.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.svg){kind=small}
.webp?width=1220&height=1090&name=Osano-guarantee-seal%20(1).webp)
Hello all, and happy Thursday!
The Osano team is back from Thanksgiving break, recharged and ready to support your compliance. And as always seems to happen when the holiday season comes around, privacy news has ramped up.
The story that caught my eye recently is November’s multi-state enforcement against Illuminate Education for $5.1 million. Back in 2021, Illuminate suffered a data breach that exposed millions of students’ data. Follow-on investigations revealed severe security failures on Illuminate’s part, such as failing to inactivate former employees’ credentials, to monitor for suspicious activity, and to secure backup databases.
The aspect of this action that I wanted to draw attention to was its multi-state, collaborative nature. California’s, Connecticut’s, and New York’s AGs teamed up on this one.
Even when an investigation doesn’t yield a multi-state penalty, it’s important to remember that state AGs are talking to one another about privacy–they’re sharing lessons learned, tactics, and planned initiatives. It’s yet another reason why we’ve seen privacy enforcement pick up so quickly in the US in the past year. With 2026 right around the corner, I’ll be curious to see if the momentum continues.
Best,
Arlo
Highlights From Osano
New
Blog: Top 10 EU Data Privacy Changes in the Digital Omnibus Proposal
The EU Commission’s proposed changes to the GDPR, AI Act, ePrivacy Directive, and other EU digital regulations would mark a sea change in privacy regulation. It’s not law yet–but if it is enacted, what should you be aware of?
Webinar: Untangling 2026 Privacy: New Laws, Amendments, Enforcement, and More
2025 was confusing enough–between the flurry of amendments, enforcement, and brand new privacy laws, 2026 threatens to be even more complicated for businesses trying to stay on the right side of compliance. In our upcoming webinar, legal and privacy experts break down exactly what you need to know to get through 2026 without being tied into knots over privacy.
Save your seat | January 15th, 1 pm EST
Top Privacy Stories of the Week
CalPrivacy Launches Data Broker Enforcement Strike Force
The California Privacy Protection Agency (CalPrivacy) is creating a Data Broker Enforcement Strike Force within its Enforcement Division to investigate privacy violations by the data broker industry. The Enforcement Division will be reviewing the industry for compliance with the data broker registration requirement in the Delete Act, as well as for compliance with the state’s comprehensive privacy law, the California Consumer Privacy Act (CCPA).
Connecticut, California, and New York Reach Landmark Settlement for Student Data Breach
Recently, Connecticut Attorney General William Tong, California Attorney General Rob Bonta, and New York Attorney General Letitia James announced a significant settlement stemming from the enforcement of the states’ respective privacy laws. Due to failures to protect student data exposed following a data breach in 2022, Illuminate Education has agreed to pay $5.1 million to settle its violations.
Attorney General Bonta Secures $1.4 Million Settlement with Mobile App Gaming Company for Violating California's Nation-Leading Privacy Law
California Attorney General Rob Bonta recently announced a settlement with Jam City, resolving allegations that the mobile app gaming company violated the CCPA by failing to offer consumers methods to opt out of the sale or sharing of their personal information across its apps. In addition to $1.4 million in civil penalties, Jam City must provide in-app methods for consumers to opt out of the sale or sharing of their data and must not sell or share the personal information of consumers at least 13 and less than 16 years old without their affirmative opt-in consent.
EU Justice Chief Draws Red Line on Privacy Reforms
The European Commission went as far as it could with its pro-business data protection reforms without putting Europeans' privacy on the line, says Justice Commissioner Michael McGrath. "We are close to, or at the point, where significant further changes could put at risk those high standards of data protection that I think we hold dearly in the European Union.” The Digital Omnibus proposal, released in November, has drawn criticism from privacy advocates for being excessively pro-business already.
India's Digital Personal Data Protection Act Now in Effect
With the Ministry of Electronics and Information Technology's 13 Nov. official notification of the Digital Personal Data Protection Rules, 2025, India's Digital Personal Data Protection Act (DPDA) has come into effect. Though the DPDPA passed 11 Aug. 2023, it was not operational until the notification of the rules, as timelines specifying its applicability were relegated to be outlined in the rules.
Like what you see in the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
đź“– The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!
