EU Withdrawal Button, NJ Data Broker Law & HIPAA Delay (07/09/2026)

July 9, 2026
EU Withdrawal Button, NJ Data Broker Law & HIPAA Delay (07/09/2026)
Key Intel / TL;DR
  • The EU withdrawal-button rule (Article 11a) took effect June 19 and reaches US and global sellers serving EU consumers.
  • New Jersey enacted A5328, the nation's costliest data-broker law, with annual fees from $5,000 to $1.5 million.
  • HHS postponed the major HIPAA Security Rule overhaul, giving regulated entities more time to prepare.
  • The EU published its Code of Practice on Transparency of AI-Generated Content, setting labeling expectations.
  • Only 26% of companies say their governance frameworks are fully aligned with their AI adoption.

Three new obligations landed for operators today. The EU’s withdrawal-button rule is now in force for anyone selling to European consumers, New Jersey enacted the country’s most expensive data-broker law, and healthcare entities got a reprieve on the HIPAA Security Rule overhaul. Each one adds something you now have to prove to a regulator, and the smart move on all three is to assess your exposure before someone else does it for you.

Top 5 Critical Compliance Alerts

1. EU Withdrawal Button Now in Force

Article 11a of EU Directive 2023/2673 took effect on 19 June 2026, requiring online sellers to give EU consumers a prominent withdrawal button to cancel distance contracts, and it reaches US and global sellers serving EU customers (JD Supra). If your checkout takes the order in three clicks while cancellation takes ten, you are now out of step with the rule, and the fix is a change to the interface and the process, not a policy memo.

Operator Note: Map every EU-facing subscription and distance contract, then time the cancellation flow. If it is harder than signing up, it needs work now.

2. New Jersey Enacts the Costliest Data Broker Law Yet

New Jersey enacted A5328, the nation’s most expensive data-broker law, with annual registration fees running from $5,000 to $1.5 million and a definition broad enough to sweep in companies that never called themselves data brokers (JD Supra). The registration net is wide, so the first task is deciding whether you meet the definition, because guessing wrong is a fee and a penalty rather than a rounding error.

Operator Note: If you buy, sell, license, or enrich third-party personal data, assume you are in scope until counsel says otherwise.

3. HIPAA Security Rule Overhaul Postponed

HHS postponed the timeline for the major HIPAA Security Rule overhaul, giving regulated entities more room to prepare for the proposed changes (HIPAA Journal). The delay is breathing room, and the organizations that use it to run a gap assessment now will not be the ones scrambling when the clock restarts.

Operator Note: Use the extra time to baseline against the proposed rule. The requirements are still coming, and the assessment is the cheap part.

4. EU Publishes AI Content Transparency Code

The European Commission published its Code of Practice on Transparency of AI-Generated Content, setting expectations for labeling synthetic media, though it is not yet formally endorsed (JD Supra). If your marketing, product, or support functions generate AI content, the labeling obligation is close enough to start building the workflow, because retrofitting disclosure across a content library costs far more than baking it in.

5. Only 26% of Companies Have AI Governance Aligned

Only 26% of companies say their governance frameworks are fully aligned with their AI adoption, and few report a measurable return on the AI spend (Corporate Compliance Insights). Deploying AI faster than you govern it is how you end up owning the liability without the payback, and the assessment that closes that gap costs far less than the incident that exposes it.

Operator Note: If AI is already in your operations, an AI governance and risk assessment is overdue. You cannot manage the liability you have not mapped.

Additional Compliance Alerts

Regulatory Updates

  • MiCAR transition period ends: the transitional window for crypto-asset service providers under the EU’s Markets in Crypto-Assets Regulation (MiCAR) has expired, and the Anti-Money Laundering Authority (AMLA) issued an advisory on the money-laundering risks of the changeover. JD Supra
  • FINRA enforcement under review: FINRA published an external review of its enforcement program, with recommendations member firms should read before their next exam. JD Supra
  • DoD eyes circuit board restrictions: the Department of Defense issued an advance notice of proposed rulemaking toward a certification framework restricting certain printed circuit boards in defense systems. JD Supra

Policy & Governance Updates

  • SEC to revisit the IPO process: the SEC will host a July 13 virtual roundtable on modernizing IPOs and expanding access to public markets. SEC
  • Healthcare’s risk problem reframed: analysts argue the healthcare challenge has moved from maintaining compliance to gaining enough visibility and accountability to manage enterprise risk. JD Supra

The Axe Report is a daily briefing from Grab The Axe. Need help assessing your organization’s security posture? Take our free Human Attack Surface Score assessment.

Distribute Intel
Dusten Trounce
Director of Physical Security
Dusten Trounce
The Growth Architect.

A leader defined by a 'bias for action,' Dusten specializes in physical security assessments that impact profitability and facility resilience.

View Profile →
Press & Media

Media Inquiries

For expert commentary, interview requests, or high-res assets regarding this announcement, initialize the terminal.

Initialize Terminal

Initiate
Deployment.

Whether you need a full adversarial facility audit or an executive resilience protocol for your leadership team.

Secure the Facility (Assessments)
Secure the Mind (Coaching/Speaking)