Privacy XFN

Welcome to Privacy XFN, curating the best reads at the intersection of data privacy and tech. This week we’re covering news of a new data privacy law in China, ongoing confusion about HIPAA, Google's meetings with digital publishers over Privacy Sandbox, and more.

—The Transcend team

China will pass the Personal Information Protection Law this week. The bill will force government agencies and private businesses to obtain consent before aggregating data. They will also be required to limit the amount of data they collect.


  • Experts say private businesses will face more scrutiny from regulators than government agencies over compliance.
  • For years, Chinese citizens have called on the government to strengthen privacy laws to combat surveillance and prevent companies from having unfiltered access to their personal data.
  • On Tuesday, China's State Administration for Market Regulation published new draft rules prohibiting companies from using user data to influence consumer behavior.
  • Last week, the Chinese government ordered automakers to keep locally generated data in the country.
  • In March, government and military officials were blocked from driving Teslas due to concerns the data collected by the cars could lead to national security leaks.


The 1996 Health Insurance Portability and Accountability Act (HIPAA) has reemerged in the spotlight during the COVID-19 pandemic — but it's largely misunderstood. Nebraska ended its state of emergency on Jun. 30 and claims it can only provide weekly updates about COVID-19 due to HIPAA. However, health law experts argue the public needs daily detailed updates, especially as cases across the U.S. rise due to the Delta variant.


  • What is HIPAA: The law mandates that health-care providers and health insurance companies obtain a patient's consent before sharing information about their health.
  • The law isn't applicable to employers, schools and most private businesses or when 18 specific identifiers such as name and age are removed.
  • HIPAA allows for minimal data to be disclosed to "someone reasonably able to prevent or lessen a health threat."
  • However, lawyers have failed to reach a consensus on whether this exception applies to the general public.

Bloomberg Law

Google has held monthly meetings with 20 digital publishers since March to discuss the technologies it's building for Privacy Sandbox. Google will replace third-party cookies with Privacy Sandbox by 2023, and last month released a timeline outlining how the transition will occur.


  • While some publishers have expressed a desire to test certain technologies such as FLoC, others have criticized Google for its "aggressive" timeline.
  • The meetings are designed to help publishers adapt to Privacy Sandbox and allow them to share any concerns.
  • Last year, Google said it wanted publishers to play a greater role in the development of Privacy Sandbox.
  • While Google has shared details about Privacy Sandbox at W3C meetings and forums, smaller publishers have said the content discussed is "too technical."


The State of Consent Management: We surveyed 100 global technical leaders on how they manage user tracking and consent preferences on their company’s websites. Leaders acknowledge they face a tension balancing customer trust and online experiences. Read the full report for more insights.

The U.S. could fall behind the rest of the world if it doesn't implement a federal privacy law, argues Cameron Kerry of the Brookings Institution. Kerry notes that there has been minimal action in Congress so far besides the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act introduced last month by Sens. Roger Wicker (R-MS) and Marsha Blackburn (R-TN). 


  • In June, Sen. Richard Blumenthal (D-CT) said Congress might hold hearings on privacy legislation during the summer; however, that has failed to materialize.
  • A quick reminder: Last month, President Biden signed an executive order urging federal agencies such as the FTC to introduce new rules limiting the amount of data that tech giants can collect.
  • Kerry praised the move but said it isn't enough to protect individual privacy.
  • He says that over 100 countries, including allies such as India and adversaries like China, have laws designed to protect privacy rights.

Brookings Institution

Apple said it will match images from multiple databases as part of its plan to use iCloud to detect child sexual abuse material (CSAM). The databases will be from at least two different countries to ensure a single government doesn't gain access to unrelated images for censorship purposes.


  • As we mentioned last week, Apple has faced both external and internal criticism, but the tech giant has defended the move saying it will advance privacy rights.
  • An iCloud account will only be flagged if at least 30 photos are designated as CSAM.
  • Apple has only named the U.S.'s National Center for Missing and Exploited Children as a partner and is working to establish agreements with databases in other countries.
  • The company has published a paper providing additional details of its proposed implementation.

The Verge

Congressional Democrats sent letters to 12 gaming companies, including Microsoft and Nintendo, urging them to voluntarily apply the U.K.'s “Age Appropriate Design Code” rules in the U.S. The law, which goes into effect next month, requires social media and gaming companies to provide stronger privacy settings for younger age groups.


  • Products must be designed in the “best interests” of children, and companies can't try to persuade users to keep using a service via “nudging techniques.”
  • The U.K. law applies to everyone under 18, while the U.S.'s Children’s Online Privacy Protection Act only covers kids under 12.
  • A quick reminder: The Protecting the Information of our Vulnerable Children and Youth Act, which bans targeted advertising against children under 18, was introduced by Rep. Kathy Castor (D-FL) last month.

The Verge

40% of organizations lack a chief data officer, according to a new survey from 451 Research. 90% of respondents said they prioritize data quality and trust over volume or quantity.


  • 84% work for an organization that's subject to a data protection law such as GDPR.
  • 83% said their organization will have limited access to data over the next two years.
  • 451 Research surveyed 525 data leaders across North America and Europe that work for organizations with at least 1,000 employees.


In other privacy news:
  • UN-affiliated human rights experts are calling for a global moratorium on the sale of surveillance technology until there are rules that regulate its usage.
  • Google introduced new privacy settings for both its search engine and YouTube. Videos uploaded by users 17 and under will automatically be set as private.
  • Google's not alone: TikTok also introduced new privacy policies for minors. The Direct Message setting for new users aged 16 to 17 will automatically be turned off, while existing users will receive a prompt informing them of this option.
  • British education firm Pearson reached a $1M settlement with the SEC after an investigation revealed the company misled investors about a 2018 data breach.
  • T-Mobile said a data breach impacted over 47 million current and former customers. A Vice report over the weekend said hackers accessed the information of 100 million customers.
  • Facebook added end-to-end encryption on voice and video calls for Messenger.

Consent Management, Reinvented: Existing consent managers are broken. They only regulate 3rd party scripts – leaving your company non-compliant, and users with a terrible experience. So, we reinvented how they work.

Privacy XFN is delivered to your inbox every Thursday morning and is sent by Transcend. We're an engineering company that makes it simple for companies to give their users control over their personal data. Learn more.