Data Privacy

Subscribe to Data Privacy

On Friday, June 3, 2022, a bipartisan group of lawmakers published a discussion draft for the proposed American Data Privacy and Protection Act (the “ADPPA”).  The ADPPA is a draft bill that has yet to be introduced in the U.S. House or Senate, which means that any provision is subject to amendment.  However, even in draft form, the ADPPA is a notable advance in the efforts for a federal privacy law with sponsorship from both democrats and republicans, as well as members of the U.S. House and Senate.
Continue Reading What is the American Data Privacy and Protection Act?

It was not long ago that data privacy was an afterthought for many companies, and in some regards, it may still be an afterthought. Since 2018, major laws and regulations governing companies’ collection, use, and disclosure of personal information have been enacted, including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) (amended by the California Privacy Rights Act, and soon to be joined by similar state privacy laws in Colorado, Connecticut, Indiana, Virginia, and Utah), Strengthening American Cybersecurity Act, and state data breach notification laws.
Continue Reading The Changing Landscape of Privacy and Data Security in Mergers and Acquisitions

Recently, multiple states have enacted and passed new data privacy laws and bills (Colorado, Virginia, Utah, California Privacy Rights Act, Connecticut, Indiana, and Ohio). Rightfully so, these laws and bills have garnered much of the media attention. However, in the midst of all the new state data privacy laws, new bills regulating “data brokers” have begun to emerge. To no surprise, California is leading the way with its Data Broker Registration Law, which was enacted in 2019.
Continue Reading Am I A Data Broker?: A Quick Primer on State Laws Regulating a Growing Industry

1, 2, 3, 4, 5 … you know how the song goes! Connecticut recently became the fifth state to adopt a comprehensive data privacy law. The new act titled “An Act Concerning Personal Data Privacy and Online Monitoring,”(the “Act”) takes effect July 1, 2023. As we expected, more and more states are continuing to join the ever-growing Privacy Party. Before getting on the privacy dance floor, here is what you need to know about Connecticut’s new privacy law.
Continue Reading Mambo No. 5: Connecticut Becomes the Fifth State to Join the Privacy Party

The Colorado Privacy Act (“CPA”) takes effect July 1, 2023, and will provide express consumer rights, as well as controller and processor obligations, relating to personally identifiable information of Colorado consumers. This month, the Office of the Colorado Attorney General (the “Office”) outlined the pre-rulemaking considerations for the CPA (“Pre-Rulemaking Considerations”), in an effort to educate regulated entities on the trajectory of this new law, and how such entities may address the upcoming requirements. The Pre-Rulemaking Considerations were also forecasted in Colorado AG Phil Weiser’s address to the International Association of Privacy Professionals 2022 Global Privacy Summit.
Continue Reading Colorado AG Explains Rocky Mountain Way for Data Privacy Law

I recently got back from the IAPP Global Privacy Summit (the “Summit”), the world’s largest meeting of privacy professionals from around the world.  The Summit always serves as a great opportunity to network and learn from colleagues, thought leaders, and regulators working in this important area of business, technology, and law.  With that in mind, I want to share some reflections and themes from this year’s Summit.
Continue Reading 2022 Global Privacy Summit: Reflections and Take-Aways

The CCPA has been up and running for a couple of years now, with changes coming in 2023 with the amendments from the Consumer Privacy Rights Act (CPRA).  While a federal law is always being teased and
other states coming online in 2023, California remains the state privacy law by which to assess and manage compliance when processing personal data.

So, as you might imagine, loads of questions and anxiety over the country’s most comprehensive state privacy regulation continue to keep us busy.  This prompted us to provide a simple 3-step process to determine if the law applies to your business (now, in 2023, or beyond), what you need to do to meet the law’s requirements, and how to begin considering a national approach to data privacy governance.  While no summary can capture every aspect of developing a compliance plan, we hope the following resources are helpful in getting your arms around managing privacy and meeting the (applicable) requirements of the California laws.
Continue Reading Breaking Down the California Consumer Privacy Act (CCPA)

Whether you are an attorney advising clients, a medical professional treating patients via telemedicine, or anyone else working remotely, your second workplace or office might be providing more than just convenience. If you have a smart home device, such as one of the many varieties now available from companies like Google (Home/Nest), Amazon (Alexa), Microsoft (Cortana), or Apple (Siri), your remote work discussions (and conversations in general) may be less private than you realize. While convenient and sometimes helpful, these devices might be creating a record of more than your favorite songs and compromising your patient’s, client’s, or company’s confidential information.
Continue Reading Smart Devices: Convenient, Helpful, Fun. Oh Yeah, and Possibly Breaching Confidentiality.

Taft’s Privacy and Data Security Practice is pleased to
announce our mobile application is now live and available for download.  As we shared on International Privacy Day, (I am sure we are all still recovering from that celebration), we wanted to make available an easy-to-use app for you to quickly:

  • Stay up-to-date on data security and privacy news, developments, and events.
  • Get daily tips on privacy and security compliance and best practices.
  • Access content from Taft’s Privacy and Data Security


Continue Reading Now Available: Taft’s Privacy and Data Security Mobile App!

This week, the new rules for personal data transfers to countries outside the United Kingdom (“UK”) went into effect. As of March 21, 2022, businesses transferring personal data from the UK to countries outside the European Economic Area (“EEA”) need to analyze their data flows and update their agreements involving data transfer practices to reflect the UK Data Protection Authority’s (“ICO”) new standard contractual clauses.

Under both the European Union’s General Data Protection Regulation (“GDPR”) and the UK Data Protection Act 2018, businesses are required to implement certain safeguards when transferring personal data outside the UK to countries “without an adequate level of data protection.” Standard contractual clauses (“SCCs”) are largely used to validate these types of transfers in the European Union as permitted under GDPR. However, following the “Brexit” transition period that concluded on December 31, 2020, GDPR no longer applied to the UK. Further, when the European Union revised SCCs in June 2021, the changes did not apply in the UK, and companies were left with confusion on how to effectuate personal data transfers outside the UK.
Continue Reading New Personal Data Transfers out of the UK: Like the GDPR, but Different