This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated monthly. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant.
Crimson Collective Targets Broadband Provider Brightspeed
Summary: In January, a threat actor calling itself Crimson Collective claimed to have exfiltrated more than one million records of personally identifiable information (PII) belonging to customers of Brightspeed, a residential broadband provider based in North Carolina. Crimson Collective announced the theft on its Telegram channel and listed the data attributes tied to affected customers: site IDs, session IDs, user IDs, transaction information, and payment history. It posted data samples and told Brightspeed employees to check their email.

The group is asking three bitcoins from anyone who wants to buy the breached dataset and says it will release the data for free if no buyer appears within a week (a deadline that has since lapsed). Crimson Collective also claims the stolen attributes enable targeted attacks on Brightspeed's customers, including directly disconnecting customers' internet service as well as phishing and phone scams.
Analyst Perspective: Brightspeed has yet to confirm or deny Crimson Collective's claims, so the breach remains alleged. Brightspeed is not offering any official customer support such as credit monitoring. It has stated that there was a “potential security event” and an investigation is underway. I assume that this suspected breach has been reported to their cyber insurer and they are working with incident responders and forensic analysts to evaluate the event. I do have concerns about their breach notification timing, especially in a state that requires impacted data subjects be notified “without unreasonable delay.”

Crimson Collective is indicating that it has contacted Brightspeed and is looking to negotiate while threatening to release the dataset to instill a sense of urgency. The threat of attacks directly on service availability should worry consumers, not just those affected by the alleged breach. If confirmed, the breach could lead to legal and regulatory liabilities for Brightspeed.
Analyst: Mike Brown, Advisory Director – Security & Privacy
More Reading:
- Source Material: CPO Magazine
- Related Info-Tech Research:
Diverging AI Adoption Strategies in Australia and New Zealand
Type: Article
Enacted: January 2026
Affected Region: Australia and New Zealand
Summary: Many countries are defining AI adoption strategies for government, but even neighboring jurisdictions offer no guarantee of similar philosophies and approaches. Australia and New Zealand are a clear example: their respective AI adoption strategies stand in marked contrast.

In Australia, the current Policy for Responsible Use of AI in Government (version 2.0, published in December 2025) sets out a range of requirements, including:
- Designated accountability
- Transparency statements
- Internal use case registers
- Risk-based impact assessments

Beyond this, the government’s 2024 interim response to the safe and responsible AI consultation signaled an intention to introduce additional testing, transparency, and accountability requirements for high-risk settings. Australia has also adopted AS ISO/IEC 23894:2023, the local adoption of the ISO/IEC guidance standard on AI risk management, which demonstrates alignment with international risk-management standards.

In contrast, while New Zealand’s 2025 national AI strategy is paired with responsible AI guidance for businesses, it is explicitly based on voluntary adoption. Within the government itself, the Public Service AI Framework and the Responsible AI Guidance for the Public Service provide guidelines for safe and responsible AI use. New Zealand’s AI governance is also shaped by the Algorithm Charter for Aotearoa, which records agency commitments to principles such as transparency, bias management, privacy, and human oversight.
Analyst Perspective: Compared to the more numerous and explicit guardrails of its neighbor, New Zealand’s approach appears to focus more on encouraging responsible AI adoption through guidelines and transparency. Its light-touch model focused on guidance is notably distinct from Australia’s use of mandatory artifacts and registers.

From an industry perspective, most guidance remains voluntary in both countries. However, organizations that interact with both governments should not expect greater homogeneity in their regulatory approaches and perspectives simply on the basis of geographic proximity.

As national approaches to AI governance diverge, organizations must proactively develop their AI compliance strategies. Aligning with global standards and becoming proficient in leveraging risk-based approaches to AI compliance are good steps to begin with. Adopting leading practices will make it easier for organizations to operate across a multitude of jurisdictions.
Analyst: Seva Ioussoufovitch, Senior Research Analyst – Security & Privacy
More Reading:
- Source Material: GovTech Review
- Related Info-Tech Research:
Cars, Consent, and Consequences
Type: Enforcement
Announced: January 2026
Affected Region: USA
Summary: The Federal Trade Commission (FTC) has issued a landmark order against General Motors (GM) and its connected vehicle service OnStar. The order prohibits sharing certain driver data with consumer reporting agencies and requires GM to be more transparent about its data practices and to obtain explicit consumer consent before collecting, using, or sharing connected vehicle data.

The action arose because GM’s now-defunct Smart Driver program collected detailed driving behavior and precise geolocation data and sold it to third-party data brokers, who in turn resold it to insurers, potentially affecting customers’ insurance rates.

Under the order, GM must secure explicit opt-in consent at the point of vehicle purchase, give consumers access to their data, honor deletion requests, and offer the ability to disable precise geolocation tracking. GM says it has already implemented these changes, overhauled its privacy program, and ended its third-party telematics relationships.

The FTC is signaling a tougher regulatory stance on connected vehicle data, reinforcing that secondary uses of sensitive behavioral data, especially when tied to consumer financial consequences, will face heightened scrutiny.
Analyst Perspective: It would be naive to assume GM is the only automaker that has engaged in opaque data practices. As vehicles increasingly function as rolling IoT platforms, similar data collection and sharing models are likely embedded across the industry. The case therefore highlights a systemic governance gap, where consumers lack meaningful visibility into how their vehicle data is used and accountability becomes diluted across manufacturers, telematics providers, data brokers, and insurers.

For businesses, the order clarifies that driving behavior and precise location data are highly sensitive personal information, particularly when their downstream use impacts financial outcomes. Responsibility lies on both sides of the market: manufacturers and supply chain partners must invest in privacy program maturity. They should treat vehicle data as high-risk by default, unbundle consent, restrict third-party data sharing, and embed privacy controls directly into the vehicle experience. To complement this, consumers must become more privacy-literate, actively review vehicle privacy notices, question bundled consent at purchase, and push for clearer explanations where disclosures fall short.

In the absence of comprehensive US privacy legislation, the FTC is leaning on privacy-by-design principles. Organizations that proactively align product design, data governance, security, and privacy with evolving expectations will be better positioned to sustain trust and keep regulators at bay.
Analyst: Safayat Moahamad, Research Director – Security & Privacy
More Reading:
- Source Material: TechCrunch
- Related Info-Tech Research:
If you have a question or would like to receive these monthly briefings via email, submit a request here.