r/dataprotection

Collection of biometric data without consent

I work for a large publicly traded company and they recently installed cameras in all their vehicles that collect biometric data on the driver (probably a good discount on their insurance)
Anyways I didn’t sign the release until a month or two after they were up and running. I wasn’t even aware that there was a consent form to be signed.
It just seems super unethical to be collecting my biometric data without my consent and seems like something they could get sued for. Thoughts please

Edit: I did end up signing the release once I was made aware of it because I knew if I didn’t I would be fired and I live in a state with biometric protection laws

reddit.com
u/Upset_Rabbit_2 — 8 hours ago
▲ 10 r/dataprotection+1 crossposts

AI age verification with KYC data

I have thought for a while that.. Why can’t these AI age verifications be done either locally, or by sending an E2E signal to the vendor, maybe sounding like ”Is this user over the age of X?” And the vendor doesn’t get your facial data etc because it is E2E and they would just retain a simple signal (is this user over age X?” and delete that after some time.

Ofcourse the best scenario is that we shouldn’t have to worry about things like this, but this is what we can closest to get in the world of AI age verification done by KYC data, that is vulnerable.

reddit.com
u/Loose_Cow_9808 — 2 days ago
▲ 23 r/dataprotection+3 crossposts

'No hope of protecting it': inside the data oversight crisis facing the public service

One in three public-sector data professionals do not trust the data held within their own departments, a recent survey showed.

The survey of 111 public-sector data professionals between February and April 2026 suggested tools for tracking data assets, and more than half said departments did not document the reasons for collecting data.

Canberra-based Aristotle Metadata and public-sector platform Public Spectrum carried out the survey at the AusGov Data Summit, the annual collaborative forum for public sector data and technology leaders, held in April 2026.

The findings come amid several significant data management incidents in 2026, including an incident where 13 federal agencies engaged a transcription provider that shared sensitive court transcripts with unvetted offshore personnel in India.

Fewer than one-third of data professionals surveyed were familiar with their organisation's data governance policies and about half said they could not easily locate the data required for their duties.

The research also found 37 per cent of respondents didn't know their organisation was failing to give the true value of its data and 67 per cent said they could not easily find documentation describing what their organisation's data meant.

Aristotle Metadata owner Sam Spencer said the results showed a gap between high-level digital strategies and daily data management operations. He said without clear visibility into what data agencies held, it was difficult to ensure its protection.

"I stand by the fact that if somebody doesn't know what data they've got, they have no hope of protecting it. It's your social security data. It's not an abstract technical issue but 'how we know things get done', from public servants being paid correctly to patients receiving timely medical care," he said.

The federal government now relies on the Australian Government Data Catalogue, a centralised registry that contained more than 36,000 records drawn from various public databases for data governance.

An analysis of the registry by Aristotle Metadata showed that of those 36,000 entries, 99 per cent were duplicates from older platforms.

The data also showed that 505 unique assets had not been updated by nearly a dozen large agencies in more than two years.

To manage these records, the Office of the National Data Commissioner used a framework called ONDC26, which listed 26 metadata attributes.

Ten fields were designated as mandatory and 16 as optional, including fields describing the purpose of collection, who could use the data, who it was shared with and when it should be disposed of.

Although agencies were required by the Australian PSPF to use the fields, the Aristotle Metadata analysis showed agencies fell short on the 36 optional attributes – such as the underlying purpose of collection and data licensing rules – with even the largest four agencies, on-site across large agencies such as the education department and the Australian Taxation Office (ATO), showing four per cent completion rates for the optional fields.

A Finance department spokesperson said metadata in the Australian Government Data Catalogue had been published based on requirements for making data discoverable and accessible outside the agency that held the data.

"Mandatory fields are those which are most important for users requesting data, including security classification," the spokesperson said.

For Mr Spencer, treating these 36 optional fields as secondary overlooked their role in day-to-day security.

Classifying attributes like the purpose of data collection or licensing guidelines as optional left agencies without the baseline visibility needed to track how sensitive material was being handled, leaving it exposed to misuse and error, Mr Spencer said.

"There are seven areas about children in schools, not one of those records was written down who's allowed to use it, whether or not it's sensitive and when it's deleted," he said.

Mr Spencer said the ATO listed a single data asset in the catalogue. "Does that sound right to you?" he said.

A government spokesperson from Public Service Minister Katy Gallagher's office said that established data governance frameworks were in place and that accountable authorities were responsible for implementing them within their respective agencies.

The spokesperson said a biennial Data Maturity Assessment evaluated organisational capabilities and helped agencies identify capability priorities.

The inaugural 2024 assessment established an average public service data maturity rating of "developing", with a score of 2.02 out of five, identifying data quality, reference and metadata as the lowest-scoring focus areas.

Mr Spencer said advocating for improved data governance came with personal difficulties.

He had compiled the research and repeatedly taken it to the Office of the National Data Commissioner, ministers and chief data officers, but received little engagement in return.

"I have no budget, no mandate and now I have no friends, because I'm making people very annoyed about this, because I'm making a lot of noise," he said.

Mr Spencer said there was a tendency to invest in large international software products rather than the known work of foundational governance.

"We'll get squeezed over the smallest amount of money for infrastructure, but all of a sudden there's a blank chequebook for international big