EU AI Act high-risk deadlines revised under Digital Omnibus provisional agreement

The European Parliament and Council reached a provisional political agreement in May 2026 under the Digital Omnibus package to amend the EU AI Act timeline. The key deadline changes, if formally adopted, are as follows.

What is changing

  • Stand-alone high-risk AI systems (not embedded in a regulated product): deadline extended from 2 August 2026 to 2 December 2027.
  • High-risk AI embedded in regulated products (medical devices, machinery, vehicles, and similar): deadline extended from 2 August 2026 to 2 August 2028.
  • Machine-readable marking of synthetic content by AI system providers (Article 50(2)): moved to 2 December 2026.
  • All other Article 50 transparency obligations, including chatbot disclosure and deployer deepfake labelling: unchanged at 2 August 2026.

What has not changed

  • General-purpose AI (GPAI) model obligations: in force from 2 August 2025 (no change).
  • Prohibited AI practices: in force from 2 February 2025 (no change).
  • Article 50 chatbot disclosure and deepfake labelling obligations: 2 August 2026 (no change).
  • The high-risk AI classification criteria themselves (Article 6 and Annex I): unchanged.

Current legal status

The Digital Omnibus agreement is provisional. Until formal adoption, the AI Act as originally written, including the 2 August 2026 high-risk application date, remains the law. Companies should not treat the new dates as settled until formal adoption is confirmed.

What this means for your programme

EU AI Act scoping and gap assessments remain worthwhile regardless of the timeline shift, because the substantive requirements (risk management systems, data governance, transparency documentation, human oversight) are unchanged. The extension creates runway to implement properly rather than rush to a nominal compliance date. Companies that have begun conformity assessments should continue. Companies that paused in anticipation of a delay should be aware that the legal position has not yet changed.

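Apart from the Article 50(2) machine-readable marking obligation for providers, which would move to 2 December 2026, the Article 50 dates are unaffected. If your product generates or manipulates image, audio, or video content, or deploys a chatbot, the chatbot disclosure and deepfake labelling obligations still apply from 2 August 2026.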

This entry is general information, not legal advice. The Digital Omnibus agreement is subject to formal adoption proceedings.

Minnesota MCDPA: cure period expires, AG can enforce without prior notice

Minnesota's Consumer Data Privacy Act took effect on 31 July 2025 with a built-in grace mechanism: until 31 January 2026, the Attorney General had to give businesses written notice and 30 days to cure before bringing an enforcement action. That cure-period provision expired by statute on 31 January 2026. From 1 February 2026, the AG can proceed directly to enforcement without offering a cure window.

The MCDPA applies to controllers processing personal data of 100,000 or more Minnesota consumers annually, or 25,000 where more than 25 percent of gross revenue derives from selling personal data, and, unusually among state privacy laws, most nonprofits are not exempt. The law includes the standard consumer rights set (access, correction, deletion, portability, opt-outs for sale, targeted advertising and profiling) plus Minnesota-specific additions, including a right to question the result of profiling used in significant decisions.

What this means

The runway is gone. If you meet a threshold and have not aligned your programme with the MCDPA, prioritise it: privacy notice coverage, consumer rights workflows, processor contracts, and data protection assessments for high-risk processing.

This is a general update, not legal advice.

Updated CCPA/CPRA regulations take effect: ADMT, risk assessments, cybersecurity audit phase-in

California's updated CPRA regulations covering automated decision-making technology (ADMT) and privacy risk assessments were finalised by the California Privacy Protection Agency (CPPA) and began their phase-in from 1 January 2026. The ADMT rules extend consumers' opt-out rights to certain uses of automated decision-making in significant decisions (employment, credit, housing, insurance, education) and require businesses to provide access to information about the logic used.

Privacy risk assessments are now mandatory for businesses that engage in processing activities posing significant risk to consumers, including sale of personal data, ADMT in significant decisions, and large-scale processing of sensitive data. The regulations also require businesses to designate named individuals responsible for privacy, AI, and cybersecurity practices, with certain filings submitted to the CPPA under penalty of perjury. Cybersecurity audit obligations for high-risk businesses are also in phase-in. The CPPA retains enforcement authority.

What this means

California-regulated businesses should audit whether any ADMT use cases require opt-out mechanisms, confirm whether a risk assessment obligation is triggered, and check whether the cybersecurity audit threshold applies.

This is a general update, not legal advice.

New US state privacy laws take effect: Indiana, Kentucky, Rhode Island

Three US state consumer privacy laws took effect on 1 January 2026: Indiana's Consumer Data Protection Act, Kentucky's Consumer Data Protection Act, and Rhode Island's Data Transparency and Privacy Protection Act. Indiana and Kentucky follow the Virginia model: they apply to controllers processing personal data of at least 100,000 state consumers annually, or 25,000 where more than 50 percent of gross revenue derives from the sale of personal data; both provide a 30-day cure period and penalties up to $7,500 per violation.

Rhode Island stands out on enforcement: it provides no cure period before penalties apply, with fines up to $10,000 per violation, and adds distinctive disclosure requirements for sharing personal data with third parties. The Rhode Island law applies to controllers processing personal data of at least 35,000 Rhode Island consumers annually, or at least 10,000 consumers where more than 20 percent of gross revenue derives from the sale of personal data.

None of the three includes a private right of action; enforcement sits with each state's Attorney General. All three require privacy notices, opt-outs for sale, targeted advertising and certain profiling, opt-in consent for sensitive data, processor contracts, and data protection assessments for high-risk processing.

What this means

If you serve consumers in these states, check the thresholds, confirm your privacy notice covers them, and note Rhode Island especially: with no cure period, the first contact from the AG can be an enforcement action.

This is a general update, not legal advice.

European Commission publishes Digital Omnibus package proposing GDPR, ePrivacy, NIS2, and Data Act amendments

The European Commission published its Digital Omnibus package on 19 November 2025, proposing targeted amendments to the GDPR, the ePrivacy Directive, the NIS2 Directive, and the Data Act, alongside a separate Digital Omnibus on AI amending the EU AI Act. The headline GDPR proposals: narrowing how pseudonymised data is treated under the definition of personal data; raising the Records of Processing Activities exemption threshold from 250 to 750 employees; extending breach notification from 72 to 96 hours with a single entry point for reporting; refinements to Article 22 automated decision-making; moving cookie and terminal-equipment rules into the GDPR with support for machine-readable consent signals; and a new provision clarifying that legitimate interests can support processing for AI development.

These are proposals, not law: they require negotiation and adoption by the Parliament and Council. The EDPB and EDPS have criticised the personal-data definition change, and Council compromise texts have reportedly walked parts of it back. The AI portion reached provisional agreement on 7 May 2026 (see the entry on the revised EU AI Act high-risk deadlines); the rest remains in the legislative process.

What this means

No compliance action yet. Track the RoPA threshold and breach-notification changes if you are an SME, and do not loosen pseudonymisation practices on the strength of a proposal.

This is a general update, not legal advice.

EU AI Act: GPAI model obligations begin applying

The EU AI Act's obligations for providers of general-purpose AI (GPAI) models began applying on 2 August 2025, twelve months after the Regulation entered into force on 1 August 2024. Providers of GPAI models must comply with transparency requirements: publishing a summary of training data, following EU copyright law, and making technical documentation available to downstream providers. Providers of GPAI models with systemic risk face additional obligations including adversarial testing, incident reporting to the AI Office, and cybersecurity measures. The AI Office, established within the Commission, is responsible for supervision and enforcement of GPAI obligations at the EU level. Member state authorities retain responsibility for supervising high-risk AI obligations, whose timeline has since been revised (see the 7 May 2026 Digital Omnibus entry).

What this means

If your product is built on or includes a GPAI model, confirm your upstream provider's compliance status. If your company develops or fine-tunes foundation models released externally, verify whether the GPAI transparency rules apply to you and whether systemic-risk classification is triggered.

This is a general update, not legal advice.