Privacy Policy News
& Data Breach Tracker

The U.S. Immigration and Customs Enforcement agency issued a grand jury subpoena demanding Reddit hand over identifying information - including name, address, and phone number - of a user who allegedly criticized ICE online. Reddit's attorneys called the move "a disturbing escalation" and argued the user's posts and anonymity are protected under the First Amendment, though the company has not stated whether it will challenge the order. This follows hundreds of similar subpoenas issued by the ...

The European Parliament blocked the extension of a temporary law that allowed tech companies to scan their platforms for child sexual abuse material, creating a legal gap that makes such scanning currently illegal in the EU. Google, Meta, Snap, and Microsoft criticized the decision as an "irresponsible failure" and stated they would continue voluntary scanning despite the regulatory uncertainty. Child safety experts warn this could sharply reduce abuse reports, similar to a 58% drop that occu...

Google has agreed to pay $135 million to settle claims that Android devices transmitted cellular data to Google without user consent, even when idle, affecting approximately 100 million US Android users from November 2017 onward. The settlement website is now live for eligible users to file claims (capped at $100 per person), with final court approval scheduled for June 23. As part of the settlement, Google will update its terms of service to clarify passive data transfers and fully stop coll...

Elon Musk wants any damages from his OpenAI lawsuit given to the AI company's nonprofit arm

Instagram's privacy policy has undergone significant structural changes, with the data controller shifting from Meta Platforms Ireland Limited to Meta Platforms, Inc. (indicating a change in applicable jurisdiction). The policy removed several transparency provisions including detailed explanations about joint controller arrangements with Page admins for Facebook Page Insights, joint processing with partners, and specific EU-focused legal basis information. New language was added regarding ad personalization that emphasizes Meta's use of cross-product data, activity tracking via cookies, and inferred interests to show ads, while removing previous references to user controls over partner data usage for ad personalization. The policy also removed age and gender as required account creation fields and eliminated specific Cookie settings controls that were previously mentioned.

A Guardian investigation uncovered evidence that child sex traffickers were using Facebook and Instagram to buy and sell children, particularly through private messaging features like Facebook Messenger. The investigation, which began in 2021 after a tip about surging online child exploitation during the pandemic, involved analyzing federal court records that revealed traffickers negotiating sales of teenagers on Meta's platforms. Meta lost a multimillion-dollar legal case in March related to...

Facebook's privacy policy underwent a major structural revision, shifting the data controller from Meta Platforms, Inc. to Meta Platforms Ireland Limited. Key changes include: expanded disclosures about AI interactions and metadata collection; new joint controller arrangements with Page admins and Business Tool partners; emphasis on Accounts Center for cross-product data combination (now opt-in); clearer conditional language around ad personalization ("if we show you ads"); removal of claims about combating racial bias; and addition of new legal basis and user rights sections. The policy also removed specific references to money transfers and marketplace shops while adding payment-related transaction categories.

Google updated its privacy policy effective April 2, 2026, making several wording changes around data collection and analytics. The policy now states that activity information is saved 'by your activity controls' rather than 'in your account,' and references 'ad and analytics services' more generically instead of specifically naming Google Analytics. The policy clarifies that third-party sites and apps 'still share' (not 'may still share') information with Google even when using private browsing modes, making data collection practices more explicit. Minor updates were also made to health data processing language under Washington and Nevada state laws.

Instagram's privacy policy has undergone a major structural revision with significant changes to data controller identity, data processing scope, and user rights presentation. The controlling entity changed from Meta Platforms, Inc. to Meta Platforms Ireland Limited. The policy introduces new disclosures about joint controller arrangements with Facebook Page admins and business partners, adds mandatory age and gender collection requirements for account creation, and reorganizes how cross-product data usage and ad personalization are explained. The policy also removes previous language about combating racial bias against marginalized communities and changes how communication preferences are described.

Microsoft consolidated and simplified its data retention policy language, removing specific examples and timelines. Notable removals include: the 18-month de-identification period for Bing search queries and cookie IDs (previously 6 months for IP addresses), the 13-month retention limit for personalized advertising data, and the 18-month deletion timeline for Bing Experience Improvement Program data. The new policy provides less detail about retention criteria and timeframes, shifting to general statements about retaining data 'as long as necessary' with fewer concrete commitments.