A quiet Tuesday for net-new law, but the mid-July-to-August compliance calendar is stacking up. Two hard deadlines land inside 30 days, and one lands in 11.
Today's Top Story
EU AI Act transparency rules go live 2 August
The EU AI Act's Article 50 transparency obligations take effect 2 August 2026 (26 days): you must tell people when they are interacting with an AI system and clearly label AI-generated content and deep fakes. The AI Act's penalty architecture switches on the same day. Its top tier reaches €35 million or 7% of global turnover — above GDPR's €20 million / 4% ceiling — though an Article 50 labelling breach specifically sits in a lower band (up to €7.5 million or 1.5%). Either way, it is a second penalty layer over privacy-adjacent processing. Primary source
Also Today
Canada's Bill C-16 comes into force 18 July. The Protecting Victims Act restores mandatory minimum penalties and strengthens duties to shield children from online predators. It is primarily criminal law, but it touches children's-data handling and mandatory-reporting duties for online services. Review your child-safety reporting and data procedures for Canadian operations now. Primary source
California's opt-out enforcement wave keeps rolling. The state Attorney General settled with Disney/ABC for $2.75 million in February; CalPrivacy (the CPPA) fined PlayOn Sports $1.1 million in March — both over failed opt-out mechanisms and Global Privacy Control signals. Mandatory risk assessments and ADMT rules took effect 1 January, and the CPPA's new Audits Division can now open exams with no consumer complaint. Verify GPC honoring and cross-context opt-out propagation. Primary source
EDPB's common breach-notification template consultation closes 5 August. The draft form — roughly 120 fields across seven sections, intended for adoption by every EU DPA under Article 33 GDPR — is open for comment before the EDPB sets a rollout timeline. Submit feedback and map your breach-response fields to the template. Primary source
Korea's PIPA overhaul lands 11 September. The amendment adds an aggravated-violation tier of up to 10% of total turnover (above the existing 3% baseline) and makes the CEO formally accountable for data-protection compliance. Model your turnover-based fine exposure now. Primary source
⏰ Deadline Alert
Canada Bill C-16 — 18 July 2026 (11 days). The nearest hard deadline on the board. If you run online services reaching Canadian minors, finalize child-safety reporting and data-handling procedures this week.
One Thing to Do Today
Confirm your AI-interaction disclosures and synthetic-content labelling controls are live and testable before 2 August — the AI Act's transparency clock and its penalty regime start together.
Tomorrow's Focus
Wednesday: AI Governance — the EU AI Act's 2 August enforcement turn-on, from the regulator's side.
CyberEyeQ — Actionable Regulatory Intelligence. Questions or feedback: [email protected]