Weekly Compliance Brief: June 1-5, 2026
California issued a record CCPA fine, Louisiana businesses prepared for new privacy obligations, EAA enforcement expanded across Europe, and the FTC began enforcing the Take It Down Act.
Weekly Compliance Brief: Jun 1-5, 2026
This week underscored a growing global trend: regulators are increasingly focused on enforcement rather than education. California issued the largest CCPA fine in the law’s history, the Netherlands confirmed the end of its telemarketing soft opt-in exception, and businesses received further clarity on the obligations they will need to meet before the Louisiana Data Privacy Act takes effect on January 1, 2027.
On the accessibility front, European Accessibility Act enforcement continued to gain momentum across the EU, with regulators beginning audits, requesting accessibility documentation, and increasing scrutiny of digital products and services. Businesses were also reminded that EAA requirements extend beyond websites to many mobile applications.
Meanwhile, the FTC began enforcing the Take It Down Act, introducing new obligations for platforms that host user-generated content and signaling a more aggressive approach to content moderation enforcement.
Data privacy law news
Did you know?
The US now has 22 active comprehensive state privacy laws, with 21 of them sharing the same core structure, according to testimony submitted to the House Energy and Commerce Subcommittee on June 3, 2026.
California’s record CCPA fine sends a clear message on data minimization
California issues record $12.75M CCPA fine against GM
California regulators have fined General Motors $12.75 million, the largest CCPA penalty to date, for collecting and selling drivers’ location and behavior data through its OnStar platform. The case also marks the state’s first major data minimization enforcement action.
According to the settlement, GM shared data with third parties that used it for insurance-related purposes while allegedly failing to clearly disclose those practices to consumers. GM must stop sharing driving data with consumer reporting agencies for five years and delete data that is not necessary for its stated purposes.
Louisiana Data Privacy Act: What businesses need to do before January, 2027
Louisiana’s new privacy law takes effect on January 1, 2027, introducing consumer rights, GPC recognition, sensitive data consent requirements, and enforcement by the Attorney General. Businesses meeting the law’s revenue or data-processing thresholds should begin preparing now.
SECURE Data Act advances as debate over federal privacy law intensifies
The SECURE Data Act received its first congressional hearing this week, highlighting a growing divide over the future of US privacy regulation. Supporters argue the bill would create a long-awaited national privacy framework, while critics warn it could weaken stronger protections already in place at the state level.
The proposed legislation would establish a federal standard enforced by the FTC and preempt many existing state privacy laws. While its path to enactment remains uncertain, the hearing signals that federal privacy legislation will remain a major focus in Washington throughout 2026.
The Netherlands ends soft opt-in exception for telemarketing from Jul 1, 2026
From July 1, 2026, businesses in the Netherlands will need explicit consent before making marketing calls, including to existing customers. The change removes the long-standing “soft opt-in” exception that allowed companies to promote similar products or services without separate consent.
Regulators have confirmed active enforcement from day one, and businesses must be able to demonstrate valid consent records upon request. The rules also apply when telemarketing is outsourced, with responsibility remaining with the company being promoted.
UK ICO confirms affiliate tracking pixels require consent
The ICO has clarified that affiliate tracking pixels require user consent, rejecting the argument that they are strictly necessary for website functionality. The guidance also reinforces that consent banners must offer users a genuine choice, with rejection presented as prominently as acceptance. Businesses using affiliate marketing should review their tracking and consent practices accordingly.
Web accessibility news
Did you know?
95.9% of the top one million websites fail to meet basic WCAG standards according to the 2026 WebAIM Million report, yet ADA website accessibility lawsuits rose 27% year over year in 2025 to 3,117 federal cases, with over 5,000 when state court filings are included.
EAA enforcement enters active phase across the EU
European Accessibility Act enforcement is now actively underway across EU member states, with regulators requesting accessibility documentation, investigating complaints, and requiring remediation from non-compliant organisations. Businesses that have not yet assessed their EAA obligations or published an accessibility statement should expect increased regulatory scrutiny throughout 2026 and beyond.
EAA penalties and market restrictions now in focus
EAA enforcement can carry significant financial consequences, with some EU member states allowing fines reaching millions of euros for serious violations. Regulators may also order non-compliant products or services to be withdrawn from the market, making accessibility a business continuity issue as well as a compliance concern.
EAA accessibility requirements extend to mobile apps
The European Accessibility Act applies to many mobile applications, including banking, e-commerce, and transport services. With enforcement activity increasing across the EU, organizations should ensure mobile accessibility is assessed and documented alongside their websites and other digital products.
W3C prepares updated accessibility audit methodology
The W3C plans to release WCAG Evaluation Methodology 2.0 this quarter, introducing updated guidance for assessing modern websites and applications. The framework is expected to improve consistency in accessibility audits and provide a clearer foundation for documenting conformance claims.
Take it Down Act news
FTC begins Take It Down Act enforcement and sends warning letters to 15 platforms
The FTC has started enforcing the Take It Down Act, requiring covered platforms to remove non-consensual intimate imagery and AI-generated deepfakes within 48 hours of a valid request. The agency has already issued warning letters to major technology companies and launched a public reporting portal for non-compliant platforms.
Organizations that host user-generated content should review their content moderation and takedown procedures, as violations can result in significant financial penalties.
Until next week
The pace of compliance enforcement continues to accelerate across privacy, accessibility, and digital platform regulation. Record fines, active investigations, new enforcement powers, and upcoming laws such as Louisiana’s Data Privacy Act are creating a regulatory environment where preparation matters more than ever.
Whether your organization is reviewing consent practices, evaluating accessibility obligations, preparing for new privacy requirements, auditing tracking technologies, or strengthening content governance processes, now is the time to identify and address potential gaps.
We’ll continue tracking the most important compliance developments each week to help you stay informed, prepared, and ahead of regulatory change.
Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
