Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech for better cross-functional outcomes. We’re covering an antitrust investigation the EU launched against Google, Colorado's new privacy law, Canada's cyberspy agency being accused of violating privacy laws, and more.

—The Transcend team

The European Union (EU) has launched an antitrust investigation against Google to determine if it restricts competitors from accessing user data. Google's plan to replace third-party cookies in Chrome with its Privacy Sandbox will also be reviewed by regulators.


  • The wide-ranging investigation will mark the first time Google’s online display advertising business has come under scrutiny from the EU.
  • The investigation is significant as Google's advertising business brought in $147B in revenue last year.
  • Earlier this month, Google said it would work with U.K. regulators to implement Privacy Sandbox. The U.K. is no longer part of the EU.

The Verge

Colorado became the third state behind California and Virginia to pass a data privacy reform bill earlier this month. The bill now awaits the Governor's signature. The bipartisan Senate Bill 21-190 has been sent to Gov. Jared Polis (D), who's expected to sign it. The bill would require companies to be transparent about what data they collect, how long it will be stored, and what they will do with it. The law would go into effect in 2023, and users will be given the option to opt out of having their data collected.


  • Both the Virginia and Colorado bills mandate data protection assessments for certain actions such as targeted advertising and sales.
  • Controllers in Virginia and Colorado must establish a process that lets consumers file an appeal when controllers refuse to honor their requests.
  • Senate Bill 21-190 makes the global privacy control mandatory, unlike in California where it's optional.

Colorado Newsline

A message from TRANSCEND

What's really involved in building a privacy request system in house?

In this guide, we provide a breakdown of the essential elements to build an automated privacy request workflow, with advice from our experts who build these systems for a variety of multinational companies.

Also included: The six key questions you should have answers for before you start to guide your cross-functional conversations.

Canada's Communications Security Establishment (CSE) may have violated the country's privacy law when it shared the personal information of citizens. While the CSE conceals the identity of people in its reports, other agencies can access this information if they have the legal authority and a sufficient reason.


  • The National Security and Intelligence Review Agency (NSIRA) investigated 2,351 disclosures of information from a five-year span and found that more than 25% didn't provide proper justification.
  • The CSE approved 99% of requests and sometimes shared information beyond what was asked.
  • The NSIRA found that only the Canadian Security Intelligence Service, RCMP, and Canada Border Services Agency requested information that aligned with their mandate.
  • The NSIRA says the CSE should only share information with these three agencies until it implements the recommendations.

CTV News

Consent Management, reinvented: Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work—want to join as a beta partner?

The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) are pushing for a ban on facial recognition in public spaces due to privacy concerns. In April, the European Commission proposed a ban on AI-powered surveillance in most cases, except for migration and law enforcement. The proposal would have to be approved by the bloc before it becomes law.


  • The European Commission's proposal says companies found violating the rules could be fined up to 6% of their global revenue.
  • The EDPB and EDPS say biometrics used to segregate individuals into different categories based on ethnicity, gender, political or sexual orientation should also be prohibited.
  • Both privacy watchdogs argue that any technology that can predict an individual's emotion should be forbidden unless needed for health purposes.
  • While neither agency's opinion is legally binding, they have significant influence within the EU.
  • In related news: The UK’s chief data protection regulator has also expressed concerns about live facial recognition.


Weak privacy practices can damage a company's brand, says Transcend's Kate Parker. 93% of Americans would choose a company that places a strong emphasis on data privacy, and Parker argues marketers should view this as an opportunity to enhance customer experience.


  • Parker says companies must track a consumer's data journey to better understand how it's being managed.
  • Parker says companies should be transparent about what data they collect and how it's being used to build trust amongst consumers.
  • Companies should study market research and let customer insights guide their decisions. For example, it's clear data privacy will increase in importance over the next few years, and firms must adjust accordingly.
  • New laws, new opportunities: Companies should view privacy legislation as something that can help strengthen their brand and serve as a growth strategy.


The Indian government accused Twitter of failing to adhere to its new IT laws, which activists say will weaken privacy and online speech. Twitter said it's in the process of complying with the law, noting that it recently appointed an interim chief compliance officer, which is one of the requirements.


  • The law forces social media companies to remove posts within 36 hours when ordered by the government or law enforcement. Employees who don't comply can be prosecuted.
  • They must assist police during investigations and determine the source of “mischievous information.”
  • Social media companies are opposed to the bill; Twitter last month called it a “potential threat to freedom of expression.”
  • However, the company has complied with most of Indian Prime Minister Narendra Modi's demands since he took office in 2014.

Associated Press

Finally, Canon installed AI-powered cameras at its Chinese offices that only allow smiling employees to enter rooms or book meetings. The move comes as more Chinese firms are using AI cameras to monitor employee behavior and measure their productivity.


  • Chinese workers have said the fear of surveillance has led to them being overworked, resulting in health issues.
  • It's important to note that this practice isn't limited to China. Amazon uses algorithms to measure, identify and terminate its least productive employees.
  • During the COVID-19 pandemic, companies are using software to measure the performance of employees who are working remotely.

The Verge

In other privacy news:
  • European Central Bank executive board member Fabio Panetta said a digital euro would strengthen consumers’ privacy.
  • California launched its "Digital COVID-19 Vaccine Record" as critics argue that a "vaccine passport" would violate privacy rights.
  • Apple CEO Tim Cook warned the privacy of iOS would be diminished if it was forced to permit the sideloading of apps, which Android does.
  • A new study shows that 90% of health apps monitor and aggregate user data, and 28% haven't disclosed their privacy policies.
  • The Canadian province of Ontario could introduce a new privacy law that would force companies to report breaches and levy multimillion-dollar fines on violators.
  • A Chinese court case that concluded earlier this month revealed that Alibaba customers had their personal information accessed by a consultant who was given a three-year jail term.
  • Baltimore could ban the use of facial recognition for everyone except law enforcement and certain private uses.
  • A new survey shows that security and privacy are the two most important factors for U.S. digital banking consumers.

Transcend in 10 Mins: In this short on-demand demo, Transcend CEO Ben Brook walks through how we can help improve your privacy ROI with scalable, secure, and future-proof privacy infrastructure.

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.