Key developments
Disneyland sued over facial recognition at entrances
Fox8's Iman Palm, the Los Angeles Times, and Chicago Tribune reported that Summer Christine Duffield filed a $5 million putative class action on May 15 in U.S. District Court in New York after visiting Disneyland and Disney California Adventure on May 10 with her children. The complaint says the April rollout of facial recognition at park entrances captures guests' faces, converts them to numerical values, and matches them to ticket or annual-pass photos without adequate disclosure or written opt-in consent. Disney says the system is optional, biometric values are deleted within 30 days unless retained for legal or fraud-prevention reasons, and non-facial-recognition lanes remain available.
Why it matters
The suit tests whether biometric entry systems at a major consumer venue can satisfy consent and disclosure rules, especially when children are involved.
Sources & driving stories
NYC Health + Hospitals breach exposes biometrics
Webpronews's Ava Callegari reported that NYC Health + Hospitals said a third-party vendor compromise exposed records of at least 1.8 million people, including names, Social Security numbers, diagnoses, medications, insurance and billing data, fingerprints, and palm prints. The system said suspicious activity was detected on Feb. 2, unauthorized access appears to have run from about Nov. 25, 2025, through Feb. 11, 2026, and notice was posted March 24. It has reset credentials, added detection tools, tightened remote access, and offered 24 months of credit monitoring through Kroll while notifying HHS.
Why it matters
The breach combines large-scale health data exposure with immutable biometrics, sharpening vendor-risk and identity-theft concerns.
Sources & driving stories
WEBPRONEWS · Ava Callegari
Webpronews coverageLondon police requested data 700,000 times
The Register reported that London's Metropolitan Police asked tech companies for communications data more than 700,000 times in 2025 under UK legal powers. The figures showed a sharp jump in requests involving LycaMobile and hundreds of requests tied to privacy-focused services such as Proton and Signal, with the Met saying it obtained Proton-user data 139 times since 2024. Proton and Signal disputed parts of the account and said they limit or refuse requests that do not meet legal and human-rights requirements.
Why it matters
The scale of requests highlights the breadth of lawful-access surveillance and the pressure on privacy-first services to resist or limit disclosure.
Sources & driving stories
THE REGISTER
The Register coverageWorth noting
WORTH NOTING
Cambridge drops ShotSpotter microphones
The city council's vote is another concrete rollback of acoustic surveillance because of privacy and reliability concerns.
WORTH NOTING
California fines Ford, PlayOn Sports
The enforcement actions show regulators targeting opt-out friction, tracking banners, and privacy notice accuracy.
Still unclear
OPEN QUESTION
Will Disney's optional-lane design satisfy consent law?
The lawsuit will hinge on whether notice, opt-out signage, and 30-day deletion are enough for biometric collection at a family venue.
OPEN QUESTION
Which vendor was behind the hospital breach?
Identifying the third-party point of failure will determine how much of the incident reflects a single compromise versus a broader supply-chain issue.