Connecticut's amended Data Privacy Act (SB 1295 / Public Act 25-113) takes effect July 1, 2026 — tomorrow. The law drops the applicability threshold from 100,000 to 35,000 consumers, pulling thousands of mid-sized businesses into scope for the first time. It also removes the entity-level GLBA exemption (data-level only now) and, for consumers a controller knows or wilfully disregards are 13–17, categorically bans targeted advertising and the sale of their personal data — with no consent exception — plus any design feature meant to extend a minor's use. A separate minors'-profiling impact-assessment duty applies to processing created on or after August 1, 2026.

Read Public Act 25-113 (full text)

China's new PIPL standards land the same day. Two national standards — GB/T 46901-2025 (data portability) and GB/T 46903-2025 (compliance audits) — are recorded in China's national-standards registry as effective July 1, 2026 (a date we could not independently corroborate against an English-language primary source). Though "recommended" GB/T standards, they function as the practical benchmark for PIPL Article 45 portability requests and CAC-mandated compliance audits. Align your portability-request handling and audit methodology now.

California's CCPA risk-assessment and ADMT regime is phasing in. The CPPA's finalized regulations took effect January 1, 2026, with no automatic 30-day cure period. Risk-assessment duties for "significant risk" processing are already live; automated decision-making technology (ADMT) obligations begin January 1, 2027, on a staggered timetable. Stand up your risk-assessment workflow and assume no grace period on enforcement.

EU AI Act transparency duties are 33 days out. Article 50 — telling users they're interacting with AI and labelling AI-generated and deep-fake content — applies August 2, 2026. The Commission's Code of Practice on AI-content transparency landed June 10. Inventory every AI-touchpoint and deep-fake output that will need a label.

EU regulators harmonise breach reporting. At its June 10 plenary the EDPB adopted a common personal-data-breach notification template to standardise GDPR Article 33 filings across supervisory authorities; the G7 data protection roundtable in Paris (June 25–26) issued a children/emerging-tech declaration. Both are coordination steps, not binding law. Map your Article 33 workflow to the EDPB's template fields.

Confirm whether Connecticut's lowered 35,000-consumer threshold now brings you into CTDPA scope — and if so, switch off targeted advertising and data sales for known 13–17 users before tomorrow.

AI Governance — EU AI Act implementation, national AI rules, and the global governance race.

CyberEyeQ — Actionable Regulatory Intelligence. Questions or feedback: [email protected]