<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[The Innovation Attorney: Privacy]]></title><description><![CDATA[Emerging Privacy Topics and Events]]></description><link>https://theinnovationattorney.substack.com/s/privacy-short-takes</link><image><url>https://substackcdn.com/image/fetch/$s_!HXcc!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2bf7d6dd-085a-43f1-af79-2ad9a2aa8a5d_960x960.png</url><title>The Innovation Attorney: Privacy</title><link>https://theinnovationattorney.substack.com/s/privacy-short-takes</link></image><generator>Substack</generator><lastBuildDate>Fri, 29 May 2026 16:55:45 GMT</lastBuildDate><atom:link href="https://theinnovationattorney.substack.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Michael Kimball]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[theinnovationattorney@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[theinnovationattorney@substack.com]]></itunes:email><itunes:name><![CDATA[The Innovation Attorney]]></itunes:name></itunes:owner><itunes:author><![CDATA[The Innovation Attorney]]></itunes:author><googleplay:owner><![CDATA[theinnovationattorney@substack.com]]></googleplay:owner><googleplay:email><![CDATA[theinnovationattorney@substack.com]]></googleplay:email><googleplay:author><![CDATA[The Innovation Attorney]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Technology and AI Legislation]]></title><description><![CDATA[Tech Legislative Tracker]]></description><link>https://theinnovationattorney.substack.com/p/technology-and-ai-legislation</link><guid 
isPermaLink="false">https://theinnovationattorney.substack.com/p/technology-and-ai-legislation</guid><dc:creator><![CDATA[The Innovation Attorney]]></dc:creator><pubDate>Wed, 27 May 2026 16:19:09 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!eRri!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!eRri!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!eRri!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!eRri!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!eRri!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!eRri!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!eRri!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:519658,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://theinnovationattorney.substack.com/i/199483541?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!eRri!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!eRri!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!eRri!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!eRri!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf554428-7b11-4b8d-8389-d7a8bd31cd4b_1376x768.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><h1>Executive Summary</h1><p style="text-align: justify;">Connecticut Governor Ned Lamont is expected to sign Senate Bill 5, the Connecticut Artificial Intelligence Responsibility and Transparency Act, into law following passage by the House 131 to 17 on May 1, 2026, making Connecticut the most comprehensive state AI regulatory framework in the United 
States as of this report date.</p><p style="text-align: justify;">The 24-hour legislative window ending May 27, 2026 reflects accelerating state-level action on artificial intelligence regulation, data privacy, digital asset structure, and professional responsibility. Louisiana&#8217;s Senate Bill 386, the Louisiana Data Privacy Act, awaits gubernatorial signature after unanimous passage on May 21, 2026. The Illinois Senate passed two chatbot safety bills on May 14, 2026. The Senate Banking Committee advanced the Digital Asset Market Clarity Act on May 14, 2026. And the California State Bar Board of Trustees is scheduled to act on proposed AI ethics rule amendments at its May 2026 meeting. Congress has not enacted major federal technology legislation in this 24-hour period, but committee-level activity on the SECURE Data Act and export control measures continues.</p>
<p style="text-align: justify;">From this practice&#8217;s vantage point in advising technology companies and startups, the most consequential near-term development is the potential signing of Connecticut SB 5, which will create binding obligations on large generative AI providers and automated employment decision systems effective October 1, 2026. Companies with more than one million monthly users face provenance data embedding requirements and employment AI disclosure duties that no current federal framework imposes.</p><h1>A. What Is the Current State of Artificial Intelligence Regulation and Liability Legislation?</h1><p style="text-align: justify;">Connecticut Senate Bill 5, signed into law in May 2026 as the Connecticut Artificial Intelligence Responsibility and Transparency Act, requires large generative AI providers serving more than one million monthly users to embed provenance data into audio, image, and video content and to disclose automated employment decision systems to affected individuals.</p><p style="text-align: justify;">Connecticut SB 5 passed the state Senate 32 to 4 and the House 131 to 17. The law takes effect October 1, 2026 and covers generative AI providers, automated employment decision-making tools, AI companion products aimed at minors, and AI programs operated by state agencies. The bill includes a voluntary safe harbor mechanism: AI users who comply with approved program guidelines are deemed compliant with Connecticut&#8217;s existing data privacy and consumer protection statutes. 
This safe harbor structure is a significant departure from Colorado&#8217;s litigation-heavy approach and may become a template for other states.</p><p style="text-align: justify;">Colorado&#8217;s approach faces a different fate. On April 27, 2026, the United States District Court for the District of Colorado granted a joint motion in x.AI LLC v. Weiser to stay enforcement of the Colorado AI Act while the parties and the court assess its constitutional dimensions. That stay means Colorado&#8217;s original statute is functionally suspended. Colorado&#8217;s legislature separately passed SB 26-189 on May 9, 2026, which would replace the original Colorado AI law with a revised framework, but the governor&#8217;s signature is pending.</p><p style="text-align: justify;">At the federal level, the White House issued a National Policy Framework for Artificial Intelligence on March 20, 2026, urging Congress to establish a uniform preemptive federal standard. Congress has not acted on that recommendation. Competing bills remain in committee, including H.R. 8094, the AI Foundation Model Transparency Act of 2026, which would direct the Federal Trade Commission to establish public disclosure requirements for training data and algorithms used in foundation models, and S. 3952, the Future of Artificial Intelligence Innovation Act of 2026. H.R. 5388, the American Artificial Intelligence Leadership and Uniformity Act, would preempt inconsistent state AI laws.</p><p style="text-align: justify;">Illinois Senate Democrats introduced an eight-bill AI regulation package on May 14, 2026. Two of those bills passed the Senate. Senate Bill 317, the Consumer AI Notice Act, requires companies using customer service chatbots to disclose at the outset of each interaction that the user is communicating with an automated system, with repeated disclosures at three-hour intervals during ongoing conversations. 
