Photo of Scot Ganow

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Simply clicking “I am 18 or older” is no longer sufficient with this legislation; an individual must now give personally identifiable information, including in some cases, a biometric face scan.

Continue Reading Porn, Privacy & Protecting Kids:  States Seek to Balance Individual Rights and Business Interests in New Online Age Verification Laws

As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.

Continue Reading UPDATE: Litigation Related to Website Technology & Data Sharing

In our previous post, “A Primer on Artificial Intelligence and the Law in 2023,” we briefly discussed how the federal government is preparing for legislation and regulation regarding Artificial Intelligence (“AI”) through provisions of the National Artificial Intelligence Initiative Act of 2020 (the “Act”). While no comprehensive federal statute regulating AI has been signed into law, regulatory agencies must contend with the emerging technology under existing laws.

Continue Reading Artificial Intelligence: U.S. Federal Considerations

Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).

Continue Reading Heads Up!  Increasing Litigation Related to Website Technology & Data Sharing

As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.

1.  Get strong!  Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e. ten characters or more, including an upper and lower case letter, number, and

Continue Reading 2023 Privacy and Data Security Resolutions

If you haven’t already seen the notifications in the Taft Privacy and Data Security Mobile App, we wanted to make you aware or remind you about some important security updates issued by Apple affecting multiple products. CISA (Cybersecurity & Infrastructure Security Agency) is recommending consumers update their devices as soon as possible.


Continue Reading Important Security Updates Issued by Apple

In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
Continue Reading HIPAA: Its Confidentiality Protections (And Limits)

I recently got back from the IAPP Global Privacy Summit (the “Summit”), the world’s largest meeting of privacy professionals from around the world.  The Summit always serves as a great opportunity to network and learn from colleagues, thought leaders, and regulators working in this important area of business, technology, and law.  With that in mind, I want to share some reflections and themes from this year’s Summit.
Continue Reading 2022 Global Privacy Summit: Reflections and Take-Aways

The CCPA has been up and running for a couple of years now, with changes coming in 2023 with the amendments from the Consumer Privacy Rights Act (CPRA).  While a federal law is always being teased and
other states coming online in 2023
, California remains the state privacy law by which to assess and manage compliance when processing personal data.

So, as you might imagine, loads of questions and anxiety over the country’s most comprehensive state privacy regulation continue to keep us busy.  This prompted us to provide a simple 3-step process to determine if the law applies to your business (now, in 2023, or beyond), what you need to do to meet the law’s requirements, and how to begin considering a national approach to data privacy governance.  While no summary can capture every aspect of developing a compliance plan, we hope the following resources are helpful in getting your arms around managing privacy and meeting the (applicable) requirements of the California laws.
Continue Reading Breaking Down the California Consumer Privacy Act (CCPA)

Whether you are an attorney advising clients, a medical professional treating patients via telemedicine, or anyone else working remotely, your second workplace or office might be providing more than just convenience. If you have a smart home device, such as one of the many varieties now available from companies like Google (Home/Nest), Amazon (Alexa), Microsoft (Cortana), or Apple (Siri), your remote work discussions (and conversations in general) may be less private than you realize. While convenient and sometimes helpful, these devices might be creating a record of more than your favorite songs and compromising your patient’s, client’s, or company’s confidential information.
Continue Reading Smart Devices: Convenient, Helpful, Fun. Oh Yeah, and Possibly Breaching Confidentiality.