N05 | Monday Edition | 20 April 2026

Digital Law Worldwide Update

Monday 13 April to Sunday 19 April 2026

Coverage Window: Monday 13 April to Sunday 19 April 2026

New Title Headlines

EU age verification reaches deployment stage, while DSA minors enforcement tightens around major platforms.
EDPB standardizes DPIAs and accelerates anonymisation and research guidance.
Ofcom closes the initial online-safety fee window and readies the next charging cycle.
Ofcom keeps Online Safety Act monitoring active through fresh risk-assessment requests.
The EU child-safety panel widens the age-limit debate for social platforms.
Virginia bans the sale of precise geolocation data in a VCDPA update.
Massachusetts proposes teen social-media protections with age assurance and default safety controls.
The EU and South Korea finalize a digital trade agreement with trusted data-flow rules.
Korea pairs tougher public-sector leak penalties with pseudonymized-data support.
New York advances AI, surveillance, and dating-platform bills in parallel.
FTC opens fee-transparency rulemaking for online food and grocery delivery.

Detailed Summaries

EU age verification reaches deployment stage

Summary: On 15 April the European Commission said its harmonised age-verification solution was technically ready and would soon be available as an app, and the next day the European Board for Digital Services reaffirmed minors protection as a DSA priority and tied implementation to Article 28(1). The practical effect is that age-gating is no longer an abstract policy discussion: platforms now need to decide how to integrate age assurance, what evidence they will keep about accuracy and robustness, and how to explain privacy-preserving verification to regulators and users. The Commission's pitch is that the app can prove age without collecting additional personal data or enabling tracking, but that claim will only matter if providers can show the control works at scale and fits the rest of their safety stack.

EDPB standardizes DPIAs and accelerates anonymisation work

Summary: On 14 April the EDPB adopted a DPIA template and opened a consultation that runs to 9 June, aiming to standardize how controllers structure and evidence high-risk processing assessments. Two days later it issued scientific-research guidelines, set up a sprint team to finish anonymisation guidance, and approved Europrivacy criteria as European Data Protection Seals, including one seal that can support transfers by data importers outside Europe. The package matters because it turns abstract GDPR concepts into repeatable workflows: teams now have to document why a processing activity is high risk, what assumptions back any anonymisation claim, and whether certification can support internal approval or cross-border transfer design. It is a significant step toward more uniform controller documentation across the EU.

Ofcom closes the initial online-safety fee window

Summary: On 13 April Ofcom updated its online-safety fees page to note that the initial 2026/27 notification window closed on 11 April, meaning fee-liable providers now move into the verification and invoice-preparation phase. The regulator says providers who already notified can expect rolling information requests for the next charging year, while the 2027/28 window opens in June. That sits alongside Ofcom's broader monitoring of record-keeping and risk-assessment duties, so regulated services now face a two-track compliance burden: prove the accuracy of qualifying worldwide revenue, and keep documentary evidence ready for online-safety supervision. For large platforms, this is a financial-control issue as much as a content-governance issue.

Ofcom keeps Online Safety Act monitoring active

Summary: Ofcom's 13 April update also matters because it shows the regulator using evidence requests as its main enforcement lever. The ongoing programme on illegal-content and children's risk assessments already sent formal information requests to 30 providers covering 43 services and more than 70 risk assessments, which means the early phase of Online Safety Act implementation is looking less like a grace period and more like an audit cycle. Providers need to treat risk registers, mitigation choices, and record retention as live compliance artefacts, not background policy documents. In practice, the combination of fee liability, formal requests, and record-keeping scrutiny makes the UK's regime feel operational rather than aspirational.

The EU child-safety panel widens the age-limit debate

Summary: On 16 April the Special Panel on child online safety held its second meeting, focusing on current EU rules, Member State expertise, and international approaches such as Australia's social-media minimum age. The panel exists to advise President von der Leyen on child safety online and the possible need for harmonised age limits, with a report due by summer 2026. That matters because the EU is now separating the technical question of how to verify age from the policy question of whether social platforms should be unavailable to younger teens at all. Platforms and lawmakers should expect the panel to feed directly into the next round of DSA child-safety debate, especially around age thresholds, parental controls, and service design.

Virginia bans the sale of precise geolocation data

Summary: On 14 April Virginia Governor Abigail Spanberger signed SB338, amending the Virginia Consumer Data Protection Act to ban the sale of consumers' precise geolocation data and to make the change effective on 1 July 2026. The update matters because Virginia is moving beyond consent-based treatment of location data and into an outright sale prohibition, which is more aggressive than the usual sensitive-data-with-consent model. That change hits ad-tech, location-data brokers, analytics vendors, and downstream buyers that rely on geo datasets for targeting, attribution, or audience segmentation. It also gives Virginia another privacy-law edge that businesses operating across multiple states will need to map carefully.

