ARTICLE
29 June 2026

Dechert Cyber Bits – Issue 98 – June 25, 2026

Contributor: Dechert

Connecticut Enacts Comprehensive Artificial Intelligence Law

On June 2, 2026, Connecticut signed into law Public Act 26-15, the Connecticut Artificial Intelligence Responsibility and Transparency Act (“the CART Act”), making Connecticut the latest state to enact a comprehensive artificial intelligence (“AI”) law. The CART Act addresses a variety of topics, including AI regulation, online safety, generative AI provenance requirements and the use of AI in hiring/employment. The law has rolling compliance dates, with some elements of the Act taking effect on October 1, 2026. Notably, the CART Act does not exempt from its requirements financial institutions or data that is subject to the Gramm-Leach-Bliley Act.

With respect to AI in the workplace, the CART Act imposes obligations on developers and deployers of “automated employment-related decision technology” (“AEDT”)—defined in the Act as technology whose output is used as a “substantial factor” in making an “employment-related decision.” Among other requirements, deployers of such technology must: (i) disclose to employees/applicants, in plain language, that they are interacting with automated employment-related decision technology; and (ii) before an employment-related decision is made, provide written notice disclosing (a) that such technology was used, (b) its purpose and the nature of the decision, (c) the trade name of the technology, (d) the categories of personal data analyzed and how it was assessed, (e) the data sources, and (f) the deployer’s contact information.

On AI safety, among other obligations, the CART Act requires that operators of “artificial intelligence companion[s]” implement tools for identifying and responding to threats of self-harm, suicide, or other imminent violence. 

Takeaway: The CART Act is one of the most wide-ranging state AI laws to date and builds off of profiling and automated decision-making obligations currently in effect under the Connecticut Data Privacy Act. Businesses operating in Connecticut (including GLBA financial institutions) will want to prioritize assessment of their compliance obligations given the staggered effective dates that begin in October. We expect many companies to initially focus on the Act’s applicability to their use of AI in the hiring and employment space. Businesses will want to inventory AI tools that generate outputs—scores, rankings, recommendations, or classifications—that could factor into hiring, promotion, discipline, or termination decisions to determine whether they’re in scope of the CART Act requirements, and undertake compliance program and disclosure modifications if they are.

UK Tribunal Holds That Self-Disclosure by a Data Subject Does Not Convert Anonymous Data Into Personal Data

A campaigner made a request to a County Council for data relating to school entrance examination results under the Freedom of Information Act (“FOIA”). Overturning the UK Information Commissioner’s Office’s decision, the UK’s First-Tier Tribunal held that the County Council was wrong to rely on the exemption to FOIA requests for personal data.

The campaigner, Mr. Coombs, made a FOIA request for test results, specifying that certain accompanying data should not be included to avoid the risk that information responsive to the request would constitute personal data and therefore be exempt from disclosure under the FOIA. Kent Council refused the request, arguing that disclosure would involve the release of personal data because the combination of a student’s three test scores was sufficiently unique to be able to identify that they related to specific students even if additional information was removed.

The ICO had agreed with Kent Council, finding that if a student had a unique combination of test scores and had shared their test scores with other people, those people could identify that the scores related to that student. However, on appeal the First-Tier Tribunal overturned the ICO’s decision. According to the First-Tier Tribunal, the risk of identification was too remote for the test scores to constitute personal data. The scenario that the ICO identified, in which test scores related to an identifiable individual, depended on either: (a) voluntary self-disclosure of the scores by the student; or (b) relationship-specific prior knowledge held by parents, peers or others. The First-Tier Tribunal emphasized that whether information is personal data is not to be assessed based on remote or hypothetical possibilities of identification, but based on whether the individual could be identified by “means reasonably likely to be used.”

Takeaway: The First-Tier Tribunal’s decision reinforces that speculative or highly remote identification risks are unlikely to be sufficient for information to fall within the scope of “personal data” under the GDPR. This is an important and welcome clarification. The Tribunal endorsed approaching cases involving anonymized or aggregated information by considering if an individual would be identifiable to a “motivated intruder” who is reasonably competent and determined and has access to information in the public domain, but does not have specialist technical expertise, insider access or unlawfully obtained information.

