Jordan Jennings

Jordan is a member of Taft's Employment and Labor Relations practice group. Her practice focuses on the collection, processing, sharing, transferring and retention of personal data domestically and abroad. She has experience negotiating data processing and sharing agreements for companies in various countries including those located in the European Union, United Kingdom, Asia-Pacific, and the Middle East.

As 2025 comes to a close, we asked several members of Taft’s Privacy and Data Security practice group to share their thoughts on what should be on a client’s “wish list” for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses looking not only to meet the requirements of new laws and mitigate existing risks, but also to seize the opportunity to maximize the impact of technology and unleash the power in their data.

Continue Reading Closing Out 2025: Key Privacy & Data Security Updates from Taft

State regulators are increasingly prioritizing children’s data privacy. These efforts follow several changes to protect children’s online privacy at the federal level. One of the latest sweeps of changes involves several states (e.g., California, Louisiana, Texas and Utah) imposing app store accountability laws (ASA Laws).

These new laws require app store operators (e.g., Apple and Google) along with app developers to implement safeguards for age verification, age rating, parental consent and data minimization. While the aim of these laws is to protect children, the obligations imposed on businesses apply broadly, regardless of the age of an app’s users. For businesses with mobile apps, these safeguards are not optional. They are mandatory to keep apps available for download.

While the ASA Laws slightly vary in their respective requirements, a general overview of what businesses should know is below.

Continue Reading New App Store Accountability Laws in 2026: If Your Business Has an App, Read On

On July 1, 2025, the Virginia Consumer Data Protection Act (VCDPA) amendments took effect, implementing several changes to the existing privacy law, including adding new protections to reinforce consumers’ sexual and reproductive health information. While other consumer health data laws exist, such as Washington’s My Health My Data Act (MHMDA), which generally protects a broad category of “consumer health data,” the VCDPA amendments take a more narrow approach and only focus on reproductive and sexual health information. Here is what you need to know.

Continue Reading Virginia is for Lovers (of Privacy): VCDPA Amendments Merge Components of Consumer Data Health Laws to Better Protect Reproductive and Sexual Health Information

On June 19, 2025, the United Kingdom Parliament enacted the Data Use and Access Act 2025 (DUAA). The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). While the DUAA imposes new requirements on organizations subject to UK privacy legislation, it also clarifies several provisions, making privacy compliance in the United Kingdom more manageable.

The changes under the DUAA began in June 2025 and will be phased in over the next year through June 2026.

Continue Reading Are You Ready for the UK’s Data Use and Access Act 2025 (DUAA)?

Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ’s proposed enforcement efforts and regulations implementing Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Data by Countries of Concern” (Rule).

A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in “Countries of Concern,” which currently include:

  • China (includes Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

In April of this year, the DOJ’s National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD’s stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans’ most sensitive personal data.

As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP’s requirements.

All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025.

Continue Reading One Month to Go: What You Need to Know about the U.S. Department of Justice’s Data Security Program

Several states and the Federal Trade Commission (FTC) have implemented autorenewal laws aimed at (i) better protecting consumers and providing transparency in automatic renewals (e.g., subscriptions) and (ii) mandating easy cancellation processes to terminate such products.

Although state laws vary, the amended California Automatic Renewal Law (CARL) and the FTC’s Click-to-Cancel Rule (FTC Rule) provide a comprehensive overview of what businesses can expect when complying with autorenewal laws. While these autorenewal requirements have consumers saying “click, click hooray,” understanding and implementing these obligations can create a compliance conundrum for businesses. Here is a summary of what businesses should know.

Continue Reading Click, Click Hooray: What Businesses Need to Know about Autorenewal Laws and Subscription Cancellation Requirements

In late October 2024, Ohio Senate Bill 29 (“SB 29”)[1] took effect. This new law regulates educational records and student data privacy throughout the state, specifically relating to student-issued devices (e.g., laptops, tablets, software). What makes SB 29 unique is that it extends beyond schools and school districts and impacts third-party technology providers that work with these entities. Taft anticipates greater emphasis on compliance with this new law ahead of the 2025-2026 school year. Here is what you need to know about the Ohio student data privacy law.

Continue Reading School is in Session: Ohio’s New Student Data Privacy Law Impacts More than Students

Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies. Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.

Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.

Continue Reading Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers

Earlier this month, the Swiss Federal Council approved the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Beginning September 15, 2024, companies may rely on the Swiss-U.S. DPF as a lawful basis to transfer personal data of Swiss residents to companies in the United States.

Continue Reading Ready for Work: The Swiss Federal Council Approves of the Swiss-U.S. DPF