Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at around 1,200 words, we’re reporting on Florida considering a data privacy bill, Virginia's governor planning to sign that state's answer to CCPA, Zuckerberg calling on Facebook employees to "inflict pain" on Apple, an EU consumer group filing a privacy complaint against TikTok, and more.

🗣And this morning at 10am PT/1pm ET, hear how Signal and Zoom have built E2EE into their platforms at our first privacy engineering meetup of 2021. Register here. 

—The Transcend team

Florida joins a growing list of states considering or enacting data privacy protection legislation, with Gov. Ron DeSantis (R) backing legislation to boost the state's data privacy protections. The Consumer Data Privacy bill, sponsored by state Rep. Fiona McFarland (R), would, among other things, enable consumers to request their personal data be deleted or corrected by companies. 

The proposed legislation would also: 

  • Require companies to publish a data privacy policy;
  • Give consumers the right to know what data a company has collected about them;
  • Require firms to allow consumers to “opt-out” of the sale of personal data to third parties;
  • Prohibit discrimination based on opting out;
  • Limit a company's use and retention of personal data;
  • Allow a limited private cause of action;
  • Give the Attorney General power to enforce the law;
  • Limit the new consumer data privacy requirements to larger companies.


Virginia Gov. Ralph Northam (D) is expected to sign the state's Consumer Data Protection Act, which has passed both houses of the state legislature, into law by April. Effective from Jan. 1, 2023, the law, similar to the California Consumer Privacy Act, would apply to businesses that control or process data for at least 100,000 Virginia residents or businesses that derive at least 50% of revenues from the sale and processing of consumer data of at least 25,000 customers. 


  • The bill would exempt healthcare data, which is covered by the federal Health Insurance Portability and Accountability Act, and data collected to assess creditworthiness. 
  • The state House of Delegates and Senate are currently working out minor clarifying amendments to their versions of the legislation.
  • The International Association of Privacy Professionals has put together a useful graphic showing the status of various state data privacy initiatives.
  • This article from JD Supra includes a handy comparison graphic for how the Virginia law would compare to CPRA and GDPR.


Facebook CEO Mark Zuckerberg has told employees that the company needs to "inflict pain" on Apple for tightening privacy restrictions, sources told the Wall Street Journal. Apple is rolling out a new iPhone privacy tool that is expected to limit Facebook's ability to collect data.


  • Apple's new tool in iOS 14 will ask iPhone users to opt into sharing personal data for ad tracking.
  • Facebook responded by launching an in-app prompt that asks iPhone users for permission to collect their data for ads.
  • Apple has also begun requiring app developers to include a privacy label describing their privacy policies, with mixed results.


Privacy eng. insights from Signal, Zoom, and more:  Join our first Privacy_Infra() meetup of 2021 this morning from 10am Pacific, with tech talks from Signal Messenger's VP of Engineering, Zoom, and UC Berkeley. 

Register now

The European Consumer Organization (BEUC), which represents dozens of European privacy advocate groups, has filed a complaint against TikTok with the European Commission, charging the Chinese firm with misleading consumers about its data collection policies. BEUC alleged that TikTok's lack of transparency about its data collection and privacy policies violates the EU's General Data Protection Regulation.

More from BEUC:

  • BEUC also alleged that TikTok fails to protect children and teenagers from hidden advertising and harmful content.
  • The group's director-general, Monique Goyens, commented: “Children love TikTok but the company fails to keep them protected. We do not want our youngest ones to be exposed to pervasive hidden advertising and unknowingly turned into billboards when they are just trying to have fun."
  • BEUC noted that consumer protection groups in 15 EU countries are urging their national authorities to investigate TikTok's conduct.


The Peeping Tom theory might be an easy way to understand privacy, but it doesn't capture the nature of data privacy in the 21st century, argues Gilad Edelman in a recent Wired article. Much of the collected data is aggregated, fed into algorithms, and used to target advertisements based on behavior, Edelman observes.


  • Tech analyst Ben Thompson observes: "The entire reason their businesses are possible is precisely because they don’t know who I am, and have no need to. And yet they can sell me exactly what I want just the same.” 
  • At the same time, research indicates that this microtargeting is not that effective.
  • The purchase of personal data by the government raises other concerns about individual rights, Edelman notes.



Mexican lawmakers want telecom companies to collect cell phone users' biometric data as part of an effort to fight kidnapping and extortion, but critics worry this could lead to privacy violations. Under the proposal, wireless carriers would collect biometric data in a registry, which would be managed by the country's telecom regulator. 


  • The proposal, contained in legislation, has passed the lower house of the Mexican Congress and is expected to be considered by the Senate in this session.
  • Privacy advocates and telecom companies are warning that such a registry, if breached, would pose a significant privacy threat.
  • A total of 1,323 cases of kidnapping were registered in 2019, up from 1,185 cases reported a year earlier, according to Statista.


Technology being developed to read and alter brain activity could pose privacy risks, warn ethicists, scientists, and Science News readers. According to a survey of readers, privacy was the most worrying aspect of neurotechnology being developed by Elon Musk's Neuralink and other companies, beating out fairness and autonomy by a wide margin. 


  • Neuralink unveiled last year a pig called Gertrude that had a computer chip in its brain that served as a brain-to-machine interface.
  • Rafael Yuste, a neurobiologist at Columbia University, told Science News that scientists are getting close to being able to pull private information from people's brains, such as what someone is looking at or hearing. 
  • Yuste thinks that even subconscious thoughts might be discoverable using technology: "That is the ultimate privacy fear, because what else is left?" he asked.


  • Senate and House lawmakers have introduced the Promoting Digital Privacy Technologies Act, a bill to support research into privacy-enhancing technologies.
  • Apple is warning that a North Dakota bill that would ban app stores from requiring developers to exclusively use their app store and payment system could put iPhone user privacy and security at risk.
  • The Federal Aviation Administration's new regulations requiring drones to broadcast their unique ID numbers is a win for privacy, argues the American Civil Liberties Union.
  • The Los Angeles Police Department requested Ring camera video of the Black Lives Matter protests last summer, according to LAPD emails obtained by the Electronic Frontier Foundation.
  • Facebook has blocked news content from feeds in Australia, in response to a proposed law which would make tech giants pay for news content on their platforms.

An easier way to understand California’s new Privacy Rights Act (CPRA): We’ve launched an online site, where you can search, share, and see amendments to the CPRA, California’s new law amending the California Consumer Privacy Act.

Check it out

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.