With rapidly changing regulations, I am expanding our regulatory team at Osano and am hiring several full-time Privacy Analysts. If you think you would be a good fit, check out the role description here!
But I won’t harp on about how busy 2023 will be for data privacy compliance. If that’s something you’re interested in diving into, I recommend reviewing our six-month and three-month countdown blogs. (Keep your eyes peeled for the one-month installment in the near future.)
Instead, I’d like to draw attention to a topic covered in one of our stories in this edition of Privacy Insider: Data brokers.
NPR’s Planet Money podcast recently provided an overview of what data brokers are, and how many app developers aren’t even aware that some of the SDKs they rely on to build their apps’ functionality supply these brokers with their end users’ data. In fact, some data brokers market their SDKs to developers precisely so they can tap into end users’ data.
It’s an excellent example of how data collection and processing are so frequently concealed from the general public. The average consumer has a decent understanding that if they use a free social media platform, their data is being collected. That’s thanks in part to regulation and clear privacy policies. But social media is just the tip of the iceberg when it comes to data collection.
The average consumer will almost never interact with a data broker or become familiar with the million different ways their data is being collected, analyzed, packaged, and sold. Not all of this data collection is necessarily noncompliant or opaque—but a lot of it is. When consumers aren’t informed about data collection and when there are no checks on what businesses can do with that data, everybody loses.
So, if 2023’s new data privacy laws have you feeling anxious, just know that these regulations have been a long time coming and will ultimately lead to a safer, more privacy-aware internet.
California’s new child privacy law could become a national standard
The California Age-Appropriate Design Code Act serves as the U.S.’s most comprehensive children’s privacy law since 1998’s Children’s Online Privacy Protection Act (COPPA). Due to the technical challenges of implementing different technological designs in different regions, tech companies may be forced to apply privacy protections for all users in the U.S. The law requires tech companies to design their platforms with children’s well-being in mind and regulates eight common data-collection practices.
CPRA regulations enter the home stretch
The California Privacy Protection Agency (CPPA) recently approved draft regulations for the California Privacy Rights Act (CPRA) and opened a public comment period that will run until November 21st. If no further action is needed after that comment period closes, then the CPRA’s rules will be finalized, offering businesses much-needed insight into their obligations. Notably, a potential delay to the beginning of enforcement is on the table.
California expands scope of Confidentiality of Medical Information Act
After a rise in telemental health services, California passed Assembly Bill 2089, which will broaden the scope of the Confidentiality of Medical Information Act (CMIA) to explicitly cover “mental health application information.” Under the expanded law, telemental health services will be subject to the CMIA.
What data brokers do with your geolocation data
NPR’s Planet Money podcast dives into how app developers are (sometimes inadvertently) funneling users’ geolocation data to data brokers. These data brokers then sell that information to third parties who use the data for a multitude of purposes, ranging from the innocuous to the nefarious, and sometimes expose that data to outside parties unintentionally.
What you need to know about Indonesia’s Personal Data Protection Law
Indonesia has joined a host of other countries with a data privacy law on the books. Ratified on 17 October 2022, the Personal Data Protection Law (PDP Law) contains 76 articles, which are divided into 16 chapters, and broadly mirrors the EU’s General Data Protection Regulation (GDPR). JDSupra covers key concepts in the law around data processing, personal data controllers and personal data processors, data protection officers, and data transmission.
Tech giants warn that Australian privacy bill applies to customers outside of Australia
A potential bill that would strengthen data privacy protections and penalties for data breaches in Australia has been criticized by tech giants, including Meta, Google, and Twitter. The businesses claim that the bill’s current language implies that any foreign organization carrying on business in Australia would be regulated, regardless of whether it actually processed the personal information of Australian citizens.
LinkedIn wins suit against data scraper
hiQ Labs, a “people analytics” company, was sued by LinkedIn after the social media platform discovered hiQ was violating its terms of service by scraping data from user profiles and avoiding technical defenses against such actions. After a six-year battle, the U.S. District Court for the Northern District of California ruled in favor of LinkedIn. The ruling has implications for the unauthorized use and collection of profile data by bots.
Listen to Osano’s VP of Finance & Operations, Jonathan Grant, on the Founders & Friends Podcast
Recently, our very own Jonathan Grant, VP of Finance & Operations at Osano, was invited to make a guest appearance on Kruze Consulting’s Founders & Friends Podcast. On the podcast, Jonathan talked about his experiences working at a SaaS startup, the impact of strategic finance on businesses and the insights it can produce, and the future of Osano.