Massachusetts proposes teen social-media protections

Summary: On 14 April Governor Maura Healey filed a supplemental budget proposal that would require social-media platforms to use age assurance, apply strong default safety settings for users under 18, and disable features such as infinite scroll, autoplay, algorithmic feeds, overnight access, and location tracking by default. For users 15 and under, only a parent or guardian could change those settings, and the proposal would also limit cumulative use to two hours per day and require easy reporting of harmful content. This is one of the most detailed youth-online-safety proposals in the United States, and it pushes the issue beyond vague calls for safer design into product defaults, time limits, and parental controls that would require real technical implementation.

The EU and South Korea finalize a digital trade agreement

Summary: On 17 April the European Commission and South Korea used the 13th EU-Republic of Korea Trade Committee and the first Strategic Dialogue on Trade, Supply Chains and Technology to endorse the final text of the EU-Korea Digital Trade Agreement, which is slated to be signed later this year. The Commission frames the deal as a way to build consumer trust, legal certainty, and trusted data flows while keeping a high standard for digital trade rules. For legal teams, the significance is not just trade diplomacy: it is a sign that cross-border data, digital services, and supply-chain governance are increasingly being bundled into broader economic-security arrangements. That will matter for data transfer planning, digital contracting, and sector-specific market-access issues.

Korea pairs tougher public-sector leak penalties with pseudonymized-data support

Summary: On 13 April the PIPC announced it would substantially expand penalties for public institutions that leak personal data, linking the move to its 2026 public-sector privacy evaluation plan. On 15 April it followed with an on-site briefing for research institutions on pseudonymized-data support, explicitly framing the programme as part of AI-era safe data use and policy research. The combination is important because it shows Korean privacy policy moving on two tracks at once: harder punishment for public-sector mishandling and more formal channels for controlled reuse of de-identified or pseudonymized data. Universities, hospitals, and contractors will need to prove both security discipline and eligibility for the data-use pathways they want to rely on.

New York advances AI, surveillance, and dating-platform bills

Summary: On 13 April New York's legislature pushed several digital-law bills forward in parallel. Assembly Bill A7172A was amended and recommitted to codes, requiring DCJS to write a protocol for AI and facial-recognition use in criminal investigations; Senate Bill S9890 was referred to consumer protection to regulate automatic license plate reader systems; and Senate Bill S9097 advanced to third reading with new rules on content bans and record retention for online-dating services. The common thread is that New York is treating surveillance, biometric tools, and platform moderation as one policy cluster rather than separate debates. That makes the package a useful bellwether for other states and for national vendors watching state-by-state precedent.

FTC opens fee-transparency rulemaking for delivery platforms

Summary: On 14 April the FTC asked for public comment on whether to pursue rulemaking against unfair or deceptive fee practices in online food and grocery delivery services. The notice is framed as a fee-transparency exercise, but it is really a signal that the agency is willing to test sector-specific rules where online intermediaries sit between consumers and essential transactions. The ANPRM asks about total price disclosure, fee presentation, variable charges, promotions, and unauthorized billing, which means delivery platforms should expect closer scrutiny of how mandatory charges are shown and when they become visible in the checkout flow. For product and legal teams, this is another example of consumer-protection law reaching directly into interface design.

Global Pattern

Across jurisdictions, the week shows digital law moving into operating mode across child safety, privacy engineering, fees, digital trade, and consumer pricing. Europe is pairing age verification with more structured data-protection and identity workflows, the UK is turning online-safety oversight into both evidentiary and financial obligations, and US states are moving from debate to concrete restrictions on location data and teen-facing social features.

The broader point is that digital law is no longer confined to privacy or AI. It now reaches product defaults, fee presentation, revenue calculations, cross-border trade rules, and the conditions for using sensitive data. Legal teams need to track those issues as one operational program, not as isolated specialist silos.

Dates to Watch

30 April 2026: ENISA's public consultation on the draft EU Digital Wallet certification scheme closes.
9 June 2026: The EDPB consultation on its DPIA template closes.
25 June 2026: The EDPB consultation on its scientific-research guidelines closes.
1 July 2026: Virginia's precise-geolocation sale ban takes effect.
18 May 2026: FTC comments on online food and grocery delivery fee rulemaking are due.

Sources

Primary / Official Sources

Secondary / News Sources

Digital Law Worldwide Update is produced for legal professionals, in-house counsel, compliance officers, and consultants.