Welcome to this week’s Privacy XFN! Coming in at around 1,200 words, we’re reporting on Facebook's new privacy prompt plans, the privacy impact of the EU's copyright directive, privacy bills that Virginia and Oklahoma are considering, an investigation into Apple's privacy labels, and more. 

One more thing—we've just opened registration for our first Privacy_Infra() event of 2021 on February 18, and we're thrilled to have privacy engineering talks from Signal and Zoom, with more to be announced! Register here.

—The Transcend team

In response to Apple's privacy changes, Facebook is launching an in-app prompt for iPhone and iPad users that asks them for permission to use their data for personalized advertising. The prompt will be rolled out along with Apple's privacy update to iOS 14, which will inform users about tracking and ask them if they want to permit it.


  • Advertising industry experts cautioned that Apple's new privacy changes will make it harder for Facebook and other companies to gather user data.
  • Facebook CEO Mark Zuckerberg warned last week that Apple's privacy changes will hurt millions of businesses around the globe.
  • Apple CEO Tim Cook responded, in a veiled reference to Facebook: "If a business is built on misleading users, on data exploitation, on choices that are no choices at all, it does not deserve our praise—it deserves reform."



The EU's Copyright in the Digital Single Market Directive, which must be implemented by member states by June of this year, could have a negative effect on privacy and free expression, according to researchers at the Brookings Institution. The directive requires online content-sharing service providers to identify and remove copyrighted content. To avoid running afoul of the directive, companies are likely to be more aggressive in enforcement, which could create greater obstacles to users posting and accessing online content.

More from EFF:

  • In comments on the directive, the Electronic Frontier Foundation (EFF) argued that governments should implement the directive in a way that preserves users' privacy and free expression rights.
  • The EFF cautioned that implementation should not result in governments imposing general monitoring obligations on companies.
  • The foundation also noted that the use of automated systems for catching and blocking copyright infringement should be restricted because their use would violate the General Data Protection Regulation.



A report from the Utah State Auditor is recommending measures to improve data privacy following the disclosure that Utah-based Banjo collected social media, facial recognition, and government data for a massive law enforcement monitoring system. The report concluded that data should be filtered, restricted, and anonymized within the government's system before being transferred to a vendor. 


  • The report was prepared by the Commission on Protecting Privacy and Preventing Discrimination, which was set up to look into the Banjo controversy.
  • The state halted funding for Banjo, whose former CEO had past ties to the Ku Klux Klan.
  • House Majority Leader Francis Gibson (R) has introduced a bill (HB 243) to limit government data collection and to establish a state privacy officer.

FOX 13

New year, new integrations: True privacy request automation is only possible with API-based integrations to the vendors where personal data is stored. Read more on the latest participating partner integrations that Transcend has added.


The state legislatures of Virginia and Oklahoma have joined lawmakers in Washington, New York, and Minnesota in considering data privacy legislation. In Virginia, Senate Bill 1392 contains provisions similar to the California Consumer Privacy Act (CCPA). In Oklahoma, House Bill 1130 is more limited in scope than CCPA and would only require firms to post privacy policies regarding their data collection and privacy practices.


  • Virginia Senate Bill 1392 passed the Senate Committee on General Laws and Technology last month.
  • A companion bill, HB 2307, has passed the Virginia House of Delegates by a vote of 89 to 9.
  • Oklahoma House Bill 1130, should it pass the legislature, would be enforced by the Oklahoma Attorney General beginning Nov. 1, 2021.


Geoffrey Fowler, a technology columnist with the Washington Post, recently reviewed app privacy labels on Apple's App Store and found many were either misleading or inaccurate. In one case, Fowler downloaded an app called the Satisfying Slime Simulator that received the highest-level privacy label, but the app covertly sent his personal data to Facebook, Google, and other companies. 


  • In December, Apple began requiring app developers to explain what data they collect and with whom they share the data.
  • Fowler criticized Apple for leaving it up to the app developers to be truthful about their privacy practices.
  • Apple responded that it conducts routine and ongoing audits of the information provided by the app developers and it works with developers to correct inaccuracies.


Senate and House Democrats have introduced legislation, the Public Health Emergency Privacy Act, that would boost privacy protections for COVID-19 technology, such as contact tracing apps, home testing apps, and vaccine scheduling apps. Many of these tools are not covered by the Health Insurance Portability and Accountability Act (HIPAA) because HIPAA only applies to healthcare organizations and business associates. 


  • The sponsors of the legislation include Sens. Mark Warner (D-Va.) and Richard Blumenthal (D-Conn.) and Reps. Anna Eshoo (D-Calif.), Jan Schakowsky (D-Ill.), and Suzan DelBene (D-Wash.).
  • Among other provisions, the bill would require data security and data integrity protection for COVID-19 apps, including data minimization and accuracy, and mandate deletion by tech firms after the public health emergency.
  • The Health and Human Services Department's Office of Civil Rights recently lifted HIPAA penalties for use of COVID-19 vaccine scheduling apps. 


U.S. intelligence agents are warning that China is attempting to collect health data, including DNA, on U.S. citizens. This effort has raised alarm across U.S. agencies, political parties, and the White House. 


  • In an interview with CBS's 60 Minutes, Bill Evanina, a former top U.S. counterintelligence official, related that BGI, a Chinese company with suspected links to the Chinese government, had proposed to Washington state to set up a major coronavirus testing site. 
  • Evanina said that U.S. intelligence officials were concerned that BGI would collect COVID-19 test data on Americans and turn it over to the Chinese government.
  • Edward You, FBI supervisory special agent, told 60 Minutes that China is likely interested in U.S. medical data so it can be a leader in developing precision medicine.
  • China has already stolen personal data on 80% of Americans, according to Evanina.


  • A consumer has filed a lawsuit against fertility tracking app Flo Health for disclosing private health data to third parties. (As we previously reported, the Federal Trade Commission reached a settlement with Flo Health in which the company agreed to obtain user consent before sharing data.)
  • A Philadelphia health official resigned in response to concerns that one of the city's COVID-19 vaccine vendors revised its data privacy policy, allowing it to sell data to third parties.
  • Guy Babcock's reputation was destroyed by a disgruntled former employee who posted false and outrageous claims about Babcock and his family, the New York Times reported.

An easier way to understand California’s Privacy Rights Act (CPRA): We’ve launched an online site, where you can search, share, and see amendments to the CPRA, California’s new law amending the California Consumer Privacy Act.


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.