Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. We’re covering privacy group Nyob's efforts to combat "cookie terror", Venmo's new privacy features, hopes of Congress passing a national data privacy law begin to fade, and more.

—The Transcend team

Privacy group Nyob has filed hundreds of complaints against companies that it accuses of deliberately making it difficult to opt-out of tracking cookies.  Nyob – which is led by privacy advocate Max Schrems – says companies are legally obligated to provide a "clear yes/no option" but have failed to do so since the introduction of the EU's General Data Protection Regulation (GDPR) in 2018.


  • Nyob developed an automated system that locates violations and files a complaint. Fines can reach €20M ($24.3M) or 4% of a company's revenue.
  • Marketing groups have blamed the EU's privacy rules for creating this issue.
  • Nyob said it will provide draft complaints to Europe's 10,000 most popular websites and share instructions on how to change settings. It will file a formal complaint against any site that doesn't cooperate within a month.
  • There have been calls for cookies to be replaced, and Google has begun to stop support for them on its Chrome browser due to privacy concerns.


Mobile payment app Venmo has added new privacy features after Buzzfeed reporters were able to find President Joe Biden's personal account within 10 minutes. Users will now be able to set their friends list public, visible to friends, or private. They can also control if they want to appear in other users' friend lists.


  • Venmo's default option will continue to make the friends list public, hence users will have to adjust their settings.
  • Reporters also found the personal accounts of Biden's children and grandchildren.
  • The changes address a key privacy hole that existed in Venmo for years, as there was previously no way for users to make their friends list private.

Business Insider

A message from TRANSCEND

What's really involved in building a privacy request system in house?

In this guide, we provide a breakdown of the essential elements to build an automated privacy request workflow, with advice from our experts who build these systems for a variety of multinational companies.

Also included: The six key questions you should have answers for before you start to guide your cross-functional conversations.

Get the guide

It's looking unlikely that Congress will pass a national data privacy law as lawmakers haven't held any hearings, and none are currently scheduled, recaps Politico’s Alexandra Levine. Both parties believe there should be limits on what data companies can take, and users should be given control over how and whether it can be shared. There's bipartisan agreement that companies should be transparent over how the data will be collected and used.


  • As states such as California introduce new privacy laws and COVID-19 related scams increase, pressure continues to mount on Congress.
  • The tech industry has lobbied lawmakers to establish a national data privacy law to ensure easier compliance.
  • There was hope President Biden would prioritize data privacy, however, he has been slow to appoint individuals to fill key positions such as the chair for the Federal Trade Commission.
  • One potential reason for the lack of progress is lawmakers are focused on protecting American citizens' data from the Chinese government.


Building a privacy tech stack in-house:

Many companies are investing in automated backend workflows to efficiently process privacy requests. So what's involved in building such a system internally? Our latest guide offers tactical, expert guidance on the processes, people, and steps involved.

Download now

Not waiting on U.S. Congress, the Colorado Senate unanimously passed SB21-190 last week, which could make it only the third state to pass a data privacy law behind California and Virginia. The bill would go into effect in July 2023 and enable users to block companies from tracking specific information such as the websites they visit. Users would also be able to deny them access to sensitive information, including health conditions.


  • Companies would have to be transparent about what data they'll aggregate and how long it will be stored.
  • Privacy groups have said the bill isn't sufficient, while businesses have expressed compliance concerns due to different regulations in various states.
  • What's next: The bill must clear the House before Gov. Jared Polis can sign it. It's attracted bipartisan support in the House but must be passed before the Colorado Legislature closes on June 12

Denver Post

WhatsApp announced users who don't accept its new privacy policy won't lose functionality, backtracking a previous announcement. Last month, WhatsApp warned users would gradually lose functionality if they didn't accept the changes by May 15.


  • The new policy sparked fears that WhatsApp would share more personal data with its parent company Facebook. WhatsApp has denied this claim.
  • The company revealed the new changes had been accepted by most users who have seen the update. WhatsApp said it would continue to issue periodic reminders to users who haven't accepted the new policy.
  • Countries such as India, which is WhatsApp's largest market, have urged the company to remove the new policy.

The Verge

EU Justice Commissioner Didier Reynders revealed the bloc is trying to accelerate rulings for time-sensitive data privacy investigations. Reynders cited an April data leak of more than 500 million Facebook accounts, including his own, as an example of a case he feels should be prioritized.


  • Last year, the EU's Court of Justice nullified Privacy Shield, the EU-U.S. data sharing agreement. However, Reynders is optimistic a new agreement could be reached within months.
  • If the U.K. amends its data protection standards, Reynders warned the EU could reverse its decision to move its data there.
  • He rejected his predecessor Viviane Reding's suggestion that the enforcement mechanism in the bloc's privacy code needs to be reformed.


Several privacy groups filed complaints across Europe against facial recognition company Clearview AI. Clearview takes photos from public websites and has built a database of more than three billion images. It sells access to the database to law enforcement and private agencies.


  • The groups say Clearview's methods violate European privacy laws, and they filed complaints in Austria, France, Greece, Italy, and the U.K.
  • Last year the U.K. and Australia launched a joint privacy investigation into Clearview's data collection practices.
  • In February, Canada's privacy commissioners declared Clearview's methods to be illegal.

BNN Bloomberg

other privacy news:

  • Automakers such as BMW, Daimler, and Ford have established centers in China to store data locally as they face greater scrutiny from the government.
  • German food delivery service Lieferando has been accused of violating privacy laws by illegally tracking and collecting workers' personal data.
  • A European human-rights tribunal ruled the U.K. violated its privacy laws after it engaged in a largescale interception of online communication, following leaks by whistleblower Edward Snowden.
  • Foreign tech giants such as Facebook, Twitter, and LinkedIn are in full or partial compliance with India's new IT rules according to TechCrunch.

Transcend in 10 Mins:

In this short on-demand demo, Transcend CEO Ben Brook walks through how we can help improve your privacy ROI with scalable, secure, and future-proof privacy infrastructure.

Watch Now

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.