TL;DR:
- Clearview AI loses Canadian appeal. The B.C. Court of Appeal ruled that Clearview is subject to Canadian privacy law even though they pulled out of the country. 40 billion face images scraped without consent.
- UK reveals VPN restriction details. A government consultation launching next month may require VPN providers to verify users’ ages. The Lords’ under-18 VPN ban is likely to be softened but not killed.
- AI deepfakes are already flooding the 2026 midterms. State lawmakers scrambling to catch up as fabricated candidate audio and video spread. 26 states now have deepfake election laws, up from 5 in 2023.
- 78 AI chatbot bills introduced in 27 states. Six weeks into the 2026 session, state legislators are racing to regulate AI before Congress acts. California targeting AI companion chatbots with safety rules.
- Data breach transparency “on life support.” ITRC annual report: record 3,322 data compromises in 2025. Companies increasingly refusing to disclose attack methods.
- Betterment ransom data now public. ShinyHunters published stolen customer data after Betterment refused to pay. Breach now confirmed worse than first reported.
Clearview AI Loses Canadian Appeal: Privacy Law Applies Even After Exit
Clearview AI tried a clever legal maneuver: leave Canada, then argue Canadian law doesn’t apply. It didn’t work.
The British Columbia Court of Appeal dismissed Clearview’s appeal on February 19, upholding findings that the company violated Canadian privacy law by scraping billions of face images from social media without consent.
Clearview’s database contains over 40 billion face images, scraped from Facebook, LinkedIn, Instagram, and anywhere else photos appear online. They sold access to law enforcement agencies who could upload a photo and get matches in seconds.
The company stopped doing business in Canada after the initial privacy ruling but argued they shouldn’t be bound by the findings. The Court of Appeal disagreed: you can’t violate a country’s privacy laws, leave, and escape accountability.
This matters beyond Canada. Clearview faces similar legal challenges in Australia, the UK, France, Italy, and Greece. The Canadian ruling shows that pulling out of a jurisdiction doesn’t make findings disappear.
Clearview continues operating in the U.S., where it has contracts with hundreds of law enforcement agencies, including a CBP deal for tactical targeting. If you’ve ever posted a photo online, your face is probably in their database.
Sources: Lethbridge Herald
UK Reveals VPN Restriction Plans: Consultation Coming Next Month
The UK government tipped its hand on February 15: a consultation is coming that will explore “options to age restrict or limit children’s VPN use where it undermines safety protections.”
This follows the House of Lords’ January 21 vote to ban VPNs for under-18s outright. That amendment (passed 207-159) would require VPN providers to implement “highly effective” age verification. The government isn’t adopting it wholesale, but isn’t killing the idea either.
The consultation will likely look at multiple options: app store age ratings, blocks at the provider level, or full identity verification for all VPN users. That last option is the scariest: it would mean showing ID to use encrypted networking tools.
Privacy advocates have pointed out the problem: VPNs aren’t just for bypassing content restrictions. They protect journalists, activists, domestic abuse survivors, and anyone else who needs to hide their location or communications. Banning them for minors means banning them for LGBTQ+ teenagers researching their identities, or young people living in controlling family situations.
More than 420,000 people signed a petition calling for repeal of the Lords’ VPN amendment. VPN usage reportedly spiked 1400% on the first enforcement day of the UK’s age verification requirements.
Whatever emerges from the consultation will still face a Commons vote. But the trajectory is clear: the UK wants to restrict encrypted privacy tools.
Sources: TechRadar, PiunikaWeb, Cyber Insider
AI Deepfakes Are Already Flooding the 2026 Midterms
The fabricated videos have started. And regulators are scrambling.
With primary elections for the 2026 midterms approaching, AI-generated deepfakes (including fabricated audio and video of candidates) are emerging as a widespread campaign tactic. Georgia lawmakers are holding hearings on countermeasures. Election security experts warn it will be “much more sophisticated” than anything seen in 2024.
Recent examples already making headlines:
- In Virginia, a Republican lieutenant governor candidate debated an AI-generated version of his Democratic opponent
- In New York, former Gov. Andrew Cuomo briefly posted a deepfake ad containing racist stereotypes before deleting it
- Across multiple states, audio clips of candidates saying inflammatory things are circulating on social media
The core problem: by the time a deepfake is debunked, the damage is done. Candidates must spend campaign resources fighting disinformation instead of discussing policy.
