Hello all, and happy Thursday!
Every year, data privacy regulations give millions more people across the globe data privacy rights that they lacked just a few years before. But consistently, those regulations carve out an exception for the employees of a business.
California and the EU do provide protections for employee data, but most data privacy laws in the US do not. Absent a federal comprehensive data privacy regulation with protections for employees, US workers have had to rely on the guidance of federal regulatory agencies.
One of our stories this week focuses on the Consumer Federal Protection Bureau, which recently issued guidance warning companies to follow Fair Credit Reporting Act (FCRA) requirements when conducting background checks, such as obtaining consent and allowing for disputes of inaccurate information.
Unfortunately, this is a fairly narrow slice of the data rights pie—businesses get a lot of data from their employees, and they don’t always treat it with the respect it deserves. Consider Wells Fargo choosing to fire employees over their use of mouse jigglers to fool remote monitoring software.
Human resource data is already subject to a number of regulations, it’s true; but do those regulations provide an equivalent level of protection for employee data as the CCPA or GDPR? How much control should an employer have over its employees’ personal data?
Best,
Arlo
P.S. If you, like many privacy professionals, are feeling a little isolated in your organization, you might want to check out our upcoming webinar on November 7th. We dive into how collaborating with your colleagues in IT, Security, and GRC isn’t just a great way to achieve compliance outcomes, it can also showcase privacy’s value to leadership. Register for Unlock Privacy ROI: Why Making Cross-Functional Allies Is Key here.
Hear from Osano’s Head of Privacy Rachael Ormiston on what insights she’s gleaned from recent industry events, like IAPP’s Privacy. Security. Risk. (PSR) conference in September.
Missed our inaugural Privacy Pro Survival Summit? No worries: You can watch our sessions on privacy program management, AI governance, cross-collaboration, and avoiding privacy burnout here.
How can privacy prove its value to the business and be seen as more than "just" a cost center? Find out how to demonstrate ROI and gain allies in this webinar.
November 7th | Save your seat
Privacy, sales, and marketing are natural allies—not opponents. They have more to gain by working together than they do by working against one another. We’ll explain why and how in this webinar.
November 14th | Save your seat
This IAPP report analyzes the similarities and differences between enacted US state comprehensive privacy laws. Though the full report is restricted to IAPP members, highlights are accessible using the link below.
The Consumer Financial Protection Bureau (CFPB) recently issued its final "open banking" rule. Starting for some institutions as early as 2026, financial service providers must, upon a consumer's request, make financial data available to them and authorized third parties. Financial institutions must provide this data electronically in a secure and reliable manner, requiring third-party data accessors to protect consumers' privacy. In theory, this rule will empower consumers to compare service providers and switch more easily, encouraging competition in the industry.
Despite dire warnings from the pro basketball league and the U.S. Chamber of Commerce about “abusive” litigation under the Video Privacy Protection Act (VPPA), a US appeals court last week revived a class action accusing the NBA of improperly allowing Facebook to harvest personal data from viewers of NBA-posted videos.
Recently, the CFPB issued guidance to protect workers from unchecked digital tracking and opaque decision-making systems. The guidance warns that companies using third-party consumer reports—including background dossiers and surveillance-based, “black box” AI or algorithmic scores about their workers—must follow Fair Credit Reporting Act (FCRA) rules. This means employers must obtain worker consent, provide transparency about data used in adverse decisions, and allow workers to dispute inaccurate information.
Ireland’s Data Protection Commission hit LinkedIn with a 310 million euro ($335 million) fine over concerns about the “lawfulness, fairness and transparency” of its personal data processing for advertising purposes. The watchdog said it carried out an investigation that found LinkedIn did not have a lawful basis to gather data so it could target users with online ads, which is a breach of the GDPR.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!