Photo of Scot Ganow

Scot Ganow

Subscribe to Scot Ganow's Posts

Scot is a partner in Taft’s Dayton office, and chair of the firm’s Privacy and Data Security Practice.  As a former chief privacy officer and leveraging more than ten years of management and compliance experience in Fortune 500 companies, Scot brings a diverse business background to his privacy and data security practice. Scot has represented clients in a variety of sectors, including consumer reporting, construction, healthcare, and manufacturing.

Follow:Read more about Scot GanowScot's Linkedin Profile

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.

The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.

Continue Reading Montana Enacts Privacy Law

On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Simply clicking “I am 18 or older” is no longer sufficient with this legislation; an individual must now give personally identifiable information, including in some cases, a biometric face scan.

Continue Reading Porn, Privacy & Protecting Kids:  States Seek to Balance Individual Rights and Business Interests in New Online Age Verification Laws

As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.

Continue Reading UPDATE: Litigation Related to Website Technology & Data Sharing

In our previous post, “A Primer on Artificial Intelligence and the Law in 2023,” we briefly discussed how the federal government is preparing for legislation and regulation regarding Artificial Intelligence (“AI”) through provisions of the National Artificial Intelligence Initiative Act of 2020 (the “Act”). While no comprehensive federal statute regulating AI has been signed into law, regulatory agencies must contend with the emerging technology under existing laws.

Continue Reading Artificial Intelligence: U.S. Federal Considerations

Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).

Continue Reading Heads Up!  Increasing Litigation Related to Website Technology & Data Sharing

As you consider the end of the year and beginning of a new year, we in Taft’s Privacy and Data Security Practice thought to provide you with a simple list of data protection resolutions you might consider, both professionally and personally.

1.  Get strong!  Now is a good time to make a change in passwords for your accounts, and specifically make them strong passwords (i.e. ten characters or more, including an upper and lower case letter, number, and

Continue Reading 2023 Privacy and Data Security Resolutions

If you haven’t already seen the notifications in the Taft Privacy and Data Security Mobile App, we wanted to make you aware or remind you about some important security updates issued by Apple affecting multiple products. CISA (Cybersecurity & Infrastructure Security Agency) is recommending consumers update their devices as soon as possible.


Continue Reading Important Security Updates Issued by Apple

In the wake of the Supreme Court decision in Dobbs v. Jackson Women’s Health Organization, here is a reminder about the protections available for privacy and the confidentiality of health-related information under current law. This bulletin will discuss the Health Insurance Portability and Accountability Act (HIPAA).

First off, it is important to understand that HIPAA, composed of a Privacy Rule, Security Rule, and Data Breach Rule, regulates the use of patient information in the provision of health care in the United States. It only applies to “protected health information” (PHI) that is generated by a “covered entity” — health care provider, payer, or clearing house — in the provision of health care treatment, payment, or operations to a patient. Any other information, even if health-related, does not get the protections of HIPAA.
Continue Reading HIPAA: Its Confidentiality Protections (And Limits)

I recently got back from the IAPP Global Privacy Summit (the “Summit”), the world’s largest meeting of privacy professionals from around the world.  The Summit always serves as a great opportunity to network and learn from colleagues, thought leaders, and regulators working in this important area of business, technology, and law.  With that in mind, I want to share some reflections and themes from this year’s Summit.
Continue Reading 2022 Global Privacy Summit: Reflections and Take-Aways

The CCPA has been up and running for a couple of years now, with changes coming in 2023 with the amendments from the Consumer Privacy Rights Act (CPRA).  While a federal law is always being teased and
other states coming online in 2023, California remains the state privacy law by which to assess and manage compliance when processing personal data.

So, as you might imagine, loads of questions and anxiety over the country’s most comprehensive state privacy regulation continue to keep us busy.  This prompted us to provide a simple 3-step process to determine if the law applies to your business (now, in 2023, or beyond), what you need to do to meet the law’s requirements, and how to begin considering a national approach to data privacy governance.  While no summary can capture every aspect of developing a compliance plan, we hope the following resources are helpful in getting your arms around managing privacy and meeting the (applicable) requirements of the California laws.
Continue Reading Breaking Down the California Consumer Privacy Act (CCPA)