Multiple surveillance cameras mounted on a pole against a clear sky

Today's Headlines:

  • FTC nails OkCupid for secretly sharing 3 million photos with facial recognition startup Clarifai. Match Group settles. No monetary penalty.
  • Maryland's privacy law goes live today. MODPA enforcement starts April 1. Fines up to $25K per violation. One of the strictest state laws in the country.
  • 19 days until Section 702 expires. Johnson pushed the vote to mid-April. Reform is dead. Clean extension incoming.
  • EU extends CSAM scanning to August 2027. Parliament voted to keep the ePrivacy derogation alive. Encrypted messages stay off-limits, for now.
  • Court kills FinCEN real estate surveillance rule. Texas judge says tracking cash home purchases exceeds federal authority.

OkCupid Sent Your Face to an AI Company. The FTC Noticed.

The Federal Trade Commission announced a settlement with OkCupid and its parent company Match Group Americas over a simple accusation: OkCupid promised users their data was private, then shipped nearly 3 million photos to Clarifai, a facial recognition startup.[1]

The data sharing happened back in 2014, but the FTC complaint is fresh. OkCupid's privacy policy at the time said user information wouldn't be shared with third parties. Then the company handed photos, location data, and personal information to Clarifai, a company that builds facial recognition models. That's not a gray area. That's a lie.[2]

The settlement bars OkCupid and Match Group from misrepresenting how they collect, use, or share personal data. They have to accurately describe what privacy controls actually do. No monetary penalty. An OkCupid spokesperson called it "an issue from 2014" they wanted to "move forward" from.[3]

Three million faces fed to a facial recognition company, and the price tag is zero dollars. Your dating profile photos trained AI systems that are now used across industries. The FTC's message: we'll make you promise not to do it again. The industry's takeaway: the fine for lying about biometric data sharing is a press release.[4]

Full investigation: How OkCupid's founders funneled 3 million faces to a military AI contractor

Maryland's Privacy Law Starts Enforcing Today

As of today, April 1, Maryland's Online Data Privacy Act is enforceable. The state's Attorney General can now pursue companies that mishandle personal data, with fines up to $10,000 for first violations and $25,000 for repeats.[5]

MODPA stands apart from the growing pile of state privacy laws. It has lower applicability thresholds, meaning smaller companies can't duck it. It bans the sale of sensitive data outright rather than offering opt-outs. And it includes data minimization requirements: companies can only collect what they actually need.[6]

Maryland residents now get the standard toolkit: access, correct, delete, and download their personal data. They can opt out of targeted advertising, data sales, and profiling. Companies that don't comply get a 60-day cure period before the AG comes knocking. That cure period expires April 1, 2027. After that, no warnings.[7]

Montana's cure period also expired today. Indiana's six-month compliance grace period began. The state privacy patchwork grows. Twenty-one states. Twenty-one different rules. Companies are drowning in compliance. Consumers are still getting surveilled. The federal privacy law that would fix this? Still imaginary.

Full coverage: Maryland MODPA | State legislation tracker

19 Days: Section 702 Vote Pushed to Mid-April

Speaker Johnson officially pushed the FISA Section 702 vote to the week of April 14. He originally planned it for the week of March 20. The reason: a dozen GOP holdouts demanding reforms he can't deliver without losing the White House.[8]

The math hasn't changed. The Congressional Progressive Caucus (98 House Democrats) voted to oppose any reauthorization without "dramatic reforms." The bipartisan SAFE Act would require warrants for American queries and close the data broker loophole. But the White House wants a clean extension. The intelligence community wants a clean extension. Johnson broke a 212-212 tie last time to kill the warrant requirement. Nobody expects him to flip.[9]

Rep. Pramila Jayapal warned against giving "Stephen Miller a blank check" for domestic surveillance. Over 130 civil rights and AI groups signed a letter demanding privacy protections. The EFF reminded everyone that Section 702 was "already misused to run improper queries on peaceful protesters, federal and state lawmakers, Congressional staff, thousands of campaign donors, journalists, and a judge."[10]

Nineteen days. Two weeks of recess. One week to vote. Zero momentum for reform.

Section 702 explainer | CPC opposition vote

EU Extends CSAM Scanning Rules: Encrypted Messages Spared (For Now)

The European Parliament voted on March 13 to extend the ePrivacy Directive derogation that lets platforms scan user messages for child sexual abuse material. The original expiration was April 3, two days from now. The extension pushes it to August 3, 2027.[11]

Here's the key win for privacy: the restrictions tightened. Detection tools can only flag known CSAM or previously reported material. End-to-end encrypted communications are off-limits. Scanning requires judicial authorization and must target users "reasonably suspected" of involvement, no blanket dragnets.[12]

But the permanent regulation is still being negotiated. Trilogue talks between the Parliament, Council, and Commission are underway, with Cyprus targeting a deal by July 2026. The risk: "Chat Control" proposals that would mandate backdoors in encrypted messaging. Signal has already threatened to leave the EU if forced to break encryption.[13]

The temporary fix bought 16 more months. The permanent fight over whether governments can read your messages isn't going away.

Full coverage: EU Chat Control | Signal's EU exit threat

Court Kills FinCEN Real Estate Surveillance Rule

A federal judge in the Eastern District of Texas struck down FinCEN's rule requiring title companies to report details on cash real estate purchases. The rule went into effect March 1. It lasted 19 days.[14]

The rule would have forced title insurance agents, escrow agents, and attorneys to report information about home purchases made by business entities or trusts without traditional financing. FinCEN's theory: anonymous shell company purchases enable money laundering. The judge's response: "The fact that some bad actors have conducted non-financed real estate transactions does not make such transactions categorically 'suspicious.'"[15]

Pacific Legal Foundation brought the case on behalf of Flowers Title Companies. The court found FinCEN exceeded its authority under the Bank Secrecy Act. FinCEN confirmed that reporting requirements are suspended while the order stands. An appeal is expected.[16]

Full coverage: FinCEN rule struck down

European Commission Breach: ShinyHunters Grabbed 350GB

The European Commission confirmed on March 27 that a cyberattack hit its AWS-hosted cloud infrastructure on March 24. ShinyHunters, the extortion group on a 2026 rampage, claims to have stolen 350GB of data including mail server contents, databases, and confidential documents.[17]

This is the Commission's second major breach this quarter. In February, hackers compromised its mobile device management platform. Internal systems weren't affected this time, and Europa websites stayed online, but the optics are grim: the body writing Europe's data protection rules can't protect its own data.[18]

Full coverage: EC data breach

Quick Hits

  • IAPP Summit Day 3: The world's largest privacy conference wraps up in DC with workshop sessions on AI governance, state privacy compliance, and cross-border data transfers. Three days of panels. Zero federal privacy laws closer to reality.[19]
  • ICE surveillance budget: The $28.7 billion surveillance tech spend continues making waves. WebProNews, NPR, and NBC all running coverage. That figure is ten times ICE's total surveillance spending over the previous 13 years. Mobile Fortify facial recognition app. 24/7 social media monitoring teams. The works.[20]
  • Trump centralized database: The Intercept's March 17 report on the administration building an AI-searchable database of every U.S. resident continues gaining traction. Freedom of the Press Foundation is suing for documents. DOGE whistleblowers say the goal is a "master database" hosted at DHS.[21]
  • Montana privacy cure period expired: As of today, Montana's Consumer Data Privacy Act no longer gives violators a chance to fix problems before enforcement. The AG can now act immediately.[22]

What to Watch

  • Meta smart glasses deadline (April 6): Senators Markey, Wyden, and Merkley gave Meta until April 6 to answer questions about Name Tag facial recognition in Ray-Ban smart glasses. 5 days.
  • FISA 702 vote week (April 14): Johnson's target for bringing Section 702 to the floor. 13 days.
  • Section 702 sunset (April 20): Legal expiration date. No extension means the authority dies. 19 days.
  • Meta New Mexico trial (May 4): Phase 2 of the state's case against Meta over children's privacy on Instagram. 33 days.
  • EU AI Act full enforcement (August 2): Bans real-time biometric surveillance in public. Fines up to 35M or 7% of global revenue. 123 days.

Sources

  1. FTC - "FTC Takes Action Against Match and OkCupid for Deceiving Users by Sharing Personal Data with Third Party" (March 2026)
  2. Engadget - "OkCupid settles FTC case on alleged misuse of its users' personal data"
  3. PYMNTS - "OkCupid Settles FTC Case Alleging Misrepresentation of Privacy Policies"
  4. Biometric Update - "FTC order bars OkCupid from misleading users about biometric data sharing" (March 2026)
  5. Verified Credentials - "Maryland Online Data Privacy Act Enforcement Begins on April 1, 2026"
  6. Osano - "What Makes the Maryland Online Data Privacy Act (MODPA) Different?"
  7. Corporate Compliance Insights - "What You Need to Know About Maryland's New Data Privacy Law"
  8. Common Dreams - "Johnson Delays FISA Vote Amid Bipartisan Push for 'Major, Necessary' Privacy Reforms"
  9. The Intercept - "Democrats Might Save Mike Johnson's Push to Give Trump Domestic Spying Power" (March 23, 2026)
  10. EFF - "Congress Is Dropping the Ball with a Clean Extension of FISA" (March 2026)
  11. Help Net Security - "EU Parliament backs extension of CSAM detection rules until 2027" (March 13, 2026)
  12. European Parliament - "Child sexual abuse online: support for extending rules until August 2027"
  13. EU Perspectives - "Chat Control setback: Parliamentary committee rejects message-scanning extension"
  14. Pacific Legal Foundation - "Court strikes down federal real estate surveillance rule" (March 2026)
  15. HousingWire - "FinCEN anti-money laundering rule struck down in court"
  16. Davis Graham - "FinCEN Residential Real Estate Reporting Rule Struck Down"
  17. TechCrunch - "European Commission confirms cyberattack after hackers claim data breach" (March 27, 2026)
  18. Help Net Security - "Second data breach at European Commission this year leaves open questions over resilience" (March 30, 2026)
  19. IAPP - Global Privacy Summit 2026 (March 30 - April 2, DC)
  20. WebProNews - "ICE's $28.7B Surveillance Tech Surge Raises Privacy Alarms in 2026"
  21. The Intercept - "Trump Wants to Put You in a Massive, Secret Government Database" (March 17, 2026)
  22. Secure Privacy - "Privacy Laws 2026: Global Updates & Compliance Guide"