Data Privacy

Subscribe to Data Privacy via RSS

From California to Texas to Ohio, lawmakers are increasingly turning to age-verification requirements to protect children online. These laws target a range of concerns, with a growing body of research suggesting that certain online activities may pose risks to children’s mental health and well-being.

At the same time, privacy laws continue to proliferate across the United States, many of which emphasize data minimization and limitations on the use of sensitive personal information. This creates a growing tension. Protecting children online may require companies to collect more personal data than they otherwise would, and potentially subject themselves to additional privacy requirements and consumer concerns.Continue Reading Collection for Protection: The Age-Verification Paradox

The Video Privacy Protection Act (VPPA), signed into law by President Ronald Reagan on November 18, 1988, grew out of one of Washington’s more underwhelming privacy scandals. During Judge Robert Bork’s Supreme Court confirmation hearings, a newspaper published his video rental history, which had been leaked by a video store clerk. This incident was intended to reveal his character but revealed nothing too controversial; the Bork Tapes showed that Judge Bork was partial to Alfred Hitchcock films, spy thrillers, and British costume dramas. Indeed, the enduring legacy of the Bork Tapes was not salacious, but legislative— the episode sparked bipartisan concern that something as personal as an individual’s viewing habits could be exposed without consent. In response, Congress moved swiftly to pass the VPPA, a law designed to shield Americans from unwarranted intrusions into their video rental and viewing records.Continue Reading Defining “Consumer” in the Digital Age: The Supreme Court Takes Up the VPPA Divide

Under newly implemented regulations of the California Consumer Privacy Act (CCPA), California now requires a formal risk assessment “before initiating any processing activity” of certain (sensitive) sorts. The regulation explicitly contemplates that businesses will complete risk assessments now, in 2026.

Eventually, such risk assessments – including those completed this year – must be signed by an executive and submitted to the California regulator under penalty of perjury.Continue Reading New CCPA Risk Assessment Requirements Now In Effect

As in Indiana and Kentucky, the start of 2026 brought into effect Rhode Island’s comprehensive consumer privacy law, the Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA). This statute is not simply a replica of what has come before it.

While much of its terminology and mechanics will feel familiar to organizations already operating under multiple state privacy regimes, it also includes elements such as general applicability thresholds at the lower end of the typical range and broad privacy notice requirements. The similarities and distinctions make RIDTPPA easy to place within the broader U.S. privacy landscape, while also presenting a few compliance gray areas that merit closer attention.Continue Reading Rhode Island’s New Privacy Law: An Overview and Highlighted Differences

Enforcement activity surged in 2025, with landmark judgments and settlements—some reaching eight and nine figures—targeting issues such as ad tracking, analytics, wiretapping, text messaging, data subject rights, and sensitive data collection. This aggressive trend shows no signs of slowing as we move into 2026.

Taft continues to help its clients find the correct answers in their context for addressing these risks. Building on our year-end post, here are some issues you may want to consider as you take on the new year.Continue Reading Your 2026 Privacy, Security, and Artificial Intelligence Checklist

As we begin 2026, Kentucky has officially enacted the Kentucky Consumer Data Protection Act (KCDPA), a comprehensive privacy statute that took effect on January 1, 2026. As with Indiana, is KCDPA is modeled on the now‑familiar Virginia‑style framework. The KCDPA establishes consumer data rights, imposes governance obligations on businesses, and grants exclusive enforcement authority to the Kentucky Attorney General.Continue Reading Kentucky Consumer Data Protection Act: Key Takeaways for the New Bluegrass Statute

Indiana has joined the growing list of states with a comprehensive consumer privacy statute, codified at Indiana Code 24‑15 and effective January 1, 2026.

The law follows the “Virginia model,” but introduces several nuances that will matter for organizations doing business in, or targeting residents of, Indiana.Continue Reading HOO- HOO- HOO- HOOSIERS Brace for Indiana Consumer Data Protection Act

As 2025 comes to a close, we asked several members of Taft’s Privacy and Data Security practice group to share their thoughts on what should be on a client’s “wish list” for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses considering to not only meet the requirements of new laws and mitigate existing risks, but also looking to seize the opportunity to maximize the impact of technology to unleash the power in their data.Continue Reading Closing Out 2025: Key Privacy & Data Security Updates from Taft

State regulators are increasingly prioritizing children’s data privacy. These efforts follow several changes to protect children’s online privacy at the federal level. One of the latest sweep of changes involve several states (e.g., California, Louisiana, Texas and Utah) imposing app store accountability laws (ASA Laws).

These new laws require app store operators (e.g., Apple and Google) along with app developers to implement safeguards for age verification, age rating, parental consent and data minimization. While the aim of these laws is to protect children, the obligations imposed on businesses apply broadly, regardless of the age of an app’s users. For businesses with mobile apps, these safeguards are not optional. They are mandatory to keep  apps available for download.

While the ASA Laws slightly vary in their respective requirements, a general overview of what businesses should know is below.Continue Reading New App Store Accountability Laws in 2026: If Your Business Has an App, Read On