
Supreme Court clears app-store age checks as seven deadlines hit in three weeks
The Supreme Court declined to block Texas's app-store age-verification law on Monday, the first appellate green light for device-level age checks in the United States — even as a federal judge in Nebraska enjoined that state's parallel mandate days earlier. Meanwhile China quietly promulgated mandatory annual data-security risk assessments, the EDPB reset the anonymisation bar, and seven hard deadlines land between today and August 2.
At a Glance
SCOTUS clears Texas age checks — The Court denied applications to vacate the Fifth Circuit's stay on 6 July, leaving SB 2420's app-store age-category and parental-consent duties fully enforceable during appeal.
China mandates annual data audits — CAC/MIIT/MPS Order No. 24 requires important-data processors to run a risk assessment every year and file it within 20 working days — effective 20 August.
FedRAMP Ready retires 28 July — No new FedRAMP Ready submissions are accepted after 28 July; the sponsorless on-ramp closes and providers must use Ready Conversion.
UK BNPL enters FCA perimeter — From 15 July, deferred payment credit is regulated consumer credit — authorisation, affordability checks, Consumer Duty and Ombudsman jurisdiction all attach.
CIRCIA final rule slips again — The Unified Agenda (RIN 1670-AA04) now projects a September 2026 final rule — nearly a year past the statutory October 2025 deadline.
EDPB resets anonymisation bar — The 8 July plenary adopted draft guidelines on anonymisation and on generative-AI web scraping, and finalised the blockchain guidelines.
Critical Actions
Buy Now Pay Later becomes regulated credit in six days
United Kingdom · Financial · Due: 15 Jul 2026
S.I. 2025/1154 brings deferred payment credit into scope of section 189 of the Consumer Credit Act 1974 from 15 July. Lenders need FCA authorisation or a temporary permission, must run upfront affordability and creditworthiness checks, and fall under the Consumer Duty, section 75 protections and Financial Ombudsman Service jurisdiction. The temporary-permissions notification window closed on 1 July.
Action: Confirm authorisation or temporary-permission status for every BNPL lending entity, and verify affordability, refund and complaints flows meet Consumer Duty outcomes on day one.
CNIL's tracking-pixel grace period closes Tuesday
France · Privacy · Due: 14 Jul 2026
CNIL Deliberation 2026-042 gave organisations three months from the 14 April publication date to tell recipients whose email addresses were collected earlier that tracking pixels are in use, and to offer an easy means to object. That window closes on or about 14 July, after which CNIL says it will verify compliance through its inspection powers. Transactional email and individual deliverability measurement tied to a requested service remain exempt.
Action: Send a pixel-use notice with an easy objection route to every French contact collected before 14 April 2026, and classify each email stream as transactional, consented or marketing.
FedRAMP Ready goes Legacy — last submissions this month
United States · Cloud Security · Due: 28 Jul 2026
Under the Consolidated Rules for 2026, in effect since 4 July, FedRAMP retires the "Ready" designation on 28 July and will accept no new Ready submissions after that date. Existing Ready holders must move through the Ready Conversion path; a Temporary Rev5 Program Certification pipeline opens 10 August for eligible Class B and Class C providers. The 20x Class A pipeline opens 3 August, and CR26 becomes mandatory for every offering on 1 January 2027.
Action: File any remaining FedRAMP Ready package before 28 July and confirm eligibility for the Ready Conversion or Lost Sponsor route.
Enforcement Watch
Texas SB 2420 enforceable during First Amendment appeal (Enforceable) — The Supreme Court's 6 July orders in Nos. 25A1389 and 25A1390 were brief, unsigned and drew no noted dissent. They are not a merits ruling, but Texas may enforce app-store age categorisation and parental consent now.
Nebraska LB 383's age-verification core preliminarily enjoined (Enjoined) — Judge John Gerrard granted NetChoice's motion in part on 27 June, holding that third-party age verification and express parental consent likely violate the First Amendment. Unenjoined provisions took effect 1 July.
EU AI Act penalty powers switch on 2 August (€15M / 3%) — The Commission's power to fine GPAI providers under Article 101 begins 2 August 2026; Article 50 transparency duties start the same day. Prohibited-practice fines under Article 5 reach €35M or 7% of worldwide turnover.
