On February 27, 2026, a federal court in Virginia issued a decision with significant implications for state efforts to regulate minors’ use of social media. In NetChoice v. Jay Jones, the U.S. District Court for the Eastern District of Virginia granted a preliminary injunction blocking enforcement of Virginia Senate Bill 854, a statute that
Continue Reading U.S.: Virginia’s Social Media Time‑Limit Law for Minors Blocked: Key Takeaways
A recent federal court decision raises questions about the enforcement of contractual choice‑of‑law provisions in the context of a case brought under Illinois’s Biometric Information Privacy Act (BIPA).
In Hartman, et al. v. Meta Platforms, Inc., the U.S. District Court for the Southern District of Illinois denied Meta’s motion for summary judgment seeking to
Continue Reading U.S.: Illinois Law Trumps Meta’s California Choice-of-Law Provision in BIPA Class Action
On February 20, 2026, Texas Attorney General Ken Paxton filed suit against Shein US Services, LLC, alleging false, deceptive, and misleading practices in violation of the Texas Deceptive Trade Practices Act. The complaint targets both product safety concerns and alleged misrepresentations regarding consumer data practices.
Shein, founded in China in 2008, is a global fast‑fashion
Continue Reading U.S.: Texas AG Sues Shein Over Alleged Deceptive Practices and Data Privacy Risks
Navigating Simplification Without Sacrificing Safeguards: Key Takeaways
As the EU begins the complex task of making the European Artificial Intelligence Act[1] (the “AI Act”) workable in real life, the European Commission’s Proposal for a Regulation amending Regulations (EU) 2024/1689 and (EU) 2018/1139 as regards the simplification of the implementation of harmonised rules
Continue Reading EU: EDPB and EDPS publish joint opinion on the European Commission’s Proposal for the Digital Omnibus on AI
Australia’s world-first social media “ban” has been in the global spotlight since its introduction in late 2025. As other jurisdictions look to follow suit, parents and tech giants alike continue to grapple with a key question: how will the ban be practically enforced?
Application of the “social media ban”
On 10 December 2025, the Online
Continue Reading Australia’s Social Media “Ban” and the eSafety Commissioner’s Social Media Minimum Age Regulatory Guidance
On 20 January 2026, the European Commission proposed a new cybersecurity package, aimed at strengthening the EU’s cybersecurity resilience and capabilities. The package includes a revised Cybersecurity Act (“CSA“) and targeted amendments to the NIS2 Directive (see our blog post for further information on the amendments to the NIS2 Directive). The revised
Continue Reading EU Commission looks to strengthen EU Cybersecurity Resilience and Capabilities
On 5 February 2026, the main changes to data protection legislation in Part 5 of the Data (Use and Access) Act 2025 (“DUAA“) came into force.
The DUAA was passed and received Royal Assent on 19 June 2025. Although some of the DUUA provisions came into force automatically, many of the reforms
Continue Reading UK: Commencement of the data protection provisions in the Data (Use and Access) ActBy: Andrew Serwin, Isabelle Ord, Jeffrey DeGroot, Hayley Curry, and Matt Danaher
On January 26, 2026, the U.S. Supreme Court granted certiorari in Salazar v. Paramount Global to clarify the scope of the Video Privacy Protection Act (“VPPA”) and resolve a circuit split on the issue. See Salazar v. Paramount Global, No. 25-459 (S. Ct.).
Continue Reading Supreme Court to Clarify Meaning of “Consumer” Under VPPA
From 1 July 2026, entities that use an alphanumeric sender ID for SMS/MMS messages in Australia must register that ID on the SMS Sender ID Register.
Sender IDs are used to send SMS/MMS messages from a named entity (i.e. a name displayed at the top of a text message to show who the message is
Continue Reading Australia: Return to Sender ID: Businesses must register “branded identifiers” used in Australian SMS messages
All data controllers processing personal data under the age of 14 (“minors“) must now submit an annual report to Chinese data regulator, the Cyberspace Administration of China (“CAC“). For 2025, the report must be submitted by 31 January 2026. There is no volume threshold, meaning that any data controller processing any
Continue Reading CHINA: new mandatory reports to regulator on children’s data , initial deadline 31 January 2026
