What changed

EDPB FAQ on Data Privacy Framework — Verification and Onward-Transfer Flow-Down Obligations (January 2026)

On 2026-01-15, the European Data Protection Board announced publication of Version 2.0 of its FAQ for European businesses on the EU-U.S. Data Privacy Framework, with reported scope covering certification verification procedures, HR data transfers, and onward-transfer flow-down obligations under the DPF Accountability for Onward Transfer Principle; the full text of the FAQ has not been independently verified and specific content should not be relied upon until confirmed.

EU AI Act — General Purpose AI Model obligations now in force for providers above threshold

In August 2025, the EU AI Act's General Purpose AI chapter, Regulation (EU) 2024/1689 Arts. 51-56, entered into force, imposing obligations on providers of general-purpose AI models with EU market exposure.

CISA proposes 72-hour cyber incident reporting for critical infrastructure — CIRCIA NPRM

On April 4, 2024, CISA published a Notice of Proposed Rulemaking at 89 Fed. Reg. 23644 under the Cyber Incident Reporting for Critical Infrastructure Act proposing a 72-hour window for covered entities to report substantial cyber incidents; CISA's May 2026 supplemental guidance confirms that cloud and IT service providers to critical infrastructure owners are likely covered entities under the proposed rule.

Connecticut SB 4 — CTDPA Amendments: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing, Genetic Data

EEOC v. Dana Sealing Manufacturing — GINA Complaint (Collecting Family Medical History at Pre-Employment Physical)

EEOC v. LeachGarner — $2.8 Million Sex/Pay Discrimination Consent Decree (E.D. Mass.)

Louisiana Data Privacy Act (SB 386) — 22nd State Comprehensive Privacy Law

Oregon SB 1587 — Prohibition on Public Body Disclosures to Data Brokers for Federal Immigration Enforcement

Vermont Data Privacy and Online Surveillance Act (S.71) — 23rd State Comprehensive Privacy Law

Connecticut Comprehensive AI Law — Companion Chatbots, Frontier Model Governance, and Employment AI

Connecticut enacted a comprehensive artificial intelligence law, signed May 27, 2026, establishing regulatory frameworks for companion chatbot design and disclosure, frontier AI model governance, and AI use in employment decisions; specific obligations, effective dates by provision, and enforcement mechanisms have not been confirmed from the primary statutory text. [UNVERIFIED — bill text not retrieved.]

FTC Enforcement Authority — Take It Down Act (Non-Consensual Intimate Images)

The Take It Down Act became effective May 19, 2026, requiring covered online platforms to establish a process for receiving and acting on notices of non-consensual intimate images (NCII), including AI-generated deepfakes, within 48 hours of notice; the FTC is authorized to enforce the Act against non-compliant platforms, and Hunton Privacy Blog reports that technology companies should be preparing for possible enforcement actions. [UNVERIFIED — statutory text not retrieved from primary source.]

NYDFS Industry Letter — Cybersecurity Risks from Frontier AI Models (May 2026)

The New York Department of Financial Services issued an industry letter on May 21, 2026, warning regulated entities that emerging frontier AI models may significantly increase cyber risk by enabling threat actors to identify and exploit vulnerabilities with greater speed, scale, and sophistication than previously possible; the specific guidance, required controls, and applicable compliance expectations in the letter have not been confirmed from the primary text. [UNVERIFIED — letter text not retrieved.]

9th Circuit En Banc — Copyright 'Total Concept and Feel' Test Under Review (Sedlik v. Von Drachenberg)

The Ninth Circuit has granted en banc rehearing in Sedlik v. Von Drachenberg to reconsider the copyright 'total concept and feel' test — the intrinsic portion of the Ninth Circuit's two-part infringement analysis — placing the circuit's predominant standard for assessing visual and other copyright infringement in flux; the en banc briefing schedule, composition of the panel, and scope of questions accepted have not been confirmed from a primary source. [UNVERIFIED — docket and order not retrieved.]

Irish DPC — Final Decision, Permanent TSB Inquiry (GDPR)

The Irish Data Protection Commission issued a final decision in its GDPR inquiry into Permanent TSB, a financial institution, in 2026, following an inquiry conducted under the Commission's supervisory remit.

