Operational Accountability Emerges as a Defining Regulatory Theme
The last 30 days show privacy, cybersecurity, and AI governance converging around operational accountability.
California’s $12.75 million General Motors settlement is the clearest current U.S. enforcement signal, pairing record CCPA penalties with the state’s first data-minimization case and a hard look at connected-vehicle data practices.
The FTC, meanwhile, has continued to police AI-adjacent deception, settling over “active listening” marketing claims and beginning enforcement of the TAKE IT DOWN Act’s fast-turnaround removal obligations for nonconsensual intimate imagery and AI-generated digital forgeries.
At the same time, Congress has put a federal privacy bill back on the table, states are moving aggressively on privacy and AI legislation before session deadlines, and healthcare entities are still preparing for a potentially transformative HIPAA Security Rule overhaul.
The throughline is that regulators are no longer focused only on notice language; they are testing retention, product design, deletion, governance, and cross-functional execution.
Major Privacy News & Enforcement
California Secures $12.75 Million General Motors Settlement, Setting a New CCPA High-Water Mark
What Happened
On May 8, 2026, California Attorney General Rob Bonta announced a $12.75 million settlement with General Motors, described as the largest CCPA penalty in California history to date and the state’s first enforcement action centered on the CCPA’s data-minimization principle. California alleged GM sold names, contact information, geolocation data, and driving-behavior data from hundreds of thousands of Californians to LexisNexis and Verisk, failed to provide adequate notice, and retained and sold data beyond what was needed to operate OnStar. The settlement requires, among other things, deletion of retained driving data within 180 days, a request that the brokers delete the data, a five-year stop on selling driving data to consumer reporting agencies, and a documented privacy program with risk assessments and reporting obligations.
Why It Matters
This is the most important enforcement development of the month because it shows California moving decisively beyond opt-out mechanics and into data minimization, retention, and product-linked data monetization. It also signals that connected devices and connected vehicles remain squarely in scope for privacy enforcement, especially where companies collect data for one service function but later retain, share, or commercialize it for another.
Practical Actions
- Reassess whether location, telemetry, usage, or behavioral data collected through connected products is being retained or shared beyond the user-facing service need.
- Stress-test disclosures and in-product consent flows for any downstream sharing with brokers, insurers, analytics providers, or affiliate ecosystems.
- Document retention limits, deletion triggers, and data-minimization rationales for product data that could be characterized as sensitive or unexpected.
FTC Targets “Active Listening” AI Marketing Claims
What Happened
On May 21, 2026, the FTC announced settlements requiring Cox Media Group and two related firms to pay nearly $1 million over allegations that they deceptively marketed an “active listening” AI-powered advertising service. According to the FTC, the companies falsely claimed the service could target ads using conversations captured through consumers’ smart devices and falsely represented that consumers had opted in.
Why It Matters
The case is notable not because the FTC is endorsing “active listening” as a real advertising practice, but because it reinforces that AI-related marketing claims remain an enforcement priority when they are exaggerated, misleading, or unsupported. For privacy teams, it is also a reminder that sensational or opaque claims about how consumer data is collected and used can trigger both deception risk and broader scrutiny of underlying data practices.
Practical Actions
- Require substantiation for any AI-related marketing claims tied to data collection, ad targeting, personalization, or device sensing.
- Review sales decks and vendor claims for language suggesting consumer opt-in, background listening, or other high-sensitivity data practices unless those statements are fully supportable.
- Coordinate legal and privacy review for AI product messaging, not just the product itself.
FTC Begins Enforcing the TAKE IT DOWN Act
What Happened
On May 19, 2026, the FTC announced that it had begun enforcing Section 3 of the TAKE IT DOWN Act. Covered platforms must provide a way for individuals to request removal of nonconsensual intimate images or videos, including AI-generated “digital forgeries,” and must remove those images and known identical copies within 48 hours of a valid request.
Why It Matters
This is an important AI-and-content-governance development because it operationalizes a rapid removal obligation tied not only to authentic intimate content, but also to synthetic and AI-manipulated imagery. Platforms can no longer treat this as a trust-and-safety issue alone; it is now a live federal compliance obligation with strict turnaround expectations.
Practical Actions
- Confirm whether your platform is covered and whether intake, validation, removal, and hash-matching workflows can meet the 48-hour deadline.
- Align privacy, trust and safety, security, and customer support teams on escalation paths for intimate-image complaints.
- Update incident-response-style playbooks for synthetic media and nonconsensual imagery, including logging, handling of repeat uploads, and evidentiary preservation.
Litigation and Enforcement Trends
The Trend
Healthcare cybersecurity obligations may be about to become much more prescriptive. Recent reporting indicates federal regulators are still considering a major overhaul of the HIPAA Security Rule, and the proposal would remove the long-standing distinction between “required” and “addressable” implementation specifications, making measures like encryption and multifactor authentication mandatory except in limited cases. OCR leadership has also indicated reluctance to abandon the proposal altogether given the steady cadence of cyberattacks affecting healthcare.
Practical Actions
- Update HIPAA risk analyses now rather than waiting for final rule text, especially around MFA, encryption, asset inventories, and written documentation.
- Identify where current controls rely on “addressable” flexibility that could become harder to defend.
- Treat vendor and business-associate diligence as part of cybersecurity readiness, not a separate contracting exercise.
The Trend
Privacy enforcement is continuing to migrate from front-end disclosures to architecture, retention, and internal governance. The GM case is especially instructive because the alleged problem was not just what the policy said; it was how the company retained, sold, and governed driving data over time. The FTC’s recent AI-marketing case similarly shows that regulators remain focused on what businesses actually do and can prove, not just what they say in polished product narratives.
Practical Actions
- Test whether privacy choices, retention schedules, and internal approvals actually map to technical reality.
- Preserve implementation evidence showing what data was collected, why it was retained, where it flowed, and who approved the use case.
- Push governance upstream so product, security, and legal teams assess new data uses before monetization or rollout.
Legislative and Regulatory Updates
The Update
On June 2, President Trump signed “Promoting Advanced Artificial Intelligence Innovation and Security.” It is the latest in a series of federal AI executive actions that began with the revocation of the previous administration’s AI order in Jan. 2025 and continued through the Dec. 2025 order directing the DOJ to challenge state AI laws it deems inconsistent with federal policy.
The June 2 order focuses on AI security rather than state preemption, establishing a voluntary framework under which AI developers can submit frontier models for government cybersecurity review up to 30 days before public release. It also directs agencies to develop benchmarks for assessing AI models’ cyber capabilities and creates an AI cybersecurity clearinghouse for sharing vulnerability information. An earlier version requiring a 90-day mandatory review window was scrapped last month following industry pushback. We will be covering the full scope and compliance implications of this order in a dedicated article shortly.
Practical Actions
- Monitor whether voluntary pre-release participation becomes an informal industry expectation despite the lack of a mandate.
- Assess whether your AI development or deployment activities touch critical infrastructure sectors prioritized by the order.
- Track DOJ activity under the December 2025 state-preemption order in parallel, as the two orders together define the administration’s current federal AI posture.
The Update
Federal comprehensive privacy legislation is back in play. On April 22, 2026, House Republicans released the SECURE Data Act, which IAPP described as the first major attempt in the 119th Congress to establish comprehensive consumer privacy rules. The bill would create a national framework and re-center the debate over federal preemption versus the state patchwork.
Practical Actions
- Continue treating state laws as the operative baseline, but track how federal proposals address preemption, sensitive data, consumer rights, and enforcement.
- Avoid pausing state implementation work based on renewed federal momentum alone.
- Use the reemergence of a federal bill as an opportunity to identify where current programs depend on state-specific workarounds.
The Update
State privacy and AI legislative activity remains unusually intense heading into late-session deadlines. As of May 25, Illinois lawmakers had advanced a consumer privacy bill, two chatbot bills, and a frontier-model bill; California had moved multiple chatbot, healthcare AI, employment AI, and AI transparency measures; New York advanced consumer health privacy and algorithmic discrimination bills; Vermont signed a healthcare AI bill into law; and Delaware moved a bill to significantly amend its consumer privacy law. Louisiana also passed a consumer privacy bill, and California advanced a bill shortening certain data-broker time periods from 45 days to 30.
Practical Actions
- Track state privacy and AI bills rather than waiting for post-session summaries.
- Pay particular attention to chatbot disclosures, health AI, employment AI, data-broker amendments, and algorithmic pricing or discrimination proposals.
- Design governance so it can absorb state-by-state AI obligations without splintering privacy and product compliance processes.
The Update
Colorado’s AI compliance picture changed significantly after our last issue. On April 27, 2026, a federal magistrate judge stayed enforcement of SB 24-205 following a constitutional challenge by xAI and a DOJ intervention, the first time the federal government has moved to invalidate a state AI law.
Two weeks later, the stay became moot when Governor Polis signed SB 26-189 on May 14, repealing SB 24-205 entirely and replacing it with a narrower disclosure-and-rights framework before the original law ever took effect. The new law drops mandatory risk management programs, annual impact assessments, and the duty of care against algorithmic discrimination, and instead requires consumer notice when AI influences a consequential decision, post-adverse-outcome explanations, correction rights, and meaningful human review. It takes effect Jan. 1, 2027, with enforcement contingent on AG rulemaking that has not yet formally begun.
Practical Actions
- Treat SB 24-205 compliance work as superseded. The original law will not be enforced.
- Map SB 26-189’s disclosure and human review obligations against AI use cases affecting Colorado residents in employment, housing, credit, insurance, healthcare, or education.
- Begin scoping consumer-facing workflows now, ahead of the January 1, 2027 effective date, rather than waiting for AG rulemaking to define implementation specifics.
The Update
Governments are also treating AI as a cybersecurity governance issue, not just an innovation or consumer-protection issue. On May 25, 2026, the UK and Australia announced a new memorandum of understanding connecting the UK AI Security Institute and the Australian AI Safety Institute to cooperate on AI safety and security, technical evaluation, and emerging risk-sharing. In parallel, CISA highlighted new guidance on minimum elements for a software bill of materials for AI. Together, these moves reinforce that AI governance is increasingly being operationalized through security, testing, and supply-chain transparency.
Practical Actions
- Fold AI systems into security governance, including third-party diligence, model/component inventories, and testing expectations.
- Ask vendors not only what the model does, but how it is built, what components it depends on, and how security changes are tracked.
- Coordinate privacy, security, and procurement teams so AI governance includes supply-chain visibility and incident response planning.
The Privacy Filter Podcast
Every month, Barnes & Thornburg’s attorneys explore the evolving world of data security and privacy in their podcast.
In our latest episode, “Your Users Don’t Think About Privacy the Way You Do,” Owen Agho explores generational perspectives on privacy, focusing on location sharing, social media, and AI. Featuring students from Georgetown University, it highlights how different age groups perceive privacy risks and social norms in the digital age.
Recent Thought Leadership
FBI Cyber Officials Suggest Best Practices and Potential Benefits of Promptly Reporting Cybersecurity Incidents to Law Enforcement
Recently, FBI Cyber convened a meeting of outside counsel to discuss recent cybercrime trends, the potential benefits to organizations that promptly report cybersecurity incidents to law enforcement, and the FBI’s suggested best practices to mitigate vulnerabilities from the latest cybersecurity threats.