Children’s Data, AI and Enforcement: Key Developments from Spring 2026

Developments You Might Have Missed (But Rulefinder Data Privacy Hasn’t)

Want to stay ahead of regulatory change? Rulefinder Data Privacy helps you track, interpret, and act on global developments - so your organisation can stay compliant with confidence. Here’s a roundup of key themes we’ve covered throughout spring.

Children’s data: Rising global attention

Regulators worldwide are increasing scrutiny on children’s data, with new laws, guidance, and enforcement measures emerging.

Brazil: A new law aimed at protecting children online (ECA Digital) came into force on 17 March 2026, introducing:

• age-appropriate design requirements across digital services

• more robust parental controls and enhanced transparency expectations

• clear accountability measures and restrictions on certain practices involving children

The ANPD in Brazil has issued preliminary guidance on the use of age-assurance technologies.

Australia: The OAIC has also published guidance on age-assurance technologies, reinforcing expectations in this area

USA:

• from 1 April 2026, under the Maryland Kids Code, organisations are now expected to carry out data protection impact assessments for online products likely to be accessed by children under 18

• Nebraska has expanded its online safety law, broadening its scope and the range of design features subject to additional obligations

Our key advice to organisations is to:

• monitor developments as regulatory frameworks rapidly evolve.

• ensure processes and procedures are in place to implement requirements such as risk assessments and age-appropriate design.

• pay close attention to age verification requirements and guidance on relevant technologies in this area.

• maintain clear records of processing so that the necessary controls can be applied where children’s data is processed.

We recently updated our “Topic in focus” for children’s data. Please get in touch if you would like a copy.

Steady stream of global compliance guidance

Regulators continue to issue guidance to help organisations navigate complex compliance areas.

Key jurisdiction - France (CNIL):

• a Q&A document on its cookie guidance, helping to clarify practical implementation

• a template DPO activity report to support accountability

• updates to its data protection doctrine, including key decisions and regulatory positions

• guidance on the use of tracking pixels (with similar guidance also published by the Italian Garante)

• guidance on retention periods, including detailed benchmarks for employment data 

Key topics:

New guidance on lawful bases for processing has been released, with regulators providing guidance on consent and transparency in Israel and Türkiye.

In the UK, the ICO has issued updated guidance on legitimate interests and purpose limitation, reflecting recent legislative changes by the Data (Use and Access) Act.

Other key themes like data breach (see this quick reference guide from the Canadian regulator) and international transfers (for example the ICO’s new interactive international transfer guidance tool) remain important areas for regulators to provide guidance and clarification on.

Next steps: It’s worth taking stock of the latest guidance available and using it as an opportunity for a review of the compliance approach in key jurisdictions or on key topics.

Artificial intelligence: Expanding rules and guidance

The EU AI Act is not the only game in town when it comes to legislation and guidance on AI.

China:

In April, two key sets of Measures were finalised:

• the Trial Measures for Ethical Review and Service of Artificial Intelligence Technology require certain key principles to be adhered to throughout the AI lifecycle and set out the process for ethics reviews of in scope activities

• the Interim Measures for the Management of Artificial Intelligence Anthropomorphic Interactive Services apply to systems simulating human interaction, and include restrictions and obligations on providers

Philippines: The NPC has published guidelines on data scraping, which is particularly relevant where publicly available data is used to train AI systems

Türkiye: Guidance on generative AI in the workplace and agentic AI systems, including associated compliance considerations

Next steps: Organisations should review their processing activities in these jurisdictions and assess whether they are caught by any new rules, or whether processes should be adjusted in line with any update guidance.

Spotlight on South Korea: Increased regulatory activity

We’ve seen a surge in activity in South Korea. Recently, we spoke with local counsel, Michael Kim (Kim & Chang), to explore what these developments mean in practice.

• you can read a summary of the key points here 

• the full recording of the discussion can be accessed on request

Our main recommendations for organisations are:

• review security arrangements and incident response plans in the light of upcoming amendments and new regulatory powers, including proactive investigations and global server searches.

• ensure the appointment of a domestic agent and comply with PIPA, regardless of local presence, due to PIPA’s broad jurisdiction.

• review privacy notices and consider the need for a South Korea specific notice (or addendum) to meet local requirements and nuances.

• ensure consent forms meet South Korean formatting and disclosure requirements, including explicit purposes, retention periods, and proper sectioning.

• monitor regulatory developments. It is likely that further regulations, guidelines (which may function as de facto rules and be used as standards during audits), and enforcement decrees will be issued in the short term which may impact compliance standards.

South Africa - new opt-out registry

South Africa has introduced a new opt-out registry for direct marketing.

• organisations are required to register on the system to carry out direct marketing activities

• marketing lists must be screened against the opt-out database before use

• if there are issues with accessing the registry from outside South Africa, organisations can contact the National Consumer Commission