Today in Surveillance:

  • Louisiana's Kids Online Protection Act takes effect today. Platforms must now default to privacy-protective settings for anyone under 16, no adult connections without parental consent, no geolocation sharing, no unsolicited DMs. Violations cost up to $10,000 each. The catch: enforcing it requires knowing who's a minor, and age verification systems are the same surveillance infrastructure the EFF calls "a privacy nightmare."
  • Border agents are searching phones at a record pace. CBP searched 55,318 devices in FY 2025, up 17.6%. Through the first half of 2026, they're on pace to break 64,000. The EFF just asked the Fourth Circuit to require a warrant.
  • The SECURE Data Act hearing is 2 days away. Wednesday's hearing could greenlight a federal privacy bill that would override every state privacy law in the country. The EFF calls it "not a serious piece of privacy legislation."
  • FISA 702 expires in 11 days. No Senate vote. No deal. The warrant requirement remains the sticking point.
  • Illinois privacy bill fate unknown. The legislature closed yesterday. SB 340 passed the Senate 54-3 but whether the House voted before midnight remains unconfirmed.
  • The EFF published five major surveillance reports in May. Border device warrants, SECURE Data Act critique, age verification, Americas surveillance guide, Instagram encryption removal. It's the most concentrated privacy advocacy push in years.

Louisiana's Kids Privacy Law Is Live. The Age Verification Problem Isn't Solved.

Starting today, June 1, 2026, the Louisiana Kids Online Protection and Anti-Grooming Act (HB 37) is law. Every platform used by Louisiana residents under 16 must now implement default privacy settings: adults can't connect with minors without a legal representative's consent, unsolicited DMs to minors are blocked, account visibility is restricted to connected accounts only, and precise geolocation can't be shared with anyone except a parent or authorized law enforcement [1].

Parents get real controls. Legal representatives linked through parental supervision tools can manage account settings, view and block connected accounts, and set limits on microtransactions. Platforms that violate these provisions face civil fines up to $10,000 per violation, with the state attorney general handling enforcement after a notice-and-cure process [1].

On paper, it's a reasonable set of protections. In practice, there's a problem the law doesn't solve: how do platforms know who's under 16?

That's where age verification comes in, and where privacy advocates start sweating. The EFF published a May 2026 analysis calling age verification "a privacy nightmare for everyone." Every age-gating system requires users to hand over sensitive personal information, government IDs, biometric scans, financial data, to third parties just to access a website. That data gets centralized, and centralized data gets breached [2].

This isn't hypothetical. Age verification vendor Persona left a frontend exposed. Driver's licenses leaked. Half of U.S. states now mandate age verification for adult content or social media. Utah's VPN-targeting law (SB 73) took effect May 6. Australia's age verification regime drove a surge in VPN usage as people scrambled to access the open internet. Louisiana itself was one of the first states to require age verification for porn sites in 2023 [2][3].

The tension is real: protect kids from predators and exploitation, or protect everyone from a surveillance infrastructure that treats every internet user as a suspect until they prove their age. Right now, we're choosing both, and getting neither right.

Related: Age Verification: Surveillance Infrastructure in Disguise | Utah's VPN Law Takes Effect

CBP Is Searching Phones at the Border at a Record Pace

U.S. Customs and Border Protection searched 55,318 electronic devices at ports of entry in fiscal year 2025, a 17.6% jump from the 47,047 searches in 2024 and a 32.4% increase over 2023. Through the first half of FY 2026, CBP has already conducted 32,349 searches, putting the year on pace to surpass 64,000 [4].

Of those 55,318 searches in FY 2025, 92% were "basic" searches where agents manually scroll through your phone. The remaining 8% were "advanced" searches involving external equipment to copy and analyze device contents. Non-U.S. citizens accounted for 41,728 of the searches. U.S. citizens: 13,590 [4].

