Photo of Jordan Jennings

Jordan Jennings

Subscribe to Jordan Jennings's Posts

Jordan is a member of Taft's Employment and Labor Relations practice group. She is focused on advising clients in areas of employment law and privacy and data security.

California continues to be at the forefront of data protection in the United States. In February 2022, multiple privacy bills were introduced in the California legislature’s current session. The privacy bills seek to amend and enhance the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in regards to employee and business-to-business personal information exemptions and also personal information collected by proctors in an educational setting.

Extension to Employee and Business-to-Business Exemptions. Currently, the CPRA provides exemptions to employee personal information and the personal information that is collected in a business-to-business transaction. This exemption expires on January 1, 2023. Two bills were introduced to extend the exemptions. AB 2871 would extend the exemptions indefinitely by removing the sunset date altogether. AB 2891, however, would extend the exemptions to January 1, 2026.
Continue Reading California Privacy Update: Various Privacy Bills Introduced to the State’s Legislature

Could Utah join it’s mountain neighbor Colorado and be the latest state to adopt a comprehensive data privacy law? On March 4, the Utah Senate unanimously passed Senate Bill (SB) 227 – the Utah Consumer Privacy Act (UCPA). It is now up to Utah’s Governor, Spencer Cox, to sign the bill into law – making Utah the fourth state (following California, Virginia and Colorado) to pass a data privacy law and join the ever-growing privacy party.

Introduced in February 2022, SB 227 sets forth several consumer data protection standards, including Utah consumers’ rights to their personal data, the responsibilities on businesses (called “controllers” and “processors”) to protect such data, and the authority of the Utah Attorney General to investigate and enforce violations of the new law. If the bill is passed, the law will go into effect on December 31, 2023.
Continue Reading Utah Legislature Advances Data Privacy Bill

Before 2018, no state in the US had its own data privacy law. Since 2018, California, Virginia (effective January 1, 2023), and Colorado (effective July 1, 2023) have all enacted their own data privacy laws, seeking to protect consumers by giving them control over their personal information. Recently, Ohio introduced House Bill 376, “The Ohio Personal Privacy Act,” in July 2021, which does not have an effective date at this time. Now, Indiana has introduced Senate Bill 358 and is ready to join the ever-growing Privacy Party.

Introduced in January 2022, Senate Bill 358 sets forth numerous consumer data protection standards, including Indiana consumers’ rights to their personal data, the responsibilities on businesses and service providers (called “controllers” and “processors,” respectively) to protect such data, and the authority of the Indiana Attorney General to investigate and enforce violations of the new law. If the bill is passed, it will go into effect on January 1, 2025.

Continue Reading Indiana Joins the Privacy Party by Introducing its Own Data Privacy Bill

California continues to be at the forefront of data privacy in the United States. Two new laws (AB 825 and SB 41) were signed in October, expanding California residents’ rights to their genetic information and imposing additional obligations on companies that collect such information. We guess you could say data privacy is in California’s DNA. (See what we did there?)

These new laws go into effect on January 1, 2022. Here is a rundown of what you should know.
Continue Reading New Year, New Privacy Laws: California Expands Law to Protect Genetic Information

It is the end of an era: September 27, 2021, officially marks the termination date for the Standard Contractual Clauses (SCCs) grace period set forth by the European Commission (“Commission”). In June 2021, the Commission published two new sets of clauses (2021 SCCs), marking the first update to the SCCs in over a decade. Unlike prior iterations, which were created before the enactment of the European Union’s (EU) General Data Protection Regulation (GDPR), the 2021 SCCs reflect the GDPR’s data protection requirements for multiple variations of data exporter-importer relationships.

Continue Reading Out with the Old and In with The New: European Commission’s New Standard Contractual Clauses Grace Period is Ending

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest  state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

Guess what?  Last Thursday, the first Thursday in May, was World Password Day. Right? You didn’t even know it.  We in the Privacy and Data Security Practice Group thought it would be a perfect opportunity to talk about the importance of the most basic, but still effective way to safeguard your accounts and data. In the early days of the internet, a simple password was all you might need to adequately protect the one or two accounts you might have had. Your desktop login, your email, and maybe some early version of social media. Password security was taken so lightly; it wasn’t unusual for passwords to be stored in a plain text file on a desktop or on a sticky note at your desk. Those days are over. Well, they should be.

Continue Reading Celebrating World Password Day. Responsibly.

On April 1, 2021, the Supreme Court decided Facebook, Inc. v. Duguid, which narrowed the scope of the Telephone Consumer Protection Act of 1991 (TCPA). The Court unanimously ruled that Facebook did not violate the TCPA by sending unsolicited text messages to individuals without their consent, overturning the Ninth Circuit’s decision to broadly define automatic telephone dialing systems (“autodialers”) under the federal statute. The case boiled down to everyone’s favorite subject—grammar.
Continue Reading Comma Again? The Supreme Court Provides a Grammar Lesson and Hands Down a Big Decision Impacting TCPA Compliance

In March 2020, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health IT (ONC) finalized two rules which established extensive healthcare data sharing policies related to the 21st Century Cures Act’s information blocking provision and adopted new health information technology certification requirements to enhance patients’ access to their health information.

Largely in response to the COVID-19 public health emergency, in October 2020, HHS released an interim rule which provides healthcare systems some flexibility and time to adapt to pandemic-related challenges. The interim rule extends the compliance dates and timeframes necessary to meet specific requirements related to information blocking and Conditions and Maintenance of Certification (CoC/MoC). The interim final rule also adopts updated standards and makes technical corrections and clarifications to the ONC Cures Act Final Rule.

Continue Reading Closing In On Impact: April 2021 Compliance Date For Information Blocking and Health IT Certification Requirements

On February 3, 2021, the Virginia Senate passed the Virginia Consumer Data Protection Act (“VCDPA” or the “Act”). Upon approval from Governor Ralph Northam, Virginia will be the second state in the nation to adopt a comprehensive data privacy law. This proposed legislation places Virginia alongside California at the forefront of domestic data privacy regulations.

In 2020, California changed the landscape of data privacy laws in the United States with the California Consumer Privacy Act (CCPA). The CCPA, a result of a ballot initiative by California, introduced the idea of widespread data subject rights for American consumers. Nearly three years later, Virginia is securing the second place spot with its enactment of the VCDPA. The Act mirrors the CCPA and the European Union’s General Data Protection Regulation (GDPR) in many ways. For instance, the Act contains a broad definition of “personal data.” It imposes certain fundamental processing principles, such as purpose limitation and data minimization rules, on businesses that process personal data. It also provides Virginia consumers with new rights to access, correct, delete, and request processing modifications with respect to their personal data.

Once signed into law, the VCDPA will be effective January 1, 2023. In the meantime, companies doing business in Virginia should start actively thinking of ways to incorporate VCDPA requirements into their existing privacy policies and procedures. The key features of the VCDPA are summarized below.
Continue Reading And Then There Were Two: The Commonwealth of Virginia Joins California in Enacting Comprehensive Privacy Rights Law