Senate Bill 316, the AI Companion Model Safety Act, requires operators of AI chatbots designed for social or emotional interaction to maintain protocols addressing suicidal ideation and self-harm, and to route users to crisis resources upon recognizing those expressions. Both bills provide private rights of action for injured users and assign enforcement authority to the Illinois Attorney General.</p><p style="text-align: justify;">California&#8217;s legislative output on AI continues at volume. The California Senate passed SB 1119, which addresses AI transparency in employment, and the Assembly passed AB 1988. The California Senate also passed two healthcare AI bills in the same period. Rhode Island&#8217;s Senate passed S. 2197, establishing regulations on the use of artificial intelligence in mental health care treatments.</p><p style="text-align: justify;">The EU AI Act&#8217;s General Purpose AI provisions entered a compliance phase in 2026. The EU framework creates extraterritorial obligations for U.S. companies serving EU markets and is driving convergence pressure even in states without their own laws. Companies that have invested in EU AI Act compliance programs are finding that Connecticut SB 5&#8217;s provenance and transparency requirements are substantially overlapping, reducing the marginal cost of multi-jurisdiction compliance.</p><h1>B. What New Data Privacy Legislation Has Been Introduced or Passed in the Last 24 Hours?</h1><p style="text-align: justify;">Louisiana Senate Bill 386, the Louisiana Data Privacy Act, was passed unanimously by the state legislature on May 20 to 21, 2026, and is now awaiting signature by the Governor, with a ten-day review window that places a decision on or before May 31, 2026.</p><p style="text-align: justify;">The Louisiana Data Privacy Act follows the Texas model closely but adds a standalone $25 million annual revenue applicability threshold. 
The Louisiana Attorney General holds exclusive enforcement authority under the state&#8217;s existing consumer protection framework, with no private right of action. If signed, Louisiana becomes the third state, following Oklahoma and Alabama, to enact comprehensive consumer data privacy legislation in 2026, and approximately the twentieth state overall to have a comprehensive law.</p><p style="text-align: justify;">Delaware&#8217;s House Bill 380, which significantly amends Delaware&#8217;s existing consumer data privacy law, passed the state House and is advancing. Vermont&#8217;s S. 71 passed out of a House committee after earlier Senate passage. California&#8217;s SB 1106 passed the Senate, amending the state&#8217;s data broker law to reduce the required response time from 45 days to 30 days.</p><p style="text-align: justify;">At the federal level, the SECURE Data Act, formally titled the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act, H.R. 8413, was released by the House Energy and Commerce Committee on April 22, 2026. The bill would establish comprehensive federal privacy rights, preempt state privacy laws, create a national data broker registry at the Federal Trade Commission, and give enforcement authority to the FTC and state attorneys general. The bill includes consumer rights to access, correct, delete, and port personal data, and an opt-out right for targeted advertising and significant decision profiling. Congressional observers note that the preemption provision has drawn opposition from states with strong existing privacy regimes, including California, and that the timeline for floor consideration remains uncertain. The bill also proposes a parental consent standard for personal data collected from individuals under eighteen.</p><p style="text-align: justify;">The AI data usage nexus is the primary driver of state privacy legislative velocity in 2026. 
States are not regulating data in the abstract: they are targeting the use of personal data as AI training material and the use of AI to generate consumer-facing decisions. Connecticut SB 5 fuses these two threads into a single omnibus framework. Louisiana SB 386, by contrast, addresses data without directly addressing AI, which means Louisiana companies using personal data to train AI systems face compliance under SB 386 for the data piece and will face separate requirements if federal AI legislation advances.</p><h1>C. What Are the Latest Cybersecurity Liability and Disclosure Legislative Developments?</h1><p style="text-align: justify;">The Health Care Cybersecurity and Resiliency Act of 2026, S. 3315, was introduced in the 119th Congress and targets the critical vulnerability exposure that healthcare entities face following high-profile ransomware incidents, imposing new minimum cybersecurity standards and incident response obligations on covered healthcare organizations.</p><p style="text-align: justify;">S. 3315 addresses a gap left by the existing Health Insurance Portability and Accountability Act cybersecurity framework, which predates modern ransomware economics. The bill would require covered healthcare organizations to implement minimum cybersecurity standards, conduct regular audits, and respond to incidents within defined timeframes. The State and Local Cybersecurity Grant Program Reauthorization Act, S. 3251, reauthorizes the federal grant program supporting state, local, tribal, and territorial government cybersecurity investment.</p><p style="text-align: justify;">The United Kingdom&#8217;s Cyber Security and Resilience (Network and Information Systems) Bill reached Report Stage in Parliament on May 14, 2026. That bill is not U.S. legislation, but it governs network and information systems used for essential activities and creates compliance obligations for U.S. companies operating in or selling into the UK market. 
Its passage would create a third major regulatory cybersecurity regime alongside the EU&#8217;s NIS2 Directive and the United States&#8217; sector-specific frameworks.</p><p style="text-align: justify;">The SEC cyber disclosure rules adopted in 2023 under 17 C.F.R. Part 229 remain the operative federal standard for public company cybersecurity incident disclosure. No legislation modifying those rules was introduced in the 24-hour period ending May 27, 2026. Board-level fiduciary exposure following material breaches continues to generate litigation risk for companies that fail to disclose material cybersecurity incidents within the four business day window required under the SEC rules. Ransomware response remains complicated by the Office of Foreign Assets Control&#8217;s sanctions framework, which prohibits ransom payments to designated entities and applies even when the company is acting under duress.</p><h1>D. What Is Happening With Content Moderation and Platform Liability Legislation?</h1><p style="text-align: justify;">No major federal Section 230 reform legislation was introduced or advanced in the 24-hour period ending May 27, 2026, though the TAKE IT DOWN Act, signed into federal law in May 2025, reached its first platform compliance milestone on May 19, 2026, requiring platforms to remove reported intimate images within 48 hours of receiving notice.</p><p style="text-align: justify;">The TAKE IT DOWN Act, signed by President Trump, represents the most significant federal platform liability expansion in years and establishes Federal Trade Commission enforcement authority over noncompliant platforms. The 48-hour removal window places operational demands on platforms that go beyond any existing state notice-and-takedown framework and creates measurable liability exposure for platforms that fail to meet the statutory timeline.</p><p style="text-align: justify;">Broader Section 230 reform remains stalled. 
