Weekly Compliance Brief: May 18-22, 2026

Here are the most important data privacy, web accessibility, and content takedown updates from the week of May 18 to 22, 2026. US state legislatures were especially active on privacy: Louisiana's Data Privacy Act passed the House 94-0 and headed for a Senate concurrence vote, Colorado formally repealed its AI Act in favour of a narrower disclosure-based framework, and New York and California both advanced multiple privacy bills in the same week. On the accessibility front, Global Accessibility Awareness Day arrived on May 21 alongside fresh data showing web compliance is moving in the wrong direction for the first time in six years. And on May 19, the TAKE IT DOWN Act's civil enforcement provisions took effect, marking a new era of accountability for online platforms hosting user-generated content.

Data privacy law news

Did you know?

Global compliance fines in Q1 2026 reached $542 million, a 22% increase year-over-year, driven largely by data privacy and cybersecurity enforcement actions across Europe and the US.

Colorado repeals landmark AI Act and replaces it with a narrower disclosure framework

Colorado Governor Jared Polis signed SB 189 on May 14, repealing the Colorado AI Act and replacing it with a narrower transparency-focused law governing automated decision-making technologies used for consequential consumer decisions.

The new law removes the CAIA’s broader obligations, including duties of care, risk management programmes, and impact assessments, and instead focuses on disclosure requirements and limited consumer rights.

Consumers receiving adverse decisions can request access to the data used, correction of inaccurate information, and meaningful human review. The law takes effect January 1, 2027, and marks a significant shift away from Colorado’s earlier AI governance approach.

Read more

Louisiana Data Privacy Act passes House 94-0 as Senate prepares concurrence vote

Louisiana’s Senate Bill 386, the Louisiana Data Privacy Act, has now passed both the House and Senate and has been sent to Governor Jeff Landry for signature, putting Louisiana on track to become the latest US state with comprehensive consumer privacy legislation.

The bill applies to businesses operating in Louisiana that meet at least one of three thresholds: annual gross revenues exceeding $25 million, processing the personal data of 75,000 or more consumers or households, or deriving 50% or more of annual revenue from selling personal information.

SB 386 grants consumers rights over sensitive data, requires a universal opt-out mechanism, and includes a 30-day right to cure from January 1 through July 31, 2027. During that period, businesses can avoid enforcement action by remedying identified violations and notifying affected consumers.

Enforcement authority rests exclusively with the Louisiana Attorney General, with no private right of action. If signed into law, the legislation will take effect January 1, 2027.

Read more

New York advances two biometric privacy bills in the same week

New York lawmakers advanced two major biometric privacy bills during the week of May 18, signaling growing momentum for stricter biometric data regulation in the state.

S 2539 passed the full Senate and would require retailers to display clear notices when electronic devices are used to collect or track customers’ biometric data in-store. Meanwhile, the Senate Consumer Protection Committee advanced S 1422, the Biometric Identifier Privacy Act, which would introduce BIPA-style consent requirements for businesses collecting biometric identifiers.

Together, the bills indicate New York is positioning itself as a leading state for biometric privacy regulation, particularly impacting retailers and businesses with physical locations.

Read more

California clears 17 privacy and AI bills through Appropriations in a single week

California’s Appropriations committees advanced 17 privacy and AI-related bills on May 15, marking a major week for consumer privacy legislation in the state.

Among the most notable is AB 2561, which passed the full Assembly unanimously and would prohibit operating systems and apps from reversing a user’s privacy settings without explicit consent, targeting opt-out reset practices that can undermine CCPA rights.

Lawmakers also advanced two additional CCPA amendment bills that expand protections for sensitive data and update enforcement procedures.

The volume of legislation moving forward reinforces California’s position as the leading US privacy regulator, with potential ripple effects for businesses operating nationwide.

Read more

Global compliance fines surged to $542 million in Q1 2026

A report published by FinTech Global on May 14 found regulators issued approximately $542 million in compliance fines during Q1 2026, with data privacy and cybersecurity violations driving most enforcement activity.

European data protection authorities received an average of 443 breach notifications per day during the quarter, marking a 22% year-over-year increase as both incident volumes and reporting obligations continue to grow.

Cumulative GDPR fines have now exceeded €7.1 billion since enforcement began in 2018, highlighting the continued global expansion of privacy and cybersecurity enforcement risk.

Read more

Web accessibility news

Did you know?

The 2026 WebAIM Million report found that 95.9% of the top one million homepages have detectable accessibility failures, the first regression in six years, with the average number of errors per page rising 10.1% year-over-year.

Global Accessibility Awareness Day 2026 calls for design, development, and delivery

Global Accessibility Awareness Day (GAAD) marked its 15th year on May 21 under the theme “Design, Develop, Deliver,” encouraging organisations to build accessibility into every stage of the product lifecycle rather than treating it as a final-step fix.

