Weekly Compliance Brief: June 8-12, 2026

Here are the most important data privacy and web accessibility updates for the week of 8-12 June 2026. This edition covers GDPR transparency enforcement, the ongoing tension between state and federal privacy law in the US, new CCPA litigation risk from third-party tracking, and a series of ADA and HHS accessibility deadlines that digital and compliance teams should be tracking.

Data privacy law news

Did you know?

Complaints to Canada's Privacy Commissioner rose sharply in 2025-2026, with PIPEDA complaints up 109% and Privacy Act complaints up 62%.

EDPB launches 2026 coordinated enforcement action on GDPR transparency

The EDPB has launched its 2026 Coordinated Enforcement Framework action, with 25 European data protection authorities focusing on GDPR transparency and information obligations under Articles 12–14. Regulators will review how organisations explain their data processing activities, including privacy notices, cookie banners, and consent flows.

The action puts renewed focus on whether disclosures are clear, accurate, and kept up to date when technologies, tracking practices, or data uses change. Organisations should review privacy notices, consent mechanisms, tracking disclosures, and third-party data sharing descriptions to check whether they reflect actual practice.

Read more

18 state AGs urge Congress to reject the SECURE Data Act

California Attorney General Rob Bonta led a coalition of 18 state attorneys general and consumer-protection authorities urging Congress to reject the proposed SECURE Data Act. The coalition argued that the bill would broadly preempt stronger state privacy laws and weaken consumer protections.

The letter warned that the proposal could limit privacy rights, give businesses more flexibility to retain and use consumer data, and undermine state data broker registries, breach notification laws, and comprehensive privacy statutes. The coalition called for any federal privacy framework to set a baseline, while preserving states’ ability to respond to new data practices and privacy risks.

Read more

US courts expand CCPA private right of action to cover third-party tracking

Two recent federal court rulings have allowed CCPA claims to proceed against companies that use third-party tracking technologies, even without a traditional data breach. In one case, a mortgage lender faced claims after installing a third-party tracking code that allegedly shared users’ personal information.

The rulings suggest that businesses using tools such as Google Analytics, Meta Pixel, or other client-side tracking technologies may face CCPA litigation risk if data sharing is not properly controlled or disclosed. Website teams should review tracking scripts, consent flows, and vendor disclosures to better understand what data is being collected and shared.

Read more

Connecticut enacts SB 4: new omnibus privacy law with geolocation and data broker rules

Connecticut signed SB 4 into law on 27 May 2026, introducing significant changes to the Connecticut Data Privacy Act. The amendments add new obligations for data brokers, genetic testing companies, and businesses using facial recognition technology.

Key updates include a ban on selling consumers’ precise geolocation data, new data broker registration requirements, and an accessible deletion mechanism modelled on the California Delete Act by July 2028. The CTDPA amendments and geolocation restrictions take effect on 1 October 2026, giving website operators and marketing teams a limited window to review data collection, profiling, and sharing practices.

Read more

ICO advises UK government to relax consent rules for low-risk online advertising

The UK Information Commissioner’s Office published formal advice on 18 May 2026, recommending targeted changes to PECR consent rules for online advertising. The ICO’s preferred approach would allow certain low-risk advertising activities, such as ad delivery, city-level targeting, frequency capping, brand safety, and aggregated measurement, to operate without explicit user consent.

Consent would still be required for behavioural targeting and cross-site profiling. For now, the existing PECR rules remain in place, and any change would require government action followed by updated ICO guidance.

Read more

Web accessibility news

Did you know?

Around 69% of ADA web accessibility lawsuits target e-commerce businesses and online retailers.

DOJ extends ADA Title II web accessibility compliance deadlines; comment period closes 22 June

The US Department of Justice issued an interim final rule in April 2026 extending the compliance deadlines for its Title II ADA web accessibility rule. Large public entities now have until 26 April 2027 to align websites and mobile apps with WCAG 2.1 Level AA, while smaller entities and special district governments have until 26 April 2028.

The public comment period closes on 22 June 2026. State and local government organisations, as well as private companies working with public sector clients, should monitor the outcome as it may shape the broader web accessibility enforcement environment.

Read more

HHS Section 1557 digital accessibility deadline now in effect for healthcare organisations

The US Department of Health and Human Services’ Section 1557 digital accessibility requirements took effect on 11 May 2026 for federally funded healthcare organisations with 15 or more employees. Covered websites, mobile apps, kiosks, patient portals, telehealth platforms, and health insurance tools must now support WCAG 2.1 Level AA accessibility expectations.

This includes requirements related to keyboard navigation, screen reader support, captions, and colour contrast. Smaller covered organisations have until 10 May 2027, while HHS’s Office for Civil Rights can investigate complaints and take enforcement action.

Read more

ADA Title III web accessibility lawsuits bounce back: 3,117 federal cases filed in 2025

Federal website accessibility lawsuits under Title III of the ADA rebounded in 2025, with 3,117 cases making up 36% of all ADA Title III federal litigation. E-commerce businesses remained the most targeted sector, accounting for around 69% of web accessibility lawsuits.

The data, published by Seyfarth Shaw in March 2026, shows that digital accessibility litigation remains a material risk for businesses with public-facing websites. Reported settlement costs often range from USD 25,000 to USD 75,000, while larger class action settlements can reach significantly higher amounts.

Read more

EN 301 549 update underway to incorporate WCAG 2.2, affecting EAA compliance benchmarks

The harmonised European accessibility standard EN 301 549, used as a technical benchmark for European Accessibility Act compliance, is being updated to incorporate WCAG 2.2. This means organisations currently auditing against WCAG 2.1 Level AA may need to account for additional success criteria once the updated standard is published.

The changes are expected to cover areas such as pointer cancellation, focus appearance, and dragging movements. Businesses offering digital products or services in the EU should monitor the update and factor the transition into their accessibility roadmaps.

Read more

Until next week

This week reinforces that the distance between policy and enforcement is narrowing on both sides of the Atlantic. The EDPB's coordinated transparency action and the growing CCPA litigation exposure from third-party tracking are the most immediate priorities for privacy and marketing teams, while the combination of rising ADA lawsuits, active HHS enforcement, and the incoming EN 301 549 update signals that accessibility can no longer be treated as a one-time project. Building proactive programmes across both areas is the most practical way to manage risk and demonstrate accountability to users.