The legal fight is heating up. In May 2026, the EFF, the national ACLU, and affiliates in Maryland, North Carolina, South Carolina, and Virginia filed an amicus brief in the U.S. Court of Appeals for the Fourth Circuit arguing that border searches of electronic devices require a warrant under the Fourth Amendment. The case. U.S. v. Belmonte Cardozo, involves a U.S. citizen whose cell phone was searched after arriving at Dulles airport from Bolivia [5].

The Fourth Circuit heard oral arguments on May 8. A ruling could set precedent for the entire mid-Atlantic region. The Knight Institute at Columbia and the Reporters Committee for Freedom of the Press also filed briefs focusing on First Amendment implications, journalists and sources who travel internationally face the same warrantless searches as everyone else [5].

Federal circuits are splitting on the issue. The Fourth Circuit previously ruled in U.S. v. Kolsuz (2018) that forensic device searches at the border require "some measure of individualized suspicion" but punted on whether that means reasonable suspicion or a full warrant. This case could force a clear answer [5].

Related: EFF to Third Circuit: CBP Needs a Warrant to Search Your Phone | How to Travel Without Feeding ICE Your Data

Wednesday's Hearing Could Kill 20 State Privacy Laws

Two days. On Wednesday, June 3, the House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade will hold a hearing on the SECURE Data Act (HR 8413) at 10:15 AM EDT. The hearing is open to the public and will be livestreamed [6].

The bill would create a federal privacy framework that preempts every existing state privacy law, not as a floor that states can build on, but as a ceiling they can't exceed. California's CCPA, Vermont's data broker rules, Illinois's BIPA, Maryland's MODPA, all 20-plus state privacy laws would be overridden by a single federal standard [6][7].

The EFF's verdict: "not a serious piece of privacy legislation." Their May 2026 analysis argues the bill is written to simplify compliance for corporations, not to protect consumers. It lacks meaningful enforcement mechanisms and would eliminate the strongest state-level protections millions of Americans already rely on [7].

Watch the hearing. This is where the fight over whether privacy is a state right or a federal prerogative gets real.

Related: SECURE Data Act: The June 3 Hearing That Could Reshape Privacy | EFF and EPIC: The SECURE Data Act Isn't Serious

FISA 702: 11 Days Left

Section 702 expires June 12. The Senate hasn't voted. The 45-day extension Congress passed on April 30 is running out, and there's no deal in sight [8].

The sticking point hasn't changed: whether the FBI should need a warrant to search Americans' data collected under Section 702. Bipartisan reform bills exist in both chambers. The House passed a 3-year extension 235-191 in April, but the Senate rejected it because of a CBDC ban rider attached to the bill [8].

Making it worse: the FISA Court found in March 2026 that compliance problems the DOJ claimed to have fixed in early 2025 are ongoing, and extend beyond the FBI to other intelligence agencies. The "filtering" tools used to query Americans' information are broken across the intelligence community [8][9].

If Congress does nothing by June 12, existing surveillance orders stay active until their individual expiration dates, but no new ones can be issued. The intelligence community treats this as an operational crisis. Civil liberties groups see it as their best shot at forcing reform.

Related: FISA 702: Reform Is Dead, the June Deadline Isn't

Illinois Privacy Bill: The Clock Ran Out. Did It Pass?

The Illinois General Assembly adjourned sine die yesterday, May 31. SB 340, the Consumer Data Privacy Act, passed the Senate 54-3 with some of the strongest data minimization rules in the country. It needed a House vote before midnight to stay alive [10].

As of this morning, the outcome hasn't been officially confirmed. The bill would have prohibited the collection, processing, or sale of sensitive data, racial origin, religious beliefs, biometrics, precise geolocation, unless actually necessary for the service requested. It would have banned outright sales of sensitive data. Consumer Reports backed it. Industry groups like SIIA opposed it [10].

If the House passed SB 340, Governor Pritzker still needs to sign it. If the House didn't vote in time, one of the most promising state privacy bills of 2026 is dead, and the SECURE Data Act hearing on Wednesday makes the question of state-level privacy rights even more urgent.

We'll update this story when the official record is available.

