Photo of Jordan Jennings

Jordan is a member of Taft's Employment and Labor Relations practice group. She is focused on advising clients in areas of employment law and privacy and data security.

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest  state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.

On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar.
Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance

In March 2020, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) finalized two rules which established extensive healthcare data sharing policies related to the 21st Century Cures Act’s information blocking provision and adopted new health information technology certification requirements to enhance patients’ access to their health information.

Largely in response to the COVID-19 public health emergency, in October 2020, HHS released an interim rule which provides healthcare systems some flexibility and time to adapt to pandemic-related challenges. The interim rule extends the compliance dates and timeframes necessary to meet specific requirements related to information blocking and Conditions and Maintenance of Certification (CoC/MoC). The interim final rule also adopts updated standards and makes technical corrections and clarifications to the ONC Cures Act Final Rule.


Continue Reading Closing In On Impact: April 2021 Compliance Date For Information Blocking and Health IT Certification Requirements

On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.

In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.

Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below.
Continue Reading And Then There Were Two: The Commonwealth of Virginia Joins California in Enacting Comprehensive Privacy Rights Law