Last year, we wrote about updates from the Department of Justice (DOJ) and the DOJ’s proposed enforcement efforts and regulations implementing Executive Order 14117 “Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Data by Countries of Concern” (Rule).

A year later, the DOJ has finalized the Rule and developed guidance on what companies handling (i) bulk U.S. sensitive personal data or (ii) U.S. Government-related data must know, especially when interacting with persons and entities in "Countries of Concern," which currently include:

  • China (includes Hong Kong and Macau)
  • Cuba
  • Iran
  • North Korea
  • Russia
  • Venezuela

In April of this year, the DOJ’s National Security Division (NSD) issued its Data Security Program and corresponding Compliance Guide (DSP) and Frequently Asked Questions (FAQs) providing information that all U.S. entities must understand and follow to comply with the Rule. The NSD’s stated primary mission with respect to the implementation and enforcement of the DSP is to protect U.S. national security from Countries of Concern that may seek to collect and weaponize both government data and Americans’ most sensitive personal data.

As we have written previously, the DSP will require U.S. organizations to look deeply into their data collection and data sharing practices to determine whether they are (i) providing covered data to a Country of Concern and (ii) subject to the DSP’s requirements.

All U.S. organizations handling government-related data and bulk U.S. sensitive personal data must make good-faith efforts to comply with the DSP by July 8, 2025.

Continue Reading: One Month to Go: What You Need to Know about the U.S. Department of Justice's Data Security Program

The California Privacy Protection Agency ("CPPA") recently issued a decision requiring American Honda Motor Co. to pay a $632,500 fine and change certain business practices related to alleged violations under the California Consumer Privacy Act ("CCPA"). While not specifically related to connected vehicles, this decision comes after the CPPA's announcement in 2023 that it would be focusing on connected vehicle manufacturers' compliance with the CCPA.

Continue Reading: California Privacy Enforcement Update: Verifying Consumer Requests and Banners Must Be Symmetrical

What does it take for a data breach plaintiff to have standing to sue in Illinois? More than a mere increased risk of harm, said the Illinois Supreme Court in a case where Taft represented the defendant, a large multi-specialty group medical practice.

This post highlights the importance of a thorough post-data breach investigation.

Continue Reading: Taft Wins First Data Breach Class Action to Reach Illinois Supreme Court: Key Takeaways

In late October 2024, Ohio Senate Bill 29 ("SB 29")[1] took effect. This new law regulates educational records and student data privacy throughout the state, specifically relating to student-issued devices (e.g., laptops, tablets, software). What makes SB 29 unique is that it extends beyond schools and school districts and impacts third-party technology providers that work with these entities. Taft anticipates greater emphasis on compliance with this new law ahead of the 2025-2026 school year. Here is what you need to know about the Ohio student data privacy law.

Continue Reading: School is in Session: Ohio's New Student Data Privacy Law Impacts More than Students

A new year means new effective dates for state privacy legislation. On January 1, 2025, four states witnessed consumer privacy protection laws take effect: Delaware, Iowa, Nebraska, and New Hampshire.

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025's newest consumer privacy laws.

Continue Reading: New Year Rings in New State Privacy Laws

With Cyber Monday 2024 in the rear-view mirror, we are looking at one of the hot topics in data-privacy and cybersecurity litigation: the Video Privacy Protection Act (VPPA).

Recent years have seen an uptick in lawsuits asserting violations of the VPPA by companies that host video content on websites or mobile apps and then share information about the individuals who watched those videos with other businesses.

While the companies have experienced some success in getting VPPA claims dismissed, the Second Circuit recently reinstated a putative class action asserting VPPA violations against the NBA that may breathe new life into VPPA claims. Salazar v. National Basketball Association, No. 23-1147 (2d Cir. Oct. 15, 2024). But is the worry about VPPA class actions overblown?

Continue Reading: Video Privacy Protection Act Claims – Maybe Not a Slam Dunk After All

With the rise in remote work, not to mention better technology, many employers have begun using apps and other services to monitor employees' activities to track, assess, and evaluate workers. The Consumer Financial Protection Bureau (CFPB) recently issued a Circular stating that employers' use of the reports generated by those apps and services may be subject to the Fair Credit Reporting Act (FCRA) just like a traditional employee background check.

The FCRA regulates the use of consumer reports for employment and other purposes. A criminal background check of a potential employee that is obtained from a third party is a typical consumer report. To be clear, the FCRA does not prohibit the use of such reports, but rather triggers a series of protections for the employee. And it applies both during the hiring phase and while the employee is working for the employer.

Continue Reading: Whatcha Watching? The CFPB's Recent Guidance on Employer Monitoring

Hard to believe, but 2025 will be here before you know it. And what goes best with a new year? A countdown list!

Last week, I spoke at the Dayton Bar Association's Corporate Counsel Section on the topic of the Top 10 legal technology issues that in-house counsel should have on their radar for 2025.

Continue Reading: Top 10 Technology Issues to Watch for in 2025

Last week, Taft's Privacy and Data Security team sponsored and presented at Northern Kentucky University's (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act's heightened focus on businesses' use of health information; and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to their organization, and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies. Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.

Continue Reading: Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning in the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.

Continue Reading: Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers