May 22, 2026

Today's regulatory landscape is defined by two converging enforcement vectors: aggressive US state and federal action against biometric data collection and AI capability misrepresentation, and accelerating platform accountability demands in the UK and EU. Texas, the FTC, and the DOT each advanced significant biometric-related actions in the past 24 hours, while Colorado's enactment of a new automated decision-making law signals that state-level AI governance is reorganizing around narrower, more durable frameworks rather than broad risk-tier structures. Together, these developments indicate that 2026 is shaping up as the year enforcement overtakes rulemaking in both the US and UK privacy regimes.

Texas Attorney General Ken Paxton has issued a Civil Investigative Demand to Meta targeting its Ray-Ban AI smart glasses under the state's Capture or Use of Biometric Identifier Act, focusing on undisclosed bystander recording, an allegedly concealable privacy indicator LED, and failures in automatic face-blurring. The action follows the landmark $1.4 billion biometric settlement Paxton secured from Meta in July 2024 and signals that Texas intends to treat wearable AI as a continuing enforcement frontier rather than a settled compliance domain. Organizations deploying or marketing consumer AI hardware with passive sensing capabilities in Texas-accessible markets should treat this CID as a template for the factual theories regulators will pursue against comparable devices.

Watch level: PREPARE (consumer hardware manufacturers, adtech and wearable AI vendors with Texas market exposure)

The FTC's $930,000 settlement with Cox Media Group over falsely marketed AI "active listening" advertising, combined with the agency's warning letters to approximately a dozen platforms regarding TAKE IT DOWN Act compliance, illustrates the FTC operating across two distinct but reinforcing enforcement tracks simultaneously. The Cox action targets AI capability misrepresentation in adtech — specifically the false claim that smart device audio could be harvested for ad targeting with consumer consent — establishing that inflated AI capability claims carry material enforcement risk independent of whether the underlying technology functioned as described. The TAKE IT DOWN Act warnings, previously noted in this briefing as an initial signal, have now been formally documented via FTC press release, confirming the agency is in active compliance monitoring mode rather than providing platforms an informal grace period; companies operating image-sharing or social platforms that have not yet implemented compliant removal workflows should treat the 48-hour deletion obligation as immediately enforceable.

Watch level: PREPARE (adtech vendors, AI product marketers, image-sharing and social platform operators)

Colorado's enactment of a new Automated Decision-Making Technology law — formally replacing the previously passed Colorado AI Act — represents a material legislative development beyond the amendment activity covered in yesterday's briefing. Rather than further narrowing the prior Act, the legislature has enacted a structurally distinct statute reorienting Colorado's framework around automated decision systems specifically, moving away from the broader AI risk-tier architecture that drew sustained industry resistance. Compliance teams that mapped obligations to the Colorado AI Act should treat their prior analysis as superseded and conduct a fresh scope assessment under the ADMT law's definitional and consumer-rights provisions.

Watch level: PREPARE (Colorado-exposed automated decision system deployers, employment, credit, and housing sector counsel)

The US Department of Transportation's mandatory launch of Motus — a biometric registration system for commercial truck drivers and motor-coach operators built with Idemia and Clear — marks a significant expansion of federal biometric infrastructure in a sector not previously subject to identity-linked registration requirements. With 50,000 carrier registrations recorded within days of launch and integration with the FMCSA Drug and Alcohol Clearinghouse, the system establishes a precedent for biometric identity verification as a condition of federal operating authority, raising data governance questions that privacy counsel in the transportation sector should assess now. The EU's EUDI Wallet rollout faces a structurally different but analogous challenge: GSMA has warned that unresolved investment costs, compliance burdens, and absent commercial frameworks for private-sector participants risk stalling the 2026 deployment timeline, with SIM-linked mobile identity credentials and eIDAS2 cybersecurity obligations identified as the most acute structural gaps. Stakeholders with exposure to either federal transportation identity infrastructure or the European digital identity ecosystem should monitor both tracks closely as implementation deadlines approach.

Watch level: MONITOR (transportation sector compliance and privacy counsel, EU financial services and telecom operators participating in EUDI Wallet pilots)

Ofcom's receipt of formal child safety commitments from Roblox, Snapchat, Instagram, Facebook, YouTube, and TikTok — covering algorithmic recommendations, age verification, and CSEA risks — marks an early operational test of the UK Online Safety Act's enforcement architecture. This development is distinct from Ofcom's previously covered hash-matching and deepfake detection mandates: it reflects the regulator's engagement with the Act's affirmative compliance obligation cycle, in which platforms must demonstrate remediation plans rather than simply await formal notices. Platforms that provided inadequate responses to Ofcom's April deadline should expect escalation; those operating children's services in the UK should benchmark their submissions against the commitments publicly attributed to the named platforms.

Watch level: PREPARE (UK-facing social media platforms, children's app and gaming operators)