Irish DPC — Final Decision, University of Limerick Inquiry (GDPR)

On 2026-06-21, the Irish Data Protection Commission issued a final decision concluding its GDPR inquiry into the University of Limerick; the specific articles found to be infringed, any financial penalty, and required corrective measures have not been publicly confirmed.

A G Equipment — EEOC Religious and Disability Discrimination Settlement (Vaccine Mandate)

The EEOC announced a consent resolution of charges against A G Equipment Company, a Broken Arrow, Oklahoma manufacturer, resolving religious and disability discrimination claims arising from the company's COVID-19 vaccine mandate, with reported monetary relief of $4,250,000 covering a class of more than 40 employees. [Announcement date unverified — confirm from primary source before publishing.]

EEOC Federal-Sector Appellate Decision — Religious Accommodation to COVID-19 Vaccine Mandate (Bureau of Indian Education)

On 2026-06-21, the EEOC's Office of Federal Operations reportedly issued an appellate decision finding that the U.S. Department of the Interior, Bureau of Indian Education, violated Title VII of the Civil Rights Act of 1964 in connection with the denial of religious accommodation requests from three federal employees subject to a COVID-19 vaccine mandate; the specific holding, reasoning, and relief have not been confirmed from a primary source.

Central Transport — EEOC Sex Discrimination in Hiring Resolution (Female Truck Drivers)

The EEOC reached an early resolution of charges against Central Transport, LLC under Title VII of the Civil Rights Act, with the Michigan-based trucking company agreeing to pay $5.5 million to settle allegations that it systematically refused to hire qualified female truck drivers across its more than 200 facilities nationwide.

EU AI Office — Forthcoming Guidelines Supporting Implementation of the AI Act

The European Commission's AI Office announced that it will issue implementation guidelines under the EU AI Act, according to the agency's announcement; the date of the announcement has not been confirmed from the source text, and the guideline text has not been published.

NLRB Modification of Procedures in Representation Cases (2020 Rule)

The NLRB published a final rule at 84 FR 69524 (Dec. 13, 2019) modifying representation case procedures, with an effective date ultimately set to May 31, 2020 following a COVID-19-related delay from the originally scheduled April 16, 2020 date.

NLRB Blocking Charge Policy, Voluntary Recognition Bar, and Section 9(a) Construction Industry Rule (2020)

On April 1, 2020, the NLRB published a final rule at 85 FR 18353, effective June 1, 2020, amending 29 C.F.R. Part 103 to revise the blocking charge policy, restore a 45-day open election period following voluntary recognition, and require affirmative majority-support evidence for Section 9(a) relationships in the construction industry.

Kaiser Permanente — EEOC Religious Discrimination Settlement (Vaccine Mandate)

The EEOC announced a settlement resolving 12 charges of religious discrimination against Kaiser Permanente arising from the company's vaccine mandate policy, with Kaiser agreeing to $358,000 in monetary relief plus injunctive relief whose specific terms have not been publicly confirmed. [NOTE TO EDITOR: Announcement date must be verified from primary source before publication — the date '2026-06-20' could not be confirmed and is likely erroneous.]

EEOC Additional Instructions for MD-715 Reporting, FY2026

On 2026-01-01, the EEOC issued additional instructions governing federal agencies' FY2026 submissions under Management Directive 715, the directive that requires federal agencies to establish and maintain effective equal employment opportunity and affirmative employment programs.

EEOC National Enforcement Plan FY2025-2029

In or around early 2025, the EEOC approved a National Enforcement Plan covering fiscal years 2025 through 2029, according to agency reporting; the full text of the plan has not been independently confirmed.

Northwestern Medicine — EEOC Religious Discrimination Conciliation (Vaccine Exemptions)

The EEOC resolved religious discrimination charges against Northwestern Medical Group under Title VII of the Civil Rights Act, with Northwestern agreeing to pay a reported $325,000 in monetary relief to a class of employees who were denied vaccine-exemption requests based on religious beliefs. The resolution date has not been confirmed from the cited source.

Irish DPC — Final Decision, Midlands Regional Hospital Tullamore Inquiry (GDPR)

On or around 2026-06-21, the Irish Data Protection Commission issued a final decision in its inquiry into Midlands Regional Hospital Tullamore under the General Data Protection Regulation; the specific findings, infringed articles, and any penalty amount have not been publicly confirmed.

