Photo of Jordan Jennings

Jordan is a member of Taft's Employment and Labor Relations practice group. She is focused on advising clients in areas of employment law and privacy and data security.

It is a new year, and the privacy efforts in the United States are not letting up. In 2024 alone, three new privacy laws will take effect (i.e., Montana, Oregon and Texas), and more laws are on the horizon. The latest update to the U.S. privacy landscape took place on January 16 when New Jersey governor Phil Murphy signed Senate Bill 332 (the “Act”) into law – making New Jersey the 13th state to enact a comprehensive privacy law. The Act takes effect January 15, 2025, and mirrors several other U.S. privacy laws, with a few unique distinctions. Here is what you need to know.Continue Reading The Garden State Joins the Privacy Party – New Jersey Becomes the Latest State to Adopt a Comprehensive Data Privacy Law

Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just

Continue Reading Webinar: 10 Privacy and Security Resolutions in the New Year

In August, India passed its long-awaited Digital Personal Data Protection Act, 2023 (“the Act”). Initially introduced in 2019, the draft bill went through several iterations before being approved by India’s Union Cabinet earlier this year. Although the Act shares many similarities to other privacy legislation, such as the EU’s GDPR and the United Kingdom’s UK GDPR, there are a few notable distinctions. While no official effective date for the law has been announced, companies should start familiarizing themselves with this new privacy law and its requirements. Here is a breakdown of what you should know.Continue Reading Breaking Down India’s Digital Personal Data Protection Act, 2023

The EU is gearing up for massive reform concerning the use and accessibility of health data, and Germany is taking note. Recently, Germany proposed several draft legislation focusing on the use of health data. The Health Data Use Act, (Gesundheitsdatennutzungsgesetz, (GDNG)); The Digital Act, and A Law to Promote the Quality of Inpatient Care through Transparency (Hospital Transparency Act) are just a few of the newest pieces of proposed legislation designed to improve the use and accessibility of health data for German citizens. This move by the German Federal Ministry of Health is part of an EU-wide reform effort under the European Commission’s (“Commission”) European Health Data Space (EHDS).

Germany’s new legislation is designed to align with EHDS principles and these laws not only impact healthcare providers and hospitals in Germany but also companies that collect the health data of German residents. Below are the main takeaways of these proposed laws and what U.S. companies can expect moving forward.Continue Reading Germany’s Gearing up for European Health Data Space (EHDS) Compliance

Oregon has become one of the latest states to adopt a comprehensive data privacy law. The Oregon Consumer Privacy Act (“OCPA” or the “Act”) takes effect July 1, 2024, and mirrors its other U.S. privacy law counterparts, with a few unique distinctions. Here is what you need to know.

Scope. The OCPA applies to (i) any person or entity who conducts business in Oregon or provides products or services to residents in Oregon and (ii) during a calendar year, controls or processes:

  • The personal data of 100,000 or more consumers (other than personal data controlled or processed solely for the completion of a payment transaction) or
  • The personal data of 25,000 or more consumers while deriving 25 percent or more of annual revenue from selling personal data.

Continue Reading 12 Down, 38 to Go: Oregon Becomes One of the Latest States to Enact a Comprehensive Data Privacy Law

Last month, Washington Governor Jay Inslee signed the My Health My Data Act (“MHMDA” or the “Act”) into law. While the Act is not a comprehensive privacy law, it extends many protections to Washington residents (“consumers”) regarding certain personal information. The MHMDA’s unique features are unlike any privacy law we have seen in the last few years – making this law arguably the most impactful U.S. privacy legislation since the CCPA. Here is what you need to know. Continue Reading What You Need to Know About Washington State’s New “My Health My Data” Act

Recently, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA) long-awaited final regulations (“Regulations”). While there are many rules businesses need to ensure they comply with, this article focuses on the CPPA’s enforcement action and the role the Agency will play in interacting with companies moving forward.Continue Reading CPPA Final Regulations Are Here

Since China’s Personal Information Protection Law (PIPL) took effect in 2021, companies doing business in mainland China have questioned what is required of them when transferring personal information in and out of the country. Taft pondered this very question in our earlier blog post, ‘Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad.’ Last month, the Cyberspace Administration of China (CAC) provided its long-awaited answer, by issuing its final version of the measures of the standard contact for cross-border transfer of personal information (Final Measures), along with a standard contractual clauses equivalent (PIPL SCCs). Similar to the EU SCCs or UK international data transfer agreement (IDTA), the PIPL SCCs allow companies to freely import and export data from China. Here is what companies should know about this new Chinese transfer mechanism:Continue Reading The Wait is Over: Cyberspace Administration of China Releases Model Contract for Data Transfers

Swiss Flag

Switzerland is implementing new legislation to better protect its citizens’ data (“revFADP”), replacing the longstanding Federal Act on Data Protection of 1992. The revFADP improves the processing of personal data and grants Swiss citizens new rights consistent with other comprehensive data protection laws, such as the General Data Protection Regulation (GPDR) and UK GDPR. This important legislative change also comes with a number of increased obligations for companies doing business in Switzerland. Companies must quickly get up to speed on the revFADP requirements because the Act takes effect on September 1, 2023. Companies should not assume that compliance with the GDPR and UK GDPR equals compliance under the revFADP. While this revised legislation has many similarities to the GDPR, there are a few stark differences companies should be aware of. Here is the breakdown of what companies should know.Continue Reading Nothing Neutral about the New Swiss Federal Act on Data Protection

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision