19 September 2025

Watchdogs Sound Alarm Over Data Privacy Lapses

Major investigations in the US, Ireland, and Italy reveal troubling failures in protecting personal data, prompting regulatory crackdowns and calls for stronger safeguards.

In a week marked by heightened scrutiny over digital privacy, watchdog agencies across Europe and the United States have sounded alarms about the handling of personal data by some of the world’s most influential companies and institutions. From the YouTube stardom of MrBeast to the high-security corridors of Irish government, and even the bustling terminals of Milan’s airports, a series of investigations and regulatory actions have exposed troubling lapses in the protection of sensitive information.

On September 18, 2025, the Children’s Advertising Review Unit (CARU), operating under BBB National Programs, announced its findings that Jimmy Donaldson—better known as MrBeast, the globe’s most-followed YouTuber with a staggering 436 million subscribers—had improperly collected data from children without parental consent. According to CARU, the violations centered on sweepstakes competitions promoted on MrBeast’s channel. Children, some under the age of 13, were encouraged to enter for a chance to win $10,000 by providing personal details such as their full names, phone numbers, addresses, and email addresses. This process, watchdogs said, did not include any method for collecting verifiable parental consent, as required by the federal Children’s Online Privacy Protection Rule (COPPA).

The issue extended to the Feastables website, an affiliate business tied to MrBeast. Here, users were met with persistent pop-ups urging them to submit their email addresses with the enticing message, “MrBeast Wants You to Join the Crew.” If a user complied, a second pop-up requested their phone number, and both pieces of information were subsequently sent to third parties. The watchdog’s investigation revealed that these practices left children’s data exposed and potentially accessible to advertisers and marketers without the safeguards mandated by law.

Faced with these findings, Donaldson moved quickly to work with CARU to overhaul his channel’s data collection and advertising practices. The watchdog confirmed that the problematic systems had been updated and the specific issues rectified. In a statement, Feastables acknowledged CARU’s mission, saying it “appreciates CARU’s mission to promote responsible children’s advertising.” However, the company added, “it did not agree with all the conclusions made in the decision or the premises on which they were based.” Nevertheless, MrBeast and Feastables committed to considering CARU’s concerns in future advertising efforts directed at children.

While the MrBeast episode unfolded in the United States, a parallel drama was playing out in Ireland, where the Data Protection Commission (DPC) expressed “extreme concern” over revelations from RTÉ Prime Time’s undercover investigation. The exposé, aired on September 19, 2025, uncovered that location data from tens of thousands of Irish smartphones was available for purchase on the open market. The data, which included minute-by-minute movements of 64,000 devices over a two-week period, offered an unprecedented window into the daily routines and private lives of ordinary citizens—sometimes with chilling precision.

RTÉ journalists, posing as data analytics entrepreneurs, were able to obtain a large sample of this data for free from one broker, who also offered a constantly updated feed with a short delay. The information detailed the movements of individuals into and out of high-security prisons, military bases, Leinster House (the seat of the Irish parliament), hospitals, and mental health facilities. In one striking example, the data allowed the identification of a government worker’s home address and daily commute, simply by tracking the device’s repeated journeys between sensitive locations and a residential address.

Barry Ward, a parliamentary official, voiced his alarm to RTÉ Prime Time: “What has really shocked me is the extent to which you can take that data parcel, break it down to an individual, trace the individual’s movements to the extent that you can identify where they live, where they work… or where they go on a day-to-day basis. The notion that the information about their movements is free and available to buy for anyone is frightening, totally inappropriate, and definitely dangerous.”

Data brokers, when questioned, maintained that no privacy breach had occurred, arguing that smartphone owners had consented to such use via app terms and conditions, and that the data was anonymized. However, the DPC was not convinced. In a statement, the agency said, “Location data can reveal a significant amount of information about individuals, including information about an individual’s habits and personality, and information that is inherently sensitive. Information about an individual’s location can also pose a serious risk to their security and wellbeing.” The DPC is now working to identify the data broker involved and has pledged to take action or coordinate with other EU data protection authorities, depending on where the company is based.

Meanwhile, in Italy, the country’s privacy watchdog GPDP intervened decisively in the use of facial recognition technology at Milan’s Linate and Malpensa airports. On September 11, 2025, the GPDP ordered the suspension of SEA’s ‘Faceboarding’ system, which had allowed passengers to board flights by simply scanning their faces—no boarding passes or travel documents required. The decision, made public on September 17, 2025, cited serious concerns regarding data control, encryption, storage, and retention.

According to the GPDP, SEA’s system failed to provide passengers with active control over their biometric data, which instead remained the exclusive property of the airport operator. Even more troubling, the biometric templates were stored without encryption for up to 12 months, a practice the watchdog said was in violation of EU data protection regulations. The GPDP had previously invited SEA to explore alternative, more privacy-conscious solutions as early as December 2024, but found the company’s approach incompatible with European law.

SEA, for its part, asserted that it “believed itself to be compliant with the applicable regulations” and stated it was “actively cooperating with the Authority to clarify all aspects related to data processing.” The GPDP clarified that there is no general ban on facial recognition at airports, but that any implementation must employ technology that ensures proper data protection and user control.

Taken together, these three cases underscore the persistent tension between technological innovation, business interests, and the fundamental right to privacy. Whether it’s the lure of viral sweepstakes, the invisible trade in location data, or the promise of seamless airport experiences, each scenario reveals how easily personal information can slip into the hands of third parties—sometimes without individuals even realizing it. As regulators tighten their grip and public awareness grows, the spotlight is now firmly fixed on companies and institutions to prove that convenience and profit need not come at the expense of privacy.

With watchdogs on high alert and the public increasingly wary, the future of data privacy in the digital age hangs in the balance—demanding vigilance, transparency, and, above all, respect for the individuals whose data powers our connected world.