As we reported early last year, the Federal Trade Commission (FTC) issued a notice of proposed rulemaking to amend the Children’s Online Privacy Protection Act (COPPA) rule. On April 22, 2025, over a year after the notice of proposed rulemaking was issued, the FTC finalized its amendments to the COPPA rule, which are set to go into effect on June 23, 2025.

To note, while the amendments will be effective on June 23, 2025, regulated entities under COPPA have until April 22, 2026 to comply.

Continue Reading Children’s Online Privacy Protection Act Amendments Effective June 23, 2025

On April 11, 2025, North Dakota Governor Kelly Armstrong signed HB 1127 (the Act) into law.

The Act, which takes effect on August 1, 2025, establishes new data security requirements for certain financial institutions and nonbanking financial service providers. In addition, the Act amends multiple sections related to financial institution licensing and oversight.

Continue Reading North Dakota Governor Signs Cybersecurity Governance Law for Financial Institutions

Several states and the Federal Trade Commission (FTC) have implemented autorenewal laws aimed at (i) better protecting consumers and providing transparency in automatic renewals (e.g., subscriptions) and (ii) mandating easy cancellation processes to terminate such products.

Although state laws vary, the amended California Automatic Renewal Law (CARL) and the FTC’s Click-to-Cancel Rule (FTC Rule) provide a comprehensive overview of what businesses can expect when complying with autorenewal laws. While these autorenewal requirements have consumers saying “click, click hooray,” understanding and implementing these obligations can create a compliance conundrum for businesses. Here is a summary of what businesses should know.

Continue Reading Click, Click Hooray: What Businesses Need to Know about Autorenewal Laws and Subscription Cancellation Requirements

The California Privacy Protection Agency (“CPPA”) recently issued a decision requiring American Honda Motor Co. to pay a $632,500 fine and change certain business practices related to alleged violations under the California Consumer Privacy Act (“CCPA”). While not specifically related to connected vehicles, this decision comes after the CPPA’s announcement in 2023 that it would be focusing on connected vehicle manufacturers’ compliance with the CCPA.

Continue Reading California Privacy Enforcement Update: Verifying Consumer Requests and Banners Must Be Symmetrical

Biometrics continue to be a hot issue and one primed for litigation and related liabilities. We in the Privacy and Data Security Practice are happy to share this upcoming Taft webinar, which will include a discussion on BIPA class action risks. Join our colleagues from Taft’s Litigation Practice on April 15th.

Time: 12 p.m. – 1:15 p.m. EST

Continue Reading Taft Takeaways: Class Action Insights and Updates

The Google Threat Intelligence Group revealed a chilling reality: nation-states are weaponizing AI tools like Gemini for sophisticated cyberattacks. This new frontier of AI-powered fraud demands immediate attention from business leaders and general counsel, who stand at the confluence of technology, data security, and governance.

Recent Incidents and the Evolving Sophistication of These Attacks

Generative AI, like the tools used by these cybercriminals, can create highly convincing text, images, voice recordings, and even video interactions that are nearly impossible to distinguish from genuine content. In the report Adversarial Misuse of Generative AI, the Google Threat Intelligence Group explains how more than 20 countries have used Google’s generative AI tool named Gemini for nefarious purposes, including cyber espionage, destructive computer network attacks, and attempts to influence online audiences in a deceptive, coordinated manner.

Continue Reading AI-Powered Fraud: Immediate Action Steps to Protect Companies from Next-Generation Payment Scams

As we previously discussed, the Federal Communications Commission’s (FCC) new One-to-One Consent Rule, which amends the Telephone Consumer Protection Act (TCPA), was set to go into effect on January 27, 2025.

While the identified goal of the FCC was to close the “lead generator loophole,” this new rule, among other requirements, would require all businesses seeking to send any marketing text messages to obtain consent from the customer for one identified seller (business) at a time.

Continue Reading UPDATE: FCC’s One-to-One Consent Rule Delayed, Then Overturned

What does it take for a data breach plaintiff to have standing to sue in Illinois? More than a mere increased risk of harm, said the Illinois Supreme Court in a case where Taft represented the defendant, a large multi-specialty group medical practice.

This post highlights the importance of a thorough post-data breach investigation.

Continue Reading Taft Wins First Data Breach Class Action to Reach Illinois Supreme Court: Key Takeaways

This month, the Department of Health and Human Services (HHS) issued a Notice of Proposed Rulemaking in the Federal Register, which is intended to strengthen cybersecurity requirements for HIPAA-covered entities and business associates (the Proposed Rule). The comment period will close on March 7, 2025, with enactment of the proposed rule expected to take place later this year.

If adopted, this would be the first significant update to the HIPAA Security Rule in over a decade, a time when both technology and cybersecurity have advanced rapidly, and cyberattacks in health care have become more frequent and damaging. According to the preamble, the proposed rule seeks to address common compliance gaps identified by HHS’s Office for Civil Rights (OCR) and to build on guidelines from other agencies like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).

Continue Reading HIPAA Security Rule to Experience Major Updates in 2025

In late October 2024, Ohio Senate Bill 29 (“SB 29”) took effect. This new law regulates educational records and student data privacy throughout the state, specifically relating to student-issued devices (e.g., laptops, tablets, software). What makes SB 29 unique is that it extends beyond schools and school districts and impacts third-party technology providers that work with these entities. Taft anticipates greater emphasis on compliance with this new law ahead of the 2025-2026 school year. Here is what you need to know about the Ohio student data privacy law.

Continue Reading School is in Session: Ohio’s New Student Data Privacy Law Impacts More than Students