Privacy XFN

Welcome to Privacy XFN, curating the best reads at the intersection of data privacy and tech. This week we’re covering how product leaders can educate consumers on their data collection practices. Congressional Democrats send another letter to the FTC, support for a private right of action gains traction, and much more.

—The Transcend team

As consumers become more conscious of data privacy, product leaders should educate them about their firm's data collection practices, says Blane Sims, chief product officer of Tapad, a cross-device advertising company.  A 2020 McKinsey Survey found 87% of respondents wouldn't shop from a company if they were concerned about its security practices. 71% said they'd stop doing business with a company that shared user data without their consent.


  • Sims says brands need to focus on building trust with consumers by obtaining their consent.
  • Brands that prioritize data privacy will see higher opt-in rates.
  • Companies that are transparent about their data collection policies will enjoy strong relationships with their customers, according to Sims.
  • They should implement strong safety measures to demonstrate to consumers that they're committed to protecting user data.

CPO Magazine

Three congressional Democrats sent a letter to the FTC calling on the agency to ensure social media platforms are abiding by child privacy laws. In the letter, lawmakers note that minors now spend an average of nearly five hours online each day.


  • Last week, Facebook whistleblower Frances Haugen told lawmakers the company's products "harm children."
  • Last month, a WSJ report found that 32% of American teenage girls and 14% of teenage boys said Instagram made them feel worse about themselves. 
  • Facebook said it will introduce new safety features that let parents control their kids' accounts and limit their exposure to political or harmful content.
  • Another appeal: Last month, nine Democratic Senators asked the FTC to develop new rules around privacy and data collection.


During a Senate hearing on Sept. 29, former FTC acting chair Maureen Ohlhausen and Morgan Reed, president of the ACT | The App Association, expressed support for a narrow private right of action. A private right of action is when an individual, as opposed to the state, files a lawsuit to enforce rights granted to them under a statute.


  • Former FTC officials Ashkan Soltani and David Vladeck argued that a private right of action would help enforce privacy laws but acknowledged there must be guardrails to ensure businesses aren't overwhelmed with lawsuits.
  • Ohlhausen said a private right of action should enable consumers to recover “actual damages” from severe or multiple violations and Reed added that a “period to cure” can help protect small businesses from being inundated with lawsuits.
  • Vladeck noted that previous laws containing a private right of action only cover nominal damages and attorney’s fees and Soltani listed the size of the data breach, company, and harm to individuals as factors that should be considered when developing guardrails.
  • Sen. Roger Wicker (R-MS), who introduced the SAFE DATA Act in July, said he was open to including a narrow private right of action in a federal privacy law.

Brookings Institution

6 unique features of our Consent Manager: You may already know that Transcend’s Consent Manger is designed to move companies beyond cookie banners, but did you know it also enables more precise choices for site owners and their users?

Read post
The European Parliament voted 377-248 to adopt a non-binding resolution calling for biometric mass surveillance to be outlawed. Members of European Parliament (MEP) want to ban automated facial recognition in public spaces banned unless it's being used to combat major crimes such as terrorism.


  • MEPs want to ban private facial recognition databases and predictive policing based on behavioral data.
  • They also want to eliminate social scoring systems that monitor an individual's behavior to assign them a trustworthiness rating.
  • A quick recap: In April, the European Commission introduced the Artificial Intelligence Act, which would ban social scoring systems and restrict the usage of automated facial recognition in public spaces.


The California Privacy Protection Agency's new executive director Ashkan Soltani could introduce rules cracking down on email-based ad identifiers. Soltani has criticized email-based ad identifiers in the past, calling them "more privacy-invasive" than cookies.


  • Soltani helped develop Global Privacy Control which blocks ad trackers and complies with the California Privacy Rights Act (CPRA).
  • Legal experts say email-based IDs are considered identifiable information under the CPRA and California Consumer Privacy Act, however, it's unclear if they're considered a data sale.
  • Publishers are allowed to share emails and email-based IDs within clean data rooms, but California rules don't specify how publishers can use emails to ensure individuals that have opted out aren't targeted.


California Gov. Gavin Newsom signed two bills that strengthen privacy protections for genetic data. As part of AB 825, genetic data is now considered personal information. Genetic data is defined as data extracted from a biological sample analysis.


  • Businesses that store and process genetic data must implement "reasonable" security measures and are required to report breaches.
  • The Genetic Information Privacy Act will be created as part of SB 41, which means all direct-to-consumer genetic testing companies must be transparent about how they collect and use data.
  • Companies must obtain express consent before collecting data, and it must be deleted within 30 days if requested by a consumer.

National Law Review

  • Outgoing information commissioner Elizabeth Denham warned that new proposals by the U.K. government would threaten the office's independence. 
  • Amazon-owned Twitch said 125GB of data was compromised during a breach last week.
  • President Biden signed a bill that would mandate the Cybersecurity and Infrastructure Security Agency to evaluate the cyber risks posed to schools and develop tools that enable schools to protect themselves.
  • China's Ministry of Industry and Information Technology will introduce new rules designed to regulate how domestic vehicles can export data abroad.

Improved privacy, improved ROI—a case study: When Indiegogo needed a privacy partner who could give their users a modern and secure data privacy, they chose Transcend. But that was just the start. Read how by switching to Transcend, Indiegogo was able to reduce consumer privacy request processing costs by 80%.

Learn more

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.