A new year means new effective dates for state privacy legislation.  On January 1, 2025, four states witnessed consumer privacy protection laws take effect:  Delaware, Iowa, Nebraska, and New Hampshire. 

These four states join another 16 that have comprehensive data privacy laws in place. Although there are similarities in the approaches of these 20 states, each law carries unique provisions that companies must navigate in building a data governance program. This blog is intended to give a high-level overview of 2025’s newest consumer privacy laws.

Continue Reading New Year Rings in New State Privacy Laws

With Cyber Monday 2024 in the rear-view mirror, we are looking at one of the hot topics in data-privacy and cybersecurity litigation: the Video Privacy Protection Act. 

Recent years have seen an uptick in lawsuits asserting violations of the VPPA by companies that host video content on websites or mobile apps and then share information about the individuals who watched those videos with other businesses. 

While the companies have experienced some success in getting VPPA claims dismissed, the Second Circuit recently reinstated a putative class action asserting VPPA violations against the NBA that may breathe new life into VPPA claims. Salazar v. National Basketball Association, No. 23-1147 (2d Cir. Oct. 15, 2024). But is the worry about VPPA class actions overblown?

Continue Reading Video Privacy Protection Act Claims – Maybe Not a Slam Dunk After All

With the rise in remote work, not to mention better technology, many employers have begun using apps and other services to monitor employees’ activities to track, assess, and evaluate workers. The Consumer Financial Protection Bureau (CFPB) recently issued a Circular stating that employers’ use of the reports generated by those apps and services may be subject to the Fair Credit Reporting Action (FCRA) just like a traditional employee background check.

The FCRA regulates the use of consumer reports for employment and other purposes. A criminal background check of a potential employee that is obtained from a third party is a typical consumer report. To be clear, the FCRA does not prohibit the use of such reports, but rather triggers a series of protections for the employee. And it applies both during the hiring phase and while the employee is working for the employer.

Continue Reading Whatcha Watching? The CFPB’s Recent Guidance on Employer Monitoring

Hard to believe, but 2025 will be here before you know it. And what goes best with a new year? A countdown list!

Last week, I spoke at the Dayton Bar Association’s Corporate Counsel Section on the topic of the Top 10 legal technology issues that in-house counsel should have on its radar for 2025.

Continue Reading Top 10 Technology Issues to Watch for in 2025

Last week, Taft’s Privacy and Data Security team sponsored and presented at Northern Kentucky University’s (NKU) 17th Annual Cybersecurity Symposium. Our presentation centered on (i) new consumer health data laws being enacted at the state level across the country; (ii) the Federal Trade Commission (FTC) Act’s heightened focus on businesses’ use of health information and (iii) the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Although these laws have overlapping data points and serve a similar objective of protecting health data, the obligations placed on entities regulated under each law differ. Therefore, it is crucial for organizations collecting health data to learn about these laws, determine how, if at all, they apply to your organization and comply with the obligations outlined under each applicable law.

Below, we have prepared a summary of some obligations that these laws require of regulated companies.  Please note that the summary below is not intended to be an exhaustive list of obligations imposed under each law.

Continue Reading Health Data and its Many Obligations – An Overview of the Expanding Scope of Health Data Laws in the United States

Three years after the European Commission’s (Commission) adoption of the updated Standard Contractual Clauses (SCCs), new clauses are on the horizon.

The Commission announced a recent initiative in which the SCCs would be open for public consultation beginning the fourth quarter of 2024, with potential updates to the SCCs being adopted by the Commission in the second quarter of 2025 (2025 Clauses). These 2025 Clauses offer the Commission the opportunity to address any gaps left by the current SCCs adopted on June 4, 2021.

Continue Reading Another Update Already? New EU Standard Contractual Clauses on the Horizon to Further Safeguard Cross Border Data Transfers

On Aug. 15, the DoD issued another proposed rule regarding the forthcoming Cybersecurity Maturity Model Certification (CMMC) standard. As part of the release, the DoD proposed some additional verbiage for the DFARS regarding future cybersecurity obligations and offered clarifications of the requirements that it put out last December. The release also set Oct. 15, 2024 as the due date for any comments.

The rule’s highlights were split between the new, or somewhat new, additional verbiage and DoD’s clarifications of the details that it previously released. Below is a discussion of the most significant highlights:

Continue Reading Is It Still CMMC 2.0? DoD Clarifies the Forthcoming Cybersecurity Standard

Earlier this month, the Swiss Federal Council approved the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Beginning September 15, 2024, companies may rely on the Swiss-U.S. DPF as a lawful basis to transfer personal data of Swiss residents to companies in the United States.

Continue Reading Ready for Work: The Swiss Federal Council Approves of the Swiss-U.S. DPF
computer keyboard

On Aug. 2, 2024, Illinois Governor J.B. Pritzker signed SB 2979 into law, bringing significant reform to the state’s Biometric Information Privacy Act (BIPA). The much-anticipated BIPA amendment took effect immediately and will provide welcome relief to businesses.

The amendment allows written releases to be executed by electronic signature and drastically limits the damages an “aggrieved person” accrues in BIPA litigation. By ending the per-scan violation, the amendment directly responds to the Illinois Supreme Court’s ruling in Cothron v. White Castle Systems, Inc.

Continue Reading New Legislation Promises Stronger Privacy Protections and Clearer Guidelines for Businesses

On January 27, 2025, the Federal Communications Commission’s (FCC) new one-to-one consent requirement will go into effect. For background, the FCC published its final rule targeting and eliminating unlawful text messages under the Telephone Consumer Protection Act (TCPA) on January 26, 2024 (the Final Rule). Among other requirements and purposes, this Final Rule sought to close the “lead generator loophole.”

Continue Reading FCC’s 1-to-1 Consent Requirement for Marketing Text Messages