Weekly Compliance Brief: June 22-26, 2026

This week’s compliance updates show regulators, courts, and advocacy groups putting more pressure on privacy and accessibility programs.

In the UK, the ICO issued a major nuisance marketing fine. In Europe, a French court ordered Carrefour to fix accessibility issues on its website and app under EAA-related national law. In the US, disability advocates challenged delayed ADA web accessibility deadlines.

Here are the key updates compliance, legal, marketing, and digital teams should know.

Data privacy law news

ICO fines UK firm £300,000 over 5.5 million unlawful marketing texts

The UK ICO fined KRA Consultancy Ltd £300,000 after the company sent more than 5.5 million unsolicited marketing texts to people in financial difficulty. Some messages falsely warned recipients about bailiff visits, and the campaign led to more than 60,000 complaints.

The ICO found that the firm did not verify consent and continued unlawful activity after regulatory action. For marketing teams, this is a clear reminder that consent must be checked before sending direct marketing messages.

Learn more

Article 27 enforcement expands against non-EU businesses

EU regulators are increasingly taking action against non-EU businesses that fail to appoint an Article 27 representative. This obligation applies to many companies that process EU personal data but do not have an EU establishment.

Regulators can identify this gap quickly, making it an easy starting point for enforcement. Businesses using analytics, consent tools, ecommerce, or other website-based data collection should confirm whether an EU representative is required.

Learn more

Vermont updates data broker law with KYC rules and higher penalties

Vermont has strengthened its data broker law through H.211, signed in June 2026. From January 1, 2027, data brokers must identify data recipients and certify the intended use of personal data before disclosure.

The law also increases penalties, including fines for materially incorrect filings and a new surety bond requirement. Businesses that buy, sell, or share third-party marketing data should review their Vermont obligations before the effective date.

Learn more

Ireland’s EU council presidency brings new scrutiny to GDPR enforcement

Ireland takes over the rotating EU Council presidency on July 1, 2026. Its role will include work on Digital Omnibus negotiations, which critics say could affect parts of the GDPR.

Because Ireland is home to the European headquarters of major technology companies, its approach to digital regulation is likely to face close attention. Compliance teams should watch how GDPR-related discussions develop over the next six months.

Learn more

Alberta issues new guidance on privacy management programs

Alberta’s privacy regulator has published new guidance for public bodies implementing privacy management programs and privacy impact assessments. The guidance covers privacy officer responsibilities, AI and automated decision-making policies, employee training, and high-risk processing reviews.

Although it focuses on the Canadian public sector, it reflects broader accountability expectations seen in many privacy laws. Organizations building formal privacy programs may find the framework useful as a reference point.

Learn more

Web accessibility news

French court orders Carrefour to fix website and app accessibility

A French court ordered Carrefour France to make its ecommerce website and mobile app accessible to people with disabilities. The court gave Carrefour six months to comply and attached daily financial penalties if it fails to do so.

Carrefour argued that it already met 71% of the relevant criteria, but the court rejected partial conformance as insufficient. The case is an important signal that courts may expect businesses to show complete and documented accessibility progress.

Learn more

NFB lawsuit challenges delayed ADA web accessibility deadlines

The National Federation of the Blind filed a federal lawsuit challenging delayed ADA Title II and Section 504 web accessibility deadlines. The original deadlines for state and local government websites to meet WCAG 2.1 Level AA have been pushed to April 2027 and April 2028.

The NFB argues the delay was arbitrary and violated the Administrative Procedure Act. Public sector teams should follow this case closely because it may affect when formal website accessibility deadlines take effect.

Learn more

EAA enforcement builds across Europe one year after deadline

One year after the European Accessibility Act became enforceable, enforcement activity is increasing across EU member states. Germany has seen warning letters sent to ecommerce operators, Sweden has opened regulatory cases, and Dutch authorities are moving toward formal enforcement later in 2026.

No monetary fines have been confirmed yet, but national penalty frameworks are already in place. Businesses should keep accessibility audits, statements, and remediation plans current and documented.

Learn more

WebAIM 2026 report shows accessibility errors are rising again

WebAIM’s 2026 analysis found detectable WCAG failures on 95.9% of the top one million home pages. That is higher than 2025 and reverses six years of gradual improvement.

The most common issues remain low contrast text, missing alternative text, and unlabeled form inputs. The report shows that many websites still need stronger accessibility testing before issues reach users, regulators, or courts.

Learn more

Why accessibility programs should look beyond WCAG

A June 2026 analysis from Deque highlights EN 17161, the European “Design for All” management standard, as a useful complement to WCAG. WCAG focuses on technical requirements for digital content, while EN 17161 focuses on how organizations build accessibility into planning, procurement, design, and delivery.

This matters because technical conformance alone does not always capture real-world usability barriers. For mature accessibility programs, process, governance, and user involvement are becoming harder to ignore.

Learn more

Until next week

Compliance expectations are becoming more practical, more visible, and more enforceable. This week’s updates show that regulators and courts are looking beyond policies and public statements. They are asking whether businesses can prove consent, document privacy governance, respond to accessibility obligations, and show real remediation progress. We’ll continue tracking the privacy and accessibility developments that matter most for digital teams.