As 2025 comes to a close, we asked several members of Taft’s Privacy and Data Security practice group to share their thoughts on what should be on a client’s “wish list” for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses considering to not only meet the requirements of new laws and mitigate existing risks, but also looking to seize the opportunity to maximize the impact of technology to unleash the power in their data.

Continue Reading Closing Out 2025: Key Privacy & Data Security Updates from Taft

State regulators are increasingly prioritizing children’s data privacy. These efforts follow several changes to protect children’s online privacy at the federal level. One of the latest sweep of changes involve several states (e.g., California, Louisiana, Texas and Utah) imposing app store accountability laws (ASA Laws).

These new laws require app store operators (e.g., Apple and Google) along with app developers to implement safeguards for age verification, age rating, parental consent and data minimization. While the aim of these laws is to protect children, the obligations imposed on businesses apply broadly, regardless of the age of an app’s users. For businesses with mobile apps, these safeguards are not optional. They are mandatory to keep  apps available for download.

While the ASA Laws slightly vary in their respective requirements, a general overview of what businesses should know is below.

Continue Reading New App Store Accountability Laws in 2026: If Your Business Has an App, Read On

On October 8, 2025, Governor Gavin Newsom signed SB 361, amending the state’s existing data broker registration statute to expand obligations for data brokers. We previously discussed California’s data broker requirements here.

The law takes effect January 1, 2026.

Continue Reading California’s SB 361: Updated Data Broker Requirements

An ongoing issue many of our clients are dealing with are claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA).

A cottage industry of California plaintiffs’ firms are sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week.

Continue Reading What to Know: Your Company Website and the California Information Privacy Act

On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed two legal questions: (1) whether workplace policy infractions can turn into federal crimes, and (2) whether passwords protecting propriety business information qualify as trade secrets under federal or Pennsylvania law.

The case was reheard and affirmed on October 7, 2025, with the Third Circuit firmly answering both questions in the negative. The decision significantly limits employers’ potential claims against employees who breach company policies without engaging in actual hacking or unauthorized access.

Continue Reading Passwords, Policies, and Trade Secrets: Lessons from NRA Group v. Durenleau and what it Means for Employers

Last month, I had the opportunity to speak to entrepreneurs at Launch Dayton’s Startup Week regarding the positive effects that strong privacy and data governance practices have on business.

As regulations increase and complexity rises, many businesses remain hesitant to view privacy and security obligations as anything other than impediments to innovation. In practice, embedding privacy by design and developing strategic approaches to cybersecurity and artificial intelligence laws serve as valuable drivers for growth.

Navigating the Regulatory Landscape
The environment surrounding privacy and security law is dynamic. American companies must contend with a complex framework that includes numerous state privacy laws (Indiana, Kentucky, and Rhode Island will introduce new statutes in 2026) federal regulations such as HIPAA and GLBA, industry self-regulatory standards including PCI-DSS, and evolving market contractual requirements specific to artificial intelligence. International standards, most notably the GDPR, introduce higher expectations for data transfers, extraterritorial reach, and significant penalties, including criminal penalties in Switzerland.

Understanding Key Risks
Organizations face considerable risks due to compromised consumer data. Data breaches commonly diminish trust, and individuals may reconsider or end relationships with the affected business. Significant breaches often trigger declines in brand value and stock price, as well as substantial financial costs resulting from recovery activities, regulatory penalties, and legal disputes. These consequences extend beyond financial metrics, affecting reputation and attracting increased regulatory attention.

Security incidents can arise from multiple sources, such as brute force attacks, business email compromise, social engineering, and suboptimal website data management. Additionally, accessibility issues related to web compliance represent substantial risks; regulatory bodies closely monitor such requirements. Neglect of web accessibility may result in costly litigation and settlements, emphasizing the necessity of compliance.

Artificial Intelligence and Emerging Risks
Artificial intelligence further complicates the landscape. Organizations are increasingly implementing natural language processors, machine learning tools, and generative AI solutions, all of which create distinctive legal exposures. These include intellectual property risks, discrimination, bias, inadvertent data disclosures, and exposure of regulated information. A policy addressing artificial intelligence is necessary to facilitate effective risk management. Judicial bodies address new cases regularly, and the regulatory environment continues to develop at the federal and state levels.

