Photo of Jordan Jennings

Jordan is a member of Taft's Employment and Labor Relations practice group. She is focused on advising clients in areas of employment law and privacy and data security.

The answer is simple; delete it (unless retention is required by law or contract)! Virtually every company processes personal data in some form or fashion. The term “processing” is defined broadly under most data protection laws to mean “any operation or set of operations which is performed on personal data.” The general rule is that when a business’ processing of personal data is complete, the data must be returned or deleted. Typically, data deletion arises:

  • when required contractually (i.e., in data processing agreements to comply with applicable data protection laws such as Europe’s General Data Protection Regulation’s (“GDPR”) Article 28(3)(g));
  • when requested by data subjects exercising their “right to be forgotten”/deletion/erasure under applicable data protection laws.  This means that, in some cases, even if a company’s processing of personal data is incomplete, the processing can be cut short if a person requests that their data be deleted.; and/or
  • as a requirement to do business with other companies. In some instances, data deletion or a process for deletion must exist to do business with other entities. For example, Facebook requires companies to have a policy/process for individuals to request their data be deleted (even if there is no applicable law imposing this requirement on the company) if a company wants individuals to create an account on the company’s website using their Facebook credentials.


Continue Reading I’m Done With My Data, Now What?

In the past year, we have seen an increase in the number of countries developing/updating legal frameworks (such as model agreements) that permit the transfer of personal data abroad. Transfer mechanisms, such as the model agreements, are necessary because different countries’ data protection laws may offer different levels of protection to individuals’ personal data. Transfer mechanisms function as an “equalizer” by requiring a base level of protection that all entities must have in place when transferring personal data abroad. Accordingly, transfer mechanisms ensure that protections are in place to safeguard data that leaves a country with strong data protection laws to be transferred to a country that has no such laws. Last June, the European Commission updated its Standard Contractual Clauses (“EU SCCs”) permitting the transfer of data outside the European Economic Area (“EEA”) after a decade. Earlier this year the United Kingdom implemented the UK’s version of transfer clauses with the International Data Transfer Agreement (“UK IDTA”). Like Europe and the United Kingdom, China also has some transfer mechanisms in the works.
Continue Reading Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad

Last week, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion to ensure that companies that use and share credit and background reports have a “permissible purpose” under the Fair Credit Reporting Act (“FCRA”). The credit, criminal, job, and rental records of individuals are a few items consumer reporting agencies gather, compile, and assess. This information is then packaged into a report and used across various industries by creditors, insurers, landlords, employers, and others to make eligibility and other decisions about consumers. This collection, assembly, evaluation, dissemination, and use of vast quantities of often highly sensitive personal and financial information contained within consumer reports pose significant risks to consumer privacy. Thus, to combat these risks and better safeguard individuals’ personal data, the CFPB’s new advisory opinion makes clear that users of credit reports also have express obligations to protect this sensitive data. For these reasons, entities must have a “permissible purpose” when obtaining such reports.
Continue Reading The Consumer Financial Protection Bureau Issues an Advisory Opinion Strengthening Consumer Privacy

By now, we are used to seeing notifications on our phones asking whether we would like certain applications to track our activity across other companies’ apps and websites. Typically, these tracking tools are used to examine and assess advertising efficiency. Although beneficial marketing tools, companies must be mindful of how tracking tools are used on their platform to avoid infringing on individuals’ data privacy rights.

Recently, Canadian regulators found that Tim Hortons, a coffee and bake shop chain, violated Canada’s federal privacy laws, including Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), by tracking customers’ (who downloaded its app) movement every few minutes of every day. Following an app update in May 2019, the company allegedly tracked users not only when using the app, but whenever individuals’ devices were turned on –collecting massive amounts of location data without users’ knowledge.

Continue Reading In Hot Water, eh? Canadian Regulators Investigate Tim Horton’s Tracking of App Users

1, 2, 3, 4, 5 … you know how the song goes! Connecticut recently became the fifth state to adopt a comprehensive data privacy law. The new act titled “An Act Concerning Personal Data Privacy and Online Monitoring,”(the “Act”) takes effect July 1, 2023. As we expected, more and more states are continuing to join the ever-growing Privacy Party. Before getting on the privacy dance floor, here is what you need to know about Connecticut’s new privacy law.
Continue Reading Mambo No. 5: Connecticut Becomes the Fifth State to Join the Privacy Party

This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.

Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
Continue Reading New Personal Data Transfers out of the UK: Like the GDPR, but Different

California continues to be at the forefront of data protection in the United States. In February 2022, multiple privacy bills were introduced in the California legislature’s current session. The privacy bills seek to amend and enhance the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in regards to employee and business-to-business personal information exemptions and also personal information collected by proctors in an educational setting.

Extension to Employee and Business-to-Business Exemptions. Currently, the CPRA provides exemptions to employee personal information and the personal information that is collected in a business-to-business transaction. This exemption expires on January 1, 2023. Two bills were introduced to extend the exemptions. AB 2871 would extend the exemptions indefinitely by removing the sunset date altogether. AB 2891, however, would extend the exemptions to January 1, 2026.
Continue Reading California Privacy Update: Various Privacy Bills Introduced to the State’s Legislature

Could Utah join it’s mountain neighbor Colorado and be the latest state to adopt a comprehensive data privacy law? On March 4, the Utah Senate unanimously passed Senate Bill (SB) 227 – the Utah Consumer Privacy Act (UCPA). It is now up to Utah’s Governor, Spencer Cox, to sign the bill into law – making Utah the fourth state (following California, Virginia and Colorado) to pass a data privacy law and join the ever-growing privacy party.

Introduced in February 2022, SB 227 sets forth several consumer data protection standards, including Utah consumers’ rights to their personal data, the responsibilities on businesses (called “controllers” and “processors”) to protect such data, and the authority of the Utah Attorney General to investigate and enforce violations of the new law. If the bill is passed, the law will go into effect on December 31, 2023.
Continue Reading Utah Legislature Advances Data Privacy Bill

Before 2018, no state in the US had its own data privacy law. Since 2018, California, Virginia (effective January 1, 2023), and Colorado (effective July 1, 2023) have all enacted their own data privacy laws, seeking to protect consumers by giving them control over their personal information. Recently, Ohio introduced House Bill 376, “The Ohio Personal Privacy Act,” in July 2021, which does not have an effective date at this time. Now, Indiana has introduced Senate Bill 358 and is ready to join the ever-growing Privacy Party.

Introduced in January 2022, Senate Bill 358 sets forth numerous consumer data protection standards, including Indiana consumers’ rights to their personal data, the responsibilities on businesses and service providers (called “controllers” and “processors,” respectively) to protect such data, and the authority of the Indiana Attorney General to investigate and enforce violations of the new law. If the bill is passed, it will go into effect on January 1, 2025.

Continue Reading Indiana Joins the Privacy Party by Introducing its Own Data Privacy Bill

California continues to be at the forefront of data privacy in the United States. Two new laws (AB 825 and SB 41) were signed in October, expanding California residents’ rights to their genetic information and imposing additional obligations on companies that collect such information. We guess you could say data privacy is in California’s DNA. (See what we did there?)

These new laws go into effect on January 1, 2022. Here is a rundown of what you should know.
Continue Reading New Year, New Privacy Laws: California Expands Law to Protect Genetic Information