Privacy & Cybersecurity Law Blog

On May 27, 2026, Connecticut Governor Ned Lamont signed Senate Bill 4 into law, which amends the Connecticut Data Privacy Act to create data broker registration and compliance requirements, ban the sale of geolocation data, and set limits on surveillance pricing and the processing of genetic data.

On May 21, 2026, the New York Department of Financial Services issued an industry letter warning regulated entities that emerging frontier AI models may significantly increase cyber risk by enabling threat actors to identify and exploit vulnerabilities with greater speed, scale, and sophistication.

On May 21, 2026, the FTC announced settlements with three marketing firms, requiring them to pay a total of $930,000 to settle allegations that they deceived customers by falsely claiming to offer an AI-powered service that could target localized ads based on conversations captured from consumers’ smart devices, and that consumers had opted into such targeting.

On May 25, 2026, a new Memorandum of Understanding between the UK AI Security Institute and the Australian AI Safety Institute was announced, aimed at strengthening bilateral cooperation on AI security and safety.

On May 1, 2026, the cybersecurity authorities of Australia, Canada, New Zealand, United States and the United Kingdom published joint guidance on the secure adoption of agentic artificial intelligence systems.

On May 14, 2026, Colorado Governor Polis signed SB 189, which revises Colorado’s original AI law and delays the effective date from June 30, 2026, to January 1, 2027, while significantly scaling back its original requirements.

On May 19, 2026, the European Commission published draft guidelines on the classification of high-risk AI systems under the EU AI Act.

On May 18, 2026, the UK Information Commissioner’s Office announced that it had provided advice to the UK government on possible changes to the Privacy and Electronic Communications Regulations in relation to online advertising

On May 11, 2026, the Texas Attorney General  announced a lawsuit against Netflix, Inc. under the Texas Deceptive Trade Practices Act, alleging that the company collected personal information, including that of children, based on misleading and deceptive disclosures and engaged in dark patterns by designing its platform to be addictive.

On May 8, 2026, the California Attorney General announced a record $12.75 million settlement with General Motors to resolve allegations that it illegally sold Californians’ location and driving behavior data without adequate notice or consent, in violation of the California Consumer Privacy Act and California’s Unfair Competition Law.