Vermont becomes the 23rd US state with a privacy law, Google changes how Ads receives consent signals, and accessibility enforcement remains active. 5 data privacy and 5 web accessibility updates for 15–19 June 2026.
Here are the most important data privacy and web accessibility updates from the week of 15–19 June 2026.
This week brought new movement in US state privacy law, proposed federal privacy reform in Canada, and an important change to how Google Analytics and Google Ads handle consent data. Universal opt-out signals also remain a growing requirement across US privacy laws.
On the accessibility side, the DOJ’s Title II ADA comment period closes, the European Accessibility Act approaches its first enforcement anniversary, and recent findings show that retail and ecommerce websites still face significant accessibility gaps.
Vermont Governor Phil Scott signed the Vermont Data Privacy and Online Surveillance Act on 16 June 2026, making Vermont the 23rd US state with a comprehensive consumer privacy law.
The law takes effect on 1 January 2028 and includes requirements around opt-out preference signals, data protection impact assessments, and disclosures when personal data is used to train large language models.
On the same day, Vermont also enacted new rules for data broker registration and genetic information privacy, including restrictions on the sale of genetic data by direct-to-consumer testing companies without explicit consent.
The Data (Use and Access) Act 2025 introduced recognised legitimate interest as a new lawful basis under the UK GDPR.
The new basis applies to five pre-approved purposes, including public security, emergency response, crime prevention, and safeguarding vulnerable individuals. Unlike standard legitimate interests, it removes the need for a legitimate interests assessment in these specific cases.
For website operators and platform providers, the change may be relevant to fraud prevention, age verification, safeguarding alerts, and certain data-sharing requests from public authorities.
Canada introduced Bill C-36, the Protecting Privacy and Consumer Data Act, on 16 June 2026, marking a major proposed overhaul of the country’s federal privacy framework.
The bill would recognise privacy as a fundamental right, strengthen consent and deletion rights, add protections for children’s data, and require privacy impact assessments for higher-risk processing.
It would also create a new Digital Safety and Data Protection Commission with powers to issue binding decisions and fines of up to CAD 25 million or five percent of global revenue for the most serious violations.
Google changed how consent data flows between Google Analytics and Google Ads from 15 June 2026.
Google Ads now relies on consent signals sent through a business’s consent management platform via Consent Mode. The Google Signals setting in Analytics no longer acts as a fallback control for advertising data.
Businesses using linked Analytics and Ads accounts should review their CMP setup, privacy notices, and Consent Mode v2 configuration to confirm that consent signals are being passed as intended.
As of January 2026, Connecticut and Oregon joined Colorado, California, and Texas in requiring websites to recognise universal opt-out mechanisms such as Global Privacy Control.
Under these laws, a valid GPC signal must be treated as a consumer opt-out request for data sale or sharing, depending on the applicable state law.
For businesses with users across multiple states, this means opt-out handling cannot rely on banner interactions alone. Consent management setups should be able to detect, process, and honour applicable opt-out preference signals.
The US Department of Justice’s public comment period for its Title II ADA Interim Final Rule closes on 22 June 2026.
The rule extended web and mobile app accessibility deadlines for state and local government entities. Public entities serving 50,000 or more people now have until 26 April 2027 to conform to WCAG 2.1 Level AA, while smaller entities and special districts have until 26 April 2028.
Although the extension applies to the public sector, WCAG 2.1 AA remains a key benchmark in ADA-related digital accessibility cases involving private businesses.
28 June 2026 marks one year since the European Accessibility Act became enforceable for private sector digital products and services.
Over the past year, EU member states have continued building national enforcement frameworks, with regulators moving from guidance and market surveillance toward formal assessments and corrective action.
Financial penalties remain limited so far, but businesses selling digital products or services in the EU should treat the anniversary as a reminder to review their accessibility documentation, testing, and remediation plans.
In February 2026, the US Department of Justice opposed a proposed class action settlement in Alcazar v. Fashion Nova after finding that the claims portal used by the settlement administrator was inaccessible to screen reader users.
The case highlights an important accessibility issue: user-facing third-party tools can create risk even when they sit outside a company’s main website.
Businesses should include accessibility requirements in vendor reviews, contracts, procurement processes, and testing programmes.
Accessibility practitioners are warning that AI-generated web content is not automatically accessible.
Common issues include images without alt text, dynamic content without proper ARIA labelling, and interactive elements that do not support keyboard navigation.
As AI speeds up content production, businesses should build accessibility checks into publishing workflows rather than treating them as a manual review step after content goes live.
This week’s updates show how digital compliance expectations continue to expand across privacy, consent, and accessibility.
Vermont’s new privacy law, Canada’s proposed federal reform, Google’s consent signal changes, and growing universal opt-out requirements all point to a more operational privacy landscape. At the same time, ADA activity, EAA enforcement, vendor accessibility issues, and AI-generated content risks show why accessibility needs to be part of everyday digital governance.
For website operators, marketing teams, and compliance professionals, the message is clear: consent, transparency, and accessibility all need regular review, not occasional attention.
Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