Bills including the EARN IT Act, the SAFE TECH Act, and the PACT Act have not advanced to floor votes. The principal legislative tension is between conservative members who argue that Section 230 enables platforms to suppress conservative speech and members who argue that immunity reform requires careful First Amendment calibration. That tension has prevented consensus on a narrowing framework even as public pressure for action grows.</p><p style="text-align: justify;">The European Union&#8217;s Digital Services Act created enforceable content moderation obligations for designated Very Large Online Platforms as of 2024, and those obligations continue to create friction with the Section 230 framework for U.S. companies operating globally. Algorithmic amplification liability, squarely addressed in the DSA, has no direct U.S. federal statutory analog, leaving U.S. platforms to manage EU enforcement risk while operating under U.S. immunity protections domestically.</p><h1>E. What Is the Status of Intellectual Property Legislation Governing AI-Generated Works and Training Data?</h1><p style="text-align: justify;">The Copyright Labeling and Ethical AI Reporting Act, introduced in the Senate in February 2026 by Senators Adam Schiff and John Curtis, would require companies developing generative AI platforms to file a summary with the U.S. Copyright Office of every copyrighted work included in their training dataset, within 30 days before commercial release.</p><p style="text-align: justify;">The CLEAR Act creates a private cause of action for copyright owners who can show that a developer failed to file required notice regarding their works. The bill would require the notice to include the URL for any publicly available training dataset, creating a disclosure chain that copyright holders could use to identify potential infringement claims. 
The bill sits in committee as of this report date and has not been scheduled for floor consideration.</p><p style="text-align: justify;">The Transparency and Responsibility for Artificial Intelligence Networks Act, introduced in January 2026 by Representatives Madeleine Dean and Nathaniel Moran, gives copyright holders access to training records used to train AI models. The TRAIN Act would allow creators to determine whether their copyrighted material was used without authorization and would create a right to audit training datasets that is not currently available under existing copyright law.</p><p style="text-align: justify;">California&#8217;s AB 412 would prohibit the use of copyrighted materials in AI training without authorization from the rights holder and is advancing through the California legislature. The bill would create state-level liability for unauthorized AI training, a standard more aggressive than current federal copyright law as interpreted in pending litigation.</p><p style="text-align: justify;">The litigation front is moving faster than the legislative front. Multiple cases challenging AI training datasets under the Copyright Act are pending in federal courts. The outcome of those cases will shape the legislative response, as courts resolve what existing copyright law already prohibits before Congress acts on what it should newly prohibit.</p><h1>F. 
What Crypto and Digital Asset Legislation Has Advanced in the Past 24 Hours?</h1><p style="text-align: justify;">The Senate Banking Committee advanced the Digital Asset Market Clarity Act on May 14, 2026, setting the stage for a full Senate vote on comprehensive crypto market structure legislation that would resolve the jurisdictional conflict between the Securities and Exchange Commission and the Commodity Futures Trading Commission over digital asset classification.</p><p style="text-align: justify;">The Digital Asset Market Clarity Act establishes a framework for tokenization of securities, treats tokenized financial instruments the same as the underlying instrument for regulatory purposes, prohibits interest and yield on payment stablecoins with carveouts to be determined in rulemaking, and creates voluntary cybersecurity standards based on National Institute of Standards and Technology frameworks. The substitute bill must be reconciled with the Senate Agriculture Committee&#8217;s Digital Commodity Intermediaries Act and then with the House version, the CLARITY Act, before enrollment.</p><p style="text-align: justify;">The GENIUS Act of 2025, which established the first comprehensive federal stablecoin framework, was signed into law in July 2025. That law requires stablecoin issuers to maintain 100 percent backing with segregated assets, including United States dollars, short-term Treasury securities, and overnight reverse repurchase agreements. The GENIUS Act resolved the basic issuance framework question. The Digital Asset Market Clarity Act addresses the larger market structure question of which agency regulates which instruments.</p><p style="text-align: justify;">Mississippi Governor Tate Reeves signed House Bill 1625 into law during the 2026 legislative session, establishing statewide oversight and consumer safeguards for cryptocurrency kiosks. 
AARP Mississippi supported the bill as a consumer fraud prevention measure, addressing documented cases of elderly residents losing retirement savings through cryptocurrency kiosk scams. The law creates the first comprehensive state-level kiosk oversight framework in the southeastern United States.</p><h1>G. What Export Control and Technology National Security Legislation Is Moving?</h1><p style="text-align: justify;">The House Foreign Affairs Committee advanced the Chip Security Act in an April 22, 2026 markup, targeting the illicit smuggling of advanced AI chips to foreign adversaries designated under the Export Administration Regulations, including China, Iran, North Korea, and Russia.</p><p style="text-align: justify;">The Chip Security Act works in tandem with the MATCH Act, which coordinates export controls on AI hardware with allied nations, and the Export Controls Enforcement Act, H.R. 4505, which increases civil penalties for Bureau of Industry and Security violations. The AI OVERWATCH Act, advanced by the House Foreign Affairs Committee in January 2026, would treat advanced semiconductor exports similarly to weapons sales and prohibit the sale of Nvidia Blackwell-class chips to foreign entities of concern for a two-year period.</p><p style="text-align: justify;">The Bureau of Industry and Security revised its export review policy for advanced computing commodities on January 15, 2026, under Federal Register document 2026-00789. That revision tightened the review process for advanced AI chips destined for China and Macau and established a presumption of denial for license applications from entities on the Entity List. The legislative measures advancing in committee would codify and expand elements of that administrative policy change, giving them greater durability across administrations.</p><h1>H. 
