Global Compliance Update: AI, Data Privacy, NFM, Biometrics, and Cannabis Regulations in Motion

What regulations are tightening, what's loosening, and who's paying the price?

The regulatory picture is not moving in one clear direction. Some jurisdictions are tightening their regulations while others are easing restrictions. For example, many jurisdictions are increasing consumer and worker protections around AI, data privacy, and non-financial misconduct. Meanwhile, restrictions on cannabis are loosening around the world. Below, we break down where the pressure is rising, where it’s lifting, and who these changes impact.

4 new developments shaping compliance in June 2026 

#1. AI and privacy screening tightens across Canada, the EU, and Connecticut

AI and privacy screening regulations are becoming new foundation blocks for compliance and privacy regulations worldwide. Here are new developments in Europe, Canada, and the state of Connecticut. 

The European Union

The European Commission never sits still. On 19 May, it released the draft guidelines on high-risk AI under the EU AI Act. In the draft, the Commission clarified which AI systems officially receive the ‘high risk’ classification under the AI Act, and Annex III currently still covers employment systems. These guidelines explain in operational, actionable terms what a high-risk classification triggers:

  • conformity assessments
  • human oversight requirements 
  • post-market monitoring 
  • and technical documentation. 

Even in the draft stage, this update gives background screeners and employers a clear, practical roadmap of what is expected of employers as they navigate new AI advancements.

Simultaneously, the EU Data Protection Authority continues coordinated audits across all EU member states that target privacy notices. All DPAs are scanning the same core documents: candidate-facing privacy notices. All background screening companies operating in the EU should actively audit their disclosure language before the findings are published later this year. This is the type of multilateral enforcement push that will catch companies with outdated notice templates. With a renewed focus on unity in regulation, it is expected that any local findings by country-specific DPAs will trigger ripples across the entire bloc.

Canada

After years of regulators teasing national AI regulations, Prime Minister Carney revealed Canada’s federal AI strategy draft, AI for All. Instead of clear guidance, the draft is a framework for future legislation and expectations. Together with announcements of federal investment into AI, AI related jobs, and data centers, the draft also:

  • reveals its three pillars of AI use: Trust, Opportunity, and Sovereignty (more information on these to come).
  • speaks of the importance and value of AI and how AI literacy and willingness to use AI must increase.
  • outlines that AI must be created and used through an ethical AI lens.
  • ensures data sovereignty.

What was missing from the draft, however, was a clear sign of intent as to which direction AI and pre-employment screening regulations would go. There was an expectation among the Canadian industry that Canada would follow the EU’s guidance, mimicking the EU AI law, but for now the region continues to wait semi-patiently for federal intent. 

Connecticut

In the U.S., the state of Connecticut signed new legislation that was far less ambiguous. SB 5 was signed May 27th, 2026, and it represents the state’s first major AI law, covering five key areas: 

  • companion chatbots
  • AEDTs (automated employment decision tools)
  • social media
  • AI provenance 
  • frontier AI whistleblower/layoff/sandbox provisions. 

By signing this law, Connecticut joins NYC and Illinois as the third U.S. jurisdiction with explicit AEDT regulations, creating broad expectations for other states to follow suit.

SB 5 represents a bundle of targeted obligations, deviating in key areas from other laws such as NYC’s Local Law 144. For example, it has a much narrower scope than Colorado’s 2024 language and does not require bias audits or risk assessments. The notice obligations are split between developer and deployer, but developers do not have to give deployers information on the tool. Deployers must disclose to applicants the use of AEDT solutions, the purpose, the tool’s trade name, and any significant information. That said, the human rights statute in Connecticut was amended to include that using an AEDT is not a defense to discrimination claims, allowing courts to consider evidence of anti-bias testing.

#2. Broadening use of biometric data

Germany has historically been averse to most forms of background screening, having deeply entrenched cultural and compliance regulations that were prohibitive to the practice. However, that has been steadily changing over the last few years; today Germany is actively exploring ways to broaden standard screening tools, starting with biometric screening.

The German federal cabinet has proposed changes to the Code of Criminal Procedure that effectively authorize law enforcement agencies to run biometric searches against publicly available online images. Although the initial intent of this was exclusively for law enforcement, it has now broadened to include an open discussion on: 

  • the uses of biometric data.
  • data minimization around it.
  • how these tools are already in place today. 
  • what guardrails need to be created to support it.

