Privacy XFN

Welcome to this week’s Privacy XFN, curating the best reads at the intersection of data privacy and tech. We’re covering Amazon's record $887M GDPR fine, Zoom's $85M settlement, two privacy bills introduced in Congress, and much more.

—The Transcend team

Amazon was fined a record $887M by Luxembourg’s National Commission for Data Protection (CNPD). Regulators said Amazon's advertising business doesn't comply with GDPR when it processes data. The CNPD ordered Amazon to amend unspecified business practices.


  • Companies can be fined up to 4% of their annual revenue under GDPR.
  • Amazon made $386B last year, and $887M is 0.23% of that total.
  • Amazon rejected the allegations and said it would appeal the ruling.
  • The previous record? A $57M fine given to Google in 2019.


Zoom agreed to an $85M settlement after it was accused of violating privacy rights by sharing users' data (without their consent) with Facebook, Google, and LinkedIn. Zoom also allegedly failed to prevent hackers from "Zoombombing," which is when they interrupt meetings and display vulgar content.


  • As per the settlement, users are eligible to receive a 15% refund or $25,
  • Zoom said it would take additional steps to protect user data and notify users when other participants use third-party apps.
  • Employees will receive extra training on how to handle user data and protect privacy.
  • Despite the settlement, Zoom hasn't denied all allegations.


Sens. Roger Wicker (R-MS) and Marsha Blackburn (R-TN) introduced the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act. The bill would force companies to delete personal data within 90 days if requested by a user. Companies would only be allowed to collect data that's “reasonably necessary, proportionate, and limited” to their business.


  • Under the bill, companies would have to be transparent about their privacy policies and hire privacy and data-security officers.
  • In related news: Rep. Kathy Castor (D-FL) introduced the Protecting the Information of our Vulnerable Children and Youth Act blocking targeted advertising against individuals under 18.
  • It would force companies to obtain permission before they collect data from children and teenagers.
  • The current Children’s Online Privacy Protection Act only applies to children younger than 13.


The State of Consent Management:

We surveyed 100 global technical leaders on how they manage user tracking and consent preferences on their company’s websites. Leaders acknowledge they face a tension balancing customer trust and online experiences. Read the full report for more insights.

Maryland Gov. Larry Hogan signed multiple executive orders creating new roles for a state chief data officer and state chief privacy officer. The data officer will monitor how state agencies share and manage data. The privacy officer will establish frameworks for how agencies must protect data and ensure compliance.


  • Each state agency is also required to hire individuals to oversee data and privacy.
  • Maryland became the 28th state with a chief data officer and the ninth with a chief privacy officer.
  • A quick recap: In 2019, Hogan signed an executive order creating the chief information security officer, Office of Security Management, and the Maryland Cybersecurity Coordinating Council to protect the state from cyber attacks.


Both Safari and iOS lack a global privacy control (GPC) despite Apple consistently emphasizing the importance of privacy, according to Gilad Edelman of Wired. Edelman acknowledged the importance of Apple's App Tracking Transparency framework but said it was flawed as it relies on the tech giant identifying violators. He adds that hackers can bypass Safari’s tracking-prevention feature.


  • A quick reminder: GPC is designed to make it easier for consumers to opt out of having their data sold by giving them a universal switch.
  • California and Colorado have passed privacy laws that force companies to respect GPC.
  • Edelman notes that Safari is the most popular mobile browser and second most popular desktop browser in the U.S.
  • He adds that Google hasn't incorporated GPC into Chrome or Android.


Google showed off the Play Store's safety section design, which will be rolled out in Q1 2022. In the safety section, users will be able to read about what data is being collected and how it's being used. The tech giant first announced the safety section in May, and all third-party and first-party Google apps must have it.


  • In Dec. 2020, Apple added "privacy labels" to the App Store.
  • Privacy expert Ashkan Soltani notes that Apple lets users block location tracking in some cases, while Google doesn't.
  • Both Google and Apple won't audit the content in the labels, and Soltani says it's unknown how they'll act if developers provide inaccurate information.

The Verge

A coalition of attorneys general from 48 states and territories will appeal a dismissal of their antitrust lawsuit against Facebook. In June, Judge James Boasberg tossed out a lawsuit – first filed in December – that accused Facebook of reducing competition and "cutting privacy protections" via its 2012 acquisition of Instagram and 2014 purchase of WhatsApp. Boasberg said the states waited too long to file a complaint.


  • The FTC filed a similar lawsuit that was also tossed out.
  • However, Boasberg said the FTC could file an amended complaint by Aug. 19 but prohibited states from taking similar action.
  • The FTC has yet to act, but last month Facebook asked Chair Lina Khan to recuse herself from any antitrust issue due to previous criticisms she's made of the tech giant.


In other privacy news:

  • A lawsuit against Walmart over an alleged data breach was dismissed by a California judge.
  • The Census Bureau's decision to introduce differential privacy into last year's results has led to concerns it will impact the distribution of funds and prohibit researchers from using the data.
  • Instagram will limit the number of ads shown to individuals under 18 and make their accounts private by default as part of its new privacy policy.
  • The Chinese Supreme Court said commercial venues must obtain permission from customers before using facial recognition technology and limit the amount of data they collect.
  • Facebook warned revenue would "decelerate significantly" in the next few quarters due to Apple's recent privacy policy changes.

Consent Management, Reinvented:

Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work—want to join as a beta partner?

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data.