Photo of Salha El-Shwehdi

Salha is an associate in Taft's Intellectual Property group focusing on privacy. She earned her J.D. from the University of Dayton School of Law and her B.A. in international studies and political science, magna cum laude, from Wright State University.

On May 11, 2023, Tennessee Governor Bill Lee signed the Tennessee Information Protection Act (the “TIPA”) into law. Tennessee is now the eighth state to enact a comprehensive privacy law, joining California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia. The TIPA is set to go into effect on July 1, 2025.Continue Reading State Number Eight: Tennessee Becomes Eighth State to Enact Privacy Law

This month, Indiana passed its own privacy bill, Senate Bill 5 (“SB 5”) for consumer data protection. SB 5 is now awaiting signature from Indiana Governor Eric Holcomb. Once signed into law, Indiana will be the seventh state in the nation to enact a comprehensive privacy law. With a later effective date of January 1, 2026, SB 5 maintains the status-quo and largely follows the six other states with privacy laws (California, Colorado, Connecticut, Iowa, Utah, and Virginia). Following is a high level overview of the key provisions of SB 5.Continue Reading Up Next, the Crossroads of America: Indiana Positioned as 7th State to Join Privacy Party

As expected, another state has joined the privacy party. This month, Iowa positioned itself to become the sixth state in the nation to pass legislation establishing consumer data privacy protections. Iowa Senate File 262 (the “SF 262”) unanimously passed in the Iowa House and Senate and is now awaiting signature by Iowa Governor Kim Reynolds. When signed into law, SF 262 will become effective on January 1, 2025. The new SF 262 mirrors many of the protections and rights provided in the data privacy laws of the five other states (California, Colorado, Connecticut, Utah, and Virginia). Below are the key highlights that businesses should know about the bill.Continue Reading Six down, 44 to go? Iowa Joins Privacy Party by Passing New Privacy Law

A few months ago we wrote about the proposed draft rules for the Colorado Privacy Act (CPA) (“draft rules”). Since then, the Colorado Attorney General’s Office has published two updated versions of the draft rules. The third and latest version of the proposed draft CPA rules was published on January 27, 2023 and the comment period for this version ended on February 3, 2023. Below is a brief high-level overview of some of the key changes made in the past two revisions of the draft rules.Continue Reading Colorado Privacy Act Update: Colorado AG Issues Updated Draft Rules

The Office for Civil Rights (OCR) recently issued a bulletin (the “Bulletin”) addressing the use of online tracking technologies by HIPAA-covered entities and business associates (collectively “regulated entities”). The Bulletin highlights the regulated entities’ obligations under the HIPAA Privacy, Security, and Breach Notification Rules (collectively the “HIPAA Rules”) when using tracking technologies. This blog post provides the key information regulated entities should know about their obligations under HIPAA when they, or their business associates, use tracking technologies.Continue Reading Cookies and HIPAA Don’t Always Mix: OCR Issues Guidance on HIPAA and Tracking Technologies

On December 13, 2022, the European Commission published a draft adequacy decision for the EU-U.S. Data Privacy Framework (“EU-U.S. DPF or DPF”) signaling the potential return of the framework allowing the flow of personal data between the EU and the United States. Although this is a draft decision, if approved, it will ease trans-Atlantic data flow and ease the restrictions that were placed after the 2020 Schrems II decision invalidated the EU-U.S. Privacy Shield framework for cross-border transfers. This draft adequacy decision ultimately concluded that the DPF provides an adequate level of protection of personal data.Continue Reading Don’t Call It A Comeback: EU-U.S. Data Privacy Framework Inches Closer to Implementation Following the European Commission’s Draft Adequacy Decision

Two weeks ago, the German Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report looking into Microsoft 365’s (Microsoft) compliance under the European Union’s General Data Protection Regulation (GDPR). DSK’s overarching conclusion of the report was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases where Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities for data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.
Continue Reading Windows Pain? German Report Casts Doubt on Microsoft GDPR Compliance

The Colorado Attorney General (AG) recently published proposed rules for the Colorado Privacy Act (CPA). These draft rules shed light and clarify how the Attorney General plans to carry out the CPA when it goes into effect on July 1, 2023. These proposed CPA rules are a draft that is not yet finalized and therefore are subject to change. In the upcoming months, the Colorado AG will engage with key stakeholders and the public on feedback regarding these proposed rules. While the draft CPA draft rules are months away from finalization, the proposed rules are intended to help entities understand the AG’s requirements for when the CPA becomes effective. Below are a few key highlights of the draft CPA rules as they currently stand, which supplement the AG’s prior guidance from April 2022.
Continue Reading Colorado AG Publishes CPA Proposed Rules

Once again, California is setting trends in the world of privacy laws. On September 15, 2022, California’s Governor signed the first comprehensive state law to protect children’s online safety. A week later, on September 23, 2022, the New York Senate introduced a similar bill.

New York’s newly introduced Bill, S9563, the Child Data Privacy and Protection Act (“Bill”), largely mirrors the newly passed California law but has some added protections and procedures that online products targeting children must follow if the law is enacted.
Continue Reading From Coast to Coast: New York Introduces New Bill Aiming To Enhance Protections For Children Online a Week After California Enacts Similar Law