This year’s event came amid growing concern following the 2026 WebAIM Million report, which found the first decline in homepage accessibility scores in six years, raising questions about whether industry practices are keeping pace with evolving US and EU accessibility requirements.

More than 130 events were held worldwide, bringing together universities, government bodies, and accessibility professionals to discuss the future of digital accessibility and the need for long-term structural change.

Read more

GAAD 2026: "Evinced 500" Study Exposes Enterprise Accessibility Gaps

Released on May 21, 2026, accessibility software firm Evinced launched the “Evinced 500,” a new benchmark assessing the homepages of Fortune 500 companies.

The report found that 90% of Fortune 500 homepages still contain at least one critical accessibility issue, with an average of roughly 20 errors per page. While that is significantly better than the broader internet average of 56 errors per page reported by WebAIM, the findings highlight persistent accessibility and compliance gaps across major enterprises.

Financial services companies ranked highest for accessibility performance, while technology companies surprisingly recorded some of the highest error rates.

The report reinforces that even large organisations with mature compliance programmes continue to face accessibility and legal risk when full WCAG conformance is not achieved.

Read more

Early EAA enforcement across Europe is already happening, Deque analysis finds

New analysis from Deque shows enforcement of the European Accessibility Act (EAA) is already becoming active across several EU member states, with disability advocacy groups filing lawsuits against major retailers and regulators launching market surveillance programmes.

Most countries are currently prioritising remediation orders over immediate fines as organisations continue building their accessibility programmes, though legal experts warn this adjustment period is likely temporary.

The analysis also highlights that the EAA applies to US-based organisations serving European customers, regardless of where they are headquartered, with e-commerce, financial services, and travel emerging as the sectors facing the greatest regulatory scrutiny.

Read more

ADA website lawsuit filings hit 3,117 in 2025 with 2026 pace accelerating

New data from Seyfarth Shaw’s ADA Title III litigation tracker shows federal website accessibility lawsuits reached 3,117 cases in 2025, a 27% year-over-year increase. Including state court filings in New York and California, total digital accessibility litigation surpassed 5,000 cases.

E-commerce and retail businesses accounted for roughly 70% of all filings, while the Fashion Nova class action remains one of the year’s most closely watched cases following a DOJ Statement of Interest opposing a proposed settlement.

Despite the DOJ extending ADA Title II compliance deadlines for government entities in April 2026, private accessibility litigation continues to accelerate, reinforcing the importance of proactive and well-documented accessibility remediation programmes.

Read more

UK Digital Accessibility Week 2026 brings public sector together around "design, develop, deliver"

The UK government’s Digital Accessibility Week took place from May 18 to May 21 alongside Global Accessibility Awareness Day, bringing together public sector departments and agencies to promote accessible digital service design.

The week included workshops, training sessions, and case studies focused on embedding accessibility into the design and development process rather than treating it as a final-stage audit requirement.

The event also echoed broader industry concerns following the recent WebAIM Million report regression, reinforcing that accessibility awareness must be supported by structured processes and organisational accountability.

The UK government continues to publish annual accessibility statements under the Public Sector Bodies Accessibility Regulations, offering a transparency model that many private sector organisations can learn from.

Read more

##Content takedown news

Did you know?

The FTC can now impose civil penalties of up to $53,088 per violation on platforms that fail to remove nonconsensual intimate images within 48 hours of a valid request, with each unremoved image potentially counting as a separate violation.

TAKE IT DOWN Act civil enforcement begins May 19, 2026

The TAKE IT DOWN Act’s civil enforcement provisions officially took effect on May 19, 2026, making content removal obligations legally enforceable for platforms hosting user-generated content.

Covered platforms, including social media services, messaging apps, image and video hosts, and gaming platforms, must now provide a process for victims of nonconsensual intimate images (NCII), including AI-generated deepfakes, to request removal. Platforms are required to remove the content and known copies within 48 hours of receiving a valid request.

Non-compliance can result in FTC civil penalties of up to $53,088 per violation, with each unremoved image or video potentially treated as a separate violation.

The FTC has also launched TakeItDown.ftc.gov to monitor complaints and support enforcement efforts.

Read more

Until next week

This week's updates reflect a compliance environment growing more demanding on every front: states are racing to enact new privacy and AI laws, from Louisiana's forthcoming Data Privacy Act to Colorado's revised AI framework, while accessibility benchmarks are heading in the wrong direction even as enforcement deadlines tighten across the US and EU.

The FTC's Take It Down Act enforcement launch adds a further layer of platform accountability that legal and compliance teams cannot afford to overlook. Use this roundup to focus your priorities and ensure your organisation is prepared for the obligations taking effect on January 1, 2027 and beyond.