This Week in Privacy: May 25-31, 2026

The week ending May 31 was defined by accountability—both the kind that arrives through court settlements and the kind that gets exposed when security fails. Major tech platforms paid out hundreds of millions to settle claims they harmed children and violated user privacy, while a series of breaches revealed how easily sensitive data can be stolen or carelessly exposed.

Top Stories

[Big Tech Settles Youth Safety Lawsuits](https://privacywire.org/industry/kentucky-school-district-received-approximately-27-million-may-2026) for tens of millions as pressure mounts over platform design. Meta, Snap, ByteDance, and Alphabet collectively paid roughly $27 million to settle claims brought by a Kentucky school district that accused them of creating addictive features that fueled student mental health crises including anxiety, depression, and self-harm. The settlement came just weeks before what would have been the first trial among similar lawsuits filed by 1,200 other school districts nationwide. Separately, the Supreme Court cleared the way for Vermont's lawsuit against Meta to proceed, with the state alleging Instagram was deliberately designed to exploit teenagers' developing brains to drive compulsive use and ad revenue.

[Google Settles Android Data Collection Lawsuit](https://privacywire.org/google/google-agreed-to-pay-135-million-to-may-2026-2) for $135 million over claims the company collected user information without proper consent. The class-action settlement, which received preliminary court approval, alleged that Android devices transmitted data to Google's systems in the background—even when apps weren't in use or privacy settings were disabled—and consumed users' cellular data without permission. The alleged collection spanned from November 2017 through the settlement date. Google denied wrongdoing but agreed to pay, marking another significant privacy payout in a week filled with accountability measures.

[Insurance Data Breach Lawsuit and New California Privacy Bill](https://privacywire.org/industry/california-attorney-general-rob-bonta-is-suing-may-2026) highlight growing scrutiny of how sensitive information is handled. California's attorney general sued Chrome Holding Co., the successor to 23andMe, over a 2023 breach that exposed genetic and ancestry data of nearly seven million users through credential-stuffing attacks. Hackers specifically advertised stolen information belonging to Asian American Pacific Islander and Jewish users on the dark web. Meanwhile, California lawmakers are advancing legislation that would modernize insurance data privacy laws unchanged since before smartphones existed, giving consumers more control over their information and authorizing penalties up to $1 million for violations.

In Brief

• A gaming cheat service called Atlas Menu had its entire database of 64,000 user accounts published to GitHub after attackers compromised all company systems.

• Lithuania's real estate registry was breached with over 600,000 records downloaded by attackers using stolen credentials, with officials tracing connections to a foreign state.

• A third-party UK visa service exposed at least 100,000 passport photos and selfies through a misconfigured server, then sent lawyers instead of immediately fixing the flaw when notified.

• Dutch police arrested a suspect for repeatedly accessing Ajax football club's systems through an unpatched vulnerability, exposing email addresses and stadium-ban records.

• A Romanian hacker was sentenced to 56 months in federal prison for selling access to Oregon's emergency management network and nearly a dozen other U.S. systems.

• Apple released quantum-resistant encryption code and verification tools to the public, including algorithms already protecting 2.5 billion devices.

• Oklahoma sued Temu for allegedly collecting sensitive data without consent and transferring it to the Chinese government without user knowledge.

• The Netherlands blocked the sale of its national digital ID system operator to a U.S. tech firm over data security concerns.

• Google reorganized its privacy controls, splitting "Search Services History" from "Web & App Activity" and clarifying that it records audio a few seconds before wake words like "Hey Google."

The Big Picture

This week's events reveal a growing recognition that digital privacy failures carry real consequences. Courts and regulators are increasingly willing to extract significant financial penalties from tech companies, particularly when minors are involved or when data collection happens without meaningful consent. At the same time, the sheer volume of breaches—from gaming services to government registries to insurance companies—demonstrates that organizations still struggle with basic security hygiene. Whether through credential stuffing, unpatched vulnerabilities, or misconfigured servers, sensitive data keeps ending up in the wrong hands. The combination of legal pressure and persistent security failures suggests we're entering a period where privacy protection will be enforced through both courtroom settlements and the hard lessons of repeated breaches.