Privacy XFN

Welcome to Privacy XFN, curating the best reads at the intersection of data privacy and tech. This week we’re covering the announcement of who'll be leading California's privacy authority, the FTC contemplating new privacy rules, GDPR fines for violations in Q3, and much more.

—The Transcend team

Former Federal Trade Commission chief technologist Ashkan Soltani will become the California Privacy Protection Agency's (CPPA) new executive director. Soltani will oversee the agency's rulemaking process and enforcement efforts. He is also responsible for constructing the agency's team.


  • The CPPA was established as part of the California Privacy Rights Act (CPRA), which was passed in Nov. 2020.
  • The CPPA cited Soltani as the "architect" of the CPRA and the 2018 California Consumer Privacy Act.
  • California Gov. Gavin Newsom appointed two members of the CPPA's five-person board.
  • The remaining three were selected by the state attorney general, senate rules committee, and speaker of the assembly.


The FTC is looking at multiple initiatives to regulate how businesses manage consumer data. The agency could designate certain data collection practices as "deceptive" or "exclusionary," giving it the authority to crack down on them. The FTC could end "walled garden" advertising to ensure independent ad tech companies can compete with the giants in the space. Independent ad tech companies are more transparent about how they collect user data.


  • The agency has called on Congress to protect health and location data not covered by HIPAA.
  • The FTC could modify rules related to the Children's Online Privacy Protection Act (COPPA), which critics have said are outdated.
  • It wants to allocate additional resources to ensure technology firms are adhering to COPPA.
  • More firepower for the FTC: last month, House Democrats said they wanted to give the agency $1B to create a division dedicated to protecting data privacy.
  • Republicans don't want to give the FTC additional funds until Congress approves new privacy laws.



European regulators issued over $1.14B in fines for GDPR violations in Q3, according to Finbold. This was triple the amount from 2020 and almost 20 times the amount from Q1 and Q2 combined.


  • One possible reason for the high amount is that GDPR investigations can take time, and many of the cases are related to probes that began when the law went into effect in 2018.
  • Luxembourg issued over $867M worth of fines from 11 separate cases, the most of any country.
  • Ireland was second with nearly $262M worth of fines, followed by Italy with over $58M.
  • Tech giants are the biggest violators: Amazon received the largest fine of $867M, followed by WhatsApp ($262M), and Google ($58M).
  • Spain had 296 cases in the first nine months of 2021, the most of any country.


6 unique features of our Consent Manager: You may already know that Transcend’s Consent Manager is designed to move companies beyond cookie banners, but did you know it also enables more precise choices for site owners and their users?

In the past six months, the Interactive Advertising Bureau (IAB) in Europe has notified 10 consent management firms for failing to comply with the ad industry's Transparency and Consent Framework. The framework establishes guidelines firms must follow to manage the flow of data tracking consent in the digital ad supply chain in accordance with GDPR.


  • "One or two" consent management firms were temporarily suspended for not complying with the IAB Europe's user interface guidelines.
  • Privacy advocates have said consent notice banners and pop-ups are insufficient methods to obtain "meaningful consent."
  • Last month, data protection regulators for the G7 said most websites fail to obtain "meaningful consent" and rely on "dark patterns," where users are manipulated into giving consent.


Neiman Marcus revealed 4.6 million customers had their data compromised during a May 2020 breach. Names, credit card numbers, usernames, and passwords were among the information that was accessed.


  • The company said over 85% of the 3.1 million payment and virtual cards that were compromised were either "invalid or expired."
  • Neiman Marcus is working with law enforcement and cybersecurity firm Mandiant to investigate the breach.
  • While the breach occurred last year, Neiman Marcus only became aware in September.
  • Its subsidiaries Bergdorf Goodman and Horchow weren't affected.

The Verge

Certain former OnlyFans employees are still able to access data of both users and models, according to Vice. Multiple former employees told Vice they could still access OnlyFans' customer service software Zendesk, despite no longer working at the company.


  • Employees said that customer service tickets contain sensitive information such as names, bank statements, and credit card numbers.
  • Vice notes that adult entertainment performers are at a greater risk than others due to the negative perception many people have about their profession.
  • Vice adds that OnlyFans' customers could be blackmailed if their personal information is leaked.


The Australian Competition and Consumer Commission (ACCC) published a report calling for new regulations to curb Google's dominance of the digital advertising sector. The report focused on Google's dominance of first-party data and suggested data separation powers and data access requirements as potential remedies.


  • Over 90% of ad impressions in Australia occurred on a Google-owned platform.
  • The ACCC attributed Google's dominance to its unrivaled access to data and the ability to integrate across all of its platforms.
  • U.K. regulators expressed similar concerns in a report published in July 2020.


In other privacy news:
  • Republicans and tax groups have expressed privacy concerns over a plan by the Democrats and President Biden that would force banks to report all inflows and outflows over an undetermined amount to the IRS.
  • Johnny Ryan, a senior fellow at the Irish Council for Civil Liberties, says the country's Data Protection Commission must be reformed after a recent report found the agency hadn't resolved 98% of outstanding GDPR cases.
  • Daniel Barber of TechCrunch called for global data privacy standards and says companies should minimize the amount of user information they collect.
  • An Illinois judge tentatively approved a $92M settlement against TikTok after it was accused of violating the state's Biometric Information Privacy Act.
  • A new privacy law that prohibits "doxxing" was approved by Hong Kong's legislature.

Improved privacy, improved ROI—a case study: When Indiegogo needed a privacy partner who could give their users modern and secure data privacy, they chose Transcend. But that was just the start. Read how, by switching to Transcend, Indiegogo was able to reduce consumer privacy request processing costs by 80%.


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.