Privacy Pulse: The Biggest Privacy Stories of May 2026

Privacy Pulse: May 2026

May was one of the busiest months for consumer privacy in recent memory. Regulators handed down record penalties, two of the largest data breaches of the year exposed hundreds of millions of records, a federal privacy bill moved toward its first hearing, and a criminal crew showed just how dangerous your personal information becomes once it is loose on the open web. The common thread runs through everything Priwall by mePrism was built to address: the less of your personal data that is exposed, the harder you are to target.

Here are the developments that mattered most this month, and what they mean for you.

A record privacy penalty for selling driver data

California delivered the largest penalty in the history of its privacy law. On May 8, the state announced a $12.75 million settlement with General Motors and OnStar over the secret sale of precise location and driving-behavior data from connected vehicles. That data was sold to companies that used it to set insurance premiums, with no clear consent or notice to drivers (California Attorney General, CalMatters).

For consumers, this is a reminder that the products you use every day, including your car, can quietly become data brokers in their own right. The settlement bars GM from selling this data for five years and requires deletion of retained driving records, but it also signals that regulators are finally treating excessive data collection itself as the violation (LA County District Attorney).

A permanent ban on selling sensitive location data

On May 4, the FTC permanently banned data broker Kochava from selling location data that can reveal visits to health clinics, places of worship, and domestic violence shelters, ending nearly four years of litigation. One Kochava dataset alone covered 61 million devices and 327 million location pings in a single day (FTC, White & Case).

This matters because location data is among the most revealing information about you, capable of exposing your health, beliefs, and daily routines. The order establishes that selling it without your clear, opt-in consent can be an unfair practice that puts people in physical danger, not just a deceptive one (FTC order).

Two massive breaches expose hundreds of millions of people

May brought two of the year's largest breaches, both tied to the same criminal group, ShinyHunters. Early in the month, the group breached Instructure, the company behind the Canvas learning platform used by a large share of U.S. universities, claiming roughly 275 million records including names, emails, student IDs, and private messages (CNN, BBC). The FTC issued a consumer alert in response (FTC).

Days later, Carnival Cruise Line confirmed that the same group had accessed data on nearly 6 million customers, including names, emails, dates of birth, and loyalty details, after an employee was tricked into granting system access. Notices went out on May 27, with two years of credit monitoring offered (Malwarebytes). Both breaches started with social engineering rather than a technical exploit, which is exactly why reducing your exposure matters.

BlackFile shows why your exposed data is the entry point

On May 15, Google's Mandiant threat intelligence team published a detailed profile of a criminal crew known as BlackFile, also tracked as UNC6671. The group calls employees on their personal cell phones, pretends to be internal IT, walks them through a fake security update that hands over their login, and then quietly streams enormous volumes of company data out the door (Google Threat Intelligence Group).

What makes BlackFile so relevant to consumers is what it depends on: your personal cell number, your home address, your relatives, and other details that sit freely available across more than 100 data broker sites. That open-web exposure is what makes the fake phone call sound real. On May 11, the group's leak site briefly resurfaced to announce it was shutting down "under this name," which researchers read as a rebrand rather than a true exit (The Hacker News, Unit 42). Removing your data from broker sites is precisely how you make yourself a harder, more expensive target.

A federal privacy bill heads to its first hearing

The SECURE Data Act, introduced in April, moved a step closer in May. On May 27, a House subcommittee announced its first hearing for June 3. The bill would create national rights to access, correct, delete, and opt out of data sales, and would require data brokers to register with the FTC (House Energy & Commerce).

The catch for consumers is significant. The bill would override all 21 existing state privacy laws, including California's stronger protections, and it does not let individuals sue companies that violate their rights. Privacy advocates have argued the proposal would trade strong state protections for a weaker national floor (EFF, National Law Review).

Connecticut adds real teeth to data broker rules

On May 27, Connecticut signed a new law that bans the sale of precise location data and creates a single, one-click request to delete your information from every data broker registered in the state. The law takes effect October 1 (Consumer Reports, MediaPost).

This is the kind of practical, consumer-friendly mechanism that makes privacy rights usable rather than theoretical, and it adds to the patchwork of state protections that a federal bill could otherwise erase.

The compliance gap that proves the point

A new study released May 20 audited California's 522 registered data brokers and found that only 9% were fully transparent about their practices. Of the broker request processes tested, 43% made it impossible to exercise all consumer rights, and 64% used deliberate friction to discourage people from opting out (Stanford study via arXiv).

The takeaway is blunt: even where strong laws exist, most brokers make it hard to use your rights. That gap between what the law promises and what brokers actually deliver is exactly why having a privacy agent work on your behalf matters.

Steps to take now

You do not have to wait for Congress or your state legislature to improve your privacy posture. Three steps remain essential.

Freeze your credit

The FTC says a credit freeze is free and helps stop identity theft by making it harder for anyone to open a new account in your name. Contact all three major bureaus; freezes are generally placed within one business day and can be lifted within an hour (FTC, USA.gov).

Equifax credit freeze

Experian security freeze center

TransUnion credit freeze

Use phishing-resistant MFA

Multi-factor authentication adds a critical second layer beyond your password. As BlackFile showed, text-message and push approvals can be intercepted, so where possible use a security key or passkey, and never approve a login prompt you did not start yourself.

Register with the FTC Do Not Call Registry

The FTC says you can register your home or mobile number for free at DoNotCall.gov or by calling 1-888-382-1222 from the phone you want to register. Online registration requires confirming a link within 72 hours, and legitimate sales calls may take up to 31 days to stop (FTC, DoNotCall.gov).

Register at the FTC National Do Not Call Registry

Looking ahead

The message from May is consistent. Regulators are pushing harder on the companies that collect and sell your data, but breaches and extortion crews are moving faster, and most data brokers still resist giving you control. The personal information sitting on broker sites is no longer just a privacy nuisance; it is the raw material for the most damaging attacks of the year.

That is the gap Priwall by mePrism was built to close: continuously finding and removing your personal data across the broker ecosystem, so you are harder to target before anything goes wrong. Clarity builds trust, and the clearest step you can take is to shrink your footprint before someone else exploits it.

Ready to try Priwall by mePrism?

If you're a company protecting at-risk employees, or an individual concerned about your digital footprint, start your privacy removal today at mePrism.com
Because your data shouldn’t be a roadmap for violence.

Click here to create your Free Basic account.
 

Explore more from Our Team

Browse more posts written by our team to help you stay in control.

Be Part of the Conversation


 
Previous
Previous

The Post-DROP Household Data-Broker Removal Playbook for 2026

Next
Next

How a New Vishing Extortion Crew Is Weaponizing Personal Data — and Why Privacy Hygiene Is a Frontline Defense