This Week in Privacy: May 11-17, 2026
This week brought a rare moment of accountability in Silicon Valley, as Google agreed to pay $135 million to settle allegations it secretly drained data from 100 million Android users' phones. Meanwhile, a wave of lawsuits crashed over Netflix, and educational technology faced a crisis as Canvas suffered back-to-back breaches affecting hundreds of millions of students worldwide.
Top Stories
Google settles Android data collection lawsuit for $135 million
Google agreed to pay $135 million to resolve a class action alleging the company collected data from Android devices without permission and consumed users' cellular data in the process. The lawsuit covers approximately 100 million US Android users with cellular data plans from November 2017 through the settlement's approval. While Google denied wrongdoing, the company committed to updating its Google Play terms to clarify when passive data transfers occur and to fully stop collecting data when users disable "allow background data usage." The settlement represents one of the largest privacy payouts in recent years and highlights ongoing tensions around background data collection practices that drain both battery life and monthly data allowances without clear user consent.
Canvas breaches expose data from 275 million students and educators
The educational platform Canvas, owned by Instructure and used by nearly 9,000 schools worldwide, experienced two separate data breaches on April 29 and May 7. The hacking group ShinyHunters claimed responsibility for the April incident, which exposed usernames, email addresses, student ID numbers, and communications from over 275 million users. Instructure reached an agreement with the attackers on May 11 to return and destroy the stolen data. A separate report indicated the company paid a ransom to restore system access, with a former White House cyber official noting the attack involved artificial intelligence technology. The breach locked students and teachers out during critical end-of-semester periods, raising questions about the security of educational technology systems that store sensitive information about minors.
Texas launches multi-pronged assault on Netflix data practices
Texas Attorney General Ken Paxton filed multiple lawsuits against Netflix this week, alleging the streaming giant operates surveillance infrastructure that processes more than 10 million events per second and collects extensive user data without proper consent. The complaints claim Netflix shares viewing habits, locations, device information, and children's behavior with advertisers, data brokers including Experian and Acxiom, and ad tech platforms like Google Display & Video 360. Internal communications cited in the lawsuit allegedly described Netflix as a "logging company that occasionally streams movies" collecting approximately 5 petabytes of behavioral data daily. This contradicts public statements by CEO Reed Hastings in 2020 denying that Netflix collects user data. Netflix has called the lawsuit meritless and based on inaccurate information.
Federal judge questions suspicious Musk-SEC settlement
A federal judge raised red flags about a $1.5 million SEC settlement with Elon Musk over his delayed disclosure of Twitter stock purchases in 2022. Judge Sparkle Sooknanan identified irregularities including the replacement of Musk as defendant with a trust bearing his name and a 99% reduction in penalties from the originally sought $150 million. The judge summoned attorneys to explain why the settlement was structured to remove Musk personally and stated she cannot approve the agreement without evaluating whether it serves the public interest, signaling potential judicial skepticism of negotiated settlements that appear unusually favorable to powerful defendants.
In Brief
- Vimeo confirmed a breach affecting 119,000 users that originated from a security incident at third-party analytics vendor Anodot, exposing names, email addresses, video titles, and metadata.
- The DOJ subpoenaed Apple and Google for personal information on at least 100,000 users who downloaded the EZ Lynk Auto Agent app as part of an emissions violations investigation.
- Security researchers exploited 24 zero-day vulnerabilities in Windows 11, Microsoft Edge, and other enterprise software at Pwn2Own Berlin, earning $523,000 on the first day.
- The UK's Competition and Markets Authority launched a formal investigation into whether Microsoft's bundling of Windows, Office, Teams, and Copilot harms competition.
- Meta announced an incognito mode for WhatsApp's AI chatbot where messages are processed in a secure environment and disappear when the session ends.
- NVIDIA confirmed a data breach at its GeForce NOW cloud gaming service but provided no details about what data was compromised.
- Santa Clara County sued Meta alleging the company knowingly profits from scam ads on Facebook and Instagram, with internal documents suggesting up to $7 billion in annual revenue from scam advertisers.
- ShinyHunters released data from real estate firm Cushman & Wakefield affecting over 310,000 accounts after an extortion demand went unpaid.
- Community Bank disclosed that employees improperly entered customer data including Social Security numbers into an unauthorized AI application.
- Oklahoma's Attorney General sued Temu, alleging the Chinese shopping app illegally accessed cameras, microphones, and location data without consent.
- The UK's Information Commissioner's Office fined South Staffordshire Water £964,900 after a 2022 ransomware attack exposed data from over 600,000 customers, with hackers having remained undetected in systems for 20 months.
- German authorities arrested the alleged main administrator of Dream Market dark web marketplace and recovered approximately $1.7 million in gold bars purchased with cryptocurrency proceeds.
The Big Picture
This week reveals a growing impatience with tech companies' self-regulation. Google's $135 million settlement, while not an admission of guilt, signals that class actions can extract meaningful financial consequences for opaque data practices. The coordinated assault on Netflix from Texas demonstrates that state attorneys general are willing to use consumer protection laws to challenge surveillance-based business models, even when companies publicly deny those practices exist. Meanwhile, the Canvas breaches highlight a disturbing vulnerability in educational technology: systems holding sensitive data about hundreds of millions of children lack the security infrastructure to withstand determined attackers. The combination of ransomware payments, AI-enhanced attacks, and delayed breach notifications suggests the education sector has become a soft target. As judicial skepticism grows (see the judge's questioning of the Musk-SEC settlement) and zero-day vulnerabilities continue to surface in widely used enterprise software, the week underscores that privacy protection increasingly depends on enforcement action rather than