Hello all, and thanks for reading today.
Published: December 8, 2022
Hello all! I hope all of our subscribers in the northern hemisphere are surviving the short winter days.
There is some significant GDPR-related news in our newsletter today: Meta may no longer serve targeted advertisements to EU citizens without their consent.
For those of you familiar with EU law, it’s probably a surprise that Meta was able to serve targeted ads without consent in the first place—users must explicitly opt into the data collection and processing required for ad personalization in the EU, so personalizing ads without that consent seems like a clear violation.
However, consent is just one way to obtain a legal basis for processing personal information. Meta attempted to sidestep this requirement by burying targeted advertising language in its terms and conditions. In this way, they hoped to rely on another legal basis for data collection and processing: the performance of a contract. If users agreed to the terms and conditions of Facebook, WhatsApp, or Instagram, Meta argued they were agreeing to receive the “service” of being presented personalized ads, and therefore to the data collection and processing necessary to present those ads.
According to reporting from the Wall Street Journal, the European Data Protection Board (EDPB) has deemed this to be an inappropriate legal basis. However, the EDPB hasn’t actually made any orders to Meta; rather, it has requested that the Irish Data Protection Commissioner (DPC) issue public orders and fines.
It should be noted that all of this comes from unnamed sources in the WSJ article and that nothing has been officially declared yet. Further, the Irish DPC has a history of playing nice with tech companies (in fact, the Irish DPC worked with Meta on establishing its original consent bypass strategy).
Still, if the news is to be believed and if the Irish DPC enforces the EDPB’s findings, it could be a major blow to Meta’s business in the EU. When asked whether they’re comfortable with being tracked—even for something as seemingly innocuous as advertising—most people respond in the negative.
Best,
Arlo
Names, personal information of more than 6,000 noncitizens exposed by ICE
The personal information of more than 6,000 noncitizens was erroneously posted on the U.S. Immigration and Customs Enforcement (ICE) website, a breach that could result in retaliation from the individuals, gangs, and governments that the immigrants were fleeing. The information, which included the names, case status, detention locations, and other data of immigrants seeking to avoid deportation to countries such as Iran, Russia, and China, was up for five hours.
LastPass' latest data breach exposed some customer information
LastPass recently disclosed that it was the victim of a data breach last August and that hackers accessed customer information. However, the password management company asserted that none of its customers’ passwords were exposed during the breach.
The big problem with Spotify Wrapped
More and more tech companies are coming under fire for surveilling their user base and monetizing their users’ data—but Spotify has managed to whitewash its surveillance by wrapping it up into a consumer-facing annual event called Spotify Wrapped.
“This is a particularly shining example of the fact that Spotify’s business model is based on surveillance,” says Evan Greer, director of the digital rights advocacy group Fight for the Future. “Spotify has done an amazing job of marketing surveillance as fun and getting people to not only participate in their own surveillance, but celebrate it and share it and brag about it to the world.”
The FTC wraps up public comments on consumer-surveillance proposal
The Federal Trade Commission (FTC) has closed comments to inform new rules regulating commercial surveillance and data security practices. As part of this comment-seeking period, the FTC consulted with individual experts, the public at large, and trade organizations to determine how surveillance and data security practices impact the public and businesses alike. By the end of the comment period, the FTC gathered over 11,000 responses.
Personalized ads on Facebook, Instagram, and WhatsApp declared illegal
When the GDPR originally came into force in the EU, Meta argued that it could "bypass" the requirement to get opt-in consent from users by simply adding a provision in the terms and conditions on the grounds that targeted advertisements were part of the core service it provided consumers. However, the European Data Protection Board determined that this practice was illegal and that Meta must allow users to have access to a version of all apps that does not use personal data for ads.
Meet the MSPA, the IAB’s answer to state privacy laws
The Interactive Advertising Bureau (IAB) has released its multistate privacy agreement, or MSPA, a contractual framework designed to help ensure that companies and their vendors respect consumer consent preference signals. State privacy laws require not only that businesses honor consumer consent, but also that the downstream vendors who receive consumers’ personal information honor that consent. The MSPA is a modular framework that ensures this can happen even with the complex patchwork of privacy laws at play in the U.S.
Meta releases new features to support teen privacy
Recently, Meta rolled out a new suite of features to protect the privacy of teens using Facebook, including default privacy settings for new accounts, measures to limit unwanted interactions with adult users, and a tool to limit the spread of teens’ intimate images online.
The EU settles on proposed AI Act language
After some debate, the EU’s member states have settled on proposed language for the upcoming AI Act. The Act is designed to ensure that AI systems used in the EU are safe and respect existing laws on fundamental rights and values.
Osano blog: 1-month countdown to 2023’s state privacy laws
The last installment in our countdown series is here! The Osano team has been producing blog posts that describe what activities businesses should carry out and when in order to enter 2023 prepared for the slew of new data privacy laws coming online in that year. In this edition, we describe the last set of steps that a business needs to take in order to have a strong foundation for compliance in the new year.
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005, Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.