European Data Protection Board Adopts New Mechanism for International Data Transfers

On 16 April 2026, the European Data Protection Board (“EDPB”) adopted two opinions promoting the global expansion of Europrivacy certification. Europrivacy is currently the only officially recognized common certification of GDPR compliance.

Certification is based on an audit by an impartial certification body examining whether selected processing activities are supported by effective organizational controls in line with GDPR. The audit is conducted against defined, objective and demonstrable criteria set by the certification mechanism or seal provider, which must be evidenced to the certification body's satisfaction.

The first opinion (14/2026) authorizes the use of the Europrivacy certification outside of EU and EEA countries, meaning organizations outside of these territories can now request certification to show that their data processing activities are GDPR compliant.

The second opinion (15/2026) approves a specific version of the Europrivacy certification criteria to be used as a mechanism for transferring personal data internationally. Data exporters can rely on a data importer’s Europrivacy certification as providing appropriate safeguards for the international transfer of personal data, provided that the data importer also agrees contractually to comply with the certification requirements.

Takeaway: The new EDPB opinions add substantially to the utility of Europrivacy certification, providing a new option for lawfully carrying out international data transfers. However, in many cases Europrivacy is unlikely to replace existing mechanisms for transferring personal data outside the EEA, because certification involves a costly external auditing process.

FTC Invites Public Comment on Fate of X Corp. 2022 Settlement

On June 3, 2026, the Federal Trade Commission (“FTC”) announced that it is seeking public comment on whether it should amend or set aside a 2022 settlement with X Corp. (“X”)—previously, Twitter, Inc. (“Twitter”)—in response to a Petition to Reopen and Set Aside or, in the Alternative, Modify Decision and Order (“Petition”) filed by X on May 15, 2026.

In a March 2, 2011 Complaint (“Complaint I”), the FTC alleged that Twitter had violated the FTC Act by failing to implement adequate security practices, which allowed hackers to gain administrative access to the platform. That same day, in a Decision and Order (“Decision and Order I”) issued by the FTC to resolve Complaint I, Twitter was required to, among other things: (i) create and implement an information security program; and (ii) not misrepresent its privacy and security practices to consumers. Decision and Order I was to remain operative for 20 years.

Subsequently, in 2022, the FTC and Department of Justice (“DOJ”) filed a Complaint (“Complaint II”) in the Northern District of California, alleging that Twitter had violated Decision and Order I and the FTC Act by misrepresenting the security practices surrounding its use of users’ personal information, including emails and phone numbers, by using this information for advertising purposes. To resolve Complaint II, on May 26, 2022, the FTC and Twitter entered into Decision and Order II (“Decision and Order II”), in which Twitter was again required to implement an information security program and accurately represent its privacy and security practices to consumers, among other things. In addition, Twitter agreed to pay $150 million. Like Decision and Order I, Decision and Order II was to operate for 20 years. Twitter did not admit any wrongdoing in connection with Decision and Order I or II.

In its May 15, 2026 Petition, X argued that Decision and Order II should be set aside or modified because, among other reasons: (i) Twitter no longer exists; (ii) the individuals responsible for the allegedly unlawful behavior no longer work at X; (iii) Decision and Order II’s requirements are duplicative of already-existing national and international mandated requirements; and (iv) Decision and Order II impedes innovation by forcing X to divert its attention away from innovation and towards compliance. The public may submit comments until July 2, 2026, at which point the FTC will decide the Petition with a vote.

Takeaway: The FTC's willingness to entertain X's Petition is itself notable as consent orders are typically treated as settled outcomes, and the FTC has rarely reopened them. If the FTC sets aside or materially modifies Decision and Order II, it would mark a shift in how the agency approaches its existing enforcement portfolio and could signal that other companies operating under long-running consent decrees can seek similar relief. Companies subject to FTC consent orders should watch this closely: a favorable outcome for X could open a pathway to renegotiate obligations that have become commercially burdensome or technologically outdated.

