This website uses cookies

Read our Privacy policy and Terms of use for more information.

Supreme Court clears app-store age checks as seven deadlines hit in three weeks

The Supreme Court declined to block Texas's app-store age-verification law on Monday, the first appellate green light for device-level age checks in the United States — even as a federal judge in Nebraska enjoined that state's parallel mandate days earlier. Meanwhile China quietly promulgated mandatory annual data-security risk assessments, the EDPB reset the anonymisation bar, and seven hard deadlines land between today and August 2.

At a Glance

  • SCOTUS clears Texas age checks — The Court denied applications to vacate the Fifth Circuit's stay on 6 July, leaving SB 2420's app-store age-category and parental-consent duties fully enforceable during appeal.

  • China mandates annual data audits — CAC/MIIT/MPS Order No. 24 requires important-data processors to run a risk assessment every year and file it within 20 working days — effective 20 August.

  • FedRAMP Ready retires 28 July — No new FedRAMP Ready submissions are accepted after 28 July; the sponsorless on-ramp closes and providers must use Ready Conversion.

  • UK BNPL enters FCA perimeter — From 15 July, deferred payment credit is regulated consumer credit — authorisation, affordability checks, Consumer Duty and Ombudsman jurisdiction all attach.

  • CIRCIA final rule slips again — The Unified Agenda (RIN 1670-AA04) now projects a September 2026 final rule — nearly a year past the statutory October 2025 deadline.

  • EDPB resets anonymisation bar — The 8 July plenary adopted draft guidelines on anonymisation and on generative-AI web scraping, and finalised the blockchain guidelines.

Critical Actions

Buy Now Pay Later becomes regulated credit in six days

United Kingdom · Financial · Due: 15 Jul 2026

S.I. 2025/1154 brings deferred payment credit into scope of section 189 of the Consumer Credit Act 1974 from 15 July. Lenders need FCA authorisation or a temporary permission, must run upfront affordability and creditworthiness checks, and fall under the Consumer Duty, section 75 protections and Financial Ombudsman Service jurisdiction. The temporary-permissions notification window closed on 1 July.

Action: Confirm authorisation or temporary-permission status for every BNPL lending entity, and verify affordability, refund and complaints flows meet Consumer Duty outcomes on day one.

CNIL's tracking-pixel grace period closes Tuesday

France · Privacy · Due: 14 Jul 2026

CNIL Deliberation 2026-042 gave organisations three months from the 14 April publication date to tell recipients whose email addresses were collected earlier that tracking pixels are in use, and to offer an easy means to object. That window closes on or about 14 July, after which CNIL says it will verify compliance through its inspection powers. Transactional email and individual deliverability measurement tied to a requested service remain exempt.

Action: Send a pixel-use notice with an easy objection route to every French contact collected before 14 April 2026, and classify each email stream as transactional, consented or marketing.

FedRAMP Ready goes Legacy — last submissions this month

United States · Cloud Security · Due: 28 Jul 2026

Under the Consolidated Rules for 2026, in effect since 4 July, FedRAMP retires the "Ready" designation on 28 July and will accept no new Ready submissions after that date. Existing Ready holders must move through the Ready Conversion path; a Temporary Rev5 Program Certification pipeline opens 10 August for eligible Class B and Class C providers. The 20x Class A pipeline opens 3 August, and CR26 becomes mandatory for every offering on 1 January 2027.

Action: File any remaining FedRAMP Ready package before 28 July and confirm eligibility for the Ready Conversion or Lost Sponsor route.

Enforcement Watch

  • Texas SB 2420 enforceable during First Amendment appeal (Enforceable) — The Supreme Court's 6 July orders in Nos. 25A1389 and 25A1390 were brief, unsigned and drew no noted dissent. They are not a merits ruling, but Texas may enforce app-store age categorisation and parental consent now.

  • Nebraska LB 383's age-verification core preliminarily enjoined (Enjoined) — Judge John Gerrard granted NetChoice's motion in part on 27 June, holding that third-party age verification and express parental consent likely violate the First Amendment. Unenjoined provisions took effect 1 July.

  • EU AI Act penalty powers switch on 2 August (€15M / 3%) — The Commission's power to fine GPAI providers under Article 101 begins 2 August 2026; Article 50 transparency duties start the same day. Prohibited-practice fines under Article 5 reach €35M or 7% of worldwide turnover.