Establishing a Proactive Plan
Taking prompt action helps alleviate digital concerns. Organizations of all sizes can strengthen privacy and security by focusing on several fundamental areas:

  • Leadership commitment: Executive leadership must prioritize privacy; boards are expected to understand obligations and risks. Designating responsibility to a Chief Privacy Officer or department lead is advisable.
  • Data classification: Personal data should be assessed and defined according to both external regulations and internal risk criteria.
  • Data mapping: Understanding the location of data across physical servers, cloud environments, offices, third-party vendors, and artificial intelligence providers is essential for security.
  • Risk assessments: Ongoing risk evaluations help maintain compliance with HIPAA, GLBA, NY DFS, insurance requirements, and government contracts, and should lead to prioritized risk mitigation.
  • Governance and controls: Develop administrative, technical, and physical safeguards including policies, procedures, employee training, privacy statements, and formal agreements to create a multi-layered security structure.
  • Privacy impact assessments: Evaluate risks associated with new products, system updates, or organizational changes prior to launch to promote purposeful progress.

Leveraging Trust for Business Growth
Organizations that protect consumer information consistently benefit from increased loyalty and trust. Many individuals prefer and are willing to support brands that prioritize privacy. Transparent and accessible privacy policies strengthen trust and improve brand perception. Privacy and cybersecurity serve as opportunities for organizations to drive positive momentum. Those that implement privacy in their strategy and invest in governance realize advantages that extend to both market performance and regulatory compliance. Taking immediate steps toward a privacy-first approach remains the most effective path forward.

On July 1, 2025, the Virginia Consumer Data Protection Act (VCDPA) amendments took effect, implementing several changes to the existing privacy law, including adding new protections to reinforce consumers’ sexual and reproductive health information. While other consumer health data laws exist, such as Washington’s My Health My Data Act (MHMDA), which generally protects a broad category of “consumer health data,” the VCDPA amendments take a more narrow approach and only focus on reproductive and sexual health information. Here is what you need to know.

Continue Reading Virginia is for Lovers (of Privacy): VCDPA Amendments Merge Components of Consumer Data Health Laws to Better Protect Reproductive and Sexual Health Information

On September 1, 2025, Texas Senate Bill 140 officially amended the state’s well-known “mini-TCPA” so that certain Chapters now apply to sellers and salespersons who send marketing texts to consumers. This is a big change, particularly in two ways:

  1. Texting included. Previously the law only applied to traditional phone calls, and thus text marketers could arguably avoid the law’s painstaking registration and disclosure requirements.
  2. Private right of action. The amendments also include a private right of action through the state’s Deceptive Trade Practices Act, which subjects violators to steep penalties and gives Chapters 302, 304, and 305 of Texas’ Business and Commerce Code some additional teeth.
Continue Reading New Amendments to Texas’ Telemarketing Law Have Gone into Effect—Sellers Should Carefully Consider the Exemptions

Colorado legislators have approved a five-month delay for the implementation of the Colorado Artificial Intelligence Act (the Act), moving the start date from Feb. 1, 2026, to June 30, 2026.

The decision follows a special legislative session called because of concerns stemming from compliance costs, industry lobbying, and fiscal impacts on businesses and the state. Colorado Budget Director Mark Ferrandino indicated that the law could cost the state alone between $2.5 million and $5 million annually to implement, and Colorado Governor Jared Polis indicated that the amount could be as much as $6 million per year. The Act, originally designed to address risks of algorithmic discrimination in sectors like employment, housing, and lending, will now give both lawmakers and businesses more time to clarify provisions and prepare compliance programs.

Continue Reading Colorado Gives Businesses Breathing Room Before AI Act Takes Effect

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved a sweeping set of amendments to the California Consumer Privacy Act (CCPA) regulations. These updates introduce new compliance obligations for businesses around automated decision making, cybersecurity audits, risk assessments, and more.

Below, we discuss some of these new requirements.

Continue Reading California Finalizes Major CCPA Amendments