Korea's amended Network Act now live (KRW 1B) — Effective 7 July, large-scale service providers must manage illegal or manipulated information, publish semi-annual transparency reports and honour objection rights. Courts may award punitive damages up to five times actual harm.
Deadline Watch
Date | Development | Jurisdiction | Who's affected |
|---|---|---|---|
Jul 10 | AMLA Single Rulebook standards due to Commission | European Union | Banks, obliged entities |
Jul 14 | CNIL email tracking-pixel notice window closes | France | Any email marketer |
Jul 15 | UK BNPL becomes regulated deferred payment credit | United Kingdom | BNPL lenders, merchants |
Jul 15 | China's AI anthropomorphic interaction measures take effect | China | Companion-AI providers |
Jul 17 | Member States must identify critical entities under the CER Directive | European Union | Critical infrastructure |
Jul 18 | GENIUS Act stablecoin final-rule statutory deadline | United States | Stablecoin issuers |
Jul 18 | Canada's Bill C-16 comes into force | Canada | Online services reaching minors |
Jul 25 | Ofcom's statutory age-assurance report due under OSA s.157 | United Kingdom | Category 1 / 2A services |
Jul 28 | FedRAMP Ready designation retires | United States | Cloud service providers |
Jul 31 | FTC comment window on AI accuracy policy statement closes | United States | AI providers |
Aug 02 | EU AI Act Article 50 + GPAI penalty powers apply; CA SB 942 operative | EU / California | GenAI providers |
Aug 02 | CAC consultation on Internet Information Services rewrite closes | China | Platforms, AI services |
Aug 05 | EDPB common breach-notification template consultation closes | European Union | All GDPR controllers |
Aug 20 | CAC Order No. 24 network data risk assessments take effect | China | Important-data processors |
Aug 31 | CMS CY 2027 OPPS/ASC proposed rule comments close | United States | Hospitals, 340B entities |
Sep 11 | EU Cyber Resilience Act vulnerability + incident reporting begins | European Union | Product manufacturers |
Around the World
🇨🇳 China — Two registry-level gaps closed at once. Order No. 24 (Network Data Security Risk Assessment Measures) was promulgated 18 June and takes effect 20 August. Separately, CAC reopened consultation on a rewrite of the Administrative Measures for Internet Information Services adding a dedicated "intelligent information services" section covering AI applications, algorithmic push and AI-agent distribution; comments close 2 August.
🇪🇺 European Union — The Council gave final adoption to the Digital Omnibus on AI on 29 June, deferring stand-alone Annex III high-risk duties to 2 December 2027 and embedded high-risk to 2 August 2028; Official Journal publication is still pending. The Commission also presented an EU Action Plan on Cybersecurity and AI on 7 July, tying advanced-model evaluation to AI Act market entry.
🇬🇧 United Kingdom — Ofcom must publish its first statutory report on the use and effectiveness of age assurance by 25 July under section 157 of the Online Safety Act, covering the first year of the child-safety duties. The register of categorised services is also expected around July, triggering risk-assessment duties for Category 1 and 2A providers on publication.
🇺🇸 United States — CMS published the CY 2027 OPPS/ASC proposed rule on 7 July, proposing to pay 340B-acquired drugs at ASP−33.4% — an estimated $4.55B cut to Original Medicare drug payment — with comments closing 31 August. The House passed the KIDS Act (H.R. 7757) 267–117 on 29 June, folding in a federal SCREEN Act age-verification requirement.
🇰🇷 South Korea — The amended Network Act took effect 7 July, imposing illegal-content management duties, semi-annual transparency reports and user objection rights on large-scale service providers, with punitive damages up to 5× actual harm. Korea's PIPA overhaul follows on 11 September, adding an aggravated-violation tier of up to 10% of total turnover.
Deep Dive
CAC Order No. 24: Annual Risk Assessments, or Your Data Processing Stops
China · Data Security
On 18 June 2026 the Cyberspace Administration of China, together with MIIT and the Ministry of Public Security, promulgated the Network Data Security Risk Assessment Measures as Order No. 24. The 25-article instrument was adopted at the CAC's 12th office meeting on 1 June and takes effect on 20 August 2026. It implements the Data Security Law and the Network Data Security Management Regulations, and it is the first Chinese instrument to convert "risk assessment" from a principle into a dated, filed, auditable annual obligation with a named consequence for failure.
