Hello all, and happy Thursday!
Plenty of states in the US have a data privacy law, but there are plenty that don’t, too. Some businesses in states without a comprehensive privacy law might not feel all that concerned about data privacy compliance.
The key word to focus on here is “comprehensive”—not every state has a comprehensive data privacy law, but all of them have a consumer protection law with privacy-adjacent requirements.
Case in point: the New York Attorney General just settled with an app developer for a little north of half a million dollars over privacy violations. New York doesn’t have a comprehensive privacy law in place, but Saturn, a small business that developed a social media app intended exclusively for high schoolers, still ran afoul of state law due to its privacy practices. Specifically, Saturn did not verify users’ school email and age, allowing non-high schoolers to interact on the app.
It’s also notable that Saturn is a small business—large businesses might get the seven or eight figure fines that make headlines, but this can create the illusion that regulators only care about enterprises and privacy violations.
The bottom line is that if you handle consumers’ data (that’s every business out there), then data privacy is a factor you need to consider.
Best,
Arlo
P.S. We heard about an opening for a data privacy professional at a great company and thought we might as well give it a shout: Columbia Sportswear is hiring a Director of Global Privacy! If you’re passionate about privacy (and stylish outerwear), why not apply?
Highlights from Osano
What's New
Video: March’s Ask a Privacy Pro Series
Check out what questions Osano’s privacy experts fielded in the last month in our latest Ask a Privacy Pro video! This month, we touch on Amazon’s My Health, My Data suit; whether you need a “reject all” button on your banner; and more.
Blog: How Osano Does DSARs
We’re subject to privacy laws too! That means we need to operationalize compliance, just like any other business. If you want to steal all our secrets and build an efficient subject rights request workflow at your organization, check out this blog.
In Case You Missed It...
On-Demand Webinar: Weathering the 2025 Whirlwind: How to Keep Calm and Carry On
Miss our recent webinar on all the new data privacy law updates in 2025? Don’t worry. You can access the recording free and on-demand here.
Upcoming Webinars and Events...
A Blueprint for Efficient SRRs: Mastering Your Subject Rights Workflow
Whether you are swamped by a deluge of subject rights requests or just want more time to spend on strategic work, managing SRRs effectively is a highly sought-after goal—one that's seldom achieved. In this webinar, Osano’s Senior Product Manager Chris Simpson and Lead Implementation Manager Christie Roy will show you the best (and worst) approaches to handling your SRR workflow.
Save your seat | March 27th
The Privacy Pro Survival Summit 2: This Time It’s Personal
In our second Privacy Pro Survival Summit, we’re putting the personal in personal data and showcasing a suite of thought leaders and experts from privacy, security, GRC, and related experts. Learn, connect with your peers, and maybe have a little fun along the way!
Save your seat | April 10th
Top Privacy Stories of the Week
Why Privacy Should Be the Marketing Industry Nonnegotiable in 2025
2025 is shaping up to be an inflection point for consumers, privacy professionals, and marketers alike. What’s driving this new consumer awareness of data privacy, and how should marketers adjust their strategy in light of it?
NY AG Settles with App Developer for $650k Over Failing to Protect Young Users’ Privacy
New York Attorney General Letitia James recently announced a settlement with Saturn Technologies, a developer of an app called Saturn used by high school students, for failing to protect young users’ privacy. Saturn failed to verify users’ school email and age to ensure they were high school students and allowed users from different high schools to interact with each other. As a result, Saturn Technologies must pay $650,000 in penalties and significantly change its practices to protect users.
CJEU Rules on Right of Rectification of Gender Identity
The Court of Justice of the EU (CJEU) recently ruled that the right of rectification (in Article 16 GDPR) requires a national authority to correct a person’s gender identity, where it is shown to be inaccurate. The authority, however, may require that person to provide relevant and sufficient evidence to establish that the information concerning their gender is inaccurate, but may not go so far as to require proof of gender reassignment surgery.
U.S. Senate Introduces Genomic Data Protection Act
Senators Bill Cassidy (R-LA) and Gary Peters (D-MI) introduced the federal Genomic Data Protection Act (GDPA). The Senators introduced the same bill at the end of last year, but the bill stagnated, and Congress adjourned soon after. While the GDPA bears some resemblance to state direct-to-consumer genetic privacy laws, the bill has certain unique features, such as applying to companies that purchase data from direct-to-consumer genomic testing companies and requiring that a direct-to-consumer genomic testing company provide notice to consumers if the company is purchased or otherwise acquired.
The Clash Between the UK Gov and Apple Over iPhone Encryption Is Making Waves
Privacy advocates worry that a change in an iPhone security feature in the United Kingdom, and the ongoing battle between Apple and the UK government, could have worldwide ripple effects. Earlier this year, the UK demanded, under the Investigatory Powers Act, that Apple create a backdoor to allow the government to access encrypted data on people's phones. But instead of making a backdoor, Apple burned the whole house down in the UK market, pulling the data protection tool, to avoid having to comply.
Like what you hear from the Privacy Insider newsletter?
There's more to explore:
🎙️The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!