This Week in Privacy: May 4-10, 2026
The education technology sector took center stage this week as a sweeping Canvas platform breach disrupted learning for students nationwide, while TikTok moved closer to a massive $400 million settlement over child privacy violations. Meanwhile, a wave of breaches affecting everything from gaming platforms to cybersecurity firms highlighted how no sector is immune to data exposure.
Top Stories
TikTok Faces $400 Million Settlement Over Child Privacy Violations
The Trump administration is nearing a $400 million settlement with TikTok to resolve a 2024 lawsuit accusing the platform of illegally collecting data from millions of children under 13 without parental consent. The lawsuit alleged TikTok and ByteDance violated federal child privacy laws and exposed minors to advertising and adult content. In an unusual twist, White House officials have reportedly discussed redirecting the settlement funds to finance construction projects in Washington, D.C., including a 250-foot triumphal arch near Arlington National Cemetery. The proposed use of the funds has raised questions about whether penalties for privacy violations should support unrelated government initiatives rather than directly benefiting affected users.
Canvas Learning Platform Breach Disrupts Education Nationwide
A security breach disabled Canvas, one of the most widely used online learning management platforms, for several hours on May 8. The attack impacted students and employees at Charlotte-Mecklenburg Schools and prompted Portland Public Schools to issue breach warnings to affected parties. Canvas operator Instructure disclosed the breach after hackers threatened to leak stolen data, forcing the company to take the platform offline. The incident affected educational institutions across the country that rely on Canvas for coursework delivery, grading, and student communication. Details about what data was compromised remain unclear, but the disruption underscores the vulnerability of digital infrastructure that millions of students depend on daily.
Data Brokers Banned From Selling Precise Location Data
The Federal Trade Commission reached a landmark settlement with data broker Kochava that bans the company and its subsidiary from selling Americans' precise location data without explicit consent. The settlement resolves a 2022 lawsuit alleging Kochava collected and sold geolocation data from hundreds of millions of mobile devices, tracking movements to sensitive locations including mental health facilities, reproductive health clinics, places of worship, and domestic violence shelters. The company had charged clients $25,000 subscription fees for access to raw latitude and longitude data covering over 94 billion monthly transactions from approximately 125 million users. This enforcement action represents one of the most significant restrictions on the location data broker industry to date.
In Brief
- Meta deployed AI technology across Facebook and Instagram to detect underage users by analyzing profile content, photos, and bone structure in images, deactivating accounts until age verification is provided.
- Apple agreed to pay $250 million to settle claims it misled customers about Apple Intelligence features on iPhone 15 Pro and iPhone 16 models that weren't available at launch.
- Google settled for $50 million with Black employees who alleged systemic racial discrimination in hiring, compensation, and promotions, including use of criteria like not being "Googly enough."
- Cybersecurity firm Trellix disclosed that attackers gained access to a portion of its source code repository; the vendor protects over 200 million endpoints.
- NVIDIA partner GFN.am suffered a breach exposing full names, emails, phone numbers, and dates of birth for GeForce NOW gaming service users in Armenia.
- Zara was targeted through a breach at analytics platform Anodot, exposing 197,376 customer email addresses, order IDs, and support ticket records.
- Ireland's Data Protection Commission opened an investigation into Shein over EU data transfers to China.
- Braintrust discovered unauthorized access to its AWS account, compromising customer API keys for cloud-based AI models.
- Alberta voter data covering 2.9 million people was leaked to a separatist group, and a court injunction ordered it removed.
- Elon Musk settled an SEC lawsuit for $1.5 million over delayed disclosure of his Twitter stock purchases in 2022, though a judge declined to immediately approve the settlement.
The Big Picture
This week revealed a troubling pattern: platforms built on collecting and monetizing user data are facing accountability, but often only after years of alleged violations. TikTok's potential $400 million settlement stems from a 2024 lawsuit about practices that likely predated it. Kochava's location tracking ban resolves allegations from 2022. Apple's $250 million payout addresses marketing claims from 2024. The lag between harmful practices and consequences means millions of users remain exposed while litigation slowly unfolds. Meanwhile, the education sector's Canvas breach demonstrates that critical infrastructure serving students nationwide remains vulnerable to disruption, with schools left scrambling to notify families about potential data exposure. As enforcement actions pile up and breach notifications become routine, the question is whether these penalties actually change corporate behavior or simply become another cost of doing business.