Over the last few years, there has been an increased focus on the collection of children’s personal information in the United States. For example, many states have begun passing laws that significantly increase regulation for businesses collecting personal information from children, see our previous discussion on California’s Age-Appropriate Design Code Act. Additionally, at the federal level, the Federal Trade Commission (FTC) has increased its focus on the Children’s Online Privacy Protection Act (COPPA), specifically in the educational context.Continue Reading Children’s Online Privacy Protection Act Update! FTC Enforcement and New Parental Consent Proposal

On June 30, 2023, California Superior Court Judge James P. Arguelles held that the California Privacy Protection Agency (the “Agency”) cannot enforce any violation for the Agency’s regulations issued on March 29, 2023, under the California Consumer Privacy Act (CCPA), as amended by the California Consumer Privacy Rights Act (CPRA) until March 29, 2024. This holding stems from a petition brought by the California Chamber of Commerce (the “Chamber”) against the Agency, arguing that based on a plain reading of the CPRA’s language, enforcement cannot begin until one year following issuance of the Agency’s regulations.

Although enforcement of the Agency’s regulations are delayed, the text of the CCPA, as well as regulations enacted prior to March 29, 2023, remain in effect and enforceable. The enforcement stay solely bars the Agency from enforcing its own issued regulations under the CPRA for one year after a particular regulation is finalized.Continue Reading Not So Fast: California Superior Court Delays Enforcement of Certain CPRA Regulations

On May 19, 2023, Montana Governor Greg Gianforte signed the Montana Consumer Data Privacy Act (the “MTCDPA”) into law, becoming the ninth state to enact a comprehensive consumer privacy act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Utah, and Virginia with legislation that protects their residents’ personal data.

The MTCDPA will go into effect on October 1, 2024. In preparation for MCTDPA to be signed into law, companies doing business in Montana should start thinking of ways to incorporate the law’s requirements into their existing privacy policies and procedures.Continue Reading Montana Enacts Privacy Law

On May 3, 2023, Utah’s Online Pornography Viewing Age Requirements Act (the “Act”) went into effect. The Act states that website operators must require internet users to prove they are eighteen years of age or older through a “digitized identification card” or third-party age-verification service when accessing websites containing “pornography or other materials harmful to minors.” In other words, to access adult websites in Utah, users must either upload their driver’s license (or other state-issued identification) or subject themselves to third-party age verification through tools such as biometric scanning. Simply clicking “I am 18 or older” is no longer sufficient with this legislation; an individual must now give personally identifiable information, including in some cases, a biometric face scan.Continue Reading Porn, Privacy & Protecting Kids:  States Seek to Balance Individual Rights and Business Interests in New Online Age Verification Laws

As we previously covered in February, there has been an increase in lawsuits, including class actions, filed against website operators in various states (including California, Florida, Indiana, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (VPPA). Since then, there have been some updates to such pending litigation. For purposes of this post, the pending litigation can be broken out into three categories: (1) Chat window wiretapping claims; (2) Session replay technology claims; and (3) claims under the VPPA.Continue Reading UPDATE: Litigation Related to Website Technology & Data Sharing

This month, Indiana passed its own privacy bill, Senate Bill 5 (“SB 5”) for consumer data protection. SB 5 is now awaiting signature from Indiana Governor Eric Holcomb. Once signed into law, Indiana will be the seventh state in the nation to enact a comprehensive privacy law. With a later effective date of January 1, 2026, SB 5 maintains the status-quo and largely follows the six other states with privacy laws (California, Colorado, Connecticut, Iowa, Utah, and Virginia). Following is a high level overview of the key provisions of SB 5.Continue Reading Up Next, the Crossroads of America: Indiana Positioned as 7th State to Join Privacy Party

Recently, the California Office of Administrative Law approved the California Privacy Protection Agency’s (CPPA) long-awaited final regulations (“Regulations”). While there are many rules businesses need to ensure they comply with, this article focuses on the CPPA’s enforcement action and the role the Agency will play in interacting with companies moving forward.Continue Reading CPPA Final Regulations Are Here

Since China’s Personal Information Protection Law (PIPL) took effect in 2021, companies doing business in mainland China have questioned what is required of them when transferring personal information in and out of the country. Taft pondered this very question in our earlier blog post, ‘Data Transfers and Beyond: China Moves Closer to Finalizing Draft Provisions Permitting the Transfer of Personal Data Abroad.’ Last month, the Cyberspace Administration of China (CAC) provided its long-awaited answer, by issuing its final version of the measures of the standard contact for cross-border transfer of personal information (Final Measures), along with a standard contractual clauses equivalent (PIPL SCCs). Similar to the EU SCCs or UK international data transfer agreement (IDTA), the PIPL SCCs allow companies to freely import and export data from China. Here is what companies should know about this new Chinese transfer mechanism:Continue Reading The Wait is Over: Cyberspace Administration of China Releases Model Contract for Data Transfers

A few months ago we wrote about the proposed draft rules for the Colorado Privacy Act (CPA) (“draft rules”). Since then, the Colorado Attorney General’s Office has published two updated versions of the draft rules. The third and latest version of the proposed draft CPA rules was published on January 27, 2023 and the comment period for this version ended on February 3, 2023. Below is a brief high-level overview of some of the key changes made in the past two revisions of the draft rules.Continue Reading Colorado Privacy Act Update: Colorado AG Issues Updated Draft Rules

Over the past year, there has been a growing number of lawsuits, including class actions, filed against website operators in various states (including California, Florida, Illinois, and Pennsylvania) for violations of state wiretapping laws or the Video Privacy Protection Act of 1988 (“VPPA”).Continue Reading Heads Up!  Increasing Litigation Related to Website Technology & Data Sharing