Hello all, and happy Thursday!
Privacy compliance can be tough to commit to, but it’s especially challenging for data brokers. Most privacy laws have lower applicability thresholds and more requirements for data brokers. Unlike other companies that can argue compliance has an indirect impact on their revenue, data brokers take a direct hit.
So it’s understandable that some data brokers would try to do as much as is legally possible to avoid receiving opt-outs. Unfortunately, trying to stretch the law not only risks breaking it, it also tends to backfire.
Take one of our stories this week: When journalists from the Markup and CalMatters discovered data brokers in California had de-indexed their opt-out pages from search engines, they named and shamed the offending data brokers. Whether or not this constitutes a violation of the CCPA depends on whether or not delisting a privacy page counts as a dark pattern.
Not only did this practice attract the attention of the news media, the Markup hinted that it may have attracted the attention of Tom Kemp, Executive Director of the California Privacy Protection Agency (CPPA):
Kemp said that, when determining whether a company has violated the privacy act, it’s important to determine whether there’s a pattern of activity making it difficult for consumers to exercise their rights. Hiding a privacy instructions page could be the first “thread” in determining whether a company is shirking their obligations.
You don’t have to have a big neon sign pointing to your privacy pages—but trying to hide them from the public can invite more scrutiny than you’d expect.
Best,
Arlo
Highlights From Osano
New From Osano
Meetup Series: AI, IRL: At Home
Join us in the Osanoverse Saloon for the first meetup of our AI, IRL series! In August, we'll be chatting about how we use AI in our personal lives. From wearables to wellness hacks to therapists and home devices, data privacy and AI expert speakers will talk about all the risks and opportunities AI presents in our personal lives. Find out more about the meetup series and register with the link below.
In Case You Missed It...
Blog: What Is the Processing of Personal Data?
Data privacy laws define “processing” so broadly, many people don’t realize their daily work involves processing personal data. We define the term in plain English and provide common examples of personal data processing in our blog.
Blog: Optimizing Privacy Operations: Making Compliance Less of a Fire Drill
Achieving compliance is one thing; doing so efficiently, repeatedly, and at scale is another. Focusing on privacy operations is your key to making compliance feel less like an emergency and more like a standardized practice.
Top Privacy Stories of the Week
CPPA Automated Decision-Making Regulations Are Moving Forward: Here is What You Need To Know
Consumer protections have expanded in California following the approval of CCPA regulations by the California Privacy Protection Agency (CPPA). The regulations, updating certain existing CCPA regulations and introducing regulations regarding automated decision-making technology (ADMT), risk assessments, and cybersecurity audits, will go into effect as early as January 1, 2026, pending review by California’s Office of Administrative Law.
US Court Says Trump's DOGE Team Can Access Sensitive Data
A federal appeals court has granted DOGE—the Department of Government Efficiency—permission to access personal data (like SSNs and citizenship records) from major agencies, despite constitutional objections. The court reasoned that challengers had not shown how they would be injured by DOGE accessing agencies' computer systems and that they lacked legal standing to sue because that access is not a "final agency action" that can form the basis of a lawsuit.
Students Have Been Called to the Office—and Even Arrested—for AI Surveillance False Alarms
In Tennessee, a student was arrested, interrogated, and strip-searched after a school’s AI surveillance system misinterpreted a tasteless but ultimately benign message as a threat. Two-thirds of such flagged incidents turn out to be false alarms.
Data Brokers Are Hiding Their Opt-Out Pages From Google Search
An investigation found over 30 data brokers deliberately hiding their CCPA-opt-out and deletion pages, making them impossible to find in search engines. Two companies said they added the code intentionally to avoid spam at the recommendation of experts and would not change it. The other 24 companies didn’t respond to a request for comment; however, three removed the code after journalists contacted them. Regulators warn these could be dark patterns—and that privacy rights are pointless if consumers can’t discover how to exercise them.
Australia's Privacy Regulator Sues Optus Over 2022 Data Breach
The Australian Information Commissioner (AIC) has sued Optus for violating the Privacy Act and failing to protect the data of almost 10 million users in the 2022 breach. Specifically, the AIC claims Optus failed to take reasonable steps to protect their personal information from misuse, interference and loss, and from unauthorized access, modification or disclosure. Although the AIC did not disclose the total sum it was seeking, Optus’s violations could result in a penalty of up to A$2.2 million.
Like what you hear from the Privacy Insider newsletter?
There's more to explore:
🎙️ The Privacy Insider Podcast
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
📖 The Privacy Insider: How to Embrace Data Privacy and Join the Next Wave of Trusted Brands
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you’re interested in working at Osano, check out our Careers page!
Arlo Gilbert
Arlo Gilbert is the CIO & co-founder of Osano. A native of Austin, Texas, he has been building software companies for more than 25 years in categories including telecom, payments, procurement, and compliance. In 2005 Arlo invented voice commerce; he has testified before Congress on technology issues and is a frequent speaker on data privacy rights.
