Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies.  Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.

Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.

Continue Reading Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers

On Aug. 15, the DoD issued another proposed rule regarding the forthcoming Cybersecurity Maturity Model Certification (CMMC) standard. As part of the release, the DoD proposed some additional verbiage for the DFARS regarding future cybersecurity obligations and offered clarifications of the requirements that it put out last December. The release also set Oct. 15, 2024 as the due date for any comments.

The rule’s highlights were split between the new, or somewhat new, additional verbiage and DoD’s clarifications of the details that it previously released. Below is a discussion of the most significant highlights:

Continue Reading Is It Still CMMC 2.0? DoD Clarifies the Forthcoming Cybersecurity Standard

Earlier this month, the Swiss Federal Council approved the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Beginning September 15, 2024, companies may rely on the Swiss-U.S. DPF as a lawful basis to transfer personal data of Swiss residents to companies in the United States.

Continue Reading Ready for Work: The Swiss Federal Council Approves of the Swiss-U.S. DPF
computer keyboard

On Aug. 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law, bringing significant reform to the state’s Biometric Information Privacy Act (BIPA). The much-anticipated BIPA amendment took effect immediately and will provide welcome relief to businesses.

The amendment allows written releases to be executed by electronic signature and drastically limits the damages an “aggrieved person” accrues in BIPA litigation. By ending the per-scan violation, the amendment directly responds to the Illinois Supreme Court’s ruling in Cothron v. White Castle Systems, Inc.

Continue Reading New Legislation Promises Stronger Privacy Protections and Clearer Guidelines for Businesses

On January 27, 2025, the Federal Communications Commission’s (FCC) new one-to-one consent requirement will go into effect. For background, the FCC published its final rule targeting and eliminating unlawful text messages under the Telephone Consumer Protection Act (TCPA) on January 26, 2024 (the Final Rule). Among other requirements and purposes, this Final Rule sought to close the “lead generator loophole.”

Continue Reading FCC’s 1-to-1 Consent Requirement for Marketing Text Messages

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

On July 12, 2024, the European Union’s Artificial Intelligence Act (AI Act) was published in the EU Official Journal.

This comprehensive legislation establishes the first risk-based regulatory framework for AI systems, with far-reaching implications for businesses using AI. The AI Act is effective August 2, 2024, with the enforcement of the majority of its provisions commencing on August 2, 2026.


Continue Reading The EU AI Act – What Businesses Need to Know

Believe it or not, we are now more than halfway through 2024. As of July 1st, we now have additional state privacy laws in effect in Florida (narrow applicability), Oregon, and Texas – with more on the way later this year and into 2025. We thought it would be a good time to provide a recap on the current privacy law landscape in the United States today. 

Continue Reading Comprehensive State Privacy Laws – Halfway Through 2024 and Looking Ahead to 2025

Special thanks to Taft summer associates Tanner Wilburn and Lizzie Dobbins for their contributions to this post. 

On June 20, 2024, the U.S. District Court for the Northern District of Texas vacated a portion of guidance issued by the Department of Health and Human Services (HHS) regarding the use of online tracking technologies. This decision is beneficial to healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) which use third-party tracking tools on their public-facing websites, but such entities should be cautious to not read the case too broadly.

Continue Reading Federal Court Strikes Down HHS Rule on Website Tracking Technologies… To an Extent

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

Earlier this year, we provided a law bulletin on changes coming to the Health Insurance Portability and Accountability Act (HIPAA). To recap briefly, in April 2024, the Department of Health and Human Services (HHS) issued a final regulation that modified the HIPAA Privacy Rule to safeguard individuals’ protected health information (PHI) concerning reproductive health care.

The regulations go into effect on June 25, 2024, and those subject to the regulations must comply with the requirements by December 23, 2024. HHS also set a special compliance date of February 16, 2026, for the regulations’ changes involving HIPAA notices of privacy practices (NPPs).

With the law going into effect this week and the compliance deadline coming in six months, we’ve put together a breakdown of what must happen, and when. 

Continue Reading Six Months to Go: HIPAA Privacy Rule Changes Require Additional Diligence