Pressure Builds Around Vendors, Voter Data, and Age Checks
Privacy developments yesterday were less about new grand rules than about who gets held to account when data escapes its intended boundaries. The strongest move came from Missouri, where state insurance regulators publicly pressed Conduent Business Services for failing to provide enough information about a breach that may have affected insurance consumers and potentially many more people nationwide.
The Missouri Department of Commerce and Insurance said unauthorized access at Conduent ran from Oct. 21, 2024, to Jan. 13, 2025 and that, more than six weeks after first contacting the company, it still did not have adequate answers. Rather than wait longer, the state asked insurers to report whether they used Conduent during the breach window and what services were involved. That is a meaningful escalation: regulators are showing they will go around a slow or uncooperative vendor and pull the map of exposure from customers instead.
In Alberta, the voter-data story moved from controversy to court action. Elections Alberta said it obtained an injunction ordering the Centurion Project to shut down a searchable database tied to an official electors list, after reports that names and home-address details for nearly three million Albertans could be surfaced through the tool. The RCMP is also investigating. After standing out the day before as a leak with political overtones, it now looks more clearly like a governance failure around how political data can be redistributed and repackaged.
Meta also made a concrete platform move, rolling out AI-based age checks on Facebook and Instagram in selected countries including the U.S. The system uses images, text, and engagement patterns to estimate age, deactivate suspected under-13 accounts unless eligibility is proven, and move younger teens into more restrictive account settings. Separately, California’s privacy regulator signaled it is taking its fight against federal preemption in the proposed SECURE Data Act directly to Congress, keeping the state-versus-federal power question very much alive.
Key Points
- Missouri regulators say Conduent still has not provided enough detail to assess the breach’s impact on insurance consumers; the state is now collecting exposure information directly from insurers.
- Some public estimates place the possible Conduent impact at 25 million or more Americans, which would make it one of the largest U.S. breach events if confirmed.
- Elections Alberta obtained a court injunction to shut down the Centurion Project database after reports that it exposed searchable voter records, including home-address information.
- Meta’s age-estimation rollout turns age assurance into an always-on inference system rather than a one-time verification step, with real product consequences for flagged users.
- California’s privacy agency is openly resisting federal privacy preemption, a sign that any U.S. omnibus bill will still face a hard fight over whether it replaces tougher state rules.
Implications
The immediate compliance lesson is that vendor risk is no longer just a contracting problem. When a third party cannot or will not quickly explain what happened, customers may have to reconstruct exposure themselves for regulators, counterparties, and affected users. That raises the premium on data inventories, service maps, incident-notice clauses, and the ability to identify which business lines and consumer groups touched a vendor during a breach window.
The Alberta and Meta stories point to a second pressure point: data collected for one purpose is increasingly being reused to make more consequential decisions. In Alberta, an official voter list appears to have been transformed into a far more intrusive searchable tool. At Meta, age assurance is shifting toward continuous inference from behavior and imagery. In both cases, the central questions are no longer just whether the data was obtained lawfully, but how far it can be repurposed, who can access it, how errors are corrected, and what safeguards exist once the system is live. California’s pushback on federal preemption adds a policy warning here too: a national privacy bill could still reduce some state-level protections rather than simply standardize them.
Things to watch
Watch
Whether Missouri or other states take stronger action against Conduent if fuller incident details and impact counts still do not arrive.
Watch
Whether Alberta investigators clarify the chain from the official electors list to the searchable app, and whether the case triggers tighter rules for political parties or affiliated groups.
Watch
How Meta handles false positives, appeals, and retention of age-inference data as its rollout expands.