
Issue #20 — Actionable Regulatory Intelligence

European supervisors keep raising the price of structurally weak privacy controls — Italy's Garante hit Poste Italiane with €12.5M for SDK bundling, France's CNIL imposed €42M on Free Mobile and Free for credential-stuffing exposure of 24 million subscribers. Maryland became the first US state to outlaw AI-driven personalized pricing. Utah's app-store age-signal regime entered Day 2 of live operation. The FCA's Buy Now Pay Later registration window opens in eight days, the CRA's Chapter IV applies in 35, and EUDAMED's first four modules become mandatory in 21. Plus: Connecticut's AI Act lands on the Governor's desk, the UK's DUAA complaints duty activates 19 June, and China's Drug Administration Law Implementation Regulations take effect next Friday.

At a Glance

  • Italy fines Poste Italiane €12.5M over SDK bundling — Garante: a third-party fraud SDK whose telemetry was a condition of account access fails on eight GDPR articles.

  • France fines Free €42M — CNIL combined sanctions for the 24M-subscriber 2024 credential-stuffing breach.

  • Maryland bans surveillance pricing — HB 895 signed 28 April; first US state to restrict AI-driven dynamic pricing.

  • EUDAMED T-21 days — Four mandatory modules go live 28 May; no SRN means no new EU device placements.

  • FCA BNPL window opens 15 May — Eight days to choose authorisation vs. Temporary Permissions Regime.

  • Utah age signals are live — Apple and Google APIs returning age brackets for new Utah accounts.

  • EU CRA conformity bodies — Member States must notify CABs from 11 June 2026.

  • CIRCIA final rule slipping — May target may not hold; 72h reporting still on the way.

Critical Actions

🔴 EUDAMED Modules 1–4 mandatory 28 May 2026 — 21 days

EU · Healthcare · Due 2026-05-28

Per Commission Decision (EU) 2025/2371, Actor Registration, UDI/Devices, Notified Bodies & Certificates, and Market Surveillance modules become compulsory in 21 days. Manufacturers, authorised representatives, and importers without a Single Registration Number (SRN) by 28 May cannot place new MDR/IVDR devices on the EU market. Legacy device registration continues through 28 November 2026; certificates issued before the cut-over must be uploaded by 28 May 2027.

Action: Confirm SRNs for every economic operator in your EU footprint and complete UDI/device registration for any MDR/IVDR device you intend to place after 28 May.

🔴 FCA BNPL registration opens 15 May 2026 — 8 days

UK · Financial · Due 2026-05-15

The FCA's Buy Now Pay Later (Deferred Payment Credit) regime opens its registration window in 8 days, ahead of full Regulation Day on 15 July 2026. Lenders without a consumer-credit permission can use the Temporary Permissions Regime to keep operating, but must lodge a full authorisation application within six months or face automatic TPR removal. Once authorised, DPC providers fall fully under the Consumer Duty, Threshold Conditions, SMCR, and creditworthiness assessments — including for transactions under the £50 threshold.

Action: Decide between authorisation and TPR by 15 May, and map every BNPL transaction (including the under-£50 segment) into a creditworthiness pipeline before 15 July go-live.

🔴 China Drug Administration Law Implementation Regulations effective 15 May — 8 days

China · Healthcare · Due 2026-05-15

The State Council's 2026 revision of the Drug Administration Law Implementation Regulations takes effect in 8 days. Drug, biomedical, and health-tech operators with PRC-marketed products should confirm GxP SOPs, license filings, and pharmacovigilance reporting paths align with the revised obligations. Cross-border data-transfer obligations interlock where clinical-trial or pharmacovigilance data leaves China.

Action: Pharma/biotech and FIE clinical-trial sponsors: validate SOP alignment and revisit cross-border data flows before 15 May.

Enforcement Watch

🔴 Italian Garante fines Poste Italiane and Postepay €12.5 million

EU · Privacy · 17 April 2026

The Italian data protection authority found that Poste Italiane and its subsidiary Postepay embedded the LexisNexis ThreatMetrix SDK in their banking and payments apps and conditioned continued account access on user authorisation of broad device-level data collection. The Garante found violations across eight GDPR articles, including Article 5 (data minimisation, transparency, storage limitation), Article 6 (no valid lawful basis), Article 13 (deficient information at collection), Article 25 (no privacy by design), Articles 26 and 28 (controller–processor irregularities), Article 32 (single-factor authentication on sensitive systems), and Article 35 (no DPIA despite high-risk processing).

Action: Inventory third-party SDKs in mobile apps, map each to a documented lawful basis and Article 13 disclosure, and confirm a DPIA exists for any fraud or anti-abuse SDK that processes device fingerprint, location, or behavioural telemetry.

🔴 CNIL fines Free Mobile €27M and Free €15M for credential-stuffing failures

France · Privacy · 13 January 2026

The CNIL issued two sanction decisions against Free Mobile (€27M) and Free (€15M) following a 2024 breach in which an attacker accessed personal data tied to 24 million subscriber contracts, including IBANs for individuals who were customers of both entities. The CNIL found security measures inadequate under Article 32 GDPR and noted a particular failure to detect and contain credential-stuffing-style intrusions on customer-portal infrastructure. Combined with the CNIL's €5M France Travail decision (22 January 2026), the start of 2026 confirms the supervisor's posture: large-population breaches with structurally weak controls produce fines an order of magnitude above the typical band.

Action: Stress-test customer-portal authentication against credential-stuffing and account-takeover patterns; confirm breach detection covers anomalous record-level access (one source reading contracts across many customer accounts, or a session reading records it does not own), not only failed-login volume thresholds.
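The second half of that action item is the part most portals miss: a failed-login volume rule never fires against an attacker who already holds valid credential pairs and logs in slowly. The following is an added worked example written for this edit, not code from the CNIL decision or from this newsletter. It runs three detectors over a constructed access log in an assumed format ("ISO-8601 ip user action [record]", with documentation-range IPs and fictitious users and contract ids) and with illustrative thresholds: the classic failure-count rule, a per-source breadth rule (distinct accounts successfully logged into from one IP), and a record-ownership rule (a contract read by a user who is not its owner, using an assumed id-to-owner map).

```python
"""Three detectors over constructed customer-portal access logs.

Log format (constructed for this example): "<ISO-8601> <ip> <user> <action> [<record>]"
where action is login_ok, login_fail or record_view. Thresholds are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    action: str       # login_ok | login_fail | record_view
    record: str = ""  # contract id, present only for record_view


def parse_line(line: str) -> Event:
    """Parse one log line in the constructed format above."""
    f = line.split()
    return Event(datetime.fromisoformat(f[0]), f[1], f[2], f[3], f[4] if len(f) > 4 else "")


def volume_threshold_alerts(events, window=timedelta(minutes=5), max_failures=20):
    """Classic control: an IP with more than max_failures failed logins inside any window."""
    fails = defaultdict(list)
    for e in events:
        if e.action == "login_fail":
            fails[e.ip].append(e.ts)
    alerts = set()
    for ip, times in fails.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_failures:
                alerts.add(ip)
                break
    return alerts


def account_breadth_alerts(events, window=timedelta(hours=1), max_accounts=5):
    """Stuffing with already-valid pairs: one IP logs in successfully to many distinct
    accounts inside the window. It produces no failures, so the volume rule never fires."""
    logins = defaultdict(list)
    for e in events:
        if e.action == "login_ok":
            logins[e.ip].append(e)
    alerts = set()
    for ip, evs in logins.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            users = {e.user for e in evs[i:] if e.ts - start.ts <= window}
            if len(users) > max_accounts:
                alerts.add(ip)
                break
    return alerts


def record_scope_alerts(events, owner_of):
    """Record-level control: a contract read by a user who is not its owner.
    owner_of maps contract id -> owning username (assumed to come from the CRM)."""
    return {(e.ip, e.user, e.record) for e in events
            if e.action == "record_view" and owner_of.get(e.record) != e.user}


# ---- constructed sample log (documentation IP ranges, fictitious users) ----
T0 = datetime(2026, 5, 7, 9, 0)


def _line(minute, ip, user, action, record=""):
    ts = (T0 + timedelta(minutes=minute)).isoformat()
    return f"{ts} {ip} {user} {action} {record}".rstrip()


SAMPLE_LOG = [
    _line(0, "198.51.100.5", "alice", "login_ok"),
    _line(1, "198.51.100.5", "alice", "record_view", "C-1001"),
    _line(2, "198.51.100.9", "bob", "login_ok"),
    _line(3, "198.51.100.9", "bob", "record_view", "C-1002"),
    _line(4, "198.51.100.9", "bob", "record_view", "C-1003"),  # carol's contract
    _line(5, "203.0.113.7", "cust99", "login_fail"),
    _line(6, "203.0.113.7", "cust98", "login_fail"),
]
# Low-and-slow stuffing from 203.0.113.7: eight valid pairs, five minutes apart,
# each session reading exactly one contract (the victim's own, so ownership looks fine).
for i in range(8):
    SAMPLE_LOG.append(_line(10 + 5 * i, "203.0.113.7", f"cust{i:02d}", "login_ok"))
    SAMPLE_LOG.append(_line(11 + 5 * i, "203.0.113.7", f"cust{i:02d}", "record_view", f"C-2{i:03d}"))

OWNER_OF = {"C-1001": "alice", "C-1002": "bob", "C-1003": "carol"}
OWNER_OF.update({f"C-2{i:03d}": f"cust{i:02d}" for i in range(8)})


def run(lines=SAMPLE_LOG, owner_of=OWNER_OF):
    """Run all three detectors; returns a dict of alert sets keyed by detector name."""
    events = [parse_line(x) for x in lines]
    return {
        "volume": volume_threshold_alerts(events),
        "breadth": account_breadth_alerts(events),
        "record_scope": record_scope_alerts(events, owner_of),
    }


if __name__ == "__main__":
    for name, hits in run().items():
        print(f"{name:13s} {sorted(hits) if hits else 'no alerts'}")
```

On the constructed log the volume rule returns nothing (two failures in total), the breadth rule flags 203.0.113.7 after it has entered eight distinct accounts in under an hour, and the ownership rule flags bob's read of carol's contract. In a real portal the breadth key would be widened beyond source IP (ASN, device fingerprint, TLS fingerprint) because stuffing tools rotate addresses, and the ownership map would come from the system of record rather than a literal.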

🟠 CFTC orders New York trader to pay $200,000 — Treasury-futures spoofing

US · Financial · 6 May 2026

The CFTC issued an order against New York trader Sidney Lebental for spoofing US Treasury futures on roughly 50 occasions between January and September 2019, primarily in Ultra US Treasury Bond futures, while serving as head of a global bank's linear-rates desk. Penalty: $200,000 civil monetary penalty plus a 30-day commodity-interest trading ban. The case demonstrates the CFTC's continued willingness to bring spoofing cases under the new administration despite a reduced overall enforcement docket.

Action: Refresh trade-surveillance rule sets for layering and spoofing patterns in Treasury futures; confirm trader-attestation cycles cover head-of-desk roles.

Around the World

🇺🇸 Maryland — first state to ban AI-driven personalized pricing

Governor Wes Moore signed HB 895 (the Protection from Predatory Pricing Act) on 28 April 2026, effective 1 October 2026. The Act prohibits use of "dynamic pricing" or personal data to set higher prices for specific consumers or groups, applied to large food retailers (15,000+ sq ft) and third-party food-delivery providers, and limited to tax-exempt food items. Penalties: $10,000 first offence, $25,000 repeat. Loyalty programs and promotional pricing remain permitted. Proponents cited reports that Instacart used AI-based pricing software to raise prices for some customers.

🇺🇸 Connecticut — AI Act passes both chambers

Connecticut's SB 5 (Artificial Intelligence Responsibility and Transparency Act) led by Sen. James Maroney passed the Senate 32–4 and the House 131–17 the week of 1 May 2026. The bill addresses frontier models, chatbots, employment-related AI uses, and provenance/labelling of AI-generated content, and includes workforce-development provisions. Governor Lamont's office has stated he favours the bill with "commonsense protections" and intends to sign it.

🇪🇺 EU CRA Chapter IV applies 11 June 2026 — 35 days

Member State authorities must notify the Commission of designated conformity-assessment bodies (CABs) for products with digital elements from 11 June 2026, opening the CAB infrastructure ahead of the September 2026 vulnerability/incident reporting trigger and full obligations on 11 December 2027. Manufacturers should confirm which CAB will assess their hardware/software products and validate cyber-risk documentation now.

🇺🇸 CIRCIA final rule still in May 2026 publication window — slipping

CISA's self-imposed May 2026 target for publishing the Cyber Incident Reporting for Critical Infrastructure Act final rule has not yet produced a published rule as of 7 May. The rule will impose 72-hour covered-incident and 24-hour ransomware-payment reporting on an estimated 300,000 entities across 16 critical-infrastructure sectors. Postponed sector-specific virtual town halls (disrupted by the autumn 2025 appropriations lapse) are still being rescheduled, increasing the chance that publication slips past May.

🇬🇧 UK DUAA complaints procedure activates 19 June 2026 — 43 days

The Data (Use and Access) Act 2025 inserts new §164A into the DPA 2018, creating a statutory data-protection complaints duty for every controller. From 19 June, controllers must facilitate complaints (including an electronic complaints route), acknowledge complaints within 30 days, and respond "without undue delay". The ICO has signalled it will route complainants to the controller's own procedure first — making a working in-house process a practical pre-condition for ICO engagement.

Deadline Watch

 #  Item                                         Jurisdiction  Date          Days
 1  EDPB 119th plenary                           EU            11 May 2026      4
 2  FCA BNPL registration opens                  UK            15 May 2026      8
 3  China Drug Admin Law revision in force       China         15 May 2026      8
 4  NERC CIP-003-11 effective                    US            26 May 2026     19
 5  EUDAMED Modules 1–4 mandatory                EU            28 May 2026     21
 6  EU CRA Chapter IV (CAB notifications)        EU            11 June 2026    35
 7  UK DUAA complaints procedure live            UK            19 June 2026    43
 8  PIPL first audit cycle (≥10M PI processors)  China         30 June 2026    54
 9  Louisiana ASAA + CT/CO/NE minors' data laws  US            1 July 2026     55
10  FCA BNPL Regulation Day                      UK            15 July 2026    69

Deep Dive #1: Italian Garante's €12.5M SDK Verdict — Why 'All-or-Nothing' In-App Consents Just Died

When the Italian Garante announced its €12.5M sanction against Poste Italiane and Postepay on 17 April, the headline was the number. The story, for every controller that ships a mobile app, is the architecture finding underneath it.

The Garante did not just say Poste Italiane bundled too much data into one consent. The decision found violations across eight separate GDPR articles — Article 5 (data minimisation, transparency, storage limitation), Article 6 (no valid lawful basis), Article 13 (deficient information at collection), Article 25 (no privacy by design), Articles 26 and 28 (controller–processor irregularities), Article 32 (single-factor authentication on sensitive systems), and Article 35 (no DPIA despite high-risk processing). It is the kind of structural finding that cannot be cured by a single-paragraph fix to the privacy notice. The third-party SDK at issue — LexisNexis ThreatMetrix — is a fraud and anti-abuse tool used in banking and payments apps across the EU. The Garante accepted that anti-fraud is a legitimate purpose. What it rejected was Poste Italiane's design pattern: continued account access conditioned on the user authorising broad device-level data collection.

Here's why this matters beyond Italy. Almost every regulated mobile app in the EU embeds at least one third-party SDK whose function — fraud scoring, behavioural biometrics, ad-fraud prevention, bot detection — sounds defensible in the abstract. The Garante's reasoning attacks a specific implementation pattern that has become quietly universal: the app refuses to function unless the user agrees to the SDK's full telemetry collection. That pattern is now sitting on the wrong side of an EDPB-member supervisor's published decision. Other DPAs read each other's enforcement posture closely; the EDPB itself has been pushing similar lines through its 2026 Coordinated Enforcement Framework on transparency. Expect the same logic to surface in CNIL, AEPD, and Datatilsynet decisions through the rest of 2026.

🔒 This analysis continues for CyberEyeQ Pro subscribers, including the SDK Inventory Audit checklist and the recommended decoupled-consent architecture.

Deep Dive #2: Utah's "Day 2" — Live Age Signals in Production, and Your Louisiana Build Is 55 Days Out

As of yesterday, 6 May 2026, both Apple's Declared Age Range API on iOS, iPadOS and macOS, and Google's Play Age Signals API on Android, are returning live age-bracket signals (under 13, 13–15, 16–17, 18+) for new accounts associated with Utah. Utah SB 73's VPN-bypass liability provision, which makes covered websites liable even if Utah users mask their location with a VPN, is also in its second day in force. Apple has begun blocking 18+ app downloads for accounts whose age signal returns under-18 in in-scope states; Google's enforcement is scoped through the Play Console policy.

The interesting part of Day 2 is what is not working as cleanly as expected. App developers are reporting inconsistent signal availability for migrated accounts (versus net-new accounts), unclear behaviour when the same Apple ID is used across multiple jurisdictions, and a documented gap in Texas — where state API responses remain paused under the 23 December 2025 federal preliminary injunction. That Texas pause is the live experiment for what happens when an app-store-driven regime is enjoined mid-build.

The forward-looking compliance story is Louisiana on 1 July 2026 (55 days). Louisiana's app-store law deliberately diverges from Utah and Texas on one key point: there is no developer safe harbour for reasonable reliance on app-store-provided information. Utah and Texas grant developers a safe harbour. Louisiana does not. That means Louisiana-targeted apps need an independent age-verification path that does not rely solely on the platform-provided signal. Add Connecticut's PA 25-113, Colorado's SB25-201, and Nebraska's LB 383 — all effective the same 1 July 2026 date — and you have four state regimes hitting on a single Wednesday, none of them mechanically interchangeable.

🔒 This analysis continues for CyberEyeQ Pro subscribers, including the Louisiana fallback architecture pattern, suggested signal-validation logic, and the Texas-injunction contingency build.

What to Do This Week

  1. SDK inventory — Pull every third-party SDK shipped in your EU-facing mobile apps. For each, document lawful basis, Article 13 disclosure, processor agreement (Art. 28), and DPIA. Flag any SDK whose telemetry is conditioned on continued account access.

  2. EUDAMED dry run — Confirm SRNs for every EU economic operator in your group. Confirm UDI/device registration submitted for products you intend to place after 28 May. Stage legacy device data for the November 2026 wave.

  3. FCA BNPL go/no-go — Decide between full authorisation and the Temporary Permissions Regime by 15 May. Document the decision and assign an owner for the six-month authorisation runway.

🔒 Items 4 and 5, including the Connecticut SB 5 readiness checklist and the EU CRA Chapter IV CAB-selection workflow, continue for CyberEyeQ Pro subscribers.

CyberEyeQ — Actionable Regulatory Intelligence
Published every Thursday · Issue #20 · 7 May 2026
Reply to this email or write to [email protected].