Key developments
Canada releases age-assurance guidance, tees up ChatGPT ruling
IAPP's Alex LaCasse reported that Privacy Commissioner Philippe Dufresne unveiled two OPC age-assurance guidance documents at the Canada Symposium, one for platform operators and one for developers. The guidance addresses when age assurance should be used, necessity and proportionality, data minimization, limits on secondary use, and deletion practices. The OPC also published consultation feedback on the Canadian Children's Privacy Code, and Dufresne said the final ChatGPT decision will be released on May 6 while the X deepfake inquiry has been expedited.
Why it matters
It shows Canadian privacy regulators are moving from guidance into active AI and child-privacy enforcement.
Sources & driving stories
IAPP · Alex LaCasse
IAPP coverageFTC settlement would curb location-data sales
The Record's Suzanne Smalley reported that the FTC has a proposed settlement with Kochava and subsidiary Collective Data Solutions over sensitive location-data sales. The order, still subject to court review, would bar the companies from selling, sharing, or disclosing sensitive location data without explicit consent and would require supplier checks, deletion tools, retention controls, a sensitive-location-data program, and FTC notice if violations occur. The FTC complaint alleged Kochava sold near-real-time geolocation data that could reveal visits to houses of worship and health clinics.
Why it matters
If approved, the order could become a template for stricter controls on location-data brokers.
Sources & driving stories
THE RECORD · Suzanne Smalley
The Record coverageInstructure breach exposed student data
Rocketnews and Security Affairs reported that Instructure confirmed a breach affecting student information after ShinyHunters claimed responsibility. The company said external cybersecurity experts and law enforcement were involved and responded by revoking privileged credentials and access tokens, patching systems, rotating keys, and increasing monitoring. Reported exposed data included names, email addresses, student ID numbers, and some teacher-student messages; no passwords, dates of birth, government IDs, or financial information were identified, and outside reporting suggested the incident may affect roughly 9,000 schools.
Why it matters
The incident involves a widely used education platform and may touch a large number of schools and students.
Sources & driving stories
ROCKETNEWS
Rocketnews coverageSECURITY AFFAIRS · Pierluigi Paganini
Security Affairs coverageWorth noting
WORTH NOTING
Vimeo breach exposed 119,000 emails
Have I Been Pwned said the ShinyHunters-linked incident exposed mostly video titles, technical metadata, and email addresses via third-party analytics vendor Anodot, without video content or credentials.
WORTH NOTING
OPM breach monitoring is expiring
Government Executive reported that MyIDCare identity protection for 2015 OPM breach victims is ending after 10 years, forcing some affected workers to re-enroll at their own expense.
Still unclear
OPEN QUESTION
Will the May 6 ChatGPT decision set AI privacy standards?
The OPC's imminent ruling could clarify how Canadian regulators assess collection, use, and disclosure of personal information in AI systems.
OPEN QUESTION
Will the Kochava order become a location-data template?
A final settlement could influence how aggressively U.S. regulators police consent, deletion, and downstream sharing in the data-broker market.