With Cyber Monday 2024 in the rear-view mirror, we are looking at one of the hot topics in data-privacy and cybersecurity litigation: the Video Privacy Protection Act. 

Recent years have seen an uptick in lawsuits asserting violations of the VPPA by companies that host video content on websites or mobile apps and then share information about the individuals who watched those videos with other businesses. 

While the companies have experienced some success in getting VPPA claims dismissed, the Second Circuit recently reinstated a putative class action asserting VPPA violations against the NBA that may breathe new life into VPPA claims. Salazar v. National Basketball Association, No. 23-1147 (2d Cir. Oct. 15, 2024). But is the worry about VPPA class actions overblown?

Continue Reading Video Privacy Protection Act Claims – Maybe Not a Slam Dunk After All

Hard to believe, but 2025 will be here before you know it. And what goes best with a new year? A countdown list!

Last week, I spoke at the Dayton Bar Association’s Corporate Counsel Section on the topic of the Top 10 legal technology issues that in-house counsel should have on its radar for 2025.

Continue Reading Top 10 Technology Issues to Watch for in 2025

On January 27, 2025, the Federal Communications Commission’s (FCC) new one-to-one consent requirement will go into effect. For background, the FCC published its final rule targeting and eliminating unlawful text messages under the Telephone Consumer Protection Act (TCPA) on January 26, 2024 (the Final Rule). Among other requirements and purposes, this Final Rule sought to close the “lead generator loophole.”

Continue Reading FCC’s 1-to-1 Consent Requirement for Marketing Text Messages

Special thanks to Taft summer associate Tanner Wilburn for his significant contributions to this post. 

On July 12, 2024, the European Union’s Artificial Intelligence Act (AI Act) was published in the EU Official Journal.

This comprehensive legislation establishes the first risk-based regulatory framework for AI systems, with far-reaching implications for businesses using AI. The AI Act is effective August 2, 2024, with the enforcement of the majority of its provisions commencing on August 2, 2026.

Continue Reading The EU AI Act – What Businesses Need to Know

Last week, Vermont Governor Phil Scott vetoed one of the most-watched pieces of privacy legislation in the United States: the Vermont Data Privacy Act (VDPA). Described in H.121 as “an act relating to enhancing consumer privacy and the age-appropriate design code,” the VDPA was passed by the Vermont legislature in the early morning hours on May 11, 2024. The act represented a seismic change in domestic consumer privacy rights. However, Governor Scott returned H.121 without signature, effectively vetoing the would-be watershed bill.

Continue Reading Not So Fast: Vermont Governor VETOES Private Right of Action for Consumer Privacy Violations

The U.S. is cracking down on data sharing and export with foreign countries. A clear example of the United States’ position is seen in Executive Order 14117 (EO 14117) issued by President Biden on February 28, 2024.

Titled “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern,” EO 14117’s main objective is simple – protect the sensitive personal data of individuals located in the United States. But the reason for this Executive Order is more nuanced.

Continue Reading Recent Executive Order and DOJ Rulemaking Prioritize the Protection of Sensitive Personal Data from “Countries of Concern”

Last December, the Department of Defense (“DoD”) published its proposed rule setting forth cybersecurity requirements for defense contractors and subcontractors. These requirements are designated with a particular Cybersecurity Maturity Model Certification (CMMC) level that is associated with the contractor’s procurement. As the second iteration of CMMC, 2.0 demonstrates an escalating system of maturity using designated levels 1, 2, and 3.

With the proposed rule set to be finalized this year, and implementation set to take place in 2025, now is as good a time as any to understand how contractors are impacted by CMMC 2.0, as well as the requirements, the certification process, and how your organization can best prepare.

Continue Reading CMMC 2.0 Is Here to Stay: Where Do We Start?

Tuesday, Jan. 30, 2024

11 a.m. – 12 p.m. ET

You read the news every day and maybe even receive notices yourself: data security and privacy compliance is a growing area of concern and risk for businesses. With security incidents on the rise across various industries of all sizes, as well as increased regulation of privacy and security-related issues, evaluating and addressing your current data governance program is a crucial step in protecting your business in the new year. Just

Continue Reading Webinar: 10 Privacy and Security Resolutions in the New Year

Last week, the US Securities and Exchange Commission (SEC) voted 3-2 on a series of rules relating to cybersecurity disclosures, including a new requirement for public companies to publicly disclose “significant impacts” of cyber-attacks within four days. Public companies would be well-served to review the new requirements immediately to form a plan of action to address the newly approved rules.

Continue Reading SEC Approves Transformative Cybersecurity Disclosure Requirements

Here in the United States, companies face a patchwork of legal obligations that address information security and data privacy. For example, federal laws target certain market segments (such as health care, financial services, and education), state laws target certain types of information (such as personal financial or biometric information), and both state and federal laws target unfair or unreasonable business practices. This patchwork—and the lack of comprehensive nationwide privacy and security standards—can make compliance challenging and frustrating. Security professionals and legal counsel must work hard to keep up.

The Securities and Exchange Commission (SEC) will soon add to the patchwork. The SEC’s new rules promise to add significant compliance obligations for public companies, and non-public companies will also want to take note.

Continue Reading The SEC’S Proposed Cybersecurity Rules: Is Your Company Ready?