EDPB FAQ on Data Privacy Framework — Verification and Onward-Transfer Flow-Down Obligations (January 2026)

On 2026-01-15, the European Data Protection Board announced publication of Version 2.0 of its FAQ for European businesses on the EU-U.S. Data Privacy Framework, with reported scope covering certification verification procedures, HR data transfers, and onward-transfer flow-down obligations under the DPF Accountability for Onward Transfer Principle; the full text of the FAQ has not been independently verified and specific content should not be relied upon until confirmed.

EU AI Act — General Purpose AI Model obligations now in force for providers above threshold

In August 2025, the EU AI Act's General Purpose AI chapter, Regulation (EU) 2024/1689 Arts. 51-56, entered into force, imposing obligations on providers of general-purpose AI models with EU market exposure.

CISA proposes 72-hour cyber incident reporting for critical infrastructure — CIRCIA NPRM

On April 4, 2024, CISA published a Notice of Proposed Rulemaking at 89 Fed. Reg. 23644 under the Cyber Incident Reporting for Critical Infrastructure Act proposing a 72-hour window for covered entities to report substantial cyber incidents; CISA's May 2026 supplemental guidance confirms that cloud and IT service providers to critical infrastructure owners are likely covered entities under the proposed rule.

Connecticut SB 4 — CTDPA Amendments: Data Broker Rules, Geolocation Sale Ban, Surveillance Pricing, Genetic Data

EEOC v. Dana Sealing Manufacturing — GINA Complaint (Collecting Family Medical History at Pre-Employment Physical)

EEOC v. LeachGarner — $2.8 Million Sex/Pay Discrimination Consent Decree (E.D. Mass.)

Louisiana Data Privacy Act (SB 386) — 22nd State Comprehensive Privacy Law

Oregon SB 1587 — Prohibition on Public Body Disclosures to Data Brokers for Federal Immigration Enforcement

Vermont Data Privacy and Online Surveillance Act (S.71) — 23rd State Comprehensive Privacy Law

Connecticut Comprehensive AI Law — Companion Chatbots, Frontier Model Governance, and Employment AI

Connecticut enacted a comprehensive artificial intelligence law, signed May 27, 2026, establishing regulatory frameworks for companion chatbot design and disclosure, frontier AI model governance, and AI use in employment decisions; specific obligations, effective dates by provision, and enforcement mechanisms have not been confirmed from the primary statutory text. [UNVERIFIED — bill text not retrieved.]

FTC Enforcement Authority — Take It Down Act (Non-Consensual Intimate Images)

The Take It Down Act became effective May 19, 2026, requiring covered online platforms to establish a process for receiving and acting on notices of non-consensual intimate images (NCII), including AI-generated deepfakes, within 48 hours of notice; the FTC is authorized to enforce the Act against non-compliant platforms, and Hunton Privacy Blog reports that technology companies should be preparing for possible enforcement actions. [UNVERIFIED — statutory text not retrieved from primary source.]

NYDFS Industry Letter — Cybersecurity Risks from Frontier AI Models (May 2026)

The New York Department of Financial Services issued an industry letter on May 21, 2026, warning regulated entities that emerging frontier AI models may significantly increase cyber risk by enabling threat actors to identify and exploit vulnerabilities with greater speed, scale, and sophistication than previously possible; the specific guidance, required controls, and applicable compliance expectations in the letter have not been confirmed from the primary text. [UNVERIFIED — letter text not retrieved.]

9th Circuit En Banc — Copyright 'Total Concept and Feel' Test Under Review (Sedlik v. Von Drachenberg)

The Ninth Circuit has granted en banc rehearing in Sedlik v. Von Drachenberg to reconsider the copyright 'total concept and feel' test — the intrinsic portion of the Ninth Circuit's two-part infringement analysis — placing the circuit's predominant standard for assessing visual and other copyright infringement in flux; the en banc briefing schedule, composition of the panel, and scope of questions accepted have not been confirmed from a primary source. [UNVERIFIED — docket and order not retrieved.]

Irish DPC — Final Decision, Permanent TSB Inquiry (GDPR)

The Irish Data Protection Commission issued a final decision in its GDPR inquiry into Permanent TSB, a financial institution, in 2026, following an inquiry conducted under the Commission's supervisory remit.

