Today's Focus: Privacy & Data Protection

The FTC's amended COPPA Rule full-compliance deadline is eight days away — Wednesday, April 22. If any part of your product, SDK chain, or ad stack touches children under 13, this changes what you owe.

The amendments (effective June 23, 2025) redefine "personal information" to include biometric identifiers usable for automated or semi-automated recognition: fingerprints, voiceprints, faceprints, iris and retina patterns, genetic data including DNA sequences, and gait patterns. Operators must now obtain separate verifiable parental consent before disclosing a child's PII for any non-integral purpose, and must maintain a written information security program and a written data retention policy.

Why it matters: The FTC is already signaling enforcement intent, and the definition-expansion catches far more operators than the original Rule — voice assistants, AR/VR apps, learning platforms with facial detection for attention-tracking, and ad-tech SDKs embedded in kids' apps are all in scope. Third-party processor contracts need to be papered, biometric inventories need to be current, and consent flows need to be unbundled before next Wednesday.

Sources: FTC Final Rule (https://www.federalregister.gov/documents/2025/04/22/2025-05904/childrens-online-privacy-protection-rule) | White & Case analysis (https://www.whitecase.com/insight-alert/unpacking-ftcs-coppa-amendments-what-you-need-know)

The European Data Protection Board's 118th Plenary runs April 15–16. Expected outputs include further progress on political-advertising guidelines (informed by the March 27 stakeholder consultation) and formal follow-up on the Digital Omnibus proposal. The EDPB–EDPS Joint Opinion 2/2026 already flagged material concerns about data-subject-protection weakening in the Omnibus package. Watch the EDPB press room Thursday afternoon for the adopted documents.

Sources: EDPB Plenary schedule (https://www.edpb.europa.eu/our-work-tools/plenary-meetings_en) | Joint Opinion 2/2026 (https://www.edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22026-proposal_en)

Seventh Circuit: BIPA Damages Cap Applies Retroactively — On April 1, the US Court of Appeals for the Seventh Circuit ruled that Illinois's 2024 BIPA amendment — capping recovery at one violation per person rather than per scan — applies retroactively to pending lawsuits. A worker previously exposed to $7.5M in statutory damages is now capped at $5,000. Active class-action valuations just changed; settlement leverage shifts with them. The statutory compliance duty, however, has not moved an inch. Action: Re-value pending BIPA exposure against the retroactive cap, and keep your consent workflows intact — liability changed, duty didn't. Sources: State of Surveillance (https://stateofsurveillance.org/news/seventh-circuit-bipa-retroactive-damages-biometric-privacy-gutted-2026/) | Hunton Privacy Blog (https://www.hunton.com/privacy-and-cybersecurity-law-blog/illinois-damages-limitation-for-biometric-privacy-violations-applies-retroactively)

Texas AG Lands $1B+ TDPSA Settlement — Location and Biometric Data in Crosshairs — The Texas Attorney General secured a settlement exceeding $1 billion against a major technology company under the Texas Data Privacy and Security Act. The office continues prioritizing location data, biometric data, and automated content recognition tied to connected vehicles and the online ad-data-broker chain. Of every state privacy regulator, Texas now has the most aggressive enforcement posture — and the biggest checks. Action: Map precise-geolocation and ACR data flows; confirm Texas-specific consent for sensitive data categories under TDPSA §541.101. Source: Smith Anderson (https://www.smithlaw.com/newsroom/publications/data-privacy-in-2026-state-enforcement-takes-center-stage)

CPPA Fines PlayOn Sports $1.10M and Ford $375K — Friction and Forced Tracking Are Liabilities — California's privacy regulator announced two March decisions: $1.10M against PlayOn Sports for forcing high-school students to accept tracking technology with no meaningful opt-out, and $375K against Ford Motor Company for "unnecessary friction" in opt-out processing. Global Privacy Control honoring remains a recurring enforcement theme. Action: Test your opt-out flows for click-count, dark patterns, and required fields; verify GPC signal handling end-to-end. Sources: Cooley insight (https://www.cooley.com/news/insight/2026/2026-03-25-a-tale-as-old-as-2020-landmark-2-75-million-ccpa-enforcement) | CPPA announcements (https://cppa.ca.gov/announcements/)

Pull your COPPA inventory and answer one question: which third-party SDKs in your children's product collect biometric identifiers, and do your processor contracts reflect separate verifiable parental consent for non-integral disclosures? If the answer isn't clear, that's your next eight days.

AI Governance — EU AI Act GPAI Code of Practice adherence, state-level algorithmic accountability rulemakings, and the next wave of enforcement signals on high-risk AI systems.

CyberEyeQ — Actionable Regulatory Intelligence. Questions? Contact [email protected]