Photo of Jordan Jennings

Jordan is a member of Taft's Employment and Labor Relations practice group. She is focused on advising clients in areas of employment law and privacy and data security.

1, 2, 3, 4, 5 … you know how the song goes! Connecticut recently became the fifth state to adopt a comprehensive data privacy law. The new act titled “An Act Concerning Personal Data Privacy and Online Monitoring,”(the “Act”) takes effect July 1, 2023. As we expected, more and more states are continuing to join the ever-growing Privacy Party. Before getting on the privacy dance floor, here is what you need to know about Connecticut’s new privacy law.
Continue Reading Mambo No. 5: Connecticut Becomes the Fifth State to Join the Privacy Party

This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.

Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
Continue Reading New Personal Data Transfers out of the UK: Like the GDPR, but Different

California continues to be at the forefront of data protection in the United States. In February 2022, multiple privacy bills were introduced in the California legislature’s current session. The privacy bills seek to amend and enhance the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in regards to employee and business-to-business personal information exemptions and also personal information collected by proctors in an educational setting.

Extension to Employee and Business-to-Business Exemptions. Currently, the CPRA provides exemptions to employee personal information and the personal information that is collected in a business-to-business transaction. This exemption expires on January 1, 2023. Two bills were introduced to extend the exemptions. AB 2871 would extend the exemptions indefinitely by removing the sunset date altogether. AB 2891, however, would extend the exemptions to January 1, 2026.
Continue Reading California Privacy Update: Various Privacy Bills Introduced to the State’s Legislature

Could Utah join it’s mountain neighbor Colorado and be the latest state to adopt a comprehensive data privacy law? On March 4, the Utah Senate unanimously passed Senate Bill (SB) 227 – the Utah Consumer Privacy Act (UCPA). It is now up to Utah’s Governor, Spencer Cox, to sign the bill into law – making Utah the fourth state (following California, Virginia and Colorado) to pass a data privacy law and join the ever-growing privacy party.

Introduced in February 2022, SB 227 sets forth several consumer data protection standards, including Utah consumers’ rights to their personal data, the responsibilities on businesses (called “controllers” and “processors”) to protect such data, and the authority of the Utah Attorney General to investigate and enforce violations of the new law. If the bill is passed, the law will go into effect on December 31, 2023.
Continue Reading Utah Legislature Advances Data Privacy Bill

Before 2018, no state in the US had its own data privacy law. Since 2018, California, Virginia (effective January 1, 2023), and Colorado (effective July 1, 2023) have all enacted their own data privacy laws, seeking to protect consumers by giving them control over their personal information. Recently, Ohio introduced House Bill 376, “The Ohio Personal Privacy Act,” in July 2021, which does not have an effective date at this time. Now, Indiana has introduced Senate Bill 358 and is ready to join the ever-growing Privacy Party.

Introduced in January 2022, Senate Bill 358 sets forth numerous consumer data protection standards, including Indiana consumers’ rights to their personal data, the responsibilities on businesses and service providers (called “controllers” and “processors,” respectively) to protect such data, and the authority of the Indiana Attorney General to investigate and enforce violations of the new law. If the bill is passed, it will go into effect on January 1, 2025.

Continue Reading Indiana Joins the Privacy Party by Introducing its Own Data Privacy Bill

California continues to be at the forefront of data privacy in the United States. Two new laws (AB 825 and SB 41) were signed in October, expanding California residents’ rights to their genetic information and imposing additional obligations on companies that collect such information. We guess you could say data privacy is in California’s DNA. (See what we did there?)

These new laws go into effect on January 1, 2022. Here is a rundown of what you should know.
Continue Reading New Year, New Privacy Laws: California Expands Law to Protect Genetic Information

It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission (“Commission”). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union’s (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR’s data protection requirements for multiple variations of data exporter-importer relationships.

Continue Reading Out with the Old and In with The New: European Commission’s New Standard Contractual Clauses Grace Period is Ending

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest  state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.

On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar.
Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance