Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at just under 1,200 words, we’re covering California's new rules to end dark patterns, companies challenging GDPR fines, a secret web surveillance tool being tested in the U.K., and more.

🗓And an invite to share: We're thrilled to have 1Password's Privacy Officer and engineer Pilar Garcia alongside Transcend co-founder Ben Brook, for a special session for non-technical privacy teams next Thursday 3/25, to break down core privacy engineering and technical concepts. Save your spot here.

—The Transcend team

California has approved new rules under the California Consumer Privacy Act (CCPA) that will prohibit the use of "dark patterns"—ploys used by websites and apps to frustrate users trying to exercise their privacy rights. These dark patterns use confusing language or unnecessary steps, such as forcing consumers to click through multiple screens or listen to reasons why they shouldn't opt out of data collection, Attorney General (AG) Xavier Becerra announced this week.

More from the AG:

  • Companies have the option to use a blue Privacy Options icon, developed by Carnegie Mellon University and the University of Michigan, that guides consumers to where they can opt out of having their personal data collected and sold.
  • The initial regulations implementing the CCPA went into effect on Aug. 14, 2020, but some rules were withdrawn to clarify required processes for businesses; the state's Office of Administrative Law approved the changes this month.
  • “These protections ensure that consumers will not be confused or misled when seeking to exercise their data privacy rights," Becerra said.


Companies are successfully challenging hefty fines issued by regulators for violations of the EU's General Data Protection Regulation (GDPR). Several European courts have struck down or reduced larger fines, prompting companies to be more aggressive in challenging regulators' rulings, according to privacy lawyers and regulators interviewed by the Wall Street Journal.


  • A German court recently vacated a $17.2M fine against Deutsche Wohnen, arguing that the company could not be held responsible for violating GDPR unless fault could be attached to a specific individual or executive.
  • Vodafone Spain was recently fined €8.15M ($9.71M) for 191 data processing and consent practice violations over a two-year period. 
  • Ticketmaster, Marriott, and British Airways were all fined for GDPR violations that occurred during the U.K. lockdown in response to the COVID-19 pandemic.


The U.K. government has begun secretly testing a powerful web surveillance tool that can log and store the browsing activity of U.K. citizens. The tests are being run by the Home Office, the National Crime Agency, and two unnamed internet service providers.


  • The testing is being carried out under the Investigatory Powers Act 2016, which provides a framework for the use of investigatory powers by law enforcement and intelligence agencies.
  • Among other things, the law provides for the retention of internet connection records (ICRs) that detail what individuals do online.
  • Civil liberties groups warn that there is little transparency about the surveillance tool and the law's implementation.


Invite—your privacy tech stack, decoded: From erasure vs. pseudonymization, to different encryption levels, and more—we're hosting an interactive session for non-technical privacy folks to debunk key engineering concepts next Thursday 3/25, with 1Password's Privacy Officer Pilar Garcia and our own Ben Brook. Bring your questions! 


The nonprofit Uniform Law Commission (ULC) is developing a uniform state privacy law intended as a template for states to avoid the compliance nightmare of many conflicting state privacy laws. The Collection and Use of Personally Identifiable Data (CUPID) Act would narrow the data subject rights and data controller responsibilities as compared to the EU's General Data Protection Regulation and California Consumer Privacy Act.


  • The Uniform Law Commission was established in 1892 to provide states with non-partisan legislation in areas of the law where uniformity would be beneficial.
  • A uniform state model offers an alternative to a federal privacy law in providing a unified legal framework in the area of privacy.
  • The ULC has succeeded in convincing all states to adopt its Uniform Commercial Code.
  • The CUPID Act is currently in draft form and is expected to be ready in the summer of 2021.


The latest beta of the iOS operating system includes a feature that warns users about clandestine surveillance. The feature detects the presence of AirTags and warns users if the AirTags are being abused for stalking or other nefarious activities. 


  • Apple's AirTags is a Bluetooth tracking device intended to be attached to computers, phones, keys, wallets, and other objects so they can be located using the Find My app.
  • However, domestic abuse advocates are concerned that the AirTags could be exploited by abusive domestic partners.
  • Benjamin Mayo, an iOS developer, tweeted that the iOS beta includes Item Safety, which notifies users about any unauthorized use of AirTags.


A group of 15 attorneys general (AGs) has updated a Texas antitrust complaint against Google to include Chrome's recent privacy changes, which the plaintiffs argue could have an anticompetitive impact. The suit alleges that Google’s Privacy Sandbox would require advertisers to use Google as a middleman, making its own advertising system far more attractive.


  • Earlier this month, Google announced it would be phasing out third-party tracking cookies on Chrome and was working on a Privacy Sandbox to protect privacy while providing results for advertisers and publishers
  • The AGs' complaint alleges that Google uses its market power in search, streaming video, and other markets to stamp out other ad platforms, forcing small firms and media to use its system.
  • The complaint states that Google "does not actually care about privacy," but wants to insert itself "in the middle of publishers' business relationships with non-Google advertising companies."


Law enforcement is able to break into encrypted phones "on a vast scale," despite arguing for a mandatory encryption backdoor, argues Joe Mullin, a policy analyst with the Electronic Frontier Foundation (EFF). Police are able to purchase forensic tools, such as Cellebrite, to extract data from most encrypted phones, according to a study by the non-profit group Upturn.


  • The Upturn study found that 2,000 U.S. state and local law enforcement agencies have purchased these forensic tools and have performed hundreds of thousands of "cellphone extractions" since 2015, often without a warrant.
  • Cellebrite boasts it can "determine locks and perform a full file system extraction of all iPhone devices from iPhone 4S to the latest iPhone 11/11 Pro/Max running the latest iOS versions" up to 13.4.1.
  • In addition, the company claims it can "bypass or determine locks and perform a physical extraction (full-disk encryption) or full file system extraction (file-based encryption) on most Android devices on the market."
  • Yet, FBI Director Christoper Wray complained in Senate testimony this month that device encryption limits law enforcement's ability to "bring perpetrators to justice."


In other privacy news
  • Social platform privacy updates: TikTok announced that starting April 15, users will not be able to opt out of personalized ads; Clubhouse is ending its policy of requiring access to contact lists before letting a user invite friends to an audio chat. 
  • Sky Global Jean-Francois Eap, who was recently indicted by the U.S. Department of Justice (DoJ) for providing encrypted chat services to cybercriminals, argues that the DoJ is retaliating against him for taking a stand against "unwarranted surveillance."
  • The American Civil Liberties Union and the Electronic Frontier Foundation are calling for limits on data collection by government-run license plate readers.

How Transcend and Mailgun help Patreon deliver privacy-respecting email: Seamlessly handling your data privacy operations is an essential part of ensuring that your emails get to the right people’s inboxes with all of the right permissions.Read how mutual customer Patreon leverages Transcend and our integration with Mailgun to ensure a compliant and secure email program.


Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.