Irish DPC — Final Decision, University of Limerick Inquiry (GDPR)

On 2026-06-21, the Irish Data Protection Commission issued a final decision concluding its GDPR inquiry into the University of Limerick; the specific articles found to be infringed, any financial penalty, and required corrective measures have not been publicly confirmed.

A G Equipment — EEOC Religious and Disability Discrimination Settlement (Vaccine Mandate)

The EEOC announced a consent resolution of charges against A G Equipment Company, a Broken Arrow, Oklahoma manufacturer, resolving religious and disability discrimination claims arising from the company's COVID-19 vaccine mandate, with reported monetary relief of $4,250,000 covering a class of more than 40 employees. [Announcement date unverified — confirm from primary source before publishing.]

EEOC Federal-Sector Appellate Decision — Religious Accommodation to COVID-19 Vaccine Mandate (Bureau of Indian Education)

On 2026-06-21, the EEOC's Office of Federal Operations reportedly issued an appellate decision finding that the U.S. Department of the Interior, Bureau of Indian Education, violated Title VII of the Civil Rights Act of 1964 in connection with the denial of religious accommodation requests from three federal employees subject to a COVID-19 vaccine mandate; the specific holding, reasoning, and relief have not been confirmed from a primary source.

Central Transport — EEOC Sex Discrimination in Hiring Resolution (Female Truck Drivers)

The EEOC reached an early resolution of charges against Central Transport, LLC under Title VII of the Civil Rights Act, with the Michigan-based trucking company agreeing to pay $5.5 million to settle allegations that it systematically refused to hire qualified female truck drivers across its more than 200 facilities nationwide.

EU AI Office — Forthcoming Guidelines Supporting Implementation of the AI Act

The European Commission's AI Office announced that it will issue implementation guidelines under the EU AI Act, according to the agency's announcement; the date of the announcement has not been confirmed from the source text, and the guideline text has not been published.

NLRB Modification of Procedures in Representation Cases (2020 Rule)

The NLRB published a final rule at 84 FR 69524 (Dec. 13, 2019) modifying representation case procedures, with an effective date ultimately set to May 31, 2020 following a COVID-19-related delay from the originally scheduled April 16, 2020 date.

NLRB Blocking Charge Policy, Voluntary Recognition Bar, and Section 9(a) Construction Industry Rule (2020)

On April 1, 2020, the NLRB published a final rule at 85 FR 18353, effective June 1, 2020, amending 29 C.F.R. Part 103 to revise the blocking charge policy, restore a 45-day open election period following voluntary recognition, and require affirmative majority-support evidence for Section 9(a) relationships in the construction industry.

Kaiser Permanente — EEOC Religious Discrimination Settlement (Vaccine Mandate)

The EEOC announced a settlement resolving 12 charges of religious discrimination against Kaiser Permanente arising from the company's vaccine mandate policy, with Kaiser agreeing to $358,000 in monetary relief plus injunctive relief whose specific terms have not been publicly confirmed. [NOTE TO EDITOR: Announcement date must be verified from primary source before publication — the date '2026-06-20' could not be confirmed and is likely erroneous.]

EEOC Additional Instructions for MD-715 Reporting, FY2026

On 2026-01-01, the EEOC issued additional instructions governing federal agencies' FY2026 submissions under Management Directive 715, the directive that requires federal agencies to establish and maintain effective equal employment opportunity and affirmative employment programs.

EEOC National Enforcement Plan FY2025-2029

In or around early 2025, the EEOC approved a National Enforcement Plan covering fiscal years 2025 through 2029, according to agency reporting; the full text of the plan has not been independently confirmed.

Northwestern Medicine — EEOC Religious Discrimination Conciliation (Vaccine Exemptions)

The EEOC resolved religious discrimination charges against Northwestern Medical Group under Title VII of the Civil Rights Act, with Northwestern agreeing to pay a reported $325,000 in monetary relief to a class of employees who were denied vaccine-exemption requests based on religious beliefs. The resolution date has not been confirmed from the cited source.

Irish DPC — Final Decision, Midlands Regional Hospital Tullamore Inquiry (GDPR)

On or around 2026-06-21, the Irish Data Protection Commission issued a final decision in its inquiry into Midlands Regional Hospital Tullamore under the General Data Protection Regulation; the specific findings, infringed articles, and any penalty amount have not been publicly confirmed.