What CFIUS and Foreign Investment Developments Affect Technology Sectors?</h1><p style="text-align: justify;">The Committee on Foreign Investment in the United States is developing a Known Investor Program to create a pre-clearance pathway for allied-nation investors in artificial intelligence, semiconductor, biotechnology, and data infrastructure companies, following the directive in the America First Investment Policy issued on February 21, 2025.</p><p style="text-align: justify;">The public comment period on the Known Investor Program closed March 18, 2026. Implementation is ongoing. The program is designed to reduce friction for investors from allied nations, such as Japan, the United Kingdom, South Korea, and Australia, while maintaining full review authority for investors from countries of concern. For AI and biotech startups handling sensitive data, voluntary CFIUS filing prior to closing a funding round continues to be the most effective risk mitigation tool, providing a safe harbor against post-closing review.</p><p style="text-align: justify;">The FY 2026 National Defense Authorization Act, signed December 18, 2025, incorporated the BIOSECURE Act, which restricts federal contractors from using biotechnology equipment and services from certain Chinese entities. That restriction creates supply chain restructuring obligations for biotech companies dependent on Chinese genomic sequencing or laboratory services infrastructure. The NDAA provision applies to federal contractors, but it is already driving commercial clients to review their own supply chains to avoid downstream disruption.</p><h1>I. 
What Healthcare Regulation and AI in Medicine Legislation Is Advancing?</h1><p style="text-align: justify;">Vermont Governor Phil Scott signed House Bill 814 on May 18, 2026, establishing neurological rights as a protected class in Vermont and creating the nation&#8217;s first comprehensive regulatory framework for artificial intelligence in health and human services delivery, including mental health chatbots and clinical decision support systems.</p><p style="text-align: justify;">Vermont H. 814 requires informed consent before AI systems may be used to make or inform decisions affecting individuals&#8217; access to services. The law mandates disclosure when generative AI is used for patient communications related to clinical information and restricts AI in utilization review decisions. The neurological rights provisions govern AI systems that access or process brain and nervous system data.</p><p style="text-align: justify;">Rhode Island&#8217;s Senate passed S. 2197 establishing regulations for AI in mental health care treatments in the same legislative period. Louisiana&#8217;s legislature is on the verge of passing a separate bill requiring health care professionals to disclose to patients the use of an AI transcription recording device during clinical encounters.</p><p style="text-align: justify;">The Food and Drug Administration rejected a proposal from Harrison.ai in early 2026 that would have reduced premarket review requirements for certain AI-enabled medical devices. The FDA&#8217;s position is that prior authorization of one AI device does not demonstrate that future products by the same developer will perform safely or effectively. 
That position aligns with the Quality Management System Regulation updates the FDA is implementing in 2026 and reflects an agency posture of maintaining oversight authority even as commercial AI deployment in diagnostics accelerates.</p><p style="text-align: justify;">Congress has not enacted direct health AI legislation in the current session. Approximately 200 state AI bills tracked in 2026 address health AI, concentrated around four areas: mental health chatbot safety, patient disclosure and consent requirements, prohibitions on AI systems presenting as clinical providers, and insurer use of AI in coverage determination. The bipartisan Protecting and Transforming Cyber Health Act remains pending in committee.</p><h1>J. What Is the Status of Biometric Data and Surveillance Legislation?</h1><p style="text-align: justify;">Maryland Governor Wes Moore signed Senate Bill 141 in 2026, making Maryland the 30th state to enact election deepfake legislation, with the law prohibiting the knowing or reckless creation, use, or dissemination of deepfakes designed to produce materially false information and taking effect June 1, 2026.</p><p style="text-align: justify;">As of spring 2026, 46 states have enacted laws targeting AI-generated synthetic media. Most laws focus on disclosure rather than prohibition, requiring political advertisements containing AI-generated content to carry clear disclaimers. Maryland SB 141 goes further, creating an affirmative duty on the state administrator of elections to act on credible reports of election misinformation and requiring public correction of false information.</p><p style="text-align: justify;">The ICE Out of Our Faces Act, introduced February 5, 2026, by Senators Ed Markey, Mark Warner, and Jeff Merkley and Representative Pramila Jayapal, would prohibit the acquisition and use of facial recognition and other biometric technologies by Immigration and Customs Enforcement and U.S. 
Customs and Border Protection, and would require deletion of all biometric data collected by those agencies. The bill has not advanced out of committee.</p><p style="text-align: justify;">New York advanced a facial recognition study bill in the state Senate in March 2026, directing a comprehensive study of facial recognition technology use, accuracy disparities, and privacy implications before any statewide deployment authorization. The Illinois Biometric Information Privacy Act continues to be the most litigated biometric privacy statute in the country, with class action exposure for violations reaching into nine-figure settlement territory. State legislatures considering biometric legislation are watching Illinois BIPA litigation outcomes to calibrate their own enforcement structures.</p><h1>K. What Deepfake, Digital Speech, and Election Law Developments Are Occurring?</h1><p style="text-align: justify;">The federal TAKE IT DOWN Act, enacted in May 2025 and effective as of May 19, 2026, requires online platforms to remove reported non-consensual intimate images, including AI-generated deepfakes, within 48 hours of receiving notice, with Federal Trade Commission enforcement authority over noncompliant platforms.</p><p style="text-align: justify;">The TAKE IT DOWN Act represents the most significant federal platform speech obligation enacted in recent years and establishes a notice-and-takedown regime for intimate imagery that goes beyond what any state law requires. Platform compliance obligations became enforceable on May 19, 2026. Platforms that fail to remove reported content within 48 hours face FTC enforcement action.</p><p style="text-align: justify;">State election deepfake legislation has reached near-universal adoption, with 46 of 50 states having enacted some form of synthetic media disclosure or prohibition law. Maryland&#8217;s SB 141, effective June 1, 2026, is the most recent enactment. 
