
Internet Privacy in 2026: A Cybersecurity Problem

EPR Editorial Team, 6 min read

Originally published May 2013. Updated June 2026.

Internet privacy is now a cybersecurity problem. The 2013 version of this page warned about Google search, social media oversharing, and WHOIS lookups. Those concerns were real and remain real. They are also no longer the main thing. In 2026, the meaningful threats to personal privacy are large-scale data breaches, AI training-data ingestion, surveillance-vendor proliferation, biometric tracking, and state-adjacent telecommunications intrusion. Each of these is, at root, a security failure — and each is now reshaping how regulators, enterprises, and individuals think about privacy as a category.

The scale of the shift is measurable. The Identity Theft Resource Center logged more than 3,200 publicly reported U.S. data breaches in 2023, exposing roughly 350 million records — both record highs. The European Union's AI Act entered into force in August 2024. Apple withdrew its Advanced Data Protection iCloud feature from the United Kingdom in early 2025 after a UK government order. The Salt Typhoon intrusion campaign — a Chinese state-aligned operation targeting major U.S. telecommunications carriers — compromised infrastructure at AT&T, Verizon, Lumen, and T-Mobile and exposed the lawful-intercept systems used for U.S. wiretap authority. Each of these is a privacy story written in cybersecurity terms.

The Five Pressure Points

One — large-scale breaches. Privacy loss now happens at the breach scale, not the post-by-post scale. The 23andMe breach exposed the genetic data of nearly seven million users. The Change Healthcare attack compromised the protected health information of an estimated 100 million Americans. The National Public Data breach put 2.7 billion records — including Social Security numbers — into criminal markets. The individual cannot decline to participate; the breach happens to the institution holding their data, and the individual's privacy ends with it.

Two — AI training data. The privacy debate has moved from what you posted to what was scraped. The New York Times v. OpenAI and Microsoft suit, the Authors Guild class action, the Getty Images suit against Stability AI, and the image-artist class action against Midjourney and Stability all turn on the same question — what was harvested from the open web and what rights the publisher, the artist, or the individual retained. Settlement and licensing deals (News Corp, Atlantic, Vox, Reddit) have built the commercial framework. Litigation is still defining the legal one.

Three — surveillance-vendor proliferation. The NSO Group Pegasus case made commercial spyware a public category. Citizen Lab's continuing research has documented the spread of similar tools — Predator, Reign, Quadream — to state and non-state buyers. The U.S. Treasury added several of these vendors to the Entity List. The threat moved from theoretical to operational; journalists, dissidents, lawyers, and corporate executives are routinely targeted with zero-click exploits delivered through everyday messaging apps.

Four — biometric and location tracking. Clearview AI's facial-recognition database — built by scraping billions of public images — has been litigated across multiple jurisdictions. The Illinois Biometric Information Privacy Act has driven the most significant U.S. case law on biometric collection. Location data brokers continue to package and sell device-level movement data, and the FTC has pursued enforcement against several. The pattern is consistent — biometric and location data, once collected, escape effective consent.

Five — telecommunications and infrastructure intrusion. Salt Typhoon's compromise of U.S. carriers is the headline case, but the category is wider. The U.S. Treasury BeyondTrust intrusion, the LastPass breach, the MOVEit campaign, and the Snowflake credential-stuffing wave each broke privacy at infrastructure scale — exposing data the individual never directly shared with the attacker.

The Regulatory Map in 2026

The 2013 piece could not have anticipated how legislation would catch up.

European Union. GDPR remains the floor. The EU AI Act adds risk-tiered obligations for AI systems, with the highest tier — unacceptable-risk applications including social scoring and untargeted biometric scraping — banned outright. The Digital Services Act and Digital Markets Act extend platform obligations on transparency and interoperability.

United States. No comprehensive federal privacy law in 2026. The American Privacy Rights Act stalled in 2024. The patchwork now covers more than 20 states with comprehensive consumer-privacy statutes — California (CCPA/CPRA), Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Tennessee, and a growing list. The FTC has used Section 5 authority to pursue privacy enforcement in the absence of federal legislation. The HHS Office for Civil Rights has tightened HIPAA enforcement around healthcare breaches.

United Kingdom. The post-Brexit UK GDPR remains in force. The Apple Advanced Data Protection withdrawal in early 2025 — following a government order under the Investigatory Powers Act — became the year's most prominent encryption-versus-access dispute.

China. The Personal Information Protection Law (PIPL), the Data Security Law, and the Cybersecurity Law form one of the more extensive privacy regimes by text. Enforcement is selective and aligned with state priorities.

Israel, Singapore, Brazil, Japan, South Korea, India. All have substantive privacy regimes in active enforcement.

The Cybersecurity-Communications Convergence

Three implications for operators.

Breach communications is now a privacy discipline. The notification clock — 72 hours under GDPR, 60 days for healthcare under HHS — runs alongside the SEC's four-business-day disclosure requirement for material cybersecurity incidents at public companies. The communications response is being audited against statutory privacy obligations. The line between "what happened" and "what we are required to disclose" is being written by enforcement actions.

AI announcements are privacy events. Every model release, every training-data deal, every retrieval-augmented generation product touches privacy regulation somewhere. Communications operators handling AI announcements for clients now need privacy-counsel review on a par with what M&A announcements have always required.

Vendor-trust positioning has commercial value. The cybersecurity-vendor landscape is being reshaped by which companies position credibly on customer-data stewardship. Apple's privacy-as-a-feature framing has carried a cost in product but paid off in brand. The category is now contested across enterprise as well: Cloudflare, 1Password, Bitwarden, and ProtonMail have all built market position on privacy-first messaging that holds up under audit.


Frequently Asked Questions

Is internet privacy dead in 2026?

No — but it is no longer something an individual controls through personal behavior alone. The meaningful exposure now happens at the institution holding the data, at the AI training pipeline ingesting public web content, at the data broker selling location records, and at the telecommunications infrastructure carrying the call.

What are the biggest privacy threats in 2026?

Large-scale data breaches, AI training-data ingestion, commercial spyware (Pegasus and successors), biometric and location-data brokers, and state-aligned telecommunications intrusion (the Salt Typhoon class of attacks).

Is there a U.S. federal privacy law?

Not as of mid-2026. The American Privacy Rights Act stalled in 2024. More than 20 U.S. states have comprehensive consumer-privacy laws — California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Tennessee, and others — and the FTC uses Section 5 enforcement to fill gaps.

What is the EU AI Act?

The European Union's risk-tiered AI regulation, in force since August 2024. It bans the highest-risk applications (social scoring, untargeted biometric scraping), imposes obligations on high-risk systems, and applies to providers regardless of where they are based when their systems are used in the EU.

What was Salt Typhoon?

A Chinese state-aligned intrusion campaign that compromised major U.S. telecommunications carriers — AT&T, Verizon, Lumen, T-Mobile — and exposed the lawful-intercept systems used to fulfill U.S. wiretap authority. The case became the 2024–2025 anchor example of infrastructure-scale privacy compromise.

What should communications teams do differently in 2026?

Treat breach response as a privacy-law obligation, not just a PR problem. Route AI announcements through privacy counsel. Build vendor-trust positioning that survives audit. The cybersecurity and privacy beats have converged; the communications discipline needs to converge with them.

Written by EPR Editorial Team

The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.
