
Research Team (Tsaaro)

Disney’s $10 Million Children’s Privacy Settlement

Mar 3, 2026


Overview:  

The United States Department of Justice has finalised a settlement with Disney Worldwide Services and Disney Entertainment Operations after a federal investigation revealed the company had been mishandling children’s data on YouTube for years. The case, referred to the Department by the Federal Trade Commission (FTC), centres on allegations that Disney systematically bypassed the Children’s Online Privacy Protection Act (COPPA). By failing to correctly identify child-directed content, Disney allowed YouTube to gather sensitive data from minors under the age of 13 without the legally required parental consent. These "persistent identifiers" were then used to serve targeted advertisements to children, generating revenue for the media giant at the expense of family privacy.

The Core Violation:  

The Federal Trade Commission (FTC) investigation found that Disney’s internal policy was to set audience designations at the channel level rather than reviewing each video individually. 

  • By marking entire channels as Not Made for Kids (NMFK) by default, hundreds of child-focused videos featuring franchises like Frozen, Toy Story, and The Incredibles were left open to data tracking. 


  • Regulators alleged that YouTube had actually warned Disney as early as June 2020, even reclassifying over 300 of Disney’s videos itself. Despite this, Disney reportedly failed to update its review process for its 1,250+ YouTube channels. 


  • Harm: Because these videos weren't flagged as Made for Kids, children were served targeted ads and tracked via persistent identifiers, while also being exposed to unrestricted comments and autoplay features not meant for minors. 

10 Years of Strict Oversight 

Beyond the fine, the court order forces a massive operational shift for Disney. They must now implement a formal Audience Designation Program that will be active for at least 10 years. 

  • Mandatory Manual Reviews: Disney is now legally required to review every single video it publishes to YouTube to determine if it is child-directed, moving away from automated channel-wide defaults. 


  • Parental Consent Overhaul: For any other websites or apps aimed at children under 13, Disney must now prove they have robust systems to notify parents and gain verifiable consent before a single byte of data is collected. 


  • Enforced Injunction: The settlement legally bars Disney from repeating these practices. The DOJ emphasized that it will take swift action against any future infringements, signaling that the era of passive compliance for media giants is over.

This case proves that regulators expect companies to have durable workflows and human oversight to ensure that privacy protections are actually applied at the content level, not just the account level. For any business using third-party platforms like YouTube or social media, default settings are not a legal defense. 

Source: https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html 

News of the week: 
  1. Vietnam's New Personal Data Protection Law (PDP Law) 


Vietnam is officially stepping up its game with a brand-new Law on Personal Data Protection (PDP Law) that kicks in on 1 January 2026. This isn't just a minor update; it's the country’s first legislation dedicated to privacy, and it covers any business, local or foreign, that engages with the data of people in Vietnam. The stakes are getting much higher: if you’re caught trading data illegally or messing up international transfers, the fines can be massive, up to 5% of your annual revenue or ten times whatever profit was made from the violation. There’s also a new "72-hour rule" where you have to report serious data breaches to the government almost immediately after finding them. 

Operationally, this law adds a few more items to the compliance to-do list. Companies now need to keep formal records, called Impact Assessments, for both their local data handling and any data they send out of the country. There are also new rules for the workplace, like making sure you’re being transparent if you monitor employees and only collecting what’s actually necessary during hiring. While smaller startups get a five-year grace period to figure out the technical staff requirements, the message for everyone else is clear.

Source: New Law on Personal Data Protection Comes into Operation on 1 January 2026 | Rajah & Tann Asia.

  2. U.S. Officials Sound the Alarm Over AI Toys and Children's Privacy 


A new wave of AI-powered toys, mostly coming from China, is causing a lot of worry among U.S. officials lately. These smart toys, like the popular BubblePal, which clips onto stuffed animals, are part of a massive market expected to hit $25 billion globally by 2030. While they look like harmless fun, lawmakers like Rep. Raja Krishnamoorthi are warning that these toys are essentially data-collection machines. Because many of them run on Chinese AI models (like DeepSeek) and store voice recordings and chat histories in the cloud, there are major fears that this sensitive info could be accessed by the Chinese government under its data-access laws. 

The House Select Committee on the CCP has even reached out to Education Secretary Linda McMahon, urging her to launch a nationwide campaign to warn teachers and parents. The concern isn't just about data; it's about child safety, too. These toys are being marketed to kids as young as three, and because they talk back, children often share personal secrets or family details they wouldn't normally tell a stranger. Officials are pushing for much tighter oversight to make sure that educational tools don't turn into surveillance tools in classrooms and living rooms. The big takeaway here is to be extra cautious with any toy that requires a Wi-Fi connection and a microphone: always check where that data is actually going.

Source: Fact Check Team: AI toys spark privacy concerns as US officials urge action on data risks.  

  3. EU Fixes the "Slow Motion" Problem in GDPR Enforcement 


On November 17, 2025, the Council of the European Union officially signed off on a new regulation that is basically a speed boost for data privacy investigations. Since the GDPR started in 2018, the biggest complaint has been how long it takes for different countries to work together on big cases, sometimes years. This new law fixes that by creating a single playbook for how every national data protection authority (DPA) in the EU has to handle complaints, making the whole process much faster and more predictable. 

What’s Changing for Businesses and Individuals? 

The new rules focus on cutting through the red tape and setting strict clocks for investigations. 

  • Universal Standards: It doesn't matter if you file a complaint in France or Germany; the rules for what makes a case valid are now the same across the board. 


  • Strict Deadlines: Investigations now have a due date. Most cases must be wrapped up within 12 to 15 months, though complex ones can get a one-time extension. 


  • The Right to Speak Up: Before a final decision is made, both the person who complained and the company being investigated now have a formal right to see the preliminary findings and give their side of the story. 

The key takeaway is that the era of privacy disputes is evolving. With these rules set to fully kick in by early 2027 (15 months from now), companies should expect a much faster turnaround on cross-border complaints and less legal gymnastics between different EU countries.

Source: The Council of the European Union Adopts New Rules On Handling Of Cross-Border Data Protection Complaints | A&O Shearman - JDSupra 


 

We Help You to Grow Your Business Faster & Easier

Our Mission is to assist businesses in achieving compliance with data privacy, cybersecurity regulations & Responsible AI. We have worked with over 150+ Clients. Some of our key clients are Adani, Booking.com, NPCI, Godrej, DS Group, CRED, BharatPe, Aster DM, Vistara Airlines, Kotak Mahindra, Vodafone, Flipkart & more.


  • Comprehensive Compliance Support – From data privacy to Responsible AI, we cover it all.

  • Cybersecurity Expertise – Protect your business from evolving digital threats.

  • Proven Results – Trusted by top brands including Adani, CRED, and Flipkart.

  • Customized Solutions – Compliance strategies tailored to your business needs.

  • Global Standards – Align with GDPR, DPDP, and ISO frameworks seamlessly.

  • Efficient Implementation – Achieve compliance faster with expert guidance.

  • Trusted Advisory – Led by certified privacy and security professionals.
