Ch-Ch-Ch-Changes
Hello all, and thanks for reading today.
Published: February 23, 2023
Hello all, and happy Thursday! For this week, I’d like to yet again take a look at a recent Twitter development.
In a recent statement, the social media company announced that only Twitter Blue subscribers will retain the ability to turn on SMS-based two-factor authentication (2FA) for their accounts; non-paying Twitter users will need to use an authenticator app or a security key.
Although the announcement asserts that SMS-based 2FA was being “used—and abused—by bad actors,” one can’t help but wonder whether this is an attempt to commodify security and drive more users to Twitter’s paid account subscription.
How does this relate to privacy? Well, security and privacy are two sides of the same coin.
As an example of the privacy impact of this decision, consider this: If Twitter refuses to give non-paying users access to SMS-based 2FA, would that then constitute a failure to apply the GDPR’s security principle? Businesses that process consumer data are supposed to take “appropriate technical and organisational measures” to secure users’ data—does failing to offer an accessible method of securing users’ accounts represent a failure to take such measures?
This decision also highlights why data privacy regulations are so necessary. Although Twitter may be attempting it, it isn’t so easy for businesses to commodify security in this way and risk their users’ privacy without increasing their own legal risk.
Of course, this wouldn’t be the first of Twitter’s recent moves that have irked the EU. It will be interesting to see how Twitter’s approach to data privacy fares under the EU regulatory landscape.
Best,
Arlo
EU lawmakers argue against signing U.S. data-transfer pact
Despite a previous agreement in principle, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs has argued against the adoption of the Data Privacy Framework (DPF). U.S. President Biden and EU president Ursula von der Leyen had previously agreed on adopting the DPF as an EU-U.S. data transfer framework to replace the Privacy Shield, but the European Parliament argues it fails to deliver an adequate level of protection.
GAO calls for improved data privacy protections
A recent report by the Government Accountability Office (GAO) highlights the need for stronger cybersecurity generally and makes specific recommendations about the collection, use, and sharing of personally identifiable information (PII). "We have made 236 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure," the GAO added in its report. "Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them."
Privacy regulators step up oversight of AI use in Europe
As more businesses in more sectors adopt AI technology, EU authorities are gearing up to regulate the nascent technology. In preparation for the new AI Act legislation (which is expected to take effect next year), regulators have been hiring new experts, opening new units, and allocating budget to enforce AI Act violations.
SEC proposes revisions to Privacy Act
The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained by federal agencies. The Securities and Exchange Commission (SEC) has proposed new rules relating to how data subjects make requests regarding their data, such as the deletion, correction, and access of their data, among other proposals.
Twitter will limit uses of SMS 2-factor authentication. What does this mean for users?
Two-factor authentication—widely considered to be a best practice in account security—will only be available to Twitter users who have paid a monthly fee for the platform’s subscription service. In addition to the ethical quandary of making users pay for security, the change is being rolled out unevenly across the world. In many regions, the Twitter Blue subscription service is not available, effectively downgrading those users’ security by default.
Brussels aims to harmonize how data protection authorities enforce the GDPR throughout the EU
A new EU regulation proposes to set clear rules for how national data protection authorities (DPAs) deal with cross-border investigations and infringements. In part, the law is a response to the outsized power that the Irish DPA holds—many international businesses keep their EU headquarters in Ireland, and therefore the Irish DPA serves as the primary GDPR authority for Big Tech companies like Meta, Alphabet, and others. The new law is expected in the second quarter of 2023.
California moves to finalize draft regulations while Colorado proposes a new slate of rules
On February 3, the CPPA unanimously voted to finalize its updated set of proposed CPRA regulations, which were then sent to the California Office of Administrative Law on February 14th for review and approval. Barring any unforeseen circumstances, the new regulations should be approved and take effect in April. Meanwhile, the Colorado Attorney General and Department of Law held a rulemaking hearing on the newest slate of proposed draft rules for the Colorado Privacy Act (CPA), published on January 27, 2023. While many of Colorado’s proposed draft rules align with California, there are significant differences.
Register for Osano’s and Vanta’s co-webinar before March 1
Osano is teaming up with compliance vendor Vanta to cover the changing privacy landscape in the U.S., how businesses of all sizes should respond, and how to build trust and win new business in the 2023 data privacy landscape. Our own Arlo Gilbert and Vanta’s Senior Manager of Privacy, Risk & Compliance will co-host a webinar on these issues on March 1st. Register now to save your seat.
If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you.
Arlo Gilbert is the CEO & co-founder of Osano. An Austin, Texas native, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.