Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. Coming in at slightly under 1,200 words, we’re covering a French regulator questioning Apple's privacy compliance, Virginia's new privacy law spurring other state action, Mozilla adding a privacy-focused Referrer Policy to Firefox, and more.

—The Transcend team

The French data protection regulator CNIL is questioning whether Apple's consent policy when collecting personal data for advertising would comply with EU data privacy laws. A confidential note seen by Politico concluded that "Apple's practices suggest a lack of consent collection" when it comes to targeted advertising.


  • The confidential note, signed by CNIL President Marie-Laure Denis, was an opinion provided to France's competition authority, which was ruling on the anti-competitive impact of Apple's new app tracking transparency policy.
  • The competition authority ruled in favor of Apple and against French advertisers regarding the new policy.
  • However, the CNIL note suggests that Apple may run into trouble with the EU's General Data Protection Regulation with its own advertising platform. 


Virginia's passage of a comprehensive data privacy law is spurring action in other state legislatures. For example, data privacy bills were passed by one legislative chamber in Oklahoma and Washington, while bills were introduced in Illinois, Massachusetts, and Minnesota.


  • In Florida, the Senate Committee on Commerce and Tourism approved the Florida Privacy Protection Act this week.
  • Other states with active data privacy legislation include Arizona, Texas, Kentucky, Alabama, South Carolina, Maryland, New Jersey, New York, Connecticut, Rhode Island, and Vermont.
  • In the U.S. Congress, Rep. Suzan DelBene (D-Wash.) introduced a data privacy bill that would give consumers the right to "opt-in" to sensitive data collection and use by companies.


Mozilla is introducing a privacy-enhancing default Referrer Policy to protect the privacy of Firefox users. The policy, which will be introduced in Firefox 87, will limit the user-sensitive data, such as path and query string information, that is exposed through the HTTP Referrer header, in order to prevent accidental data leaks.

More from Firefox:

  • Browsers send the HTTP Referrer header to indicate to a website which location referred the user to that website's server.
  • The HTTP Referrer header can contain private user data, such as which articles a user read on the referring website and information on a user’s account.
  • The Firefox policy "will not only trim information for requests going from HTTPS to HTTP, but will also trim path and query information for all cross-origin requests," explained Mozilla's Dimi Lee and Christoph Kerschbaumer.


Privacy tech stack, decoded—free guide: Cross-functional conversations on privacy engineering start with speaking the same language. Designed for non-engineering leaders, our Tech Stack Decoded guide covers 11 technical concepts we believe are crucial to any modern data privacy tech stack, including encryption, pseudonymization, and more.

The difference between structured and unstructured data has significant privacy implications, argues Transcend Co-founder and CEO Benjamin Brook. Yet privacy laws treat both kinds of data the same way.


  • Unstructured data is a major challenge when it comes to complying with privacy laws because it is harder to write code to automate user data deletion and access requests. 
  • There are engineering options for automating the handling of unstructured data that remove headcount costs, reduce the need for workflow tooling or shoulder-tapping, and create automated end states that can handle access and deletion requests in the data layer.
  • In the future, handling unstructured data will become easier as artificial intelligence and machine learning models advance.


Advertisers are unclear about how Google's Privacy Sandbox will replace third-party cookies, reported Digiday. Advertisers will be able to use their first-party data in some ways, but this use varies depending on which of the Google-developed methods are employed. 


  • Google's Privacy Sandbox is designed to enable advertisers to target ads while eliminating third-party cookies from the Chrome browser.
  • The lack of details about how the Privacy Sandbox would work in practice has confused advertisers, agencies, ad tech providers, and publishers.
  • "People refer to the Google Privacy Sandbox as one thing when it’s really a collection of many potential solutions. Terms are being used in more of an umbrella fashion when in reality the proposals all solve for very specific things," commented Amanda Martin, vice president of enterprise partnerships at digital agency Goodway Group.


China has issued new rules that give users the right to refuse collection of personal data not considered "necessary" for mobile apps to provide basic functions and services. The rules on "necessary" personal data collection, which take effect May 1, cover 39 app categories, including messaging, online shopping, payments, ride-hailing, short video, live streaming, and mobile games.


  • The new rules come in response to the practice among some mobile apps requiring users to give "bundled consent" for processing their personal information.
  • The Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Public Security Bureau, and the State Administration for Market Regulation jointly issued the new rules this month.
  • Separately, the 2,000-member China Advertising Association is testing a mechanism to bypass Apple's new app tracking transparency rules.


Despite former President Trump's targeting of TikTok, the popular video-sharing app poses no more of a threat to data privacy than Facebook, concluded a report by the University of Toronto's Citizen Lab. The report examined the source code for TikTok and found no evidence that the app collects user data without permission.


  • Citizen Lab also found that TikTok collected device information and usage patterns and used third-party advertisements and tracking services. These practices do not differ from industry norms, it concluded.
  • Former President Trump tried to ban TikTok in the U.S. market over data privacy and national security concerns, but his effort was held up in the courts.
  • As part of Trump's effort, Oracle and Walmart agreed to buy TikTok's U.S. operations to avoid the ban. 
  • The new Biden administration has put a temporary hold on the ban and sale while it reviews TikTok's privacy and security risks.


In other privacy news:
  • The Indian government is asking the country's high court to block Facebook's WhatsApp from rolling out its new privacy policy update that expands data sharing with the parent company.
  • The U.S. Department of Homeland Security has awarded the University of Washington Applied Physics Lab close to $1M to develop digital contact tracing app testing criteria, including privacy and civil liberties protections.
  • The Australian privacy commissioner is pushing for more privacy protections in the data availability bill being considered by the country's parliament.

How Transcend and Mailgun help Patreon deliver privacy-respecting email: Seamlessly handling your data privacy operations is an essential part of ensuring that your emails get to the right people’s inboxes with all of the right permissions. Read how mutual customer Patreon leverages Transcend and our integration with Mailgun to ensure a compliant and secure email program.

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.