Data Privacy Frontline Report
May 2026
Here are key highlights from May 2026 detailing global news and regulatory updates.
US & Canada
- California’s data protection agency announces a record USD 12.75 million CCPA settlement with a major automotive company—the agency’s largest fine to date—over allegations the company collected, retained and sold Californians’ driving behavior and precise geolocation data without proper consent.
- California's attorney general files a lawsuit against a genetic testing company, alleging it failed to implement reasonable security measures, ignored known system vulnerabilities, and misled consumers about a 2023 data breach that exposed the sensitive genetic and personal data of nearly seven million users.
- Canadian provincial data protection authorities meet to discuss their jurisdiction-specific guidance on medical AI scribe tools, emphasizing privacy-compliant deployment, vendor relationships, and consent considerations.
- Canadian government releases guidance on agentic AI that stresses responsible use through clear scope, human oversight, strong governance, and safeguards to manage risks from more autonomous systems.
- Colorado amends its AI law to apply to automated decision making, significantly reducing employer obligations and requiring notice to individuals, record retention and an adverse action and human review process.
- US Department of Health and Human Services (HHS) announces a restructuring of its Office for Civil Rights that establishes a new Health Information Privacy, Data, and Cybersecurity Division and strengthens oversight of health data security and cybersecurity.
- US healthcare marketplaces are found to have shared sensitive application data—including citizenship status and race—with major ad tech companies via embedded tracking pixels, raising concerns about privacy risks affecting millions of users of state-run insurance exchanges.
EMEA
- EU European Parliament and Council reach a provisional agreement to amend the AI Act by delaying key compliance deadlines and clarifying overlaps with sectoral laws—most notably exempting machinery from direct AI Act requirements where existing rules apply.
- EU European Commission releases delayed draft guidelines for identifying “high-risk” AI systems under the AI Act, offering a three-phase framework with illustrative examples and opening a public consultation.
- EU European Commission launches a public consultation on draft guidelines clarifying transparency obligations under the AI Act to help providers and deployers prepare for rules taking effect in August 2026.
- EU and Japan commit to deepening cooperation across AI and digital technologies—including data governance, semiconductors, quantum and online platforms—while promoting secure data flows, interoperable systems, and trustworthy AI through joint research and regulatory alignment. (also in APAC)
- German regulators publish a roadmap for AI in medical devices, outlining how the EU AI Act and Medical Device Regulation interact to guide companies and support the safe use of AI in medicine.
- UK data protection authority reminds businesses that they have until June 19 to prepare for new requirements under the Data (Use and Access) Act 2025 and offers guidance to support them ahead of the start date.
APAC
- Australia’s data protection authority publishes a checklist providing practical guidance for organizations to manage privacy complaints effectively—emphasizing preparation, clear procedures, timely and transparent handling, and using complaints to strengthen governance and build public trust.
- China releases comprehensive lifecycle guidelines for ethical security of AI applications that emphasize human oversight and position AI as serving human well-being, societal interests, and sustainable development.
- Indian ministry invites applications for a chairperson and members of the Data Protection Board of India, advancing implementation of the Digital Personal Data Protection Act by establishing an adjudicatory body to investigate data breaches, enforce compliance, and impose penalties.
- Japan and EU commit to deepening cooperation across AI and digital technologies—including data governance, semiconductors, quantum and online platforms—while promoting secure data flows, interoperable systems, and trustworthy AI through joint research and regulatory alignment. (also in EMEA)
- Singapore government agency updates agentic AI governance framework with real‑world case studies and best practices, helping organizations understand how peers have operationalized the framework and applied similar approaches in their own systems.
LATAM
- Brazil’s data protection authority evolves by strengthening its institutional capacity and enforcement capabilities, enabling organizations operating in Brazil to build more robust, scalable oversight and development of data protection programs.
Global
- OECD policy paper examines the growing fragmentation of cybersecurity regulations across jurisdictions, while promoting dialogue and evidence‑based approaches to improve regulatory coherence globally.