Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at around 1,300 words, we’re covering Virginia joining California in passing modern privacy legislation, the FTC's acting head backing a federal privacy law, a judge approving a $650M Facebook privacy settlement, privacy movements in Utah and Minnesota, and more.

And happy National Consumer Protection Week!

—The Transcend team

Virginia Gov. Ralph Northam (D) signed into law this week the Consumer Data Protection Act (CDPA). Among other provisions of the law, consumers have the right to opt out of having their personal data processed for targeted advertising and to confirm if their data is being processed. The law takes effect in January 2023.

More on CDPA:

  • The law applies to companies that control or process personal data of at least 100,000 Virginia residents or companies that control or process the data of at least 25,000 residents and make 50% or more of their gross revenue from selling personal data.
  • CDPA exempts companies that are subject to federal data privacy regulations, such as HIPAA and GLBA.
  • Companies can be fined up to $7,500 per violation of CDPA. 
  • The law gives consumers the right to access, correct, delete, and get a copy of their personal data.
  • Companies will be required to disclose information about their personal data processing activities, what rights consumers have under the law, and how consumers can exercise those rights. 


Rebecca Kelly Slaughter, acting Federal Trade Commission (FTC) chairwoman, told the recent Future of Privacy Forum that she supports a federal privacy law. Slaughter said she also favors stronger FTC remedies in privacy and security cases, such as "meaningful disgorgement" and "effective consumer notice."


  • Under the disgorgement remedy, if companies collect and/or use consumer data unlawfully, the FTC would demand disgorgement of the data and any benefits from that data.
  • In terms of effective consumer notice, companies would be required to provide notice to consumers about their privacy and security practices and be penalized if they fail to live up to that notice.
  • The White House issued a proclamation this week pledging to make data privacy a priority and to pursue fraudsters trying to take advantage of COVID-19 and the economic hardship that has resulted.


A federal judge has approved a $650M settlement under which Facebook has to pay 1.6 million users in Illinois up to $345 each for violating the Illinois Biometric Information Privacy Act. The class-action lawsuit asserted that the Facebook Tag Suggestions feature, which used biometrics to suggest people in image tagging, created face templates without users' permission. 


  • The $650M is $100M more than Facebook had proposed in January 2020.
  • Facebook said in a statement that it is "pleased to have reached a settlement so we can move past this matter."
  • Last week, ByteDance, the China-based parent of TikTok, agreed to pay $92M to settle a class-action lawsuit brought under the Illinois law.



The Utah House has passed a bill (HB 243) that would create two privacy officer positions inside the Utah government and a commission to develop best privacy practices for technology use and data collection by the government. Under the bill, lawmakers would appoint cybersecurity, technology, law enforcement, and legal experts to the 12-person privacy commission.


  • The bill's sponsor, House Majority Leader Francis Gibson, said it is an attempt "to rein in what many believe are abuses of our private and personal data."
  • The bill comes in response to a controversy in which state contracts were awarded to Banjo to provide surveillance technology to law enforcement; the company founder was allegedly a member of a white supremacist group and involved in a synagogue shooting.
  • HB 243, which was approved unanimously by the House, now moves to the Senate for consideration.


Minnesota lawmakers are considering a data privacy bill (HF 1492) modeled on a similar bill proposed in the state of Washington. The Minnesota Consumer Data Privacy Act (MCDPA) would apply to companies that process personal data of at least 100,000 state residents or generate more than 25% of their gross revenue from the sale of personal data and process data of at least 25,000 residents.

More on MCDPA:

  • The bill grants consumers the right to verify, correct, delete, access, and opt out of processing their data.
  • MCDPA provides for fines of up to $7,500 for each violation of the law.
  • The bill doesn't currently include a private right of action for victims, but that could be added as the bill makes its way through the legislative process.


Facebook's WhatsApp plans to limit the features users can access if they do not accept changes to its privacy policies by May 15, according to an email WhatsApp sent to one of its merchant partners and obtained by TechCrunch. If WhatsApp users don't accept the changes, which involve expanded data sharing with parent Facebook, they will not be able to read or send messages from the app.


  • Users who do not accept the changes will be able to receive calls and notifications for a "short time," after which they will be considered inactive users subject to account deletion after 120 days. 
  • As we previously reported, WhatsApp delayed its privacy policy changes, which were set to take effect Feb. 8, after receiving backlash from users.
  • In a FAQ page, WhatsApp explained that the changes to its privacy policy would not affect the privacy of messages with friends and family but only messages with businesses.


Signal has seen an explosion in users of its encrypted messaging platform in response to WhatsApp's proposed privacy changes and a tweet from Elon Musk urging readers to "Use Signal." That was one observation of Jim O'Leary, Signal's VP of engineering, who spoke at Transcend's recent privacy_infra() event.


  • O'Leary also attributed Signal's success to the privacy-respecting nature of its service; only a phone number is needed.
  • Signal uses the end-to-end encryption messaging standard known as the double ratchet algorithm.
  • O'Leary advised privacy engineers to "be the voice" for private and secure technology within their organization.


In other news:
  • A bipartisan group of U.S. lawmakers has introduced a bill (S 4981) to promote the use of privacy-enhancing technologies.
  • Mental health apps do not have adequate protection for sensitive health data and some share that data with third parties, including Facebook, according to Consumer Reports.
  • Indian digital rights advocates are warning that facial recognition technologies in at least a dozen government-funded schools in Delhi are an invasion of children's privacy.
  • Privacy engineering is an emerging discipline that focuses on building privacy principles into product development, according to Michelle Finneran-Dennedy, CEO and co-founder of Zen Data Privacy. 
  • In response to data security and privacy concerns, Microsoft is adding end-to-end encryption support for its Teams collaboration platform later this year. 


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.