The legislative trend ahead of the 2026 midterm elections reflects bipartisan recognition that AI-generated political deception poses a credible threat to electoral integrity, even as the precise constitutional boundaries between permissible restriction and protected speech remain contested.</p><p style="text-align: justify;">No comprehensive federal synthetic media legislation has been enacted addressing political deepfakes. The Protecting Consumers From Deceptive AI Act, introduced April 23, 2026, would direct the National Institute of Standards and Technology to develop watermarking, digital fingerprinting, and provenance metadata standards for AI-generated audio and visual content and to support labeling standards for AI-modified content on platforms.</p><h1>L. What Legal Ethics and Professional Responsibility Developments Affect AI Use by Attorneys?</h1><p style="text-align: justify;">The California State Bar&#8217;s Standing Committee on Professional Responsibility and Conduct proposed amendments to six Rules of Professional Conduct governing attorney AI use in March 2026, with the public comment period closing May 4, 2026, and the proposed changes scheduled for Board of Trustees consideration at the Board&#8217;s May 2026 meeting.</p><p style="text-align: justify;">The California Bar&#8217;s approach is architecturally significant. Rather than drafting a standalone AI rule, the committee wove new obligations into six existing rules: Rule 1.1 on competence, Rule 1.4 on client communication, Rule 1.6 on confidential information, Rule 3.3 on candor to the tribunal, Rule 5.1 on managerial and supervisory responsibilities, and Rule 5.3 on nonlawyer assistants. The proposed amendments would make California&#8217;s 2023 practical guidance, which was advisory only, enforceable through the disciplinary rules. 
An attorney who fails to verify AI-generated output before filing would face potential discipline under the competence rule.</p><p style="text-align: justify;">The proposed Rule 1.1 amendment requires lawyers to verify every AI output before relying on it in any filing or client communication. The proposed Rule 1.6 amendment addresses the confidentiality risk of inputting client information into third-party AI systems without adequate safeguards. The proposed Rule 5.3 amendment extends supervisory responsibility to AI tools used by nonlawyer staff, meaning partners and supervising attorneys are responsible for the AI conduct of their support staff.</p><p style="text-align: justify;">From the practice perspective of this attorney, who has been advising clients on AI tool deployment since 2022, the California amendments reflect a mature and practical approach. The highest risk from AI use in legal practice is not hallucination in isolation: it is the combination of hallucination with inadequate verification, inadequate client disclosure, and inadequate supervision. Those are exactly the failure modes that Rules 1.1, 1.4, and 5.3 address. Making them enforceable rather than advisory is the correct policy choice.</p><p style="text-align: justify;">The American Bar Association&#8217;s existing ethics guidance under Rules 1.1, 1.6, and 5.3 applies nationally. California&#8217;s proposed amendments are more specific and more aggressive than the current ABA framework. If the California Board of Trustees adopts the amendments at the May 2026 meeting, California will become the first state to have enforceable AI-specific ethics rules for attorneys, and other state bars are likely to follow.</p><h1>Contested and Unverified Issues</h1><p style="text-align: justify;">Several claims in this report depend on governmental action that was pending as of the report date. 
Connecticut Governor Lamont&#8217;s signature on SB 5 was described as expected but not confirmed as of press time. Louisiana&#8217;s SB 386 remained in the ten-day gubernatorial review window. The California Bar Board of Trustees meeting and vote on proposed ethics amendments was scheduled for May 2026 but the outcome was not confirmed in sources available to this research. Colorado&#8217;s SB 26-189 awaited gubernatorial signature. The precise scope of the Digital Asset Market Clarity Act&#8217;s stablecoin yield prohibition remains subject to rulemaking.</p><p style="text-align: justify;">The 46-state figure for synthetic media laws is drawn from the most recent tracker data available as of May 25 to 26, 2026. Individual state enactment counts shift as governors sign or veto legislation at the close of state legislative sessions.</p><h1>Open Questions the Industry Has Not Resolved</h1><p style="text-align: justify;">Three questions remain unresolved and will define the next phase of technology law development. First: will Congress enact federal AI preemption before the patchwork of state laws reaches a point of operational impossibility for companies trying to comply uniformly? The SECURE Data Act&#8217;s preemption provision and H.R. 5388&#8217;s AI uniformity approach both attempt this, but neither has the political support for passage as of May 2026. Second: how will courts resolve the question of whether training a large language model on copyrighted works without a license constitutes infringement under 17 U.S.C. Section 107&#8217;s fair use doctrine? Multiple cases are pending in the Northern District of California and the Southern District of New York, and a circuit-level ruling will likely be required before legislative pressure produces a definitive statutory answer. Third: what legal framework will govern the liability of AI-assisted medical decision tools when those tools contribute to patient harm? Vermont H. 
