Hello all, and happy Thursday!
When it comes to data privacy and data privacy regulations, a pretty common refrain is: “I don’t care if these companies are tracking me. All they’re doing is advertising stuff to me, and if I have to see advertisements anyways, I’d rather they be relevant.”
Let’s set aside the fact that not everybody feels this way, or the fact that you wouldn’t want sensitive information like your health data being used for advertising.
Data is like toothpaste—once it’s out of the tube, it’s not going back in. Once your data is out in the world, it’s relatively easy for it to find its way into the hands of people who want to use it for more than just advertising.
Just recently, the FBI admitted that it purchased data originally intended for advertising. Specifically, it purchased the locations of smartphone users. You might not care if your data is used to figure out which brand of soda people in your area like more, but you probably do care about your data being used by federal agencies for some classified purpose.
Federal agencies buying personal data isn’t anything new; the U.S. Customs and Border Protection, Department of Homeland Security, and the Defense Intelligence Agency regularly do so. This practice comes in response to a relatively recent Supreme Court decision (Carpenter v. United States) holding that the warrantless acquisition of location data violated the Fourth Amendment. Now, agencies purchase consumer data as a workaround to securing a warrant.
Data privacy regulations thankfully prevent just anybody from buying user data willy-nilly—users need to be informed and given the choice to opt-in or out (depending on the regulation). However, most U.S. regulations create exemptions for federal agencies, law enforcement, and the like, which is a practice that has long attracted criticism from data privacy advocacy groups.
It goes to show that even with regulation, your data isn’t just being used for advertising. It may be the case that total privacy isn’t possible in the digital world. More privacy, however, is very achievable.
Best,
Arlo
P.S. The Osano team will be attending the International Association of Privacy Professional’s (IAPP’S) Global Privacy Summit in Washington D.C. this April fourth and fifth! If you’ll be attending as well, come by booth 318 to ask questions, talk about all things data privacy, or just say hi.
Colorado Privacy Act rules finalized
The Colorado Attorney General’s Office filed the final Colorado Privacy Act (CPA) Rules with the Colorado Secretary of State’s Office this week, following the completion of a review confirming the rules are legal and constitutional. The rules will be published in the Colorado Register later this month, and they will go into effect on July 1, 2023.
The FBI just admitted it bought U.S. location data
For the first time, the FBI acknowledged the practice of purchasing location data rather than obtaining a warrant for the same information. During a U.S. Senate hearing on global threats, FBI Director Christopher Wray admitted that it purchased location data from companies originally intended for advertising purposes. Director Wray claimed that this was no longer the practice at the FBI, and that the agency instead relies on court-authorized processes.
Bird & Bird’s UK & EU data protection bulletin: March 2023
Legal firm Bird & Bird has released its March UK & EU Data Protection Bulletin, covering items including the work undertaken by a cookie banner task force investigating NOYB’s (none of your business, a data privacy advocacy group) claimed infringements, Court of Justice of the European Union cases on personal data and erasure requests, UK proposals to update cybersecurity regulations, and more.
FTC says it’s conducting an investigation into Twitter’s privacy practices
In a rare move, the Federal Trade Commission (FTC) has confirmed that it’s investigating whether or not Twitter has violated the FTC settlement it signed in 2011, in which the social media company promised to improve its protection of user data.
Cerebral admits to sharing patient data with Meta, TikTok, and Google
Telehealth startup Cerebral revealed that it inadvertently shared patient data such as patient names, phone numbers, email addresses, birth dates, IP addresses, insurance information, appointment dates, treatment, and more with third-party advertisers. The leak occurred due to Cerebral’s use of tracking pixels from Meta, Google, and others.
Project Clover is TikTok's effort to get ahead of EU privacy and security concerns
TikTok’s new data policy, dubbed Project Clover, is an attempt to convince EU authorities that the social media platform is not a threat to EU citizens’ privacy. Project Clover will introduce “security gateways” that limit employee access to EU users’ information and data transfers out of the EU. Furthermore, a third-party security firm will be responsible for overseeing TikTok’s new data security controls and conducting audits of the company’s data practices.
Osano blog: 5 red flags in a CMP implementation
Compliance is already complex. So, when implementing a consent management platform (CMP) is even more complex, it can be frustrating. Only, it’s tough to tell how easy or difficult it will be to use a given solution before you actually get your hands on it. In this blog, we identify 5 red flags you can keep an eye out for to see whether a CMP will be more trouble than it’s worth in advance.
Press release: Osano is a Great Place to Work! Again!
For the second year in a row, Osano has been certified as a Great Place to Work. Ninety-eight percent of Osanians said we’re a great place to work—a full 41 points higher than the average U.S. Check out the press release to learn all about how Osano earned this prestigious certification, what the Great Place to Work certification is about, and more.
If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you.