Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at around 1,200 words, we’re tracking a hefty fine for Twitter over a data privacy breach, the FTC asking social media firms to provide data collection details, and Apple rolling out data privacy labels for apps. Enjoy!

—The Transcend team

Ireland's data protection agency has fined Twitter $547K for exposing private user tweets to the public. The breach resulted from a bug in Twitter's "Protect my tweets" tool that affected Android phone users. The fine was issued for Twitter's inadequate notification and documentation.


  • This marks the Irish regulator's first fine on a multinational tech firm for violating the EU's General Data Protection Regulation (GDPR).
  • The data protection agencies from Austria, Germany, Italy, and Hungary objected that the fine was too low and would not dissuade companies from future GDPR violations.
  • In response to the criticism, the Irish Data Protection Commissioner asserted that the fine was "effective, proportionate, and dissuasive."


The Federal Trade Commission (FTC) is requiring nine social media and video streaming sites and apps to provide details about how they collect and use consumers' personal information. The companies must also provide data on advertising, user engagement practices, and practices related to children and teens.


  • The companies are Facebook, Twitter, Amazon, YouTube, Discord, Reddit, Snap, WhatsApp, and ByteDance, owner of TikTok.
  • In particular, the FTC wants to know whether the companies apply algorithms or data analytics to personal information.
  • Three of the commissioners issued a statement accompanying the order in which they warned: "Never before has there been an industry capable of surveilling and monetizing so much of our personal lives." 
  • The companies have 45 days to respond to the FTC. 



Apple is rolling out new data privacy labels for apps on the Apple App Store. The labels describe the privacy practices of the app so users can see them before they download the app.


  • Developers and their third-party partners are required to provide information on the types of data their apps collect and whether that data is used to track users.
  • Apple is exempting certain data from health research apps and regulated financial services apps from the label requirement.
  • Developers will be able to explain their reasons for their data collection, but users will have to click through two sets of links to see those reasons.


An easier way to understand California’s new Privacy Rights Act (CPRA):

We’ve launched an online site, where you can search, share, and see amendments to the CPRA, California’s new law amending the California Consumer Privacy Act.


Facebook intends to have its U.K. users sign user agreements with its headquarters in California next year, moving them out of reach of the European Union's data privacy laws. Currently, U.K. users have agreements with Facebook's Irish unit, which is covered by the General Data Protection Regulation (GDPR).


  • The U.K. users will still be subject to U.K. privacy law, which for now corresponds with the GDPR.
  • The British government is currently negotiating its final exit deal with the European Union.
  • Google plans a similar move to shift U.K. users to U.S. user agreements.


Given the wave of new privacy laws and a shift in consumer expectations, privacy can no longer be treated as a bolt-on feature for business, argues Mike Farrell, Transcend's chief technology officer. Farrell lays out six engineering principles that CPOs can employ to enable their firms to keep up with these laws and expectations. Here are two of them:

  1. Employ a clean technical framework that scales
  2. Improve inconsistent or unreliable services



California has launched a new COVID-19 exposure notification app that could pose privacy and data security risks. The mobile app, CA Notify, is based on the API developed by Google and Apple and in use by 20 other states. The app uses the phone's Bluetooth feature to alert users if they have been in close contact with someone who tested positive for COVID-19.


  • The Electronic Frontier Foundation (EFF) expressed concern that the API has not been subject to third-party audits and penetration testing.
  • At the same time, EFF said the API allows informed, voluntary, opt-in consent and data minimization and enables users to uninstall the app, turn off the functionality, and opt-out.
  • In addition, the API does not track user location, and it keeps all the user’s identifiers on the device. 


There is a global trend toward stricter data privacy regulations and higher penalties for violators. The trend was kicked off by the EU's General Data Protection Regulation (GDPR) in 2018 and led to new data privacy laws in Brazil, Kenya, New Zealand, and the U.S. state of California. Next up appears to be Canada, which recently introduced an overhaul of its data privacy law modeled on GDPR.


  • The Canadian legislation, Bill C-11, would significantly expand the privacy rights of individuals and impose hefty fines for violators. 
  • Brazil's new privacy law, modeled on GDPR, took effect in August of this year. 
  • New Zealand's updated Privacy Act 2020 went into force earlier this month.



  • Next year, some states are likely to follow the New York Shield Act in setting clear regulatory standards for reasonable data protection.
  • Skyflow, a Palo Alto, Calif.-based privacy API startup, has raised $17.5M in a Series A funding round led by Canvas Ventures.
  • The ACLU of Louisiana has obtained emails that show the New Orleans Police Department has been using facial recognition technology despite repeated denials.


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.