814 makes the first attempt to answer that question for health and human services AI, but no state or federal law has addressed the product liability and malpractice intersection directly.</p><p style="text-align: justify;">The next piece in this series will examine how the Senate Banking Committee&#8217;s Digital Asset Market Clarity Act resolves the SEC-CFTC jurisdictional conflict over tokenized securities and what the reconciliation process with the House CLARITY Act means for companies that have been operating under the existing ambiguous framework.</p><h1>Bibliography</h1><p>1. Connecticut Senate Bill 5, Connecticut Artificial Intelligence Responsibility and Transparency Act, 2026 Connecticut General Assembly, effective October 1, 2026.</p><p>2. Colorado SB 26-189, Colorado General Assembly, passed May 9, 2026.</p><p>3. x.AI LLC v. Weiser, United States District Court for the District of Colorado, joint motion to stay enforcement of Colorado AI Act granted April 27, 2026.</p><p>4. White House National Policy Framework for Artificial Intelligence, March 20, 2026.</p><p>5. H.R. 8094, AI Foundation Model Transparency Act of 2026, 119th Congress.</p><p>6. S. 3952, Future of Artificial Intelligence Innovation Act of 2026, 119th Congress.</p><p>7. H.R. 5388, American Artificial Intelligence Leadership and Uniformity Act, 119th Congress.</p><p>8. Illinois Senate Bill 317, Consumer AI Notice Act, passed Illinois Senate May 2026.</p><p>9. Illinois Senate Bill 316, AI Companion Model Safety Act, passed Illinois Senate May 2026.</p><p>10. California Senate Bill 1119, employment AI transparency, passed California Senate, May 2026.</p><p>11. Rhode Island S. 2197, AI in mental health care regulations, passed Rhode Island Senate, May 2026.</p><p>12. Louisiana Senate Bill 386, Louisiana Data Privacy Act, passed legislature unanimously May 20 to 21, 2026, pending gubernatorial signature.</p><p>13. H.R. 
8413, SECURE Data Act (Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act), released by House Energy and Commerce Committee, April 22, 2026.</p><p>14. Delaware House Bill 380, amending Delaware&#8217;s consumer data privacy law, passed Delaware House, May 2026.</p><p>15. California Senate Bill 1106, amending California&#8217;s data broker law, passed California Senate, May 2026.</p><p>16. S. 3315, Health Care Cybersecurity and Resiliency Act of 2026, 119th Congress.</p><p>17. S. 3251, State and Local Cybersecurity Grant Program Reauthorization Act, 119th Congress.</p><p>18. Cyber Security and Resilience (Network and Information Systems) Bill, UK Parliament, Report Stage, May 14, 2026.</p><p>19. 17 C.F.R. Part 229, SEC cybersecurity incident disclosure rules.</p><p>20. TAKE IT DOWN Act, signed into federal law May 2025, platform compliance effective May 19, 2026.</p><p>21. EARN IT Act, 119th Congress, pending committee consideration.</p><p>22. CLEAR Act (Copyright Labeling and Ethical AI Reporting Act), introduced by Senators Schiff and Curtis, February 2026.</p><p>23. TRAIN Act (Transparency and Responsibility for Artificial Intelligence Networks Act), introduced by Representatives Dean and Moran, January 2026.</p><p>24. California AB 412, generative AI training data, copyrighted materials, California Legislature, 2025 to 2026 session.</p><p>25. Digital Asset Market Clarity Act, advanced by Senate Banking Committee, May 14, 2026.</p><p>26. S. 1582, GENIUS Act (Guiding and Establishing National Innovation for U.S. Stablecoins), signed into law July 2025.</p><p>27. Mississippi House Bill 1625, cryptocurrency kiosk oversight law, signed by Governor Tate Reeves, 2026 session.</p><p>28. Chip Security Act, advanced by House Foreign Affairs Committee markup, April 22, 2026.</p><p>29. MATCH Act, advanced by House Foreign Affairs Committee, April 22, 2026.</p><p>30. H.R. 4505, Export Controls Enforcement Act, 119th Congress.</p><p>31. 
AI OVERWATCH Act, advanced by House Foreign Affairs Committee, January 21, 2026.</p><p>32. Bureau of Industry and Security, Revision to License Review Policy for Advanced Computing Commodities, Federal Register, January 15, 2026, 2026-00789.</p><p>33. America First Investment Policy, Executive Directive, February 21, 2025.</p><p>34. BIOSECURE Act, incorporated into FY 2026 National Defense Authorization Act, signed December 18, 2025.</p><p>35. Vermont House Bill 814, neurological rights and AI in health and human services, signed by Governor Phil Scott, May 18, 2026.</p><p>36. Rhode Island S. 2197, AI in mental health care treatments, passed Rhode Island Senate, May 2026.</p><p>37. Food and Drug Administration, rejection of Harrison.ai premarket review exemption proposal, 2026.</p><p>38. Maryland Senate Bill 141, election deepfake law, signed by Governor Wes Moore, effective June 1, 2026.</p><p>39. ICE Out of Our Faces Act, introduced February 5, 2026, by Senators Markey, Warner, and Merkley and Representative Jayapal.</p><p>40. Illinois Biometric Information Privacy Act, 740 ILCS 14.</p><p>41. Protecting Consumers From Deceptive AI Act, introduced April 23, 2026.</p><p>42. California State Bar, Standing Committee on Professional Responsibility and Conduct, proposed amendments to Rules of Professional Conduct 1.1, 1.4, 1.6, 3.3, 5.1, and 5.3, public comment period closed May 4, 2026.</p><p>43. American Bar Association Rules of Professional Conduct, Rules 1.1, 1.4, 1.6, 5.1, and 5.3.</p><p>44. 17 U.S.C. Section 107, fair use doctrine.</p><p>45. EU AI Act, Regulation (EU) 2024/1689, General Purpose AI provisions.</p><p>46. 
EU Digital Services Act, Regulation (EU) 2022/2065.</p>]]></content:encoded></item><item><title><![CDATA[The Canvas Breach]]></title><description><![CDATA[275 Million Records and the Illusion of Data Security]]></description><link>https://theinnovationattorney.substack.com/p/the-canvas-breach</link><guid isPermaLink="false">https://theinnovationattorney.substack.com/p/the-canvas-breach</guid><dc:creator><![CDATA[The Innovation Attorney]]></dc:creator><pubDate>Tue, 19 May 2026 03:20:24 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!wCMe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wCMe!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source 
type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wCMe!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!wCMe!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!wCMe!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!wCMe!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wCMe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg" width="1408" height="768" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1408,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:477449,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://theinnovationattorney.substack.com/i/198356734?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wCMe!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!wCMe!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!wCMe!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!wCMe!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff6c5991c-caab-44ac-9f02-cc8a0864437c_1408x768.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture>
</div></a></figure></div><p><em>Published by The Innovation Attorney | May 17, 2026</em></p><p><strong>Executive Summary: What Happened?</strong></p><p><em>The Instructure Canvas data breach, confirmed on May 1, 2026, stands as the largest educational sector security incident in history. Orchestrated by threat actor ShinyHunters, the breach exfiltrated 3.65 terabytes of sensitive data from 8,809 educational institutions across 130 countries, directly impacting approximately 275 million students, educators, and staff.</em></p><p><strong>The Ransom Receipt and the Illusion of Deletion</strong></p><p>On May 11, 2026, Instructure announced it had negotiated an agreement with ShinyHunters, claiming that the compromised data had been entirely destroyed. 
