Today's Focus: Privacy & Data Protection
Today's Top Story
COPPA Compliance Deadline Hits in 15 Days — Are You Ready?
The FTC's amended Children's Online Privacy Protection Rule takes full effect on April 22, 2026, and the clock is ticking. The updated rule expands the definition of personal information to include biometric identifiers, requires operators to obtain separate verifiable parental consent before disclosing children's data to third parties for non-integral purposes, and mandates written information security programs and data retention policies with specific deletion timelines. Operators of child-directed or mixed-audience services who haven't completed compliance updates face penalties of up to $7,988 per violation involving children's data.
Why it matters: This isn't a soft launch — the FTC has signaled active enforcement, and the expanded scope means many services not previously covered now fall under COPPA obligations.
What to do: Complete a gap assessment against the amended rule requirements this week, focusing on biometric data handling, parental consent flows, and written security and retention policies.
Also Today
ICO's £14.5M Reddit Fine Sets New Bar for Children's Privacy Enforcement
The UK's Information Commissioner fined Reddit £14.47 million for relying on self-declared age rather than implementing effective age assurance — the largest UK children's privacy penalty ever. Platforms relying on self-declaration for age verification should treat this as a direct warning. Review your age assurance mechanisms now.
EDPB Launches EU-Wide Transparency Enforcement — 25 DPAs Investigating
The European Data Protection Board's 2026 Coordinated Enforcement Framework action is now active, with 25 data protection authorities across Europe auditing how organizations comply with GDPR transparency and information obligations under Articles 12–14. Expect DPA questionnaires and formal inquiries throughout 2026. Audit your privacy notices and layered disclosures against Articles 12–14 requirements now.
CNIL Fines Free Mobile €42M for Massive Data Breach
France's CNIL imposed fines totaling €42 million on Free Mobile — €27 million for a breach affecting 24 million subscriber contracts and €15 million for a parallel fixed-line breach through a compromised VPN. The enforcement underscores that regulators are penalizing structural security deficiencies, not just the fact of a breach. Verify that your VPN access controls and subscriber data protections meet regulatory expectations.
⚠ Deadline Alert
April 22, 2026 (15 days) — Full compliance required with FTC's amended COPPA Rule. Affected: all operators of websites and online services directed at children under 13 or with actual knowledge of child users. Key deliverables: updated privacy notices, written infosec program, written data retention policy, expanded consent mechanisms covering biometric data.
One Thing to Do Today
Review your COPPA compliance checklist. With 15 days to the deadline, confirm that your written information security program and data retention policy are documented, approved, and implemented — these are new requirements many operators have not yet addressed.
Tomorrow's Focus: AI Governance
CyberEyeQ — Actionable Regulatory Intelligence
This newsletter is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your organization.