Data Privacy

Subscribe to Data Privacy via RSS

As 2025 comes to a close, we asked several members of Taft’s Privacy and Data Security practice group to share their thoughts on what should be on a client’s “wish list” for the holiday season, or on a list of resolutions for 2026.

Here are their thoughts for businesses considering to not only meet the requirements of new laws and mitigate existing risks, but also looking to seize the opportunity to maximize the impact of technology to unleash the power in their data.Continue Reading Closing Out 2025: Key Privacy & Data Security Updates from Taft

State regulators are increasingly prioritizing children’s data privacy. These efforts follow several changes to protect children’s online privacy at the federal level. One of the latest sweep of changes involve several states (e.g., California, Louisiana, Texas and Utah) imposing app store accountability laws (ASA Laws).

These new laws require app store operators (e.g., Apple and Google) along with app developers to implement safeguards for age verification, age rating, parental consent and data minimization. While the aim of these laws is to protect children, the obligations imposed on businesses apply broadly, regardless of the age of an app’s users. For businesses with mobile apps, these safeguards are not optional. They are mandatory to keep  apps available for download.

While the ASA Laws slightly vary in their respective requirements, a general overview of what businesses should know is below.Continue Reading New App Store Accountability Laws in 2026: If Your Business Has an App, Read On

An ongoing issue many of our clients are dealing with are claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA).

A cottage industry of California plaintiffs’ firms are sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week.Continue Reading What to Know: Your Company Website and the California Information Privacy Act

On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed two legal questions: (1) whether workplace policy infractions can turn into federal crimes, and (2) whether passwords protecting propriety business information qualify as trade secrets under federal or Pennsylvania law.

The case was reheard and affirmed on October 7, 2025, with the Third Circuit firmly answering both questions in the negative. The decision significantly limits employers’ potential claims against employees who breach company policies without engaging in actual hacking or unauthorized access.Continue Reading Passwords, Policies, and Trade Secrets: Lessons from NRA Group v. Durenleau and what it Means for Employers

Last month, I had the opportunity to speak to entrepreneurs at Launch Dayton’s Startup Week regarding the positive effects that strong privacy and data governance practices have on business.

As regulations increase and complexity rises, many businesses remain hesitant to view privacy and security obligations as anything other than impediments to innovation. In practice, embedding privacy by design and developing strategic approaches to cybersecurity and artificial intelligence laws serve as valuable drivers for growth.

Navigating the Regulatory Landscape
The environment

Continue Reading Privacy by Design, Profit by Strategy: Thoughts from Dayton’s Startup Week

On July 1, 2025, the Virginia Consumer Data Protection Act (VCDPA) amendments took effect, implementing several changes to the existing privacy law, including adding new protections to reinforce consumers’ sexual and reproductive health information. While other consumer health data laws exist, such as Washington’s My Health My Data Act (MHMDA), which generally protects a broad category of “consumer health data,” the VCDPA amendments take a more narrow approach and only focus on reproductive and sexual health information. Here is what you need to know.Continue Reading Virginia is for Lovers (of Privacy): VCDPA Amendments Merge Components of Consumer Data Health Laws to Better Protect Reproductive and Sexual Health Information

On September 1, 2025, Texas Senate Bill 140 officially amended the state’s well-known “mini-TCPA” so that certain Chapters now apply to sellers and salespersons who send marketing texts to consumers. This is a big change, particularly in two ways:

  1. Texting included. Previously the law only applied to traditional phone calls, and thus text marketers could arguably avoid the law’s painstaking registration and disclosure requirements.
  2. Private right of action. The amendments also include a private right of action through the state’s Deceptive Trade Practices Act, which subjects violators to steep penalties and gives Chapters 302, 304, and 305 of Texas’ Business and Commerce Code some additional teeth.

Continue Reading New Amendments to Texas’ Telemarketing Law Have Gone into Effect—Sellers Should Carefully Consider the Exemptions

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved a sweeping set of amendments to the California Consumer Privacy Act (CCPA) regulations. These updates introduce new compliance obligations for businesses around automated decision making, cybersecurity audits, risk assessments, and more.

Below, we discuss some of these new requirements.Continue Reading California Finalizes Major CCPA Amendments

On June 19, 2025, the United Kingdom Parliament enacted the Data Use and Access Act 2025 (DUAA). The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). While the DUAA imposes new requirements on organizations subject to UK privacy legislation, it also clarifies several provisions, making privacy compliance in the United Kingdom more manageable.

The changes under the DUAA began in June 2025 and will be phased in over the next year through June 2026.Continue Reading Are You Ready for the UK’s Data Use and Access Act 2025 (DUAA)?