Weekly Compliance Brief: July 6-10, 2026
A Supreme Court ruling raises new EU-U.S. data transfer concerns, California advances CIPA reform, and EAA enforcement gains momentum.
A Supreme Court ruling raises new EU-U.S. data transfer concerns, California advances CIPA reform, and EAA enforcement gains momentum.
This week’s roundup covers new questions about EU-U.S. data transfers, proposed changes to California tracking litigation, approaching EU AI Act deadlines, and growing European Accessibility Act enforcement.
Here are the privacy, accessibility, cybersecurity, and content takedown developments that mattered from July 6 to 10, 2026.

On June 29, 2026, the U.S. Supreme Court ruled in Trump v. Slaughter that the president may remove FTC commissioners without cause. Privacy group noyb argues that the decision weakens a central assumption behind the EU-U.S. Data Privacy Framework: that the FTC operates as an independent enforcement authority.
The ruling did not directly address the GDPR, international data transfers, or the DPF. The European Commission’s adequacy decision remains in effect, so certified businesses may continue relying on the framework. Organizations transferring personal data from the EU to the U.S. should still confirm which safeguards they use, review their Transfer Impact Assessments, and monitor further guidance and legal challenges.
Google says proposed EU competition measures requiring it to share anonymized search data with rivals could create privacy and security risks. The information may include search queries, rankings, clicks, and views, which Google argues could be linked back to individuals when combined with other data or analyzed using AI.
The European Commission is considering the measures under the Digital Markets Act to give competing search and AI services greater access to data controlled by Google. The dispute highlights the challenge of increasing competition while protecting potentially sensitive search information.
On July 1, the California Assembly Committee on Privacy and Consumer Protection advanced an amended Senate Bill 690. The bill would remove the private right of action under California Penal Code Section 638.51, a CIPA provision increasingly used in lawsuits involving analytics tools, chat services, pixels, and session replay technology.
If passed, the change would apply retroactively to claims filed on or after January 1, 2025. Other CIPA provisions covering wiretapping and confidential communications would remain available, so businesses should continue reviewing tracking technologies, consent configurations, and vendor contracts while the bill progresses.
Most transparency requirements under Article 50 of the EU AI Act take effect on August 2, 2026. Providers of AI systems that interact with users, generate synthetic content, or process biometric data will need to provide clear, machine-readable disclosures.
The European Commission has published draft guidelines and a voluntary Code of Practice for AI-generated content. Businesses using chatbots, synthetic media, or biometric tools should review their notices and content-labeling processes before the deadline. Violations may result in fines of up to €15 million or 3% of global annual turnover.
Sweden’s new Cybersecurity Act extends cybersecurity obligations to organizations across 18 sectors, including digital infrastructure, digital services, and public administration. Covered entities may need to register with the Swedish Civil Defence and Resilience Agency, introduce risk-management measures, train senior leadership, and report significant incidents within 24 hours.
Penalties may reach the higher of €10 million or 2% of global annual turnover. Businesses operating in Sweden should assess whether they fall within scope and review their incident-reporting, governance, and cybersecurity processes.

One year after the European Accessibility Act’s June 28, 2025 enforcement deadline, investigations, penalties, and litigation are increasing across the EU. In France, a court ordered Carrefour to improve the accessibility of its website and app within six months, backed by a daily penalty. The court found that 71% conformity with national accessibility standards was insufficient.
Enforcement differs by country. Austrian regulators may impose fines of approximately $92,000 per violation, while some EU countries can restrict inaccessible websites, apps, or services from the market. Businesses serving EU customers should review their accessibility statements, testing processes, and remediation plans.
A Deque Systems analysis explains how EN 17161 could complement WCAG under the European Accessibility Act. WCAG helps assess whether digital content meets accessibility criteria, while EN 17161 focuses on the organizational processes used to manage accessibility across changing products and services.
These processes may include issue tracking, goal setting, procurement requirements, support procedures, and accessibility statements. EN 17161 is being reviewed as a potential harmonized EU standard, so organizations may want to assess how it could fit into their wider accessibility programs.
The American Council of the Blind marked its 65th anniversary on July 7, 2026. Its advocacy has contributed to major U.S. accessibility laws, including the Rehabilitation Act, the Americans with Disabilities Act, and the 21st Century Communications and Video Accessibility Act.
The organization now represents more than 8,000 members through state and special-interest affiliates. The milestone shows how current digital accessibility expectations have been shaped by decades of advocacy and how disability organizations continue to influence policy and enforcement.
The National Federation of the Blind held its national convention in Austin from July 3 to 8, 2026, with sessions covering technology, employment, and disability rights. The event took place as the organization continues its lawsuit against federal agencies over delayed digital accessibility deadlines under ADA Title II and Section 504.
The delayed deadlines affect state and local governments and certain federally funded programs, but the underlying accessibility requirements remain. Organizations serving public-sector or federally funded clients should continue remediation work rather than treating the extension as a reason to pause.

The Take It Down Act’s notice-and-removal requirements took effect on May 19, 2026. The FTC has since sent warning letters to major platforms, including Amazon, Meta, TikTok, and X. Covered services must provide a clear reporting process and remove valid reports of nonconsensual intimate imagery within 48 hours.
The law may also apply to businesses whose user-generated content features are not central to their main service, such as apps with photo-sharing forums. With civil penalties potentially exceeding $53,000 per violation, legal, product, and trust and safety teams should assess whether the law applies and document their takedown procedures.
This week’s developments show enforcement and litigation catching up with rules that have already been in place for months or years. The European Accessibility Act, the Take It Down Act, and California tracking lawsuits are now creating more immediate operational questions for businesses.
Privacy, accessibility, and legal teams should use this moment to verify that data transfer safeguards, accessibility documentation, tracking configurations, and takedown processes remain current.