access, correct, delete, and obtain copies of their personal data. Unlike many other state frameworks, the APDPA does not require data protection impact assessments or universal opt-out preference signals, and includes broader exemptions than other state laws.

Key Takeaways California’s DROP program allows residents to submit a single request to delete their data from registered data brokers. The platform is state-run and free to use. More than 500 registered brokers are notified when a deletion request is submitted. The law applies only to brokers registered in California.

Key Takeaways Maine’s LD 1822 is one of the most comprehensive state-level data privacy bills in the country, introducing data minimization requirements, protections for sensitive data, and a ban on unnecessary biometric collection. The bill shifts the burden of data protection from consumers to companies and requires them to justify

Key Takeaways Discord is defaulting all accounts to a “teen appropriate” mode, requiring adult users to verify their age through an AI-driven inference model or through a video selfie or government ID upload. This new policy raises concerns about transparency about how much behavioral monitoring is required to train and

Key Takeaways Starlink updated its Global Privacy Policy in January, allowing the use of customers’ personal information to train artificial intelligence and machine learning models. The updated policy extends the use of data to the company’s affiliates, service providers, and third-party collaborators, who may also use it to train AI

Key Takeaways Connecticut’s Data Privacy Act stands as a pioneer among the country’s most robust data privacy measures, with recent amendments significantly strengthening protections for minors. Over 60 violation notices and warning letters were issued to companies, with over 1,800 breach notifications cited in the 2025 Annual Enforcement Report, reflecting

Key Takeaways Automated license plate readers continuously collect real-time data on vehicles, not just those suspected of criminal activity. The cameras enable authorities and law enforcement to piece together the movements, habits, and patterns of individuals’ lives over time. There’s a lack of consistent regulation nationwide, meaning data-sharing practices vary

Key Takeaways There is a growing trend of toy companies collaborating with AI partners to produce smart toys that use Wi-Fi, microphones, and large language models to interact with children. These toys collect sensitive data about the child and their family, including names, faces, preferences, voices, and locations, without clear

Key Takeaways TikTok’s updated privacy policy now includes the collection of a user’s precise location data as well as the ability to process sensitive personal information. Although the app was divested to a U.S. joint venture earlier this year to address national security concerns, users are now increasingly worried about

Key Takeaways Disney mislabeled children’s content on YouTube, ultimately violating the COPPA rule and enabling the unlawful collection of personal information from millions of minors for targeted advertising without proper parental consent. YouTube’s policy, which relies on content creators to self-label without independent verification, creates an institutional gap that allows