In this article

Sign up for our newsletter

Share this article

Hello all, and happy Thursday! For this week, I’d like to yet again take a look at a recent Twitter development.  

In a recent statement, the social media company announced that only Twitter Blue subscribers will retain the ability to turn on SMS-based two-factor authentication (2FA) for their accounts; non-paying Twitter users will need to use an authenticator app or a security key. 

Although the announcement asserts that SMS-based 2FA was being “used—and abused—by bad actors,” one can’t help but wonder whether this is an attempt to commodify security and drive more users to Twitter’s paid account subscription. 

How does this relate to privacy? Well, security and privacy are two sides of the same coin.  

As an example of the privacy impact of this decision, consider this: If Twitter refuses to give non-paying users access to SMS-based 2FA, would that then constitute a failure to apply the GDPR’s security principle? Businesses that process consumer data are supposed to take “appropriate technical and organisational measures" to secure users’ data—does failing to offer an accessible method of securing users’ accounts represent a failure to take such measures? 

This decision also highlights why data privacy regulations are so necessary. Although Twitter may be attempting it, it isn’t so easy for businesses to commodify security in this way and risk their users’ privacy without increasing their own legal risk. 

Of course, this wouldn’t be the first of Twitter’s recent moves that have irked the EU. It will be interesting to see how Twitter’s approach to data privacy fares under the EU regulatory landscape. 



Top privacy stories of the week

EU lawmakers argue against signing U.S. data-transfer pact 

Despite a previous agreement in principle, the European Parliament's Committee on Civil Liberties, Justice and Home Affairs has argued against the adoption of the Data Privacy Framework (DPF). U.S. President Biden and EU president Ursula von der Leyen had previously agreed on adopting the DPF as an EU-U.S. data transfer framework to replace the Privacy Shield, but the European Parliament argues it fails to deliver an adequate level of protection. 

Read more 

GAO calls for improved data privacy protections 

A recent report by the Government Accountability Office (GAO) highlights the need for stronger cybersecurity generally and makes specific recommendations about the collection, use, and sharing of personally identifiable information (PII). "We have made 236 recommendations in public reports since 2010 with respect to protecting cyber critical infrastructure," the GAO added in its report. "Until these are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them." 

Read more 

Privacy regulators step up oversight of AI use in Europe 

As more businesses in more sectors adopt AI technology, EU authorities are gearing up to regulate the nascent technology. In preparation for the new AI Act legislation (which is expected to take effect next year), regulators have been hiring new experts, opening new units, and allocating budget to enforce AI Act violations. 

Read more 

SEC proposes revisions to Privacy Act 

The Privacy Act governs the collection, maintenance, use, and dissemination of information about individuals that is maintained by federal agencies. The Securities and Exchange Commission (SEC) has proposed new rules relating to how data subjects make requests regarding their data, such as the deletion, correction, and access of their data, among other proposals 

Read more 

Twitter will limit uses of SMS 2-factor authentication. What does this mean for users? 

Two-factor authentication—widely considered to be a best practice in account security—will only be available to Twitter users who have paid a monthly fee for the platform’s subscription service. In addition to the ethical quandary of making users pay for security, the change is being rolled out unevenly across the world. In many regions, the Twitter Blue subscription service is not available, effectively downgrading those users’ security by default. 

Read more 

Brussels aims to harmonize how data protection authorities enforce the GDPR throughout the EU 

A new EU regulation proposes to set clear rules for how national data protection authorities (DPAs) deal with cross-border investigations and infringements. In part, the law is a response to the outsized power that the Irish DPA holds—many international businesses keep their EU headquarters in Ireland, and therefore the Irish DPA serves as the primary GDPR authority for Big Tech companies like Meta, Alphabet, and others. The new law is expected in the second quarter of 2023. 

Read more 

California moves to finalize draft regulations while Colorado proposes a new slate of rules 

On February 3, the CPPA unanimously voted to finalize its updated set of proposed CPRA regulations, which were then sent to the California Office of Administrative Law on February 14th for review and approval. Barring any unforeseen circumstances, the new regulations should be approved and take effect in April. Meanwhile, the Colorado Attorney General and Department of Law held a rulemaking hearing on the newest slate of proposed draft rules for the Colorado Privacy Act (CPA), published on January 27, 2023. While many of Colorado’s proposed draft rules align with California, there are significant differences. 

Read more 

Register for Osano’s and Vanta’s co-webinar before March 1 

Osano is teaming up with compliance vendor Vanta to cover the changing privacy landscape in the U.S., how businesses of all sizes should respond, and how to build trust and win new business in the 2023 data privacy landscape. Our own Arlo Gilbert and Vanta’s Senior Manager of Privacy, Risk & Compliance will co-host a webinar on these issues on March 1st. Register now to save your eat. 

Register for the webinar 

If you’re interested in working at Osano, check out our Careers page! We might have the perfect opportunity for you. 

Schedule a demo of Osano today

Privacy Policy Checklist

Are you in the process of refreshing your current privacy policy or building a whole new one? Are you scratching your head over what to include? Use this interactive checklist to guide you.

Download Now
Frame 481285
Share this article