Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech. We’re covering the 144 new measures that have been introduced to stop cross-border data flows since 2017, two important updates on CCPA, a coalition of tech companies that has urged the U.S. and EU to ban surveillance techniques used in advertising technologies, and much more.

—The Transcend team

Since 2017, 144 new policies have been introduced worldwide to prohibit cross-border data flow, according to the Information Technology and Innovation Foundation (ITIF). During this time, the number of countries that have implemented such measures has risen from 35 to 62.


  • China has introduced 29 new laws, the most of any country.
  • Congress has yet to pass a federal law, and privacy experts have warned companies with European locations could be forced to suspend cross-border data flow due to GDPR.
  • A quick recap: In July 2020, the European Court of Justice invalidated the EU-US Privacy Shield ruling it did a poor job of protecting the privacy of European citizens.
  • Last September, Ireland's Data Protection Commission blocked Facebook from transferring EU user data to the U.S., which the social media giant is challenging in court.


California Attorney General Rob Bonta said 75% of companies that violated the California Consumer Privacy Act (CCPA) addressed the issue during the 30-day cure period. Bonta added that the remaining 25% are still in the cure period or under investigation.


  • Bonta's office released a list of 27 violations and outlined the steps the companies took to address them.
  • The right to cure provision has blocked states such as Washington from enacting new privacy rules but was included in Colorado's recent law.
  • California launched the Consumer Privacy Tool, letting individuals inform companies directly that they don't want their data sold.
  • A link to Bonta's press conference is available here.


Still in California: The Office of the Attorney General recently clarified that under law, businesses must honor the Global Privacy Control (GPC) browser signal. As a result, companies must ensure they have the infrastructure in place to receive GPC signals and maintain compliance.


  • A quick reminder: The GPC is designed to make it easier for consumers to opt-out of having their data sold by giving them a universal switch.
  • The CCPA was passed in June 2018 and always required a "do not sell" browser signal but did not mention a specific standard.
  • GPC is available as a browser extension on DuckDuckGo and Brave.


The State of Consent Management: We surveyed 100 global technical leaders on how they manage user tracking and consent preferences on their company’s websites. Leaders acknowledge they face a tension balancing customer trust and online experiences. Read the full report for more insights.

Download now
A group of tech companies is asking the U.S. and EU to outlaw the usage of surveillance techniques used in advertising technologies. Examples of surveillance techniques include harvesting data via ads or using tools provided by tech giants such as Facebook and Google. The coalition called them anti-competitive and anti-democratic.


  • The group consists of companies such as DuckDuckGo and Vivaldi, who noted they're all profitable and don't use surveillance advertising.
  • The EU and its Data Protection Supervisor are investigating companies in the targeted advertising industry to determine if their data collection methods violate privacy rights.
  • Advertisers have seen revenue decline by 15%-20% after Apple implemented its new App Tracking Transparency feature. 

CPO Magazine

The absence of a federal U.S. privacy law poses both domestic and foreign policy threats, argues Justin Sherman in a Wired op-ed. Several bills have been introduced in Congress, but none have become law, and lawmakers have expressed concerns the U.S. could fall behind Europe and China.


  • Domestically, government agencies and private companies have overwhelmingly used surveillance to target marginalized communities, deepening divisions along racial and class lines.
  • If consumer data ends up in the hands of foreign adversaries, this could pose a threat to U.S. national security.
  • The U.S. looks like a hypocrite if it criticizes privacy laws implemented in others countries but fails to curb surveillance at home.
  • Faith in American tech companies is eroded globally if the U.S. doesn't implement a law to protect user data.


Israeli firm NSO Group used its Pegasus spyware to surveil journalists and human rights activists via their iPhones, according to a report from Amnesty International. Amnesty said thousands have iPhones could have been hacked, which contradicts Apple's repeated claims that it prioritizes privacy and security.


  • Security experts urged Apple to increase collaboration with other tech giants to fix vulnerabilities in its software.
  • Amnesty says hackers tried to access iPhones via zero-click attacks on iMessage.
  • NSO Group has rejected all allegations and says its technology is only used on criminals.

Financial Times

State privacy law watch: States such as Washington are trying to implement privacy laws as efforts in Congress have stalled. Next year state lawmakers will vote on the Washington Privacy Act, which would require companies to be transparent about their data collection methods and force them to delete it if asked by consumers.


  • The Washington Privacy Act would be the strongest state law enacted so far.
  • There have been three unsuccessful attempts to pass the bill as lawmakers disagree on much responsibility companies and individuals must bear.
  • Congress has failed to pass a law as some lawmakers don't think a federal law should override a state law.
  • California, Virginia, and Colorado are the only states to implement a privacy law.


In other privacy news:
  • A new digital pact covering cross border information flows between the U.S. and Asian-Pacific countries (not including China) has been delayed due to disagreements between members of the Biden administration.
  • Google introduced a new privacy feature that lets users delete their most recent 15 minutes of search history.
  • Federal Judge William Shubb tossed out a lawsuit that accused Miniclip SA and Apple of illegally accessing iPhone data via the 8 Ball Pool application.
  • Volkswagen vowed it would comply with China's data privacy law, which goes into effect in September.
  • Uber agreed to a deal with the California Public Utilities Commission to reduce its fine from $59M to $150,000 and will donate $9M to a state victims' funds. 

Consent Management, Reinvented: Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work—want to join as a beta partner?

Get early access

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.