As we previously discussed here, the Federal Communications Commission’s (FCC) new One-to-One Consent Rule, which amends the Telephone Consumer Protection Act (TCPA), was set to go into effect on January 27, 2025.

While the identified goal of the FCC was to close the “lead generator loophole,” this new rule, among other requirements, would require all businesses seeking to send any marketing text messages to obtain consent from the customer for one identified seller (business) at a time.

Continue Reading UPDATE: FCC’s One-to-One Consent Rule Delayed, Then Overturned

What does it take for a data breach plaintiff to have standing to sue in Illinois? More than a mere increased risk of harm, said the Illinois Supreme Court in a case where Taft represented the defendant, a large multi-specialty group medical practice.

This post highlights the importance of a thorough post-data breach investigation.

Continue Reading Taft Wins First Data Breach Class Action to Reach Illinois Supreme Court: Key Takeaways

This month, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking in the Federal Register, which is intended to strengthen cybersecurity requirements for HIPAA-covered entities and business associates (the Proposed Rule). The comment period will close on March 7, 2025, with enactment of the proposed rule expected to take place later this year.

If adopted, this would be the first significant update to the HIPAA Security Rule in over a decade, a time when both technology and cybersecurity have advanced rapidly, and cyberattacks in health care have become more frequent and damaging. According to the preamble, the proposed rule seeks to address common compliance gaps identified by HHS’s Office for Civil Rights (OCR) and to build on guidelines from other agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).

Continue Reading HIPAA Security Rule to Experience Major Updates in 2025

In late October 2024, Ohio Senate Bill 29 (“SB 29”)[1] took effect. This new law regulates educational records and student data privacy throughout the state, specifically relating to student-issued devices (e.g., laptops, tablets, software). What makes SB 29 unique is that it extends beyond schools and school districts and impacts third-party technology providers that work with these entities. Taft anticipates greater emphasis on compliance with this new law ahead of the 2025-2026 school year. Here is what you need to know about the Ohio student data privacy law.

Continue Reading School is in Session: Ohio’s New Student Data Privacy Law Impacts More than Students

A new year means new effective dates for state privacy legislation.  On January 1, 2025, four states witnessed consumer privacy protection laws take effect:  Delaware, Iowa, Nebraska, and New Hampshire. 

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.

Continue Reading New Year Rings in New State Privacy Laws

With Cyber Monday 2024 in the rear-view mirror, we are looking at one of the hot topics in data-privacy and cybersecurity litigation: the Video Privacy Protection Act. 

Recent years have seen an uptick in lawsuits asserting violations of the VPPA by companies that host video content on websites or mobile apps and then share information about the individuals who watched those videos with other businesses. 

While the companies have experienced some success in getting VPPA claims dismissed, the Second Circuit recently reinstated a putative class action asserting VPPA violations against the NBA that may breathe new life into VPPA claims. Salazar v. National Basketball Association, No. 23-1147 (2d Cir. Oct. 15, 2024). But is the worry about VPPA class actions overblown?

Continue Reading Video Privacy Protection Act Claims – Maybe Not a Slam Dunk After All

With the rise in remote work, not to mention better technology, many employers have begun using apps and other services to monitor employees’ activities to track, assess, and evaluate workers. The Consumer Financial Protection Bureau (CFPB) recently issued a Circular stating that employers’ use of the reports generated by those apps and services may be subject to the Fair Credit Reporting Action (FCRA) just like a traditional employee background check.

The FCRA regulates the use of consumer reports for employment and other purposes. A criminal background check of a potential employee that is obtained from a third party is a typical consumer report. To be clear, the FCRA does not prohibit the use of such reports, but rather triggers a series of protections for the employee. And it applies both during the hiring phase and while the employee is working for the employer.

Continue Reading Whatcha Watching? The CFPB’s Recent Guidance on Employer Monitoring

Hard to believe, but 2025 will be here before you know it. And what goes best with a new year? A countdown list!

Last week, I spoke at the Dayton Bar Association’s Corporate Counsel Section on the topic of the Top 10 legal technology issues that in-house counsel should have on its radar for 2025.

Continue Reading Top 10 Technology Issues to Watch for in 2025

Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies.  Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.

Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.

Continue Reading Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers