April 6, 2026

The expiry of the EU's interim CSAM scanning regulation Saturday is the most consequential immediate compliance event this week, collapsing the legal foundation for voluntary detection programs across major platforms. Simultaneously, France's Senate-passed social media age ban, the UK's grant of sweeping ministerial internet-restriction powers, Australia's dual-track enforcement and children's privacy code consultation, and Singapore's app store age assurance deadline collectively signal that child online safety has become the dominant regulatory forcing function across jurisdictions — with enforcement teeth now appearing alongside the legislation.

The EU interim regulation permitting voluntary scanning of private communications for child sexual abuse material has lapsed, effective this Saturday. Platforms running detection programs under that framework — including end-to-end-encrypted services that secured specific authorization — now face direct exposure under GDPR Article 5 and ePrivacy rules, with no replacement instrument in force. The proposed Chat Control regulation establishing a permanent scanning regime remains stalled; no passage timeline is reliably foreseeable. The practical question is whether continuing any detection activity, even voluntarily, is now lawful — and affected platforms need legal review of that question immediately. Watch level: ACT NOW (messaging platforms, social media operators with active CSAM detection programs — the interim legal basis expired Saturday; operations relying on it are now without regulatory foundation)

The French Senate has passed legislation prohibiting social media access for under-15s, advancing the measure toward potential enactment. If signed, France would be the first EU member state to adopt a hard age floor matching Australia's 2024 model. This matters beyond France: the DSA framework does not preempt such national restrictions on platform access, and a French precedent may accelerate equivalent proposals in Germany, Spain, and elsewhere. Platform operators should assess whether current age verification and consent architectures could satisfy a sub-15 prohibition, since retroactive engineering at scale is operationally costly. Watch level: PREPARE (social media platforms with EU user bases — bill passed Senate, enactment not confirmed; begin scoping age assurance infrastructure now)

The FTC has filed a proposed settlement with Match Group and OkCupid over sharing biometric and other sensitive user data with facial recognition firm Clarifai contrary to disclosed privacy policies. The order imposes no civil penalty but establishes a permanent injunction covering a broad scope of data types and practices. Two enforcement signals are worth separating: first, the FTC continues to treat biometric data-sharing as a priority even under the current administration; second, the absence of a monetary penalty does not reduce the injunction's compliance burden, which is permanent and forward-looking. Consumer-facing platforms sharing sensitive data with AI or biometric vendors should review third-party data agreements against their current privacy disclosures. Watch level: ACT NOW (consumer data platforms, dating apps, any platform sharing biometric or sensitive personal data with AI vendors — order is filed; review third-party data-sharing agreements and privacy disclosures now)

Utah and South Dakota have enacted genetic privacy laws, adding to a state-level patchwork now spanning at least a dozen jurisdictions with distinct consent, retention, and disclosure requirements for genetic data. The pattern — parallel state enactments absent a federal framework — mirrors the general consumer privacy fragmentation dynamic but is more acute for genetic data because the sensitivity threshold and lawful basis requirements are higher and more variable. Organizations operating direct-to-consumer genetic services, health research programs, or employer wellness programs with genetic components should confirm that state-by-state obligations are mapped and that consent workflows are jurisdiction-specific where required. Watch level: PREPARE (health data platforms, DTC genetic testing companies, employer benefit programs — laws enacted in UT and SD; conduct jurisdiction mapping now)

Australia's eSafety Commission has identified material compliance failures by Facebook, Instagram, Snapchat, TikTok, and YouTube under the Social Media Minimum Age law, citing inadequate age assurance and exploitation of biometric error margins near the 16-year threshold. Enforcement decisions are targeted for mid-2026. Separately, the OAIC has opened consultation on a draft Children's Online Privacy Code through June 5, 2026, which operates alongside the minimum age law and introduces enhanced data protection obligations — including for biometrics — for services accessed by minors. Platforms already building age verification infrastructure for the minimum age law now face a parallel compliance design question from the privacy code. Watch level: PREPARE (social media platforms, app operators with minor users in Australia — enforcement targeted mid-2026; consultation closes June 5; begin dual-track compliance scoping now)