EFF Declared War on Surveillance in May

The Electronic Frontier Foundation published at least five major surveillance and privacy analyses in May 2026, the most concentrated advocacy push from the organization in recent memory [7][5][2][11][12].

The lineup: a Fourth Circuit amicus brief demanding warrants for border device searches. A takedown of the SECURE Data Act as "not serious privacy legislation." An analysis calling age verification "a privacy nightmare for everyone." A guide for governments across the Americas to curb state surveillance abuses. And a public rebuke of Meta for killing end-to-end encryption on Instagram DMs [5][7][2][11][12].

Add in the ongoing ALPR analysis, where EFF found that police use license plate reader databases for "virtually any whim" without warrant requirements, and the border device search statistics showing 55,318 searches in FY 2025, and you get a picture of an organization that sees the current moment as a critical inflection point for surveillance in America [13].

The EFF also filed complaints with California and New York attorneys general over Google's decision to hand a student's financial data to ICE without notification, breaking a decade-old privacy promise [14].

Related: Meta Killed Instagram's Encryption | States Are Blocking Public Access to ALPR Data

Verizon DBIR: Hackers Are Exploiting Software Flaws Faster Than You Can Patch Them

The 2026 Verizon Data Breach Investigations Report landed in late May with a finding that should worry everyone: vulnerability exploitation has surpassed stolen credentials as the top breach entry point for the first time in the report's 19-year history. Software flaws now account for 31% of breaches [15].

The numbers paint a grim picture. Third-party supply chain breaches jumped 60% and now account for 48% of all breaches. The human element was involved in 62% of incidents. Only 26% of critical vulnerabilities in CISA's Known Exploited Vulnerabilities catalog were fully patched during 2025, down from 38% the year before [15].

AI is accelerating everything. Criminals are using generative AI for target selection, malware development, vulnerability research, and social engineering. On the defensive side, 67% of employees accessing AI tools at work are using personal accounts, meaning corporate data is flowing through systems IT departments can't see or control [15].

Related: Verizon DBIR 2026: The Full Breakdown

What to Watch

  • Today, June 1: Louisiana Kids Online Protection and Anti-Grooming Act takes effect. Privacy defaults mandatory for users under 16.
  • June 3: House Subcommittee hearing on the SECURE Data Act (HR 8413). Federal privacy preemption on the table. 10:15 AM EDT, livestreamed.
  • June 12: FISA Section 702 expires. 11 days. No Senate deal.
  • June 30: T-Mobile breach monitoring enrollment deadline.
  • July 1: Virginia facial recognition law takes effect. Connecticut, Arkansas, Utah privacy law amendments kick in. Connecticut requires disclosure of personal data use for LLM training.
  • August 2: EU AI Act general-purpose AI rules apply. High-risk biometric surveillance rules delayed to December 2027.

References

  1. Digital Policy Alert: Kids Online Protection and Anti-Grooming Act (HB 37) Enters Into Force
  2. EFF: Age Verification is a Privacy Nightmare
  3. Online Safety Law Center: Louisiana
  4. CBP: Border Search of Electronic Devices at Ports of Entry
  5. EFF: EFF to Fourth Circuit: Electronic Device Searches at the Border Require a Warrant
  6. House Energy and Commerce Committee: Hearing on Establishing a Federal Data Privacy Law
  7. EFF: The SECURE Data Act is Not a Serious Piece of Privacy Legislation
  8. Brennan Center: Section 702 of FISA: 2026 Resource Page
  9. Roll Call: Congress Clears Short-Term FISA Extension
  10. Consumer Reports: Consumer Reports Supports the Illinois Consumer Data Privacy Act
  11. EFF: We Must Not Normalize Digital Surveillance Abuses
  12. EFF: Your Privacy Shouldn't Be A Corporate Decision
  13. EFF: Open Records Laws Reveal ALPRs' Sprawling Surveillance
  14. EFF: Google Broke Its Promise to Me. Now ICE Has My Data.
  15. Verizon, 2026 Data Breach Investigations Report (DBIR)