Talks between European Union legislators broke down on Wednesday as they tried to agree on proposed amendments to the EU AI Act. At the center of the debate is the Digital Omnibus on AI, first introduced in November 2025, which would delay several key compliance deadlines under the Act.

If approved, the Digital Omnibus would push back the compliance date for high-risk AI systems classified under Annex III from August 2, 2026, to December 2, 2027. For products already regulated under existing EU harmonization legislation and listed in Annex I, the deadline would shift to August 2, 2028.

Not everyone is on board, though. Some within the EU oppose including certain products, like medical devices, in the Act’s scope under Annex I, arguing that those products are already sufficiently governed by sector-specific laws. In their view, layering the AI Act on top of existing regulation would create unnecessary and burdensome double regulation, and sector-specific frameworks are the better tool for overseeing these AI systems.

With legislators unable to reach a consensus, they agreed to pause talks and will likely resume negotiations next month. Organizations should keep a close eye on these discussions, because the outcome will directly shape compliance timelines.

That said, the current deadlines still stand. Unless a compromise is reached, the Act’s obligations for high-risk AI systems begin taking effect in August 2026. That means now is the time to start building out governance programs. Practical steps include documenting AI systems currently in use, mapping them against the Act’s risk classifications, and putting processes in place to meet the Act’s transparency requirements.

Legal commentary on artificial intelligence in law practice often focuses on speed: drafts that once took days can now be produced in hours, and research that once took hours can now be narrowed in minutes. Those gains are real, but they do not resolve the more important operational questions. Many firms still don’t know whether faster tools are producing better realization or improved profitability. In practice, time saved in drafting often reappears in verification, supervision, and coordination. A draft may be generated quickly, but lawyers still need to test it against matter history, client objectives, procedural posture, and jurisdiction-specific requirements.

The better question is not whether AI speeds up a single task, but whether it improves matter economics overall. Firms often measure adoption through access, query volume, or document counts, yet those metrics do not show business value. More meaningful measures include time to completion, write-offs, staffing efficiency, turnaround time, and client satisfaction. From that perspective, the real constraint may be information architecture rather than drafting speed. When lawyers have to reconstruct context before trusting the AI output, the review becomes the new bottleneck. When financial data, prior work product, client instructions, and workflow are connected, that same output can be reviewed and used much more efficiently.

For law firms, the next step is not simply broader adoption, but disciplined implementation. Firms will need to determine where AI genuinely improves matter economics, build workflows that reduce rather than relocate friction, and establish clear strategies and governance around when and how these tools are used. That governance should address supervision, verification, confidentiality, accountability, and consistency of use across matters. The firms that stand out will likely be those that can show not just faster output, but controlled, measurable, and trusted use of AI in service of better outcomes.

The Federal Trade Commission (FTC) recently reported that, in 2025, social media scams were the costliest of all scams against consumers, with a whopping $2.1 billion lost. Thirty percent of those who reported losing funds in 2025 indicated that the scam started over social media.

The number of 2025 scams beginning on social media increased more than eight times from those that started on social media in 2020. The data shows that the scams are successful against all age groups except for those over 80 years old.

The FTC data shows that social media scams include:

  • Investment scams that “started with an ad or post offering a program to teach you how to invest” or scammers that posed “as friendly advisers or created WhatsApp groups full of ‘successful investors’ sharing fake testimonials”;
  • Shopping scams (most reported) when consumers purchased something they saw in a social media ad, including clothing, makeup and car parts that “led to unfamiliar websites,” or “sites impersonating well-known brands that claimed to offer big discounts”; and
  • Romance scams, where scammers target individuals based on social media profiles and trick the individual into investing in an investment scheme or fake investment platform, or invent a crisis requiring money.

To avoid becoming a victim, the FTC recommends:

  • Limit who can see your posts and contacts on social media. Visit your privacy settings to set some restrictions so scammers have less to work with;
  • Never let someone you have met only on social media direct your investment decisions. Instead, learn more about spotting investment scams;
  • Before you buy, check out the company. Search online for its name plus “scam” or “complaint.”

These are sound recommendations. Most importantly, be aware that your social media profiles and posts are public and can be seen by anyone in the world, including scammers. Be aware of who you allow to see your profile and posts and be careful about who you connect with. Check your privacy settings and be aware of these scams and how your social media can contribute to you being victimized.

On April 15, 2026, the Department of Justice (DOJ) announced that two U.S. nationals, Kejia Wang and Zhenxing Wang, were sentenced for facilitating a North Korean IT worker scheme that compromised over 80 U.S. identities, with sentences of 108 and 92 months respectively, supervised release, and forfeiture orders.

The scheme involved the defendants operating “laptop farms” and using the stolen identities of over 80 legitimate U.S. citizens, with co-conspirators posing as remote workers to obtain employment at more than 100 U.S. companies. Once the stolen identities were used to obtain employment, the unsuspecting company would send a company laptop to the “new employee” at the laptop farm. Once the laptop was received, the operators of the laptop farms would allow remote access to the devices, enabling North Korean actors to infiltrate the companies’ systems with access to sensitive data, including ITAR-controlled data. The scheme netted over $5M for the North Korean government, considered by the DOJ as a “hostile foreign regime.”

The scheme took place between 2021 and 2024. One of the defendants served as “the U.S.-based manager for the scheme, supervising at least five facilitators in the United States who collectively hosted hundreds of computers of U.S. victim companies at their residences.”

Eight indicted co-conspirators remain at large, with a $5M reward announced for information leading to disruption of DPRK financial mechanisms; previous seizures of domains and accounts occurred in June and October 2025.

KnowBe4 was one of the first companies to alert others about the scheme in its July 23, 2025 blog, stating,

First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems. This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you. 

The blog is extremely helpful in understanding how the scheme worked and how over 100 U.S. companies fell victim to it. It also illustrates how sophisticated and devious foreign adversaries are in obtaining money to use against the U.S.

Although these two defendants have been sentenced, the North Korean worker scheme continues to be operated by others and is still a threat. As recently as March 6, 2026, Microsoft Threat Intelligence sent a warning that the operatives are now using AI to shorten the time it takes them to create fake identities to start the scheme. Companies should continue to be on the alert for remote worker fraud schemes and implement policies and procedures to prevent becoming victimized.

California’s new Delete Request and Opt-Out Platform (DROP) goes live on August 1, 2026, and the compliance stakes are enormous. State officials have warned that a single missed deletion cycle could create theoretical penalty exposure of $1.5 billion for one data broker. That number reflects how aggressively the Delete Act is designed to work. One consumer request can now cascade across every registered data broker in the state, turning deletion compliance into a centralized, high-volume, enforcement-ready system.

The bigger surprise for many companies is not the platform itself—it is who may be covered. California is signaling that “data broker” should be read broadly, and the analysis turns on the data, not just the business as a whole. A company can have direct customer relationships and still be a data broker if it sells personal information obtained from third parties. If your business acquires consumer data indirectly and monetizes it, this is not a definition to skim past.

Operationally, DROP is not just a periodic deletion exercise. Registered brokers must access the system at least once every 45 days, pull hashed identifiers, match them against their records, process deletions, and report status before they can access the next batch. Even more important, unmatched identifiers still have to go on a permanent suppression list. That means if you buy relevant third-party data later, you may already be prohibited from selling or sharing it. Compliance is ongoing, and it reaches future data ingestion as much as current inventories.
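The matching and suppression cycle described above, sketched as an added example that is not code from DROP or from this article. The SHA-256 hashing of a trimmed, lowercased email, the `BrokerStore` class, and the status strings are all assumptions made for illustration; the platform defines its own identifier format and API.

```python
import hashlib

def hash_identifier(email):
    # Assumption: SHA-256 hex digest of the trimmed, lowercased email address.
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

class BrokerStore:
    """Hypothetical in-memory stand-in for a broker's records and suppression list."""

    def __init__(self, records):
        # Index by hashed identifier so batches match without plaintext identifiers.
        self.records = {hash_identifier(r["email"]): r for r in records}
        self.suppressed = set()

    def process_batch(self, hashed_ids):
        """Delete matching records and return a per-identifier status report."""
        report = {}
        for h in hashed_ids:
            matched = self.records.pop(h, None) is not None
            report[h] = "deleted" if matched else "no_match"
            # Unmatched identifiers must be suppressed; suppressing matched ones
            # too is an assumption of this sketch.
            self.suppressed.add(h)
        return report

    def ingest(self, new_records):
        """Screen later acquisitions against the suppression list before storing."""
        accepted, blocked = [], []
        for r in new_records:
            h = hash_identifier(r["email"])
            if h in self.suppressed:
                blocked.append(r["email"])
            else:
                self.records[h] = r
                accepted.append(r["email"])
        return accepted, blocked

def demo():
    # Constructed sample data: two held records, a batch with one match and one miss.
    store = BrokerStore([{"email": "alice@example.com"}, {"email": "bob@example.com"}])
    batch = [hash_identifier("Alice@Example.com "), hash_identifier("carol@example.com")]
    report = store.process_batch(batch)
    # Third-party data bought later: carol was never held, but is already suppressed.
    accepted, blocked = store.ingest(
        [{"email": "carol@example.com"}, {"email": "dave@example.com"}]
    )
    remaining = sorted(r["email"] for r in store.records.values())
    return report, accepted, blocked, remaining

if __name__ == "__main__":
    print(demo())
```

The blocked record in the demo is the case the paragraph warns about: an identifier that matched nothing at request time still prevents that consumer's data from entering inventory later.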

Companies should now assess whether they have California data broker obligations, especially where third-party sourced data is involved. They should also be preparing for API integration, workflow design, suppression screening, and internal ownership before the August deadline arrives. California has built the system, consumers are already in the queue, and the window for treating DROP as a future problem is closing fast.

On April 22, 2026, OpenAI released its new Privacy Filter tool, designed to identify and mask sensitive information in text before that text is stored, shared, or used in downstream processing. OpenAI says the tool can detect items such as names, addresses, account numbers, private dates, and other personal data in documents, logs, and datasets before that material moves further through a system.

From a privacy perspective, this is a notable release because many privacy concerns with AI systems arise before any final output is generated. The exposure often happens at the intake stage, when raw documents, customer communications, internal records, or troubleshooting logs are uploaded, indexed, retained, or sent to another service without enough scrutiny. In that sense, a tool aimed at screening text earlier in the process addresses a real problem.

The tool also appears to do more than simply look for obvious patterns like email addresses, phone numbers, or account numbers. Traditional redaction tools are often limited to spotting information that fits a known format, but personal information is not always that straightforward. Sometimes a sentence may not contain an obvious identifier on its own yet still reveals who a person is when read together with the surrounding text. OpenAI claims that this feature is intended to pick up more of that kind of context.

However, the tool should be viewed with appropriate caution. OpenAI has acknowledged that Privacy Filter can miss uncommon identifiers or make mistakes. Heightened privacy risks remain, especially in legal, healthcare, financial, and other regulated settings, where the consequences of overcollection or disclosure can be significant. In addition, privacy risk is not limited to obvious identifiers, and even where direct personal data has been masked, context can still allow a person to be identified or sensitive facts to be inferred.

As a general guideline, sensitive, confidential, or regulated information should never be entered into free or consumer-facing AI tools. A filtering tool such as Privacy Filter may reduce some risk, but it does not solve the broader concerns that come with using free models for business, legal, or regulated data. Privacy-centered design is always a positive development, but tools like this one should be evaluated with care and should never be mistaken for a complete solution to the privacy risks that AI systems continue to create.

As corporate legal departments continue adopting AI, the conversation is shifting from experimentation to strategy. According to the Thomson Reuters Institute’s 2026 State of the Corporate Law Department Report, nearly half of legal departments now report department-wide AI adoption, and technology has become a top strategic priority for many general counsel.

That momentum matters, but adoption alone is not the goal. The bigger question is whether legal teams are using AI in ways that support the company’s broader business priorities.

So far, many legal departments have focused on AI’s most immediate benefits, such as faster research, quicker contract review, and more efficient document drafting. Those uses make sense, especially in the early stages of implementation. However, if success is measured only by time saved or internal usage, legal leaders risk missing AI’s larger value. The real opportunity is not just unlocking capacity inside the legal department but deploying that capacity in ways that improve outcomes across the business.

Contract reviews are a strong example. Faster turnaround is helpful, but business leaders care most about whether legal support helps close deals sooner, improve contract win rates, reduce revenue leakage, or avoid costly risk. These are the kinds of metrics that connect AI legal strategy to business performance. The report suggests that this is still an emerging discipline, with fewer than 20% of law departments measuring AI return on investment at all. That leaves plenty of room for legal teams to become more intentional about how they define and track success.

The most effective legal AI strategies will therefore go beyond efficiency alone. They will support better service delivery, stronger operations, smarter growth, and better protection of the business. For GCs, that means partnering more closely with other functions, aligning AI initiatives with company goals, and building metrics that show legal’s impact in terms the business already values. AI may start as a legal technology investment, but its long-term value will be determined by how well it helps the business perform.

On March 11, 2026, the Federal Trade Commission (FTC) announced an Advance Notice of Proposed Rulemaking (ANPRM) highlighting its Rule Concerning the Use of Prenotification Negative Option Plans, seeking comment on whether the rule should be amended or supplemented to better address deceptive or unfair negative option practices.

The FTC describes negative options as marketing arrangements in which a consumer’s silence or failure to act is treated as consent to be charged for goods or services. Negative option marketing includes automatic renewals, continuity programs, free-to-pay conversions, and prenotification plans. Regulators generally focus on several considerations:

  • Are material terms clearly disclosed?
  • Did the seller obtain express informed consent?
  • Is cancellation simple and effective?

Consistent with that focus, the FTC’s March 11th notice seeks input on practices that prevent consumers from understanding key terms, lead to enrollment without express informed consent, or deter cancellation.

The FTC’s enforcement posture in this area has been active for years and is unlikely to soften. The agency cites ongoing concerns with difficult cancellation processes, unlawful retention tactics, and other barriers that keep consumers from switching or ending subscriptions. It also reports receiving thousands of complaints each year, including more than 100,000 complaints over the past five years, which signals that subscription marketing remains a regulatory priority.

As for timing, the FTC stated that once the ANPRM is published in the Federal Register, the public will have 30 days to submit comments. The agency may then proceed through review, a proposed rule, another round of comments, and potentially a final rule.

In the meantime, businesses should expect the FTC and state regulators to continue using existing authorities, including unfair and deceptive practices statutes, to challenge problematic subscription flows. The best approach is to make key terms conspicuous, obtain and retain clear evidence of affirmative consent, and offer cancellation that is straightforward, reliable, and at least as accessible as enrollment. In many cases, regulatory risk turns less on the fact of a subscription and more on whether the overall experience could be viewed as obscuring costs or limiting consumers’ ability to leave.