State Privacy Laws Are Back and Spreading

Following a lull in new U.S. state privacy laws in 2025, Louisiana and Vermont have become the most recent states to implement comprehensive consumer data privacy laws.

On May 29, 2026, Governor Jeff Landry signed into law the Louisiana Data Privacy Act (“LDPA”). The LDPA will apply to any person or entity doing business within Louisiana and who (i) exceeds $25 million in annual gross revenue; (ii) buys, receives, sells, or shares personal data of 75,000 consumers annually; or (iii) derives from the sale of consumers’ personal information at least 50% of its annual revenue. Under the LDPA, controller obligations will include, among other things, providing clear consumer privacy notices, implementing and maintaining reasonable security safeguards, and minimizing data retention. Louisiana residents will have the right to request deletion of their personal data and the right to opt out of targeted advertising, personal data sales, and profiling, among others. The LDPA is set to take effect on January 1, 2027.

On the same date as the LDPA’s enactment, the Vermont legislature passed the Vermont Data Privacy and Online Surveillance Act (“S71”), and, on June 16, 2026, Governor Phil Scott signed S71 into law. S71 will apply to any person or entity (i) conducting business in Vermont or (ii) offering products or services to residents of Vermont, and who, in the preceding year: (a) controlled or processed at least 35,000 consumers’ personal data; (b) controlled or processed at least 3,000 consumers’ sensitive personal data—such as racial, sexual orientation, or genetic data; or (c) offered to sell at least 3,000 consumers’ personal data. S71 will impose obligations on controllers, including, for example, the requirements to establish reasonable security practices and to obtain consent prior to processing or selling consumers’ sensitive personal data. It will also grant Vermont residents certain rights, including, among other things, the right to correct personal data inaccuracies and the right to request the deletion of their personal data. S71 will take effect on January 1, 2028.

Notably, both the LDPA and S71 will be enforceable only by each respective state’s Attorney General.

Takeaway: With Louisiana's and Vermont’s enactments, 23 states now have comprehensive data privacy laws on the books, a threshold that effectively means no large business operating across the United States can treat state privacy compliance as a regional concern. For companies already operating under a CPRA-based or multi-state compliance framework, these laws are unlikely to require a ground-up rebuild. But companies should pressure-test whether their existing program adequately covers the specific requirements of each new law, such as Vermont's 35,000-consumer processing threshold and 3,000-consumer sensitive data threshold.

Dechert Tidbits

New Common Data Breach Notification Template Adopted by EDPB

The European Data Protection Board (EDPB) has adopted a proposed common GDPR data breach notification template aimed at harmonizing data breach reporting across Europe. The template is open for consultation until August 5, 2026. The template is a welcome step for streamlining the preparation of breach notifications across multiple EU member states.

UK Government Announces Social Media Ban for Under-16s

The UK Government announced plans to ban children under 16 from accessing social media platforms that enable live streaming or the ability to communicate with strangers. These measures, which the UK government says are intended to “give kids their childhood back”, will see under-16s blocked from Facebook, Instagram, X and Snapchat, among other platforms.

Five Eyes Alliance Issues Agentic AI Warning

The Five Eyes alliance cybersecurity agencies issued a warning on Monday, June 22, 2026 that swift action is needed to defend against threat actors leveraging generative and agentic AI to conduct attacks with significantly greater speed, scale, and sophistication—rapidly transforming the cyber threat landscape over the course of months. The agencies encourage organizations to take the following steps now: (i) reduce your attack surface by limiting unnecessary system access and external connections, as well as isolating systems where possible; (ii) accelerate patching processes; (iii) address legacy systems, since unsupported systems can become easy targets; (iv) review and strengthen identity and access controls by limiting who can access critical systems and enforcing strong authentication; and (v) prepare for incidents in advance by testing response plans, assuming breaches will occur, and focusing on fast containment and recovery. Lastly, the cybersecurity agencies encourage defenders to integrate AI tools into their security operations to detect and respond to threats more quickly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
