May 27, 2026

Today's most consequential pattern is a simultaneous tightening and loosening of biometric and location data liability in the United States: new coordinated BIPA litigation advances an aggressive legal theory that AI model parameters themselves constitute biometric data, while a Seventh Circuit ruling substantially caps the damages that theory could generate. Together, these developments define the current boundaries of biometric enforcement risk and signal that the litigation environment, though active, is becoming structurally more manageable for defendants — a dynamic compliance teams should factor into reserve calculations and litigation strategy.

The BIPA coordination covered in yesterday's briefing has now extended to Google, with a new complaint alleging voiceprint extraction for Gemini Live and NotebookLM training. The legally significant element — that voiceprints embedded in model weights cannot be deleted on request — equates the trained AI product with improperly retained biometric data, a theory that, if accepted, would impose destruction-of-model remedies courts have not yet ordered. However, the Seventh Circuit's ruling in Clay v. Union Pacific Railroad, holding that Illinois's 2024 per-person damages cap applies retroactively to pending cases, substantially reduces aggregate exposure across all BIPA defendants. Companies facing active BIPA suits in the Seventh Circuit should immediately reassess litigation reserves and settlement valuations downward, while simultaneously tracking whether federal courts adopt the model-as-biometric theory that could reopen liability on entirely different grounds.

Watch level: PREPARE (AI platform operators, in-house litigation counsel, compliance teams with Illinois data exposure)

The FTC's proposed settlement with data broker Kochava establishes a meaningful enforcement template for the commercial geolocation market, requiring affirmative express consent before sensitive mobile location data may be sold or shared and mandating supplier consent audits and data retention controls. The action, resolving a 2022 complaint, is notable for its structural remedies: Kochava must build a sensitive location data program and report third-party violations, embedding ongoing compliance obligations beyond a one-time fine. Coming alongside the Supreme Court's oral arguments in Chatrie v. United States — where justices signaled skepticism on both sides regarding geofence warrant standards — the FTC action and the pending Fourth Amendment ruling together define a period of active recalibration of the legal framework governing location data access by both commercial actors and law enforcement. Organizations that aggregate, sell, or broker location data should treat the Kochava consent order as a forward-looking compliance benchmark, not merely a resolution of past conduct.

Watch level: PREPARE (data brokers, location-data aggregators, ad-tech platforms, law enforcement technology vendors)

Meta's judicial review of Ofcom's Online Safety Act penalty framework represents a structural challenge to one of the most significant enforcement levers in UK digital regulation. The company's argument — that penalties should be computed against UK-only revenue rather than qualifying global revenue — if successful, would reduce the theoretical fine ceiling for Meta from approximately $16 billion to a fraction of that figure, and would constrain Ofcom's deterrent posture across the platform sector. With a hearing set for October and CCIA intervening in support, the case signals that the extraterritorial revenue base adopted by UK regulators, and by extension the EU under GDPR and the DSA, faces concerted legal opposition. The outcome will carry precedential weight for any jurisdiction that has constructed its enforcement regime around global-revenue multipliers.

Watch level: MONITOR (global platform operators, UK regulatory counsel, EU DPA enforcement teams)

The Fifth Circuit's decision vacating an FTC cease-and-desist order against Intuit's TurboTax under the Jarkesy framework materially constrains the FTC's administrative enforcement architecture for deceptive advertising. By requiring such claims to be adjudicated in federal court rather than before agency administrative law judges, the ruling increases the agency's litigation burden and timeline, potentially reducing enforcement throughput on consumer protection matters. Compliance teams should note that while this ruling narrows FTC procedural authority, it does not eliminate substantive liability under Section 5 of the FTC Act — it redirects enforcement to a forum where defendants face a jury, which may cut in either direction. The decision adds to a growing body of post-Jarkesy rulings that are systematically reshaping federal agency enforcement capacity across multiple regulatory domains.

Watch level: MONITOR (FTC-regulated industries, consumer-facing digital services, regulatory affairs counsel)

China's MIIT has introduced a mandatory 29-digit lifecycle identification registry for all domestically manufactured AI-equipped humanoid robots, covering the full chain from production through recycling and already encompassing over 28,000 registered units. The framework is structurally similar to product serialization regimes in pharmaceuticals and automotive sectors, but its application to AI-embodied systems is novel and signals Beijing's intent to establish governance infrastructure concurrent with — rather than following — rapid sector scaling. Multinational firms participating in Chinese robotics manufacturing, distribution, or end-use markets should assess supply chain compliance obligations under the new registry, including the obligations that extend to service providers, sellers, and recyclers, not only manufacturers.

Watch level: MONITOR (multinational robotics manufacturers, AI hardware vendors, supply chain compliance teams with China exposure)