U.S.: Virginia’s Social Media Time‑Limit Law for Minors Blocked: Key Takeaways

By Andrew Serwin & Leila Javanshir on March 3, 2026

On February 27, 2026, a federal court in Virginia issued a decision with significant implications for state efforts to regulate minors’ use of social media. In NetChoice v. Jay Jones, the U.S. District Court for the Eastern District of Virginia granted a preliminary injunction blocking enforcement of Virginia Senate Bill 854, a statute that…

U.S.: FTC Issues COPPA Policy Statement to Incentivize the Use of Age Verification Technologies to Protect Children Online

By Andrew Serwin on February 25, 2026

Posted in Children's data, COPPA, Enforcement, FTC

The FTC just released a policy statement regarding enforcement activities related to COPPA, which can be found at this link.

According to Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection, age verification technologies are important child-protective technologies, and this policy statement “…incentivizes operators to use these innovative tools, empowering parents to protect…

U.S.: Illinois Law Trumps Meta’s California Choice-of-Law Provision in BIPA Class Action

By Andrew Serwin & Matt Danaher on February 24, 2026

Posted in Biometric data, BIPA, Class actions

A recent federal court decision raises questions about the enforcement of contractual choice‑of‑law provisions in the context of a case brought under Illinois’s Biometric Information Privacy Act (BIPA).

In Hartman, et al. v. Meta Platforms, Inc., the U.S. District Court for the Southern District of Illinois denied Meta’s motion for summary judgment seeking to…

U.S.: Texas AG Sues Shein Over Alleged Deceptive Practices and Data Privacy Risks

By Andrew Serwin on February 23, 2026

Posted in AG Enforcement, China, Texas AG

On February 20, 2026, Texas Attorney General Ken Paxton filed suit against Shein US Services, LLC, alleging false, deceptive, and misleading practices in violation of the Texas Deceptive Trade Practices Act. The complaint targets both product safety concerns and alleged misrepresentations regarding consumer data practices.

Shein, founded in China in 2008, is a global fast‑fashion…

EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI

By Muhammed Demircan, Ciara Kelly & Rachel de Souza on February 17, 2026

Posted in Artificial Intelligence, EDBP (European Data Protection Board), EU Digital Decade, EU privacy, Privacy Law

Navigating Simplification Without Sacrificing Safeguards: Key Takeaways

As the EU begins the complex task of making the European Artificial Intelligence Act [1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules…

Australia’s Social Media “Ban” and the eSafety Commissioner’s Social Media Minimum Age Regulatory Guidance

By Sarah Birkett & Clarissa Kwee on February 17, 2026

Posted in ePrivacy, New laws

Australia’s world-first social media “ban” has been in the global spotlight since its introduction in late 2025. As other jurisdictions look to follow suit, parents and tech giants alike continue to grapple with a key question: how will the ban be practically enforced?

Application of the “social media ban”

On 10 December 2025, the Online…

EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities

By Rachel de Souza & Heidi Waem on February 6, 2026

Posted in Cyber security, Cyber-crime, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws, Privacy Law

On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised…

UK: Commencement of the data protection provisions in the Data (Use and Access) Act

By David Cook, Linzi Penman & Rachel de Souza on February 6, 2026

Posted in Compliance programs and policies, Cookies, Data subject access and opposition rights, Data transfers, General Data Protection Regulation, Global data transfer management, Lawful basis, Legitimate Interests, New laws, Privacy Law, UK

On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.

The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms…

China: New guidance on data transfer and identification of important data in the automotive sector

By Carolyn Bigg & Amanda Ge on February 4, 2026

Posted in Uncategorized

On 3 February 2026, the Ministry of Industry and Information Technology (MIIT), the sectoral regulator of the automotive sector, and the Cyberspace Administration of China (CAC), the designated data regulator, together with six other government authorities, published the Guidance for the Secure Cross-Border Transfer of Automotive Data (2026 Edition). This new guidance focuses on the…

EU: NIS2 Update – EU Moves to Harmonise Cyber Controls, Refine Scope, and Add New In-Scope Entities

By Heidi Waem, Lorcan Moylan Burke, Henry Kilding & Alanna Grogan on February 3, 2026

Posted in Cyber security, Digital Decade, EU Commission, EU data governance, EU Digital Decade, EU privacy, New laws

The NIS2 Directive continues to evolve – and organisations must keep pace. On 20 January 2026, the Commission unveiled a set of targeted amendments to the NIS2 Directive (“the Proposal“), signalling the next phase of its push to modernise and streamline the EU’s cybersecurity legal framework.

Positioned within a broader legislative package, also…