The mechanics are specific. Article 5 requires every important-data processor to conduct a risk assessment once a year, and to re-assess promptly whenever a material component changes; general data processors are encouraged, not required, to assess at least once every three years. Article 16 requires the resulting report to be filed with the competent authority within 20 working days of completion, defaulting to the provincial or national cyberspace authority where no competent department has been designated. Article 15 sets a three-year minimum retention period for the reports.
Two provisions deserve more attention than they are getting. Article 12 bars the same assessor — or any of its affiliates — from performing more than three consecutive annual assessments, and Article 11 prohibits sub-delegating the work. Together they import an auditor-rotation logic borrowed from financial audit into data security, which means multinationals cannot simply retain one consultancy indefinitely and must build a bench. Article 19 supplies the enforcement edge: authorities may order remediation and, on refusal, suspend important-data processing entirely. That is not a fine — it is an operational kill switch, and it is the reason this rule outranks most of what else landed this week. The threshold question, and the one almost nobody has answered internally, is whether any of your PRC entities actually process "important data" under the applicable sectoral catalogue. Here is what organisations need to do about it…
🔒 This analysis continues for CyberEyeQ Pro subscribers. Contact Us →
Run an important-data determination against the applicable sectoral catalogues for every PRC legal entity, and document the negative findings as carefully as the positive ones. (Owner: China Legal + Data Governance · Timeline: By 20 August 2026)
Stand up the annual assessment cycle and the 20-working-day filing path to the provincial or national cyberspace authority; identify the competent department per entity now, not at filing time. (Owner: Regional Privacy Officer · Timeline: By 20 August 2026)
Check assessor rotation exposure under Article 12 — no third consecutive annual engagement with the same firm or its affiliates — and pre-qualify a second assessor. (Owner: Procurement + Compliance · Timeline: Q3 2026)
Confirm three-year retention and retrievability of assessment reports under Article 15, and align with existing PIPL audit evidence retention. (Owner: Records Management · Timeline: Q3 2026)
Model the Article 19 suspension scenario in business-continuity planning: what stops if important-data processing is ordered halted in-country? (Owner: BCP / Risk · Timeline: Before year-end 2026)
Regulatory Frontline
Two Federal Courts, Nine Days, Opposite Answers on Age Verification
United States · Regulatory Frontline
Nine days apart, the American judiciary said two different things about the same idea. On 27 June, Judge John Gerrard preliminarily enjoined the age-verification and parental-consent core of Nebraska's LB 383, holding it likely violated the First Amendment rights of users and platforms alike. On 6 July, the Supreme Court declined to vacate the Fifth Circuit's stay protecting Texas's SB 2420, leaving app-store age categorisation and parental consent enforceable while the constitutional challenge proceeds. The distinction the courts appear to be drawing is not about age verification in the abstract but about where in the stack it sits: a duty imposed on the app store or device layer, several steps removed from expressive content, is surviving scrutiny that identical duties imposed directly on social platforms are not. Utah's app-store regime took effect 6 May and Louisiana's follows on 1 July 2027; the House meanwhile passed H.R. 7757 on 29 June, 267–117, folding a federal SCREEN Act age check into a COPPA expansion. If the store-layer/platform-layer line holds, the compliance burden for 2027 lands squarely on Apple, Google and the developers who publish through them — and the platform-level statutes that dominated 2024–25 legislative sessions become the losing branch of the tree.
What to Do This Week
Confirm your BNPL authorisation or temporary-permission status before 15 July. Operating outside authorisation or the TPR after go-live is a criminal offence under S.I. 2025/1154.
Send the CNIL pixel-use notice to French contacts collected before 14 April. The three-month progressive-compliance window closes on or about 14 July; CNIL will then inspect.
File any outstanding FedRAMP Ready package before 28 July. After that date the designation is Legacy and only the Ready Conversion path remains.
🔒 Determine whether any PRC entity processes "important data" under the sectoral catalogues. Order No. 24's annual assessment duty and Article 19 suspension power attach from 20 August.
🔒 Lock the 2 August readiness list: Article 50 labelling, GPAI documentation, SB 942 detection tooling. EU AI Act penalty powers and California's AI Transparency Act land on the same day.
CyberEyeQ — Actionable Regulatory Intelligence. This newsletter is for informational purposes only and does not constitute legal advice.
