We’re just two months into 2026 and there has already been a ton of privacy news. Three new laws went into effect last month and we are currently preparing for two major changes coming later this year.
We also interviewed Paul Crafter and Esther Chung from Assessed Intelligence to discuss their ARISE framework and viewing privacy through a harmonized governance lens. You can listen to this insightful episode here. Now for the headlines!
What’s new in privacy?
Below is some of the most notable privacy news from this month:
- Apple defeats California privacy law claims in data tracking lawsuit. A Federal Court dismissed key claims alleging that Apple violated California privacy laws by collecting data from its in-house apps despite user opt-outs. The Court found that Plaintiffs failed to adequately plead violations of CIPA, the California Constitution, unfair competition law and breach of implied contract. Learn more here.
- California launches DROP. California launched the Delete Request and Opt-Out Platform (DROP), allowing residents to submit a single request to stop data brokers from selling their personal information under the Delete Act. The platform enables centralized opt-out requests as of January 1. Read more here.
- Washington county considers AI surveillance guardrails. Thurston County, Washington officials are drafting an ordinance that would regulate the use of AI-enabled surveillance technologies by county agencies. The proposal would require Board approval, impact assessments, and ongoing reporting. It would also restrict uses such as facial recognition, predictive policing, and discriminatory profiling. Read more here.
- FTC finalizes order against GM and OnStar over geolocation data practices. The Federal Trade Commission finalized an order settling allegations that General Motors and OnStar collected and sold consumers’ precise geolocation and driving behavior data without informed consent. The order bans GM from sharing such data with consumer reporting agencies for 5 years and requires affirmative express consent, expanded opt-out rights, and data access and deletion mechanisms. Learn more here.
- Washington legislators consider ban on retail surveillance pricing. Washington legislators introduced a bill that would prohibit the use of surveillance pricing in grocery stores, ban surge pricing on essential goods, and pause the deployment of electronic shelf labels. Learn more here.
- Google agrees to $8.25 million settlement over Play Store children’s privacy class action lawsuit. Google agreed to pay $8.25 million to settle a class action alleging violations of COPPA based on the collection of children’s personal data through Google’s Play Store apps without parental consent. Read more here.
- California’s Privacy Protection Agency steps up data broker enforcement. The CPPA announced increased enforcement activity under the Delete Act, including scrutiny of data broker registration and compliance with deletion and opt-out obligations. The agency warned that failure to comply may result in significant penalties. Read more here.
- California Attorney General opens investigation into xAI and Grok over nonconsensual deepfake images. California Attorney General Rob Bonta announced the opening of an investigation into xAI regarding the alleged production and dissemination of nonconsensual, sexually explicit AI-generated images. The investigation alleges that the images involved women and children. The investigation will assess whether xAI violated California law in connection with the creation and distribution of AI-generated intimate imagery without consent. Learn more here.
- TikTok’s new Privacy Policy sparks concern. After its sale, TikTok updated its Privacy Policy, prompting some users to raise concerns about their privacy while using the app. The new Privacy Policy states that TikTok may collect precise location from its users and that it may process sensitive personal information in accordance with applicable law, instead of just as necessary to run the service. Learn more here.
- Kaiser Permanente to pay $46 million in data breach settlement. The lawsuit alleged that from November 2017 to May 2024, Kaiser’s websites and apps used third-party tracking code that transmitted confidential personal and health information without consent to companies such as Google, Microsoft, Meta and Twitter (X). Read more here.
What privacy bills are we tracking?
As part of our service, we keep track of privacy bills that would affect the way Privacy Policies are written. Below is our most recent list of privacy bill proposals in the United States. You can access the privacy bill tracker any time on our blog.
- Illinois – IL SB52;
- Illinois – IL HB3041;
- Illinois – IL SB2875;
- Maine – ME HB710/HB1088;
- Maine – ME HB1220;
- Massachusetts – MA SB33;
- Massachusetts – MA SB301;
- Massachusetts – MA SB2619;
- Massachusetts – MA HB4746;
- Michigan – MI SB359;
- Mississippi – MS SB2015;
- Mississippi – MS HB1051;
- New York – NY S4276;
- New York – NY AB5827;
- New York – NY AB974;
- New York – NY AB4947;
- New York – NY SB8524;
- North Carolina – NC HB462;
- North Carolina – NC SB757;
- Pennsylvania – PA HB78;
- Pennsylvania – PA SB112;
- Vermont – VT H812.
Privacy Events
Here are some great virtual events that you can attend to learn more about the hottest issues in privacy and meet other privacy professionals:
- Love privacy trivia – February 13, 2026;
- The EU Digital Omnibus: latest legislative developments and corporate compliance impact – February 24, 2026.
Conclusion
That’s it for this month! We will see you in March with a new episode of Privacy Lawls that we’re really excited about. If you haven’t already, please subscribe wherever you get your podcasts! Thanks, and see you next time!