Photo of Kennedy Brooks

Kennedy Brooks

Subscribe to Kennedy Brooks's Posts

Kennedy is a Privacy, Security, and Artificial Intelligence and Intellectual Property attorney in Taft’s Cincinnati office and advises startups to enterprise clients on managing data across its full lifecycle, from commercial contracting to incident response and regulatory compliance. Her practice spans U.S. state and federal privacy laws, including the CCPA/CPRA, KCDPA, WMHMDA, HIPAA, FERPA, and COPPA, breach notification laws, and emerging regulatory frameworks governing artificial intelligence. Kennedy regularly helps clients operationalize compliance in a way that aligns legal, technical, and business realities.

Contact:Read more about Kennedy Brooks

Last week, the House Energy and Commerce and Financial Services Committees announced a joint effort to advance two new data privacy bills:  the Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act (the SECURE Data Act) and the Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act (the GUARD Financial Data Act).

(At minimum, points to Congress for the acronyms).

If you have been watching federal privacy legislation over the past few years, the SECURE Data Act alone may not inspire much excitement. Congress has been attempting comprehensive federal privacy legislation for years without much success, and this bill follows that tradition of ambition. That said, the SECURE Data Act is the result of over a year of work by the House Energy and Commerce Data Privacy Working Group and contains a few notable developments worth paying attention to. This package also includes a serious, targeted effort to modernize the Gramm-Leach-Bliley Act (the GLBA) through the GUARD Financial Data Act.

Below, we overview both bills, briefly explain why comprehensive federal privacy legislation has historically stalled, and discuss what this means for businesses today.

Continue Reading A New Push for Federal Privacy Law: What to Know About SECURE and GUARD

From California to Texas to Ohio, lawmakers are increasingly turning to age-verification requirements to protect children online. These laws target a range of concerns, with a growing body of research suggesting that certain online activities may pose risks to children’s mental health and well-being.

At the same time, privacy laws continue to proliferate across the United States, many of which emphasize data minimization and limitations on the use of sensitive personal information. This creates a growing tension. Protecting children online may require companies to collect more personal data than they otherwise would, and potentially subject themselves to additional privacy requirements and consumer concerns.

Continue Reading Collection for Protection: The Age-Verification Paradox

As in Indiana and Kentucky, the start of 2026 brought into effect Rhode Island’s comprehensive consumer privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). This statute is not simply a replica of what has come before it.

While much of its terminology and mechanics will feel familiar to organizations already operating under multiple state privacy regimes, it also includes elements such as general applicability thresholds at the lower end of the typical range and broad privacy notice requirements. The similarities and distinctions make RIDTPPA easy to place within the broader U.S. privacy landscape, while also presenting a few compliance gray areas that merit closer attention.

Continue Reading Rhode Island’s New Privacy Law: An Overview and Highlighted Differences