A Chinese toy seller violated children’s privacy law by allowing a third party in China to collect children’s geolocation data without parental consent, the FTC alleged in an enforcement action announced Wednesday.

Software company PowerSchool’s failure to protect the personal information of almost 900,000 Texas schoolchildren and educators late last year was a violation of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act, alleged Attorney General Ken Paxton (R) in a lawsuit Wednesday (see 2509030050). Texas joined Tennessee (see 2505120026) and a class-action in California (see 2501220057) in suing the company over the incident.

Draft regulations to implement the New Jersey Data Protection Act (NJDPA) may exceed the statute, said advertising, tech industry and news media groups in comments to the New Jersey attorney general’s office’s Division of Consumer Affairs. They suggested that New Jersey try to align more closely with other states that have comprehensive privacy laws.

The EU General Court threw out a challenge to the EU-U.S. Data Privacy Framework (DPF) on Wednesday, confirming that the U.S. adequately protects Europeans' personal data and that trans-Atlantic data flows can continue.

Privacy Daily is providing readers with the top stories from last week, in case you missed them. All articles can be found by searching the title or clicking on the hyperlinked reference number.

Consumers filed 214 complaints in the first year since the Oregon Consumer Privacy Act (OCPA) took effect, with the majority concerning online data brokers, according to a report from the state’s DOJ. The right to delete data was consumers' top complaint.

Congress should amend the Gramm-Leach-Bliley Act and preempt all state privacy laws from regulating financial services, the Mortgage Bankers Association (MBA) said in comments to the House Financial Services Committee.

Disney violated children’s privacy law by allowing illegal collection of minors' personal data on YouTube, the FTC alleged in a $10 million settlement announced with Disney on Tuesday.

A circuit split centering on interpretations of the Video Privacy Protection Act (VPPA) of 1988 suggests the U.S. Supreme Court could decide to review two cases about the statute simultaneously.

A California bill to set notification deadlines for data breaches passed the Senate unanimously on Thursday and could be headed to the governor’s desk soon. The Senate passed SB-446 on May 28 and it’s been sailing through the Assembly on consent agendas since then (see 2508200033). Meanwhile, state fiscal hawks advanced many privacy and AI bills, while holding back some others, at committee meetings Friday.