Sensitive-data enforcement is accelerating across U.S. and EU regimes. The FTC’s PADFAA reminder and California settlements targeting health-condition lists signal heightened scrutiny of data broker models and high-sensitivity targeting, with expectations around counterparty diligence and transfer controls. In Europe, regulators are shifting from policy review to operational testing, launching coordinated enforcement on erasure and revisiting Processor Binding Corporate Rules. States are advancing stricter consent requirements, enhanced minor protections, and tighter ad-tech rules. Meanwhile, a federal court decision warns that AI-generated materials created outside counsel’s direction may not be privileged. The throughline is operational accountability — boards should stress-test sensitive data, deletion, vendor, and AI governance workflows now.

Major Privacy News & Enforcement

FTC Flags “Foreign Adversary” Restrictions for Data Brokers – PADFAA Compliance Reminder

What Happened

The FTC issued a public reminder that the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) prohibits data brokers from selling/disclosing personally identifiable sensitive data to foreign adversaries (and certain controlled entities).

Why It Matters

This is a concrete, enforcement-adjacent signal that broker-style transfers of sensitive data (e.g., precise geolocation, health data, biometric identifiers, SSNs) need counterparty screening and controls, not just contractual promises.

Practical Actions

- Map any “data broker” adjacency in your ecosystem (e.g., partners, enrichment vendors, identity graphs).

- Add counterparty diligence: sanctions/ownership screening, “foreign adversary” risk gating, and audit hooks.

- Tighten sensitive-data transfer rules: purpose limits and a ban on onward sale or disclosure without written authorization.

California Privacy Regulator Issues New Data Broker Settlements Focused on Health-Condition Lists

What Happened

CalPrivacy announced new settlement decisions against data brokers, including a marketing firm that allegedly sold lists of people with serious health conditions, resulting in penalties and orders to stop selling Californians’ personal information.

Why It Matters

Broker enforcement is not theoretical. CalPrivacy is targeting high-sensitivity segments and imposing operational prohibitions, not just paperwork fixes.

Practical Actions

- Re-evaluate whether any dataset you buy or sell enables targeting based on health or other sensitive inferences.

- For “audience segment” vendors, require disclosures of segment sourcing, sensitive-category exclusions, and deletion/suppression mechanics.

- Put “sensitive segment” use cases behind Legal/Privacy review (and document decisioning).

EU Spotlight Shifts Toward Erasure Execution in Coordinated Enforcement on the Right To Delete

What Happened

The European Data Protection Board (EDPB) announced a coordinated enforcement initiative focused on challenges in implementing the right to erasure under Article 17 of Europe’s General Data Protection Regulation (GDPR).

Why It Matters

Even mature GDPR programs come under pressure on the operational side of deletion, including identity resolution, downstream propagation, backups, and exemptions.

Practical Actions

- Run a deletion “tabletop” exercise that walks through the places where deletion requests typically fail (e.g., data lakes, logs, vendors, backups).

- Define and document your exception logic, including legal holds, fraud/security, and statutory retention.

- Ensure vendor data processing agreements clearly require deletion propagation and confirmation.

Litigation and Enforcement Trends

The Trend

Biometric notice/consent risk is heating up at the state level, with retail surveillance as a flashpoint. Connecticut reporting highlights increased attention on facial recognition and biometric collection practices and calls for tighter rules in retail contexts, with an active debate about consent, notice adequacy, and potential legislative change.

Practical Actions

- Treat biometric collection — especially face templates and voiceprints — as “sensitive,” requiring explicit consent and prominent notice.

- Maintain a written necessity assessment (e.g., security purpose, minimization, retention).

- Confirm vendor roles and prohibitions on secondary use, such as model training or cross-client matching.

The Trend

Enforcement posture is expanding beyond “privacy-only” statutes into consumer protection. Connecticut is advancing broad consumer protection reforms, including “all-in” pricing and renewal notices, that intersect with digital UX patterns, as regulators often scrutinize the same design choices that show up in privacy consent flows.

Practical Actions

- Audit flows that blend consent and purchase/renewal decisions. Avoid bundling and ambiguous toggles.

- Ensure disclosures are “clear and conspicuous” in the same UI layer as the action button.

- Align records: what the UI showed, what the user selected, and what the system enforced.

The Trend

Privilege risk is now an AI hygiene issue (SDNY: AI-generated client materials ≠ automatically privileged). A February 10 decision from the Southern District of New York held that a defendant could not claim attorney-client privilege over AI-generated documents he created using a third-party generative AI tool simply because he later sent them to counsel. The court emphasized that privilege turns on the nature of the communication and how it was created. GenAI enables users to generate strategy-adjacent materials outside counsel’s direction, expanding potentially discoverable content that may resemble work product but lacks protection and raises authorship, accuracy, and hearsay concerns.

Practical Actions

- Issue clear internal guidance. Prohibit use of public GenAI tools to draft investigation summaries, witness narratives, timelines, or defense themes for matters that may be litigated.

- If AI is permitted, require counsel-directed, legal-owned workflows, controlled prompts, retention safeguards, and an enterprise tool with contractual confidentiality protections.

- Treat AI outputs as drafts. Validate against source records, avoid embedding legal conclusions, and preserve auditable records of inputs and assumptions where appropriate.

- For investigations, move fact development early into counsel-led channels to strengthen work product and privilege claims.

Legislative and Regulatory Updates

The Update

Genetic privacy is moving fast, with multiple new bills built around “separate express consent” mechanics. States are introducing (and reintroducing) genetic privacy bills that require express consent, often a separate consent, for secondary uses, retention of biological samples, and third-party transfers — sometimes naming the recipient.

Practical Actions

- If you touch genetic or biometric-adjacent data, build consent granularity (primary use vs. research vs. marketing vs. sharing).

- Add controls for sample retention, deletion, and transfer logs, including who received what and why.

- Ensure vendor- or service-provider exceptions are narrow and contractually locked.

The Update

Connecticut privacy amendments remain a key “next wave” operational date (July 1, 2026). Connecticut’s privacy law overhaul is set to take effect July 1, 2026, including enhanced protections for minors and targeted advertising restrictions.

Practical Actions

- Identify “minor-likely” touchpoints and design age/segment rules for targeted ads and profiling.

- Validate how you honor opt-out preference signals and how that propagates through ad-tech.

- Update DPIA-style assessments for higher-risk processing categories.

The Update

EU Processor Binding Corporate Rules (BCRs) are back on the table. The EDPB has opened a consultation on draft Recommendations 1/2026, which outline the approved criteria and key principles for processor BCRs.

Practical Actions

- If you operate multi-entity processing groups, reassess your transfer strategy (Standard Contractual Clauses vs. BCRs) and governance readiness.

- Confirm internal processor controls: sub-processing approvals, audit rights, and uniform incident response playbooks.