EU Withdrawal Button, NJ Data Broker Law & HIPAA Delay (07/09/2026)
- › The EU withdrawal-button rule (Article 11a) took effect June 19 and reaches US and global sellers serving EU consumers.
- › New Jersey enacted A5328, the nation's costliest data-broker law, with annual fees from $5,000 to $1.5 million.
- › HHS postponed the major HIPAA Security Rule overhaul, giving regulated entities more time to prepare.
- › The EU published its Code of Practice on Transparency of AI-Generated Content, setting labeling expectations.
- › Only 26% of companies say their governance frameworks are fully aligned with their AI adoption.
Three new obligations landed for operators today. The EU’s withdrawal-button rule is now in force for anyone selling to European consumers, New Jersey enacted the country’s most expensive data-broker law, and healthcare entities got a reprieve on the HIPAA Security Rule overhaul. Each one adds something you now have to prove to a regulator, and the smart move on all three is to assess your exposure before someone else does it for you.
Top 5 Critical Compliance Alerts
1. EU Withdrawal Button Now in Force
Article 11a of EU Directive 2023/2673 took effect on 19 June 2026, requiring online sellers to give EU consumers a prominent withdrawal button to cancel distance contracts, and it reaches US and global sellers serving EU customers (JD Supra). If your checkout takes the order in three clicks while cancellation takes ten, you are now out of step with the rule, and the fix is a change to the interface and the process, not a policy memo.
Operator Note: Map every EU-facing subscription and distance contract, then time the cancellation flow. If it is harder than signing up, it needs work now.
2. New Jersey Enacts the Costliest Data Broker Law Yet
New Jersey enacted A5328, the nation’s most expensive data-broker law, with annual registration fees running from $5,000 to $1.5 million and a definition broad enough to sweep in companies that never called themselves data brokers (JD Supra). The registration net is wide, so the first task is deciding whether you meet the definition, because guessing wrong is a fee and a penalty rather than a rounding error.
Operator Note: If you buy, sell, license, or enrich third-party personal data, assume you are in scope until counsel says otherwise.
3. HIPAA Security Rule Overhaul Postponed
HHS postponed the timeline for the major HIPAA Security Rule overhaul, giving regulated entities more room to prepare for the proposed changes (HIPAA Journal). The delay is breathing room, and the organizations that use it to run a gap assessment now will not be the ones scrambling when the clock restarts.
Operator Note: Use the extra time to baseline against the proposed rule. The requirements are still coming, and the assessment is the cheap part.
4. EU Publishes AI Content Transparency Code
The European Commission published its Code of Practice on Transparency of AI-Generated Content, setting expectations for labeling synthetic media, though it is not yet formally endorsed (JD Supra). If your marketing, product, or support functions generate AI content, the labeling obligation is close enough to start building the workflow, because retrofitting disclosure across a content library costs far more than baking it in.
5. Only 26% of Companies Have AI Governance Aligned
Only 26% of companies say their governance frameworks are fully aligned with their AI adoption, and few report a measurable return on the AI spend (Corporate Compliance Insights). Deploying AI faster than you govern it is how you end up owning the liability without the payback, and the assessment that closes that gap costs far less than the incident that exposes it.
Operator Note: If AI is already in your operations, an AI governance and risk assessment is overdue. You cannot manage the liability you have not mapped.
Additional Compliance Alerts
Regulatory Updates
- MiCAR transition period ends: the transitional window for crypto-asset service providers under the EU’s Markets in Crypto-Assets Regulation (MiCAR) has expired, and the Anti-Money Laundering Authority (AMLA) issued an advisory on the money-laundering risks of the changeover. JD Supra
- FINRA enforcement under review: FINRA published an external review of its enforcement program, with recommendations member firms should read before their next exam. JD Supra
- DoD eyes circuit board restrictions: the Department of Defense issued an advance notice of proposed rulemaking toward a certification framework restricting certain printed circuit boards in defense systems. JD Supra
Policy & Governance Updates
- SEC to revisit the IPO process: the SEC will host a July 13 virtual roundtable on modernizing IPOs and expanding access to public markets. SEC
- Healthcare’s risk problem reframed: analysts argue the healthcare challenge has moved from maintaining compliance to gaining enough visibility and accountability to manage enterprise risk. JD Supra
The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.
A leader defined by a 'bias for action,' Dusten specializes in physical security assessments that impact profitability and facility resilience.
View Profile →Media Inquiries
For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.