A Deeper Dive Into California’s App Store Accountability Law

By Jordan Jennings on March 23, 2026

Posted in California, Children’s Online Privacy Protection Act, Data Privacy

As previously reported, states such as California, Louisiana, Texas and Utah have adopted App Store Accountability (ASA) Laws. These new laws require app store operators (e.g., Apple and Google) along with app developers (i.e., the business that owns the app) to implement safeguards for age verification. While these laws are framed as child-protection measures, their impact is universal. Every app must comply, regardless of its audience. For businesses, meeting the requirements outlined in ASA Laws is mandatory for apps to remain available for download.

Louisiana, Texas and Utah’s laws are similar and take effect at various points in 2026, while California’s Digital Age Assurance Act (CA ASA Law) is unique and takes effect January 1, 2027. This is what businesses should know about the unique features of the CA ASA Law.

FTC’s Negative Option Rule Revived – Public Comment Period

By Zenus Franklin on March 17, 2026

Posted in FTC

The Federal Trade Commission (FTC) is once again taking aim at its Negative Option Rule, signaling a renewed effort to address deceptive subscription and automatic renewal practices.

On March 11, 2026, the FTC released an Advance Notice of Proposed Rulemaking (ANPRM) seeking input on whether the rule should be updated to reflect today’s subscription‑driven marketplace. The agency emphasized that negative option programs continue to generate substantial consumer frustration, including more than 100,000 complaints over the past five years.

Collection for Protection: The Age-Verification Paradox

By Kennedy Brooks on March 10, 2026

Posted in Children’s Online Privacy Protection Act, Data Privacy

From California to Texas to Ohio, lawmakers are increasingly turning to age-verification requirements to protect children online. These laws target a range of concerns, with a growing body of research suggesting that certain online activities may pose risks to children’s mental health and well-being.

At the same time, privacy laws continue to proliferate across the United States, many of which emphasize data minimization and limitations on the use of sensitive personal information. This creates a growing tension. Protecting children online may require companies to collect more personal data than they otherwise would, and potentially subject themselves to additional privacy requirements and consumer concerns.

The Use of AI in Interviewing, Hiring, and HR

By Beau Braswell on February 24, 2026

Posted in Artificial Intelligence (AI)

The use of AI in hiring and employment contexts has become a special area of interest for U.S. state legislatures in recent years. Does your business utilize AI solutions for recruiting, hiring, or other HR-related functions? Are these teams planning on implementing such technologies to increase efficiency?

Several states have enacted laws specifically regulating the use of AI in these contexts. Human resources and hiring teams need to ensure that current and planned AI use is understood and that new legal risks are identified and addressed.

Defining “Consumer” in the Digital Age: The Supreme Court Takes Up the VPPA Divide

By Zachary Heck & JP Jarecki on February 17, 2026

Posted in Data Privacy, Personally Identifiable Information

The Video Privacy Protection Act (VPPA), signed into law by President Ronald Reagan on November 18, 1988, grew out of one of Washington’s more underwhelming privacy scandals. During Judge Robert Bork’s Supreme Court confirmation hearings, a newspaper published his video rental history, which had been leaked by a video store clerk. This incident was intended to reveal his character but revealed nothing too controversial; the Bork Tapes showed that Judge Bork was partial to Alfred Hitchcock films, spy thrillers, and British costume dramas. Indeed, the enduring legacy of the Bork Tapes was not salacious, but legislative— the episode sparked bipartisan concern that something as personal as an individual’s viewing habits could be exposed without consent. In response, Congress moved swiftly to pass the VPPA, a law designed to shield Americans from unwarranted intrusions into their video rental and viewing records.

Understanding California Cyber Audit Requirements

By Michael Young on February 10, 2026

Posted in Cyber Security

Under new regulations effective January 1, 2026, California regulators now expect businesses to conduct an annual “cybersecurity audit” that assesses “how the business’s cybersecurity program protects personal information from unauthorized access, destruction, use, modification, or disclosure; and protects against unauthorized activity resulting in the loss of availability of personal information.”

Now is the time to prepare for these requirements.

As explained below, these requirements are detailed and contemplate a rigorous, professional, independent, evidence-based audit. Audit results must be shared with the California regulator under penalty of perjury.

New CCPA Risk Assessment Requirements Now In Effect

By Michael Young & Beau Braswell on February 3, 2026

Posted in California, Children’s Online Privacy Protection Act, Data Privacy, State Privacy Laws

Under newly implemented regulations of the California Consumer Privacy Act (CCPA), California now requires a formal risk assessment “before initiating any processing activity” of certain (sensitive) sorts. The regulation explicitly contemplates that businesses will complete risk assessments now, in 2026.

Eventually, such risk assessments – including those completed this year – must be signed by an executive and submitted to the California regulator under penalty of perjury.

Privacy: Ten Things to Know

By Scot Ganow on January 28, 2026

Posted in Cyber Security, Data Privacy, Privacy Policy

As we kick off a new year, may we at Taft be the first to wish you a happy Data Privacy Day! Yes, it is a thing. In the spirit of the Day, we thought of sharing ten things you may or may not know about privacy and maybe ways you can protect it better.

Rhode Island’s New Privacy Law: An Overview and Highlighted Differences

By Kennedy Brooks on January 20, 2026

Posted in Data Privacy, State Privacy Laws

As in Indiana and Kentucky, the start of 2026 brought into effect Rhode Island’s comprehensive consumer privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). This statute is not simply a replica of what has come before it.

While much of its terminology and mechanics will feel familiar to organizations already operating under multiple state privacy regimes, it also includes elements such as general applicability thresholds at the lower end of the typical range and broad privacy notice requirements. The similarities and distinctions make RIDTPPA easy to place within the broader U.S. privacy landscape, while also presenting a few compliance gray areas that merit closer attention.

Your 2026 Privacy, Security, and Artificial Intelligence Checklist

By Michael Young & Beau Braswell on January 12, 2026

Posted in Artificial Intelligence (AI), Cyber Security, Data Privacy

Enforcement activity surged in 2025, with landmark judgments and settlements—some reaching eight and nine figures—targeting issues such as ad tracking, analytics, wiretapping, text messaging, data subject rights, and sensitive data collection. This aggressive trend shows no signs of slowing as we move into 2026.

Taft continues to help its clients find the correct answers in their context for addressing these risks. Building on our year-end post, here are some issues you may want to consider as you take on the new year.

Taft Privacy & Data Security Insights