Twenty-six states now have laws regulating AI-generated political content, up from just five in 2023. But the FEC hasn’t issued clear guidance on AI in political advertising, creating enforcement gaps.
If you see a shocking clip of a candidate, pause before sharing. Reverse image search. Check if the candidate’s official accounts have addressed it. Deepfakes are designed to provoke immediate emotional reactions.
Sources: TIME, Campaign Now, Public Citizen
78 AI Chatbot Bills in 27 States: Six Weeks Into the Session
State legislators aren’t waiting for Congress.
Six weeks into the 2026 legislative session, lawmakers have introduced 78 bills regulating AI chatbots across 27 states. The focus: protecting consumers from deceptive AI systems and holding companies accountable for algorithmic harm.
Key legislative trends:
- Surveillance pricing: Multiple states are targeting companies that use AI to charge different customers different prices based on personal data
- Algorithmic discrimination: Bills requiring impact assessments before deploying AI in high-stakes decisions like hiring, housing, and credit
- AI companion chatbots: California is imposing safety requirements on AI systems that provide “human-like social interactions,” with heightened protections for minors
The federal vacuum is driving this. The Trump administration signed an executive order attempting to preempt state AI regulations. But states are pushing forward anyway: 20 now have comprehensive consumer privacy statutes on the books, and they’re expanding into AI.
For companies deploying AI systems, this means navigating a patchwork of state requirements. For consumers, it means some states will offer more protection than others. California, Illinois, and Texas continue leading on enforcement.
Sources: Transparency Coalition, Troutman Privacy
ITRC: Data Breach Transparency “On Life Support”
Companies are getting hacked more than ever. They’re telling us less about it.
The Identity Theft Resource Center’s annual report found a record 3,322 data compromises in the United States in 2025. That’s the highest number ever recorded. But the more alarming finding: companies are increasingly refusing to disclose how attackers got in.
Breach notifications are becoming less useful. Companies report that data was stolen but won’t say whether it was ransomware, a phishing attack, or an unpatched vulnerability. This makes it harder for other organizations to defend themselves and harder for victims to understand their risk.
The ITRC described breach transparency as being “on life support.” Without knowing attack methods, the security community can’t identify trends or prioritize defenses. Breached individuals can’t assess whether they’re targets for specific follow-up attacks.
This trend benefits attackers. If companies won’t admit that a specific vulnerability was exploited, other companies won’t know to patch it. The information asymmetry favors criminals.
Sources: Insurance Journal
Quick Hits
Betterment stolen data published after ransom refusal: ShinyHunters is publishing customer data from the January 2026 Betterment breach after the company refused to pay ransom. Malwarebytes reports the breach is “worse than we thought”: stolen files include retirement plan details, financial interests, and internal meeting notes. 1.4 million customers affected.
Edmonton police testing facial recognition on body cameras: Edmonton police announced they’re testing live facial recognition on body-worn camera feeds. This turns police accountability tools into real-time surveillance devices. Privacy advocates warn this trend will accelerate in 2026.
Dutch telecom Odido confirms 6 million accounts breached: The Netherlands’ third-largest telecom confirmed attackers accessed customer names, phone numbers, email addresses, bank account numbers, and passport numbers. The breach affects more than 6 million accounts.
FISA 702 countdown, 55 days: Section 702 expires April 20. Congress returned from recess today. The SAFE Act, which would require warrants for FBI searches of American communications, is expected to be reintroduced.
What to Watch
- UK VPN consultation launch: Expected next month. The scope of proposed age verification will determine whether VPNs remain usable privacy tools or require ID to access.
- State AI legislation: Watch California’s AI chatbot safety rules. If they pass, other states will copy the framework.
- Midterm deepfake tracking: Public Citizen maintains a state-by-state tracker of deepfake election laws. Check your state’s protections.
- Clearview ripple effects: Canada’s ruling could influence pending cases in Australia and Europe. The question: can you escape privacy violations by leaving a jurisdiction?
- ShinyHunters fallout: The group has hit 15+ companies in February alone. If your data was held by Betterment, Figure, Panera, or another affected company, assume it’s now public.