Unverified market reports place the total ransom payment at approximately $10 million.</p><p>However, cybersecurity researchers and compliance experts warn that this statement cannot be independently verified. From a technical and auditing standpoint, it is impossible to verify a threat actor&#8217;s representation that exfiltrated data has been securely deleted. For educational entities, relying on a criminal enterprise&#8217;s &#8216;receipt&#8217; is a catastrophic compliance strategy.</p><p><strong>Is a Ransom Payment Enough to Satisfy FERPA Compliance?</strong></p><p>No. The critical legal question facing affected school boards, universities, and legal counsel is whether accepting Instructure&#8217;s narrative satisfies independent institutional obligations under the Family Educational Rights and Privacy Act (FERPA) and state-level data breach notification statutes.</p><p><strong>Why a Vendor&#8217;s Deletion Claims Fail Regulatory Scrutiny:</strong></p><p>&#183; <strong>No Independent Verification:</strong> FERPA strictly mandates that educational agencies and their third-party contractors implement rigorous controls to safeguard protected education records.</p><p>&#183; <strong>Deficient Audit Trail:</strong> Federal regulatory investigations (such as those led by the U.S. Department of Education) do not credit unverified verbal assurances from a threat actor as a documented security verification or remediation plan.</p><p>&#183; <strong>Strict State Penalties:</strong> Accepting a vendor&#8217;s statement without standalone, objective technical forensic validation leaves the institution exposed to substantial administrative penalties and enforcement actions.</p><p><strong>Class Action Litigation and Technical Discrepancies</strong></p><p>Class action plaintiffs&#8217; attorneys launched immediate investigations into Instructure following the initial disclosure. 
The legal theories being pursued over this historic education tech breach rest primarily on:</p><p>&#183; <strong>Negligence:</strong> Failing to maintain adequate technical safeguards against common attack vectors.</p><p>&#183; <strong>State Privacy Statutes:</strong> Violations of explicit state-level consumer and student privacy frameworks.</p><p>&#183; <strong>State Breach Notification Laws:</strong> Failing to properly notify individuals within an actionable timeline, as defined by individual state jurisdictions.</p><p>Discovery will focus heavily on a glaring timeline mismatch. While Instructure&#8217;s initial statements on May 1 claimed the breach was completely resolved, the Canvas LMS platform went completely offline again on May 7, 2026. This six-day discrepancy highlights an ongoing trend in large edtech incidents: the significant gap between corporate public relations and operational reality.</p><p><strong>What to Expect Next</strong></p><p>This incident marks a turning point for edtech vendor risk assessments. In our next brief, we will analyze the formal FERPA and state regulatory investigations currently being initiated across multiple jurisdictions.</p><p><em>Disclaimer: This briefing note is prepared by The Innovation Attorney for informational and educational purposes only. 
It does not constitute legal advice and does not establish an attorney-client relationship.</em></p>]]></content:encoded></item><item><title><![CDATA[The FTC’s Kochava Order]]></title><description><![CDATA[Rewriting the Location Data Supply Chain]]></description><link>https://theinnovationattorney.substack.com/p/the-ftcs-kochava-order</link><guid isPermaLink="false">https://theinnovationattorney.substack.com/p/the-ftcs-kochava-order</guid><dc:creator><![CDATA[The Innovation Attorney]]></dc:creator><pubDate>Tue, 19 May 2026 01:01:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!f0T4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!f0T4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!f0T4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!f0T4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!f0T4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!f0T4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!f0T4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:370095,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://theinnovationattorney.substack.com/i/198346133?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!f0T4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!f0T4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 848w, 
https://substackcdn.com/image/fetch/$s_!f0T4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!f0T4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F12bbc3d1-ffde-4bca-a126-06a1982aad11_1376x768.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>On May 4, 2026, the Federal Trade Commission entered a landmark consent order against Kochava, Inc., establishing the most 
rigorous and detailed <strong>location data compliance framework</strong> issued to date. Following an initial complaint filed in August 2022&#8212;which alleged that Kochava sold granular geolocation data from hundreds of millions of mobile devices, revealing sensitive visits to places of worship and medical facilities&#8212;this final 2-0 ruling fundamentally restructures industry requirements for supplier assessments, consumer transparency, and risk mitigation.</p><p><strong>What is the core compliance requirement of the 2026 FTC Kochava order?<br></strong>The FTC&#8217;s Kochava order mandates that data brokers and advertising technology companies can no longer passively rely on contractual representations. Instead, they must actively implement documented <strong>upstream supplier consent verification</strong> to prove affirmative express consent before any location data enters the digital supply chain.</p><h2>1. Mandatory Upstream Supplier Assessments</h2><p>The provision generating the most substantial operational compliance work across the ad tech ecosystem is the newly defined supplier assessment architecture. 