As this is ongoing, the Austrian privacy NGO noyb (“none of your business”) has sued Germany’s Hamburg Data Protection Authority to reopen its 2020 case against PimEyes, a facial recognition tool. The DPA had initially filed the suit in 2020 and the case was closed in November 2025 over concerns around the inability to enforce it as well as GDPR concerns. With the case reopening, all eyes are on PimEyes’ core argument that it does not identify individuals but simply matches content. As the case is still ongoing, there is no conclusion in sight, but it has certainly attracted significant attention, as the outcome will determine whether biometric data is defined by source or by processing purpose.

#3. Cannabis and loosening regulations

Not all movements are towards stricter rules and denser regulations. In North America, cannabis regulation continues to loosen, with cascading effects for screening and hiring policies. In the US, the Acting Attorney General Todd Blanche issued a final order placing FDA-approved and state-regulated medical marijuana products in Schedule III of the Controlled Substances Act. It was a significant moment, as it weakens the federal illegal substance argument that courts have historically relied on to reject ADA accommodation claims involving medical marijuana. That said, the ADA still requires a zero tolerance policy around safety-sensitive positions in transportation, aviation, trucking, and logistics. 

Simultaneously, state level workplace protections are tightening. Massachusetts is currently advancing H.2179, which would effectively bar most private employers from pre-employment cannabis checks, aligning with California, New York, New Jersey, Nevada, Connecticut, Rhode Island, and Minnesota. 

Canada has moved in a similar direction, adopting an impairment-based rather than metabolite-based framework. The rules around bona fide occupational requirements remain steadfast, with arbitrators only allowing these checks in fields where observable impairment evidence for discipline is available. The only exception appears to be around regulated industries such as transportation and airlines, where safety stakes are deemed catastrophic.

When looking at the overall North American picture around cannabis regulation, the US is slowly adopting Canada’s central framework. New regulations are making it more important than ever for background screeners and employers to watch for these changing rules.

#4. FCA-regulated firms have 78 days to prepare for NFM changes

The Financial Conduct Authority’s (FCA) upcoming non-financial misconduct changes are only 78 days away. Policy Statement PS25/23 establishes new requirements for ongoing monitoring or rescreening of key, high asset risk personnel.

These new rules will take effect on September 1, 2026, and employers are expected to be audit-ready. 

Now is the time to review policies and partners, and prepare teams for the new era of compliance. To help employers prepare, check out our FCA NFM Countdown Resource Center and resources:

  1. Live Webinar Tomorrow: FCA Non-Financial Misconduct: A Playbook for HR & Compliance Leaders
    Speakers: HireRight’s Caroline Smith, Background Check Advisory’s Anton Watson, and Fama’s Ben Mones
    Why Attend? Get an overview of the changes and a strategic playbook for HR and Compliance leaders to revamp policies and technologies and align with new regulatory standards.
  2. In-Person Event in London: Background Check Advisory Summer Social 
    When:
    Thursday 9 July 2026 | 2-5pm BST
    Where:
    The Timber Loft, The Light Bar
    233 Shoreditch High Street
    London E1 6PJ 
    Why Attend?
    Join us for a fun afternoon of great drinks, good people, and amazing conversations about background screening and the FCA. Register here
    Note: space is limited, RSVP now.

How employers can remain compliant with regulations in motion 

As society, behavior, and technology change, regulators around the world continue to explore ways to keep up. Whether they are tightening regulations over data privacy concerns, loosening rules as cannabis acceptance grows, rethinking how we adopt and regulate new AI advancements, or addressing rising behavior risk, regulators are making significant changes and employers are expected to keep up.

It’s important for employers to understand what changes are coming and when they are expected to comply. This allows employers the time to prepare their tech stacks, internal policies, and teams for the changes ahead of audits.

Here at Fama, we actively review upcoming regulations around the world, and adjust our solutions and customer support to help our clients stay on top of important changes. Not only do Fama’s social media screening solutions abide by global regulations, our solutions also help employers around the world remain compliant. By surfacing relevant non-financial misconduct and behaviour risks while respecting individual privacy, we help our clients evolve with changing regulatory standards. “What I appreciate as a senior leader is that I don’t have to think about it anymore. I know that Fama is going to take care of us, keep improving the product, and help us navigate compliance.” – Academic Search’s COO Shawn Hartman.

Learn how Fama can keep you compliant. Request a demo.