Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. This week, we’re covering President Biden selecting privacy advocate Rohit Chopra to head the Consumer Financial Protection Bureau, WhatsApp delaying its privacy update, New York introducing a biometric privacy bill, and Flo's privacy settlement with the FTC.

—The Transcend team

President Joe Biden will nominate Rohit Chopra, a current member of the Federal Trade Commission (FTC), as the next director of the Consumer Financial Protection Bureau (CFPB). Chopra had worked with Sen. Elizabeth Warren (D-Mass.) in setting up the bureau in response to the 2008 financial crash. He then served as a CFPB assistant director and student loan ombudsperson for the bureau.


  • As an FTC commissioner, Chopra urged Congress to significantly expand the commission's authority and resources to protect consumer privacy and security.
  • Chopra's priorities as CFPB head are reportedly to increase enforcement of fair lending laws, crack down on payday lenders, and build up case law on what constitutes an "abusive act or practice."
  • Chopra will need to be confirmed by the Senate, which is split 50/50 along party lines. 


WhatsApp is delaying until May an update to its privacy policy after backlash from users over expanding data sharing with parent company Facebook. WhatsApp's announcement that it would update its privacy policy next month prompted an outcry and rapid shift of users to other platforms such as Signal and Telegram. 


  • In announcing the delay, WhatsApp defended its decision to update its privacy policy, stating that it will give users new options to message businesses and provide greater transparency about how it collects and uses data.
  • India's IT ministry asked WhatsApp to stop its privacy policy update because of its potential impact on Indian citizens' privacy.
  • In response to the initial backlash, WhatsApp explained in a FAQ page that the changes to its privacy policy would not affect the privacy of messages with friends and family but only messages with businesses.




As we covered last week, New York state lawmakers have introduced more than a dozen consumer privacy bills. One of those bills, the Biometric Privacy Act (AB 27), would allow consumers to sue companies for improperly collecting, retaining, or using biometric data—a so-called private right of action. The bill would also require private entities to develop public written policies about their handling, retention, and destruction of biometric data and to get written consent from the person whose data is being collected.


  • The bill would apply to biometric identifiers, such as iris scans or fingerprints, and biometric information used to identify an individual based on those identifiers.
  • An individual could receive up to $1,000 for a negligent violation and up to $5,000 for an intentional or reckless violation of the statute.
  • Currently, Illinois is the only state with a biometric privacy law that includes a private right of action.
  • AB 27 has been referred to the Assembly's Consumer Affairs and Protection Committee.


Privacy Tech Disciplines Guide: Download our latest guide to working with privacy engineering disciplines, including how each technical role contributes to the success of your legal program.


The developer of the Flo fertility-tracking app has reached a settlement with the Federal Trade Commission (FTC) over allegations that it misled users about its data-sharing practices when it shared users' personal health data with Facebook and Google. The settlement requires Flo Health to get users' consent to share health data and to conduct an independent review of its privacy practices.


  • The FTC alleges that Flo Health shared information about users' menstrual cycles, pregnancies, and childbirths with Facebook, Google, AppsFlyer, and Flurry.
  • Flo Health did not limit the use of the data it shared with these third parties, according to the FTC. 
  • In a statement, Flo Health responded that it does not share personal information without user permission.


Many U.S. tech firms have chosen Ireland for their European headquarters, which means that the Irish Data Protection Commissioner is their lead regulator when it comes to enforcement of the EU General Data Protection Regulation (GDPR). However, the Belgian data protection agency has taken regulatory action against Facebook over its use of cookies and other tracking technology impacting Belgian citizens. Facebook has objected to the Belgian action, arguing that the Irish regulator has jurisdiction over the company.


  • The European Court of Justice is currently considering the dispute, and a recent non-binding preliminary ruling sides with Facebook and the Irish regulator.
  • Belgium is being supported in the case by Italy, Poland, and Portugal, while the Irish regulator has the backing of the European Commission, the Czech Republic, and Finland.
  • The controversy could be only the beginning of intra-EU disputes over GDPR implementation, argues Forbes contributor and data privacy lawyer Stewart Room. 


Google continues to drag its feet in updating its iOS apps with privacy information, even after pledging to do so following allegations that it was trying to avoid complying with Apple's new privacy labels, 9to5Mac reported. In response to the allegations, Google said it would update its iOS apps earlier this month. But so far, Google has not updated most of its iOS apps, including Gmail and YouTube, with the new privacy labels.


  • Early last month, Apple began requiring app developers to provide "labels" describing their privacy practices in order to be displayed on the App Store. 
  • In early January, Fast Company noticed that Google had failed to update its iOS apps with the privacy labels, but had updated its Google apps.
  • The only iOS apps Google has updated are Google Authenticator and Google Translate, according to 9to5Mac.

The way in which the new Biden administration, Congress, and the federal judiciary handle rules regarding private companies' access to personal data will have significant consequences for American society, argue Westminster College academics Blaine Ravert and Tobias Gibson. Courts have developed a legal standard known as the third-party doctrine, which determines how much personal data governments can access. The doctrine states that a person does not have a "reasonable expectation of privacy" around personal data provided to third parties, such as phone companies, apps, and internet providers, when it comes to government access. However, there is not a similar doctrine for personal data access by private companies such as Twitter, Facebook, and Google. This is why there is a pressing need for new data privacy rules for the private sector, they conclude. 


  • Collection of metadata by the private sector and use of artificial intelligence will continue to erode privacy rights if nothing is done to limit their impact, Ravert and Gibson argue.
  • Without constitutional protections, the right to privacy would cease to exist, argues Laura Donohue, Georgetown University professor.


Quick Hits:
  • Sony's new lip-reading technology, which uses cameras and AI to read lips at a distance, could raise data privacy concerns.
  • A U.S. federal appeals court has sent a lawsuit against Clearview AI back to state court because it was brought under Illinois' Biometric Information Privacy Act.
  • Bugs found in Facebook Messenger, Google Duo, Signal, Mocha, and JioChat chat apps could enable hackers to spy on users.

An easier way to understand California’s Privacy Rights Act (CPRA): We’ve launched an online site, where you can search, share, and see amendments to the CPRA, California’s new law amending the California Consumer Privacy Act. 


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.