Kochava is legally required to verify that every upstream vendor from whom it acquires data has obtained explicit, affirmative consent.</p><p><strong>&#8226; Beyond Contractual Warranties: </strong>Passive reliance on vendor representations or boilerplate &#8216;warrants and representations&#8217; is no longer sufficient to survive regulatory examination.</p><p><strong>&#8226; Documented Audit Trails: </strong>Procurement channels must now incorporate comprehensive, discoverable verification workflows to test and prove actual compliance at the point of data ingestion.</p><h2>2. Consumer Transparency &amp; Consent Infrastructure</h2><p>The order introduces groundbreaking mechanisms ensuring consumer agency and historical downstream data clarity:</p><p><strong>&#8226; Purchaser Traceability: </strong>Kochava must accept and fulfill consumer requests identifying the specific corporate entities that have purchased their device&#8217;s historical location metrics.</p><p><strong>&#8226; Accessible Consent Withdrawal: </strong>A streamlined, frictionless infrastructure must be provided for users to seamlessly opt out and rescind data processing permissions.</p><h2>3. Strategic Industry Outlook &amp; Next Steps</h2><p>This framework establishes a permanent baseline that the Federal Trade Commission will project as the standard in all subsequent negotiations with data brokers and aggregators. 
In our upcoming briefing, we will provide an exhaustive technical breakdown exploring how leading location intelligence providers are adjusting their engineering pipelines to comply with this new supplier assessment framework.</p>]]></content:encoded></item><item><title><![CDATA[Privacy Law and Connected Vehicles]]></title><description><![CDATA[California&#8217;s $12.75M GM Settlement: A New Era for Data Minimization Enforcement]]></description><link>https://theinnovationattorney.substack.com/p/privacy-law-and-connected-vehicles</link><guid isPermaLink="false">https://theinnovationattorney.substack.com/p/privacy-law-and-connected-vehicles</guid><dc:creator><![CDATA[The Innovation Attorney]]></dc:creator><pubDate>Tue, 19 May 2026 00:33:56 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!hw07!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" 
href="https://substackcdn.com/image/fetch/$s_!hw07!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!hw07!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!hw07!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!hw07!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!hw07!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!hw07!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg" width="1408" height="768" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/baca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1408,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:391892,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://theinnovationattorney.substack.com/i/198343766?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!hw07!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!hw07!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!hw07!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!hw07!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbaca2d6a-fac3-4e45-938c-e7f0fb932c8b_1408x768.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>By: The Innovation Attorney | Published: May 17, 2026</p><p><strong>Executive Summary: </strong><em>The record-breaking $12.75 million CCPA settlement with General Motors signals a critical shift in privacy enforcement. Regulators are moving past simple policy audits to directly penalize companies whose actual data collection practices exceed user-approved service boundaries.</em></p><p><strong>The Core of the Settlement: Record Penalties and First-of-Its-Kind Action</strong></p><p>On May 8, 2026, California Attorney General Rob Bonta, alongside the California Privacy Protection Agency (CPPA), announced a landmark $12.75 million settlement with General Motors (GM). 
This historic enforcement action marks a pivotal turning point in privacy compliance, establishing two major precedents:</p><p>&#183; It represents the <strong>largest California Consumer Privacy Act (CCPA) penalty</strong> ever recorded.</p><p>&#183; It is the <strong>very first enforcement action</strong> brought by the CPPA utilizing a strict <strong>data minimization theory</strong>.</p><p><strong>What is Data Minimization under the CCPA?</strong></p><p>The California Consumer Privacy Act (CCPA) mandates that businesses must limit their data collection, use, and retention strictly to what is reasonably necessary and proportionate to achieve the specific disclosed purpose for which it was gathered.</p><p><strong>How GM&#8217;s Connected Vehicle Practices Triggered the Violation</strong></p><p>The regulatory investigation targeted GM&#8217;s handling of consumer telematics data. Between 2020 and 2024, General Motors collected highly precise geolocation records and driving behavior data through its proprietary OnStar connected vehicle platform. This information was subsequently sold to major data broker platforms, including LexisNexis Risk Solutions and Verisk Analytics.</p><p>Regulators alleged that GM&#8217;s corporate privacy disclosures led consumers to believe their data would solely be utilized to deliver requested vehicle services. Instead, the downstream data was commercialized for third-party insurance underwriting, creating a massive discrepancy between consumer expectations and actual business practices.</p><p><em>&#8220;The data minimization violation is the most conceptually significant component of this enforcement action. 
California regulators found that GM retained driver data far beyond what was required for OnStar service delivery, then leveraged that data for secondary purposes entirely different from what consumers consented to.&#8221;</em></p><p><strong>Why This Settlement Redefines Corporate Privacy Compliance</strong></p><p>This landmark enforcement marks a structural evolution in privacy law oversight. For years, corporate privacy compliance focused primarily on the existence of comprehensive disclosures. This order radically shifts the regulatory focus.</p><p>The critical standard is no longer whether a company has a published privacy policy; it is whether actual day-to-day data practices strictly match the narrow scope of the services that consumers agreed to receive.</p><p><strong>A Direct Warning to the Connected Tech and Telematics Industry</strong></p><p>The legal implications extend far beyond the automotive sector. Every telematics platform operating within the state of California&#8212;including those in fitness tracking, insurance technology, smart logistics, and automotive tech&#8212;must treat this consent order as an immediate, direct warning.</p><p>Furthermore, this marks an unprecedented surge in aggressive enforcement. This settlement is the third consecutive record-setting CCPA penalty within a five-month window, following a $1.35 million action against Tractor Supply and a $2.75 million penalty against a major streaming company.</p><p><strong>Looking Ahead: Is Your Platform Compliant?</strong></p><p>As regulatory scrutiny intensifies, businesses must audit their telemetry architectures and third-party data pipelines. The next critical question for the industry is whether the GM order will initiate parallel investigations into other connected vehicle manufacturers and telematics operators across California.</p><p>Disclaimer: This note is prepared by The Innovation Attorney for informational and educational purposes only. 
It does not constitute formal legal advice and does not establish an attorney-client relationship.</p>]]></content:encoded></item></channel></rss>