An ongoing issue many of our clients are dealing with is claims under the California Information Privacy Act (CIPA). This is actually a criminal statute and should not be confused with the California Consumer Privacy Act (CCPA).

A cottage industry of California plaintiffs’ firms is sending demand letters, filing suits, and initiating arbitrations for alleged CIPA violations. Here at Taft, we are seeing 1-2 new claims a week.

Continue Reading What to Know: Your Company Website and the California Information Privacy Act

On August 26, 2025, in NRA Group, LLC v. Durenleau et al., the U.S. Court of Appeals for the Third Circuit addressed two legal questions: (1) whether workplace policy infractions can turn into federal crimes, and (2) whether passwords protecting proprietary business information qualify as trade secrets under federal or Pennsylvania law.

The case was reheard and affirmed on October 7, 2025, with the Third Circuit firmly answering both questions in the negative. The decision significantly limits employers’ potential claims against employees who breach company policies without engaging in actual hacking or unauthorized access.

Continue Reading Passwords, Policies, and Trade Secrets: Lessons from NRA Group v. Durenleau and what it Means for Employers

Last month, I had the opportunity to speak to entrepreneurs at Launch Dayton’s Startup Week regarding the positive effects that strong privacy and data governance practices have on business.

As regulations increase and complexity rises, many businesses remain hesitant to view privacy and security obligations as anything other than impediments to innovation. In practice, embedding privacy by design and developing strategic approaches to cybersecurity and artificial intelligence laws serve as valuable drivers for growth.

Navigating the Regulatory Landscape
The environment

Continue Reading Privacy by Design, Profit by Strategy: Thoughts from Dayton’s Startup Week

On July 1, 2025, the Virginia Consumer Data Protection Act (VCDPA) amendments took effect, implementing several changes to the existing privacy law, including adding new protections to reinforce consumers’ sexual and reproductive health information. While other consumer health data laws exist, such as Washington’s My Health My Data Act (MHMDA), which generally protects a broad category of “consumer health data,” the VCDPA amendments take a narrower approach and focus only on reproductive and sexual health information. Here is what you need to know.

Continue Reading Virginia is for Lovers (of Privacy): VCDPA Amendments Merge Components of Consumer Data Health Laws to Better Protect Reproductive and Sexual Health Information

On September 1, 2025, Texas Senate Bill 140 officially amended the state’s well-known “mini-TCPA” so that certain Chapters now apply to sellers and salespersons who send marketing texts to consumers. This is a big change, particularly in two ways:

  1. Texting included. Previously the law only applied to traditional phone calls, and thus text marketers could arguably avoid the law’s painstaking registration and disclosure requirements.
  2. Private right of action. The amendments also include a private right of action through the state’s Deceptive Trade Practices Act, which subjects violators to steep penalties and gives Chapters 302, 304, and 305 of Texas’ Business and Commerce Code some additional teeth.

Continue Reading New Amendments to Texas’ Telemarketing Law Have Gone into Effect—Sellers Should Carefully Consider the Exemptions

On July 24, 2025, the California Privacy Protection Agency (CPPA) approved a sweeping set of amendments to the California Consumer Privacy Act (CCPA) regulations. These updates introduce new compliance obligations for businesses around automated decision making, cybersecurity audits, risk assessments, and more.

Below, we discuss some of these new requirements.

Continue Reading California Finalizes Major CCPA Amendments

On June 19, 2025, the United Kingdom Parliament enacted the Data Use and Access Act 2025 (DUAA). The DUAA amends, but does not replace, the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA) and the Privacy and Electronic Communications Regulations (PECR). While the DUAA imposes new requirements on organizations subject to UK privacy legislation, it also clarifies several provisions, making privacy compliance in the United Kingdom more manageable.

The changes under the DUAA began in June 2025 and will be phased in over the next year through June 2026.

Continue Reading Are You Ready for the UK’s Data Use and Access Act 2025 (DUAA)?

On July 1, 2025, the California Attorney General, Rob Bonta, announced that the California Privacy Protection Agency (CPPA) entered into a settlement with Healthline Media LLC (Healthline), which included a fine of $1,550,000, the largest fine by the CPPA to date, for various alleged violations of the California Consumer Privacy Act (CCPA). This settlement and fine follow the CCPA’s $632,500 fine against American Honda Motor Co. in March of this year. These actions continue to show California’s increased focus on CCPA enforcement.

Per the announcement, Healthline.com is a health and wellness information website that is one of the top 40 most visited websites in the world and generates revenue by showing advertisements on the website.

Continue Reading California Privacy Enforcement Continues: CPPA’s Largest Fine To Date

A recent decision from the Northern District of Texas has upended the Department of Health and Human Services’ 2024 amendments to the HIPAA Privacy Rule (the 2024 Rule), which were intended to bolster privacy protections for reproductive health care information.

The court’s ruling in Purl v. HHS vacates almost all of these amendments, finding that HHS overstepped its statutory authority and improperly interfered with state law.

Continue Reading HIPAA’s Reproductive Health Shake-Up: What the Purl Ruling Means for Health Plans and Covered Entities