👋 Hi, Luiza Jarovsky here. Read about my work, invite me to speak, tell me what you've been working on, or just say hi here.
🔥 Five growing trends in privacy & AI
Below, I list some of the most important trends in the current privacy & AI landscape and explain how they are already influencing companies, organizations, and individuals around the globe.
This week's case study (below) deals with the growing legal scrutiny around manipulation, and it is also a trending issue that most companies are still not aware of.
#1: Privacy UX
One of the most popular topics in this newsletter, privacy UX is the set of design and user experience (UX) practices that surround the collection and processing of personal data and the exercise of data subjects’ rights.
Various legal decisions have scrutinized how a company designs its privacy-related UX interfaces. (A reminder that a privacy-related interface is any interface that collects personal data or affects the exercise of privacy rights, so the scope is broad.)
Among the decisions, you can read my article on FTC vs. BetterHelp, where the screenshots make clear that colors, sizes, and language matter to privacy compliance; my article on the FTC vs. Epic Games, where there were various UX issues affecting privacy; and the recent decision of the Italian Data Protection Authority against Ediscom.
To dive deeper, join my Dark Patterns & Privacy UX masterclass.
#2: Car manufacturers’ privacy practices
A set of privacy implications that have been relatively under-explored in recent years are those related to car manufacturers' data practices.
Advocates such as Andrea Amico - from Privacy4Cars - have been talking about the topic for years, and last year I wrote this article about Tesla's privacy practices. This year, there were a few incidents, such as one involving Tesla's employees sharing images from customer cameras and another involving Toyota's exposure of customers’ location data for a decade.
This week, the Mozilla Foundation published the article It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy, where they compared 25 car brands and concluded that “All of the car brands we researched got our ‘data use’ and ‘security’ dings -- and most earned dings for poor data control and bad track records too! We can’t stress enough how bad and not normal this is for an entire product guide to earn warning labels.” Make sure to read their report.
With more incidents, reports, and scrutiny, the topic is getting more awareness, and my guess is that: a) data protection authorities are keeping an eye on it, and b) people are slowly starting to take into consideration privacy practices when choosing a car.
#3: Brain privacy
If you believe that there are no technologies capable of reading your thoughts, you are probably wrong. Recent advances in neurotechnology can reveal more about what goes on inside your brain than you may want to share.
In China, for example, employees’ brain waves are being monitored. According to this World Economic Forum article, “the technology works by placing wireless sensors in employees' caps or hats which, combined with artificial intelligence algorithms, spot incidents of workplace rage, anxiety, or sadness.”
As I wrote in my article Brain Privacy: Neurotechnology is Coming For Your Brain, major tech companies are investing billions in neurotech, and there is no going back. This is definitely a growing privacy concern and an important issue in privacy & AI.
Earlier this year, I spoke with Prof. Nita Farahany about her book “The Battle for Your Brain” as well as concepts such as cognitive liberty and brain privacy. Make sure to listen to our 40-minute conversation on my podcast or on YouTube.
#4: AI privacy
This newsletter's topic is privacy, tech & AI, and over the last few months, especially due to the buzzing arrival of ChatGPT, AI privacy has become a prominent topic.
AI is definitely not a new topic; it has been discussed since the '50s. The intersection of privacy and AI is also not new: Article 22 of the General Data Protection Regulation (GDPR), for example, talks about “the right not to be subject to a decision based solely on automated processing, including profiling.” (On the topic, make sure to listen to my 60-minute conversation with Prof. Orly Lobel, where she talks about the right to automated processing and “human-out-of-the-loop”.)
This latest AI wave brought broader awareness of current AI capabilities. If, before, the most advanced models were restricted to research labs or industry experts, today, millions of people in the world are experimenting with AI-based tools and being encouraged to become “prompting pros” to increase their productivity.
With usage and awareness came more scrutiny and the realization that current AI systems can infringe on privacy rights and be incompatible with privacy principles and rules. This is a trending topic and definitely fascinating. To dive deeper: join my AI & Privacy masterclass next week.
#5: The interdisciplinary privacy professional
As a result of items #1 and #4 above, today's privacy professional - who is usually a tech-savvy person with their fair share of knowledge of law (even if not a lawyer) and code (even if not a software engineer) - is facing pressure to become an even more multi-skilled professional.
With the arrival of the Digital Services Act (DSA, topic of last week's edition), the approaching and closely monitored legislative process around the AI Act (check the archive to read my articles), and the growing scrutiny over design practices, the privacy professional is expected to be able to navigate various topics that are not necessarily connected to privacy but might affect it.
One of the signs of this new interdisciplinarity is that the IAPP and the Future of Privacy Forum - two organizations deeply connected with the privacy community - are now constantly producing new reports and initiatives around AI-related topics.
*It is precisely due to the growing interdisciplinary pressure on privacy professionals and the difficulty of keeping up with all new reports, publications, cases, laws, and tech-related discussions that I created this newsletter (thank you for reading!) and co-founded Implement Privacy - our privacy training company.
🔥 Zero tolerance for manipulation
This week's case study deals with the rising scrutiny around various forms of manipulation and why most companies do not get it right - and inadvertently manipulate users: