This Week in Privacy: Mar 23-29, 2026
This week brought a watershed moment for tech platforms and child safety, as courts delivered unprecedented verdicts holding social media companies legally accountable for harm to minors. Meanwhile, a cascade of breaches continued to expose vulnerabilities in healthcare systems, government networks, and critical infrastructure worldwide.
Top Stories
Meta Faces Historic Legal Defeats Over Child Safety
Meta suffered two devastating courtroom losses this week that could reshape how social media companies approach child protection. On March 24, a New Mexico jury found Facebook liable for violating state consumer protection laws and ordered the company to pay a $375 million fine, the maximum penalty available. The case, brought by New Mexico's attorney general in 2023, alleged Meta knowingly put children at risk of exploitation and mental health harms while misleading the public about platform safety. Just one day later, a Los Angeles jury ordered Meta and YouTube to pay $6 million to a 20-year-old woman who claimed addictive platform features harmed her during childhood. This marks the first jury verdict finding social media companies liable for design choices that allegedly harmed minors, with internal documents and executive testimony presented during the trial. Meta has announced plans to appeal both decisions and faces two additional trials on similar child safety issues.
These verdicts come as the European Commission opened a formal investigation into Snapchat on March 26 over concerns the platform exposes children to grooming and sexual exploitation. The convergence of regulatory and judicial action signals a fundamental shift in how governments worldwide are holding platforms accountable for their impact on young users.
Sweden's National Digital Identity System Compromised
In one of the most significant infrastructure breaches of the year, hackers on March 24 breached Sweden's BankID system, the national digital identity platform used by 8.6 million people. A group called ByteToBreach accessed source code, passwords, and encryption keys connected to BankID through CGI's Swedish division. The stolen data reportedly includes source code from the Swedish Tax Agency's BankID login systems, personal data, electronic signatures of Swedish citizens, and material from internal test servers. The compromised data was subsequently offered for sale on the dark web. This breach represents a catastrophic failure of security for a critical government service that Swedes rely on for everything from banking to filing taxes. The incident highlights the risks of centralized digital identity systems and raises urgent questions about the security practices of government contractors.
TikTok Overhauls Privacy Policy, Adds Biometric Collection
TikTok rolled out a completely new U.S. privacy policy on March 29, switching the data controller from TikTok Ireland/UK to TikTok USDS Joint Venture LLC and introducing sweeping new disclosures. The updated policy explicitly states the company now collects biometric data including faceprints and voiceprints, AI interaction data such as prompts and responses, and sensitive personal information categories under state laws like CCPA. TikTok also introduced a separate Consumer Health Data Privacy Policy and expanded details on advertising data collection through TikTok Advertiser Tools and TikTok Ad Network. The timing and scope of these changes suggest TikTok is preparing for intensified scrutiny under evolving U.S. privacy laws while consolidating control over American user data under a U.S.-based entity.
In Brief
- The European Commission's cloud infrastructure was hacked, with attackers stealing over 350 gigabytes of data from its AWS account hosting Europa.eu websites.
- Iran-linked hackers breached FBI Director Kash Patel's personal Gmail and published over 300 emails and personal photos online.
- Hong Kong's Correctional Services Department disclosed that hackers accessed personal data of 6,800 current and former prison employees.
- A Luxembourg court overturned a major GDPR fine against Amazon, though details of the original penalty remain undisclosed.
- The European Parliament rejected an extension allowing tech platforms to continue scanning user content for child sexual abuse material, with 311 members voting against it.
- Apple announced ads are coming to Apple Maps starting summer 2026, with placements in search results and a new "Suggested Places" feature.
- A federal judge dismissed X's lawsuit against advertisers including Twitch, Shell, and Nestlé over an alleged boycott, ruling X failed to prove antitrust injury.
- CareCloud reported to the SEC that unauthorized access temporarily disrupted one of six electronic health record environments for eight hours.
- The French Education Ministry's HR system was breached, exposing personal information of approximately 243,000 teachers and education employees.
- Florida suspended Mirra Health Care LLC after discovering the company improperly shared thousands of Medicare members' health data with unauthorized companies in India and the Philippines.
Healthcare breaches continued at an alarming pace: Corewell Health exposed Social Security numbers of 19,000 patients, Kaplan disclosed a breach affecting over 230,000 individuals, OpenLoop Health reported compromised patient data, and Infinite Campus warned customers after ShinyHunters claimed to have stolen K-12 student records.
Settlement announcements included Lakeview Loan Servicing agreeing to $26 million, Fidelity reaching $2.5 million over a breach affecting 155,000 customers, and Excelsior Orthopaedics paying $2.4 million to resolve breach litigation.
The Big Picture
The courtroom victories against Meta represent a turning point in how legal systems are approaching tech platform accountability. For years, Section 230 protections and arguments about the inevitability of online harms shielded companies from meaningful consequences. This week showed that juries and regulators are no longer buying those defenses. When internal documents reveal that executives knew about