Honestly, if you woke up today in Indiana, Kentucky, or Rhode Island, your digital life technically looks different than it did a few weeks ago. You might not feel it yet. But the law does.
Since January 1, 2026, we’ve officially entered a new era of "patchwork" privacy. While most people were nursing New Year's hangovers, three massive state laws—the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Privacy Act, and the Rhode Island Data Transparency and Privacy Protection Act—all hummed into existence.
It's a mess. A beautiful, complicated, legal mess.
If you're looking for data privacy news today, the big story isn't just one single law; it's the fact that "where you live" now dictates how much of your "neural data" or "precise geolocation" a company can sell before you even finish your morning coffee.
The Instagram Scrape and the "Door Knocker" Hack
Let’s talk about what actually happened this week. If your phone has been blowing up with password reset emails from Instagram, you aren't alone. It’s annoying. It’s scary.
On January 10, reports started swirling about a database from a threat actor named Solonik on BreachForums. We're talking 17.5 million records. Meta (Instagram’s parent company) has been quick to say they weren't "breached" in the traditional sense. Instead, this was a massive "scrape"—basically, someone used a vacuum cleaner on an API to suck up everything that was technically public.
👉 See also: Astronauts Stuck in Space: What Really Happens When the Return Flight Gets Cancelled
Names.
Phone numbers.
Bios.
The danger right now isn't that they have your password. They don't. The danger is the "door knocking." Bots are using those leaked emails to trigger "Forgot Password" requests. They're hoping you'll get tired of the notifications and accidentally hit "Approve" on a login request or click a fake link in a panic.
Pro tip: If you get a reset email you didn't ask for, ignore it. Better yet, check your "Emails from Instagram" tab in the app settings to see if it’s actually real. If it’s not there, it’s a trap.
The 2026 Regulatory Wave: Neural Data and Teens
Beyond the breaches, the real data privacy news today is the aggressive shift toward protecting what’s inside our heads—literally.
Connecticut and Rhode Island have started expanding their definitions of "sensitive data" to include neural data. This isn't sci-fi anymore. With the rise of consumer-grade brain-sensing headbands and AI-integrated wearables, regulators are terrified that your actual brain waves will become the next target for advertisers.
✨ Don't miss: EU DMA Enforcement News Today: Why the "Consent or Pay" Wars Are Just Getting Started
What's happening with the kids?
If you've got teenagers, the rules just got a lot tighter.
- Virginia now has a "one-hour rule" where platforms are supposed to limit minors to 60 minutes of scrolling unless a parent says otherwise.
- Oregon has officially banned the sale of precise geolocation data (anything within 1,750 feet) for users under 16.
- Texas is leaning hard on the "App Store Accountability Act," forcing stores to verify ages before a kid even downloads a game.
It’s a massive headache for tech companies. How do you verify an age without collecting more data? It’s a paradox that hasn’t been solved yet.
The AI Conflict: Grok, Home Depot, and the Ethics of "Watching"
Just today, January 16, the Hong Kong Privacy Commissioner (PCPD) issued a formal warning about X's chatbot, Grok. They’re worried it’s being used to generate "indecent or malicious" content using people's personal info. It’s a global trend: regulators are no longer just looking at how data is collected, but what the AI does with it once it’s in the system.
Speaking of watching, Home Depot is currently in the hot seat with its own investors. A group led by Zevin Asset Management is demanding a report on how the company's surveillance partner, Flock Safety, shares data with law enforcement.
The concern? That customer data is being used for immigration enforcement raids. It’s a perfect example of how data privacy isn't just about "spam emails" anymore—it's about real-world physical safety and civil rights.
🔗 Read more: Apple Watch Digital Face: Why Your Screen Layout Is Probably Killing Your Battery (And How To Fix It)
The "Cure Period" is Dying
For years, companies had a "get out of jail free" card called a "cure period." If they messed up your privacy, they had 30 or 60 days to fix it before getting fined.
That’s ending.
In Oregon, as of January 1, that grace period is gone. If you break the law, the fine starts immediately. The European Data Protection Board (EDPB) is also ramping up for a "Coordinated Enforcement Action" in 2026 that focuses specifically on transparency. They don't want 50-page privacy policies written in Latin-lite legalese. They want you to actually understand who is getting your data.
Your 2026 Privacy Checklist
Look, you can't stop every breach. But you can make yourself a harder target.
- Kill SMS 2FA: Since phone numbers were leaked in the Instagram scrape, SMS-based codes are vulnerable to SIM swapping. Switch to an app like Google Authenticator or Duo.
- Check the "Universal Opt-Out": Many states now require companies to honor "Global Privacy Control" (GPC) signals. You can turn this on in your browser (like Brave or Firefox) and it automatically tells every website you visit "Don't sell my data."
- Audit Your Third-Party Apps: Go into your Instagram, X, and Google settings. Look for "Connected Apps." If you haven't used that "Who Unfollowed Me" app since 2022, revoke its access. That's usually where the scrapers get in.
- Watch the "Sensitive" Toggle: In states like Indiana, you now have the right to opt-out of "profiling." If a site asks for your health info or location, you have the legal right to say no without losing access to the service.
The reality of data privacy news today is that the law is finally catching up to the tech, but the hackers are still running a sprint. Stay skeptical, keep your apps updated, and for the love of everything, stop clicking on "password reset" links you didn't ask for.