California continues to be at the forefront of data protection in the United States. In February 2022, multiple privacy bills were introduced in the California legislature’s current session. The privacy bills seek to amend and enhance the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), in regards to employee and business-to-business personal information exemptions and also personal information collected by proctors in an educational setting.

Extension to Employee and Business-to-Business Exemptions. Currently, the CPRA provides exemptions to employee personal information and the personal information that is collected in a business-to-business transaction. This exemption expires on January 1, 2023. Two bills were introduced to extend the exemptions. AB 2871 would extend the exemptions indefinitely by removing the sunset date altogether. AB 2891, however, would extend the exemptions to January 1, 2026.
Continue Reading California Privacy Update: Various Privacy Bills Introduced to the State’s Legislature

Could Utah join it’s mountain neighbor Colorado and be the latest state to adopt a comprehensive data privacy law? On March 4, the Utah Senate unanimously passed Senate Bill (SB) 227 – the Utah Consumer Privacy Act (UCPA). It is now up to Utah’s Governor, Spencer Cox, to sign the bill into law – making Utah the fourth state (following California, Virginia and Colorado) to pass a data privacy law and join the ever-growing privacy party.

Introduced in February 2022, SB 227 sets forth several consumer data protection standards, including Utah consumers’ rights to their personal data, the responsibilities on businesses (called “controllers” and “processors”) to protect such data, and the authority of the Utah Attorney General to investigate and enforce violations of the new law. If the bill is passed, the law will go into effect on December 31, 2023.
Continue Reading Utah Legislature Advances Data Privacy Bill

Before 2018, no state in the US had its own data privacy law. Since 2018, California, Virginia (effective January 1, 2023), and Colorado (effective July 1, 2023) have all enacted their own data privacy laws, seeking to protect consumers by giving them control over their personal information. Recently, Ohio introduced House Bill 376, “The Ohio Personal Privacy Act,” in July 2021, which does not have an effective date at this time. Now, Indiana has introduced Senate Bill 358 and is ready to join the ever-growing Privacy Party.

Introduced in January 2022, Senate Bill 358 sets forth numerous consumer data protection standards, including Indiana consumers’ rights to their personal data, the responsibilities on businesses and service providers (called “controllers” and “processors,” respectively) to protect such data, and the authority of the Indiana Attorney General to investigate and enforce violations of the new law. If the bill is passed, it will go into effect on January 1, 2025.

Continue Reading Indiana Joins the Privacy Party by Introducing its Own Data Privacy Bill

On this International Data Privacy Day (please celebrate responsibly), Taft’s Privacy and Data Security practice is pleased to announce we will soon be launching a mobile application that will allow users to:

  • Stay up-to-date on data security and privacy news, developments, and events.
  • Get daily tips on privacy and security compliance and best practices.
  • Access content from Taft’s Privacy and Data Security attorneys, including helpful checklists and other resources.
  • Search for Taft Privacy and Data Security attorneys and easily contact


Continue Reading Stressed About Privacy and Security Compliance? Well, There’s a (Taft) App for That.

That’s right, it’s that time of year again.  And, as always, we in the Taft Privacy & Data Security practice encourage you to celebrate responsibly (especially as we have the full weekend to do so).

And if you are thinking, “Scot, you’re making this holiday up so you can push more privacy and security propaganda.”  You would be wrong.   International Privacy Day is a thing.  Jan. 28 has been set aside as a date to raise awareness and generally promote
Continue Reading Happy International Data Privacy Day, 2022!

California continues to be at the forefront of data privacy in the United States. Two new laws (AB 825 and SB 41) were signed in October, expanding California residents’ rights to their genetic information and imposing additional obligations on companies that collect such information. We guess you could say data privacy is in California’s DNA. (See what we did there?)

These new laws go into effect on January 1, 2022. Here is a rundown of what you should know.
Continue Reading New Year, New Privacy Laws: California Expands Law to Protect Genetic Information

As we anticipated in 2018, “So Goes California, So Goes the Country,” when it comes to U.S. privacy law. California broke new ground when it passed the California Consumer Privacy Act of 2018 (CCPA), now, the rest of the nation is following suit. Since 2018, Virginia (the VCDPA) and Colorado (the CPA) have passed similar statues. Now, Ohio is ready to join the party.

Introduced earlier this month, House Bill 376 “The Ohio Personal Privacy Act,” seeks to bring similar protections to Ohio consumers by giving them control over their personal data. The draft legislation does not have an effective date, but we expect that in the next few years, businesses subject to proposed law will need to meet its specifications. For now, businesses should start to consider the bill’s requirements and how they may implement the necessary processes to be compliant with its requirements.

Continue Reading Welcome to the Privacy Party, Ohio: State Legislature Proposes Comprehensive Data Privacy Legislation

In our blog post discussing Virginia’s Consumer Data Protection Act (“VCDPA”), we anticipated that more states would adopt their own omnibus data privacy laws – and Colorado is the latest  state to do so. Last week, the governor of Colorado signed into law the Colorado Privacy Act (“CPA”), becoming the third state in the U.S. to enact a comprehensive data privacy law. The new law goes into effect July 1, 2023.

The CPA mirrors its California and Virginia counterparts in many ways. The law provides Colorado residents similar rights and protections when it comes to their personal data. These rights include:

  • Right to opt out
  • Right of access
  • Right to correction
  • Right to deletion
  • Right to data portability

That said, the CPA also features a few prominent distinctions that businesses should have on their data governance radar. The following is a brief summary of what businesses should consider.
Continue Reading Rocky Mountain High: Colorado Becomes Third State to Establish its own Data Privacy Law

With the recent shift to a remote or hybrid workplace and advancements in technology, there are increased privacy concerns for employee information as well as employer liability for data breaches. There are important legal concerns for employers to understand about employee privacy issues. In addition, companies must have a plan to safeguard company and employee data and minimize the risk of a data breach.

Join Taft Law on July 28 at 12:00 pm ET for a discussion of the practical
Continue Reading Webinar – Face the Facts: Getting Smart About Employee Privacy and Data Security

The White House issued this memorandum to corporate executives and business leaders this week in which it stresses the need for urgent vigilance in implementing many of the best information security best practices we commonly discuss on our Privacy and Data Security Insights blog.  The memo contains good information that any business of any size should consider and implement as quickly as possible to bolster its defenses to what has been an onslaught of ransomware attacks in the past year.  

Continue Reading White House Memo Stresses Need For Vigilance in Defending Against Ransomware Attacks