User Privacy

A $135 million Google settlement received preliminary court approval on March 5, 2026, resolving class action allegations that Google unlawfully surveilled and collected private information from cellular data purchased by Android users. The settlement covers over 100 million Americans, with payouts of up to $100 per person. As part of the settlement, Google will be required to obtain users' affirmative consent before using cellular data.

On February 19, 2026, West Virginia AG JB McCuskey filed a consumer protection lawsuit alleging Apple allowed child sexual abuse materials (CSAM) to be stored and distributed on iCloud services. The lawsuit claims Apple 'prioritized user privacy over child safety for years' - Apple filed only 267 CSAM reports to the National Center for Missing and Exploited Children in 2023, compared to Google's 1.47 million reports. The state seeks statutory and punitive damages plus injunctive relief requiring Apple to implement effective CSAM detection.

On February 11, 2026, California AG Rob Bonta announced the largest CCPA settlement to date with Disney. The company's opt-out webform only stopped sharing through Disney's own ad platform while continuing to sell data to third-party ad-tech companies. Disney failed to provide in-app opt-out in streaming apps, ignored device-specific Global Privacy Control signals for logged-in users, and required bundle subscribers to opt out up to 10 separate times to fully stop data sharing.

On February 10, 2026, PayPal disclosed a data breach affecting approximately 100 PayPal Working Capital loan applicants due to a software coding error. Personal data including Social Security numbers, dates of birth, and business contact information was exposed from July 1 to December 13, 2025. Some customers experienced unauthorized transactions and received refunds. PayPal offered 2 years of free credit monitoring through Equifax.

In February 2026, Anthropic aired anti-OpenAI advertisements during the Super Bowl, criticizing OpenAI's announced plans to add 'Instagram-style' advertising to ChatGPT. The ads resulted in an 11% boost in Anthropic users. Sam Altman called the ads 'deceptive.' The rivalry escalated at the India AI Summit where Altman and Dario Amodei refused to hold hands during a group photo with PM Modi.

Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509, with a CVSS score of 7.8 out of 10.0. The vulnerability allows attackers to bypass document security checks and is being actively exploited in the wild via malicious files. The emergency patch was released outside Microsoft's normal Patch Tuesday schedule due to active exploitation.

Cisco released a patch for a critical vulnerability affecting its Unified Communications and WebEx products that allowed remote code execution. The vulnerability was actively exploited in the wild before the patch was released, representing a significant security risk to enterprise communications infrastructure.

Researchers demonstrated that Google's Gemini AI model could be tricked using prompt-injection attacks to leak private details about a user's calendar. The vulnerability allows malicious actors to extract sensitive personal information through carefully crafted prompts, highlighting security risks in AI systems with access to private user data.

Google agreed to pay $68 million to settle class action claims that Google Assistant-enabled devices (Google Home, Nest Hub, Pixel phones) surreptitiously recorded users' private conversations without consent. The recordings occurred due to 'false accepts' — the device mistakenly activating and recording when no wake word was spoken. Final approval hearing is scheduled for March 19, 2026.

A January 2026 Citizen Lab report found Cellebrite equipment was used in at least seven cases to extract data from phones seized from activists and a journalist detained during pro-Palestinian protests in Jordan between late 2023 and mid-2025. None of the individuals consented to the searches. All four devices forensically analyzed showed Cellebrite product use in 2024-2025.

Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated they detected a cybersecurity incident where a threat actor exfiltrated certain documents from their corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.

Nike disclosed it is investigating unauthorized access that resulted in the extraction of approximately 1.4 terabytes of internal data. The incident involves a large volume of files taken from internal systems, which signals sustained access rather than a short-lived intrusion. The breach represents a significant compromise of Nike's internal systems and data.

Google settled allegations that apps in its 'Designed for Families' programme, meant to help parents find safe apps for children, were actually tracking children's data. The programme was supposed to certify apps as safe for kids, but the tracked apps violated children's privacy protections.

A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.

In January 2026, reporting revealed that ICE was using a Palantir-built tool called ELITE that taps Medicaid data to identify and arrest people for deportation. The tool maps potential targets and provides 'confidence scores' for individuals' current addresses. A data-sharing agreement between ICE and the Centers for Medicare and Medicaid Services gave ICE access to personal data of nearly 80 million Medicaid patients. The Electronic Frontier Foundation challenged the use of healthcare data for immigration enforcement, arguing patients never consented to their health-related information being repurposed for deportation.

Since 2020, Coinbase has published annual transparency reports detailing government and law enforcement requests for customer information. The 2025 report (covering October 2024-September 2025) disclosed 12,716 requests, a 19% increase year-over-year, with approximately 53% from outside the United States. The reports provide customers with data about requests received and offer insight into global law enforcement and regulatory trends around the world.

The US Federal Communications Commission designated DJI as a national security threat and banned its communications equipment from use in the United States in December 2025.

In December 2025, families of Levi Maciejewski (13, Pennsylvania, died 2024) and Murray Downey (16, Scotland, died 2023) sued Meta alleging Instagram's design enabled sextortion schemes targeting teens. The lawsuit cited an internal 2022 audit that allegedly found Instagram's 'Accounts You May Follow' feature recommended 1.4 million potentially inappropriate adults to teenage users in a single day. Instagram's default public privacy settings for teens were not changed to private until 2024, despite Meta claiming the change was made in 2021.

In November 2025, Meta's board of directors settled a shareholder derivative lawsuit for $190 million. Shareholders alleged that board members failed to properly oversee compliance with a 2012 FTC consent decree on user privacy, and that they improperly agreed to the $5 billion 2019 FTC settlement specifically to shield Mark Zuckerberg from personal liability. The suit highlighted undisclosed conflicts of interest among board members, including allegations that Marc Andreessen provided Zuckerberg strategic advice during board negotiations over a stock restructuring.

Wales stated Wikipedia would not comply with UK Online Safety Act age verification requirements, saying 'We will not be identifying users under any circumstances. We will not be age-gating Wikipedia under any circumstances. So, if it comes to that, it's going to be an interesting showdown, because we're going to just refuse to do it.'