Weekly Compliance Brief: May 4-8, 2026
CT SB 4 passes House, SECURE Data Act proposes federal preemption, HHS 504 deadline arrives for healthcare orgs, EAA enforcement spreads across EU.
Connecticut’s sweeping data privacy bill passed the House on a 141-6 vote and heads to the Governor for signature. On the federal front, House Republicans introduced the SECURE Data Act, which would create a national privacy baseline while preempting stronger state laws. On the accessibility front, the HHS Section 504 deadline for large healthcare organisations falls on Monday, May 11, the first business day after this brief's window, and enforcement under the European Accessibility Act is spreading across member states. Here is everything website teams need to know from May 4–8, 2026.

There are now 20 US states with comprehensive consumer privacy laws in effect in 2026. Website operators with users across all 20 states face at least 14 distinct variations of core consumer rights obligations, from opt-out mechanisms to data minimisation requirements. (MultiState, 2026)
On May 4, 2026, the Connecticut House passed SB 4 on a 141-6 vote, completing the bill's passage through both chambers. The legislation establishes a formal data broker registry, provides consumers with a mechanism to delete their personal data from broker databases, restricts the use of geolocation data and facial recognition, bans surveillance pricing, and strengthens protections for biometric and genetic data.
The bill now heads to Governor Ned Lamont, who is widely expected to sign it. Website operators collecting data on Connecticut residents should treat the law as near-final and begin assessing compliance gaps now.
House Republicans introduced the SECURE Data Act in late April 2026 after 14 months of stakeholder engagement, positioning it as the first significant federal consumer privacy bill in years. The bill sets baseline rules on data minimisation, consent, and transparency, but includes no private right of action: individuals could not sue to enforce their rights directly, so enforcement would rest with regulators.
Critics, including the EFF and EPIC, argue that it would preempt stronger state laws such as California's CPRA, weakening existing consumer protections rather than adding to them. Website operators should monitor the bill: if passed in its current form, it would replace the patchwork of state obligations with a single federal compliance baseline, but that baseline would be less demanding than the state-level obligations many businesses currently meet.
Colorado's SB 51 (Age Attestation on Computing Devices), modelled in part on California's Digital Age Assurance Act, passed the legislature on May 1, requiring device manufacturers and app stores to implement age-verification mechanisms. Michigan's Kids Code Act (SB 758) passed the state Senate by a 20-17 vote, advancing age-appropriate design requirements for digital products accessed by minors.
Both bills reflect a growing wave of state-level action on children's digital safety as federal progress on the issue remains stalled. Operators of websites and apps whose users include or could include minors should assess whether these state-level design standards apply to their products.
California's AB 2561 advanced to a third reading this week, targeting a common dark pattern in which apps or system updates silently reset privacy settings that users have deliberately chosen. If passed, the bill would prohibit operating systems and applications from undoing a user's affirmative privacy configuration without explicit consent.
The legislation builds on California's existing CCPA framework and reflects the state's ongoing focus on making privacy controls meaningful in practice, not just in policy. Developers and product teams should review how their products handle privacy preference resets during updates or reinstallations.
The Privacy Rights Clearinghouse released its 2026 Data Breach Notification Laws 50-State Survey, mapping notification obligations, timelines, and covered entity definitions across all US states and territories. All 50 states now have some form of breach notification law in effect, but the specifics vary significantly: fixed statutory deadlines, where a state sets one, range from 30 to 90 days, while other states require notice "without unreasonable delay"; the categories of covered data differ; and many states add requirements around regulator notification (typically to the state attorney general) and risk-of-harm thresholds that determine whether notice is required at all.
For website operators handling personal data across multiple states, the survey is a practical reference for confirming that breach response plans meet the requirements of every jurisdiction where users are located. Any organisation that has not reviewed its breach notification procedures in the past 12 months should treat this publication as a prompt.

Automated accessibility testing tools catch only 30-40% of WCAG failures. Manual expert review and testing with disabled users are required to identify the majority of real-world barriers on any website or app. (ReasonOne, 2026)
The compliance deadline under the HHS Section 504 digital accessibility rule falls on Monday, May 11, 2026, the first business day after this brief's window, for all organisations with 15 or more employees that receive federal financial assistance from HHS. Covered entities that are not compliant by then face potential enforcement by the HHS Office for Civil Rights, including investigations, compliance reviews, and, in serious cases, loss of federal funding.
Organisations that will not have achieved full WCAG 2.1 AA conformance by the deadline should document remediation work in progress, prioritise the most significant patient-facing barriers, and maintain a clear remediation roadmap. Evidence of good-faith, systematic progress is the most defensible posture if a complaint is filed.
New analysis published by Deque documents early enforcement patterns of the European Accessibility Act, confirming that market surveillance authorities across multiple member states are taking active steps. France has issued legal proceedings against major grocery retailers; Sweden's Post and Telecom Authority has launched its first regulatory cases against e-commerce operators; the Netherlands is prioritising audits against organisations that submitted incomplete or no compliance reports; and the Czech Republic has begun publishing lists of non-compliant products.
The pattern across member states is consistent: enforcement starts with notification, moves to formal action, and escalates toward fines when companies fail to remediate within the given window. Businesses selling to European consumers that have not yet published an accessibility statement or assessed conformance against EN 301 549 should treat these cases as a direct signal to start.
Data published this week confirms that e-commerce and retail websites account for approximately 69% of all digital accessibility lawsuits filed in the US. The concentration reflects the ease with which retail sites can be tested, the consistency of barriers across large product catalogues, and the viability of class actions when a site-wide issue affects a large number of users.
Settlement costs for individual ADA Title III web accessibility cases range from $5,000 to $25,000, rising to more than $6 million for class actions. Any e-commerce operator without a current WCAG 2.1 AA audit and a documented remediation programme is carrying unquantified legal risk.
The American Association of People with Disabilities published a formal statement criticising the DOJ's decision to extend ADA Title II web accessibility compliance deadlines to 2027 and 2028, describing it as a major step backward for the rights of disabled Americans. The AAPD argues that many covered government entities were already close to compliance and that the extension removes both the urgency and the accountability that the original deadline provided.
The statement encourages disability advocates and allies to submit formal comments during the public comment period, which closes June 22, 2026. Public sector website operators who had invested in compliance work ahead of the original deadline should not interpret the extension as permission to pause.
ReasonOne published a practical implementation guide for organisations working to meet accessibility compliance deadlines in 2026, covering both HHS Section 504 and ADA Title II requirements. The guide recommends an audit-first approach combining automated testing, manual expert review, and user testing with disabled individuals, noting that automated tools alone catch only 30-40% of WCAG failures.
From audit findings, the guide walks through prioritisation, remediation planning, and ongoing monitoring to maintain conformance over time. For teams in the early stages of their accessibility programme, the guide provides a structured framework for scoping and sequencing the work.
That is your compliance brief for May 4–8, 2026. Connecticut’s comprehensive data privacy law is heading to the Governor, a federal privacy bill is putting state-level protections at risk, and the HHS Section 504 deadline for large healthcare organisations is here. With EAA enforcement accelerating across Europe and e-commerce litigation at record levels, staying current on compliance requirements is no longer optional for any website team.