  • Korea's amended Network Act now live (KRW 1B) — Effective 7 July, large-scale service providers must manage illegal or manipulated information, publish semi-annual transparency reports and honour objection rights. Courts may award punitive damages up to five times actual harm.

Deadline Watch

Date

Development

Jurisdiction

Who's affected

Jul 10

AMLA Single Rulebook standards due to Commission

European Union

Banks, obliged entities

Jul 14

CNIL email tracking-pixel notice window closes

France

Any email marketer

Jul 15

UK BNPL becomes regulated deferred payment credit

United Kingdom

BNPL lenders, merchants

Jul 15

China's AI anthropomorphic interaction measures take effect

China

Companion-AI providers

Jul 17

Member States must identify critical entities under the CER Directive

European Union

Critical infrastructure

Jul 18

GENIUS Act stablecoin final-rule statutory deadline

United States

Stablecoin issuers

Jul 18

Canada's Bill C-16 comes into force

Canada

Online services reaching minors

Jul 25

Ofcom's statutory age-assurance report due under OSA s.157

United Kingdom

Category 1 / 2A services

Jul 28

FedRAMP Ready designation retires

United States

Cloud service providers

Jul 31

FTC comment window on AI accuracy policy statement closes

United States

AI providers

Aug 02

EU AI Act Article 50 + GPAI penalty powers apply; CA SB 942 operative

EU / California

GenAI providers

Aug 02

CAC consultation on Internet Information Services rewrite closes

China

Platforms, AI services

Aug 05

EDPB common breach-notification template consultation closes

European Union

All GDPR controllers

Aug 20

CAC Order No. 24 network data risk assessments take effect

China

Important-data processors

Aug 31

CMS CY 2027 OPPS/ASC proposed rule comments close

United States

Hospitals, 340B entities

Sep 11

EU Cyber Resilience Act vulnerability + incident reporting begins

European Union

Product manufacturers

Around the World

🇨🇳 China — Two registry-level gaps closed at once. Order No. 24 (Network Data Security Risk Assessment Measures) was promulgated 18 June and takes effect 20 August. Separately, CAC reopened consultation on a rewrite of the Administrative Measures for Internet Information Services adding a dedicated "intelligent information services" section covering AI applications, algorithmic push and AI-agent distribution; comments close 2 August.

🇪🇺 European Union — The Council gave final adoption to the Digital Omnibus on AI on 29 June, deferring stand-alone Annex III high-risk duties to 2 December 2027 and embedded high-risk to 2 August 2028; Official Journal publication is still pending. The Commission also presented an EU Action Plan on Cybersecurity and AI on 7 July, tying advanced-model evaluation to AI Act market entry.

🇬🇧 United Kingdom — Ofcom must publish its first statutory report on the use and effectiveness of age assurance by 25 July under section 157 of the Online Safety Act, covering the first year of the child-safety duties. The register of categorised services is also expected around July, triggering risk-assessment duties for Category 1 and 2A providers on publication.

🇺🇸 United States — CMS published the CY 2027 OPPS/ASC proposed rule on 7 July, proposing to pay 340B-acquired drugs at ASP−33.4% — an estimated $4.55B cut to Original Medicare drug payment — with comments closing 31 August. The House passed the KIDS Act (H.R. 7757) 267–117 on 29 June, folding in a federal SCREEN Act age-verification requirement.

🇰🇷 South Korea — The amended Network Act took effect 7 July, imposing illegal-content management duties, semi-annual transparency reports and user objection rights on large-scale service providers, with punitive damages up to 5× actual harm. Korea's PIPA overhaul follows on 11 September, adding an aggravated-violation tier of up to 10% of total turnover.

Deep Dive

CAC Order No. 24: Annual Risk Assessments, or Your Data Processing Stops

China · Data Security

On 18 June 2026 the Cyberspace Administration of China, together with MIIT and the Ministry of Public Security, promulgated the Network Data Security Risk Assessment Measures as Order No. 24. The 25-article instrument was adopted at the CAC's 12th office meeting on 1 June and takes effect on 20 August 2026. It implements the Data Security Law and the Network Data Security Management Regulations, and it is the first Chinese instrument to convert "risk assessment" from a principle into a dated, filed, auditable annual obligation with a named consequence for failure.

The mechanics are specific. Article 5 requires every important-data processor to conduct a risk assessment once a year, and to re-assess promptly whenever a material component changes; general data processors are encouraged, not required, to assess at least once every three years. Article 16 requires the resulting report to be filed with the competent authority within 20 working days of completion, defaulting to the provincial or national cyberspace authority where no competent department has been designated. Article 15 sets a three-year minimum retention period for the reports.

Two provisions deserve more attention than they are getting. Article 12 bars the same assessor — or any of its affiliates — from performing more than three consecutive annual assessments, and Article 11 prohibits sub-delegating the work. Together they import an auditor-rotation logic borrowed from financial audit into data security, which means multinationals cannot simply retain one consultancy indefinitely and must build a bench. Article 19 supplies the enforcement edge: authorities may order remediation and, on refusal, suspend important-data processing entirely. That is not a fine — it is an operational kill switch, and it is the reason this rule outranks most of what else landed this week. The threshold question, and the one almost nobody has answered internally, is whether any of your PRC entities actually process "important data" under the applicable sectoral catalogue. Here is what organisations need to do about it…

🔒 This analysis continues for CyberEyeQ Pro subscribers. Contact Us →

  1. Run an important-data determination against the applicable sectoral catalogues for every PRC legal entity, and document the negative findings as carefully as the positive ones. (Owner: China Legal + Data Governance · Timeline: By 20 August 2026)

  2. Stand up the annual assessment cycle and the 20-working-day filing path to the provincial or national cyberspace authority; identify the competent department per entity now, not at filing time. (Owner: Regional Privacy Officer · Timeline: By 20 August 2026)

  3. Check assessor rotation exposure under Article 12 — no third consecutive annual engagement with the same firm or its affiliates — and pre-qualify a second assessor. (Owner: Procurement + Compliance · Timeline: Q3 2026)

  4. Confirm three-year retention and retrievability of assessment reports under Article 15, and align with existing PIPL audit evidence retention. (Owner: Records Management · Timeline: Q3 2026)

  5. Model the Article 19 suspension scenario in business-continuity planning: what stops if important-data processing is ordered halted in-country? (Owner: BCP / Risk · Timeline: Before year-end 2026)

Regulatory Frontline

Two Federal Courts, Nine Days, Opposite Answers on Age Verification

United States · Regulatory Frontline

Nine days apart, the American judiciary said two different things about the same idea. On 27 June, Judge John Gerrard preliminarily enjoined the age-verification and parental-consent core of Nebraska's LB 383, holding it likely violated the First Amendment rights of users and platforms alike. On 6 July, the Supreme Court declined to vacate the Fifth Circuit's stay protecting Texas's SB 2420, leaving app-store age categorisation and parental consent enforceable while the constitutional challenge proceeds. The distinction the courts appear to be drawing is not about age verification in the abstract but about where in the stack it sits: a duty imposed on the app store or device layer, several steps removed from expressive content, is surviving scrutiny that identical duties imposed directly on social platforms are not. Utah's app-store regime took effect 6 May and Louisiana's follows on 1 July 2027; the House meanwhile passed H.R. 7757 on 29 June, 267–117, folding a federal SCREEN Act age check into a COPPA expansion. If the store-layer/platform-layer line holds, the compliance burden for 2027 lands squarely on Apple, Google and the developers who publish through them — and the platform-level statutes that dominated 2024–25 legislative sessions become the losing branch of the tree.

What to Do This Week

  1. Confirm your BNPL authorisation or temporary-permission status before 15 July. Operating outside authorisation or the TPR after go-live is a criminal offence under S.I. 2025/1154.

  2. Send the CNIL pixel-use notice to French contacts collected before 14 April. The three-month progressive-compliance window closes on or about 14 July; CNIL will then inspect.

  3. File any outstanding FedRAMP Ready package before 28 July. After that date the designation is Legacy and only the Ready Conversion path remains.

  4. 🔒 Determine whether any PRC entity processes "important data" under the sectoral catalogues. Order No. 24's annual assessment duty and Article 19 suspension power attach from 20 August.

  5. 🔒 Lock the 2 August readiness list: Article 50 labelling, GPAI documentation, SB 942 detection tooling. EU AI Act penalty powers and California's AI Transparency Act land on the same day.

CyberEyeQ — Actionable Regulatory Intelligence. This newsletter is for informational purposes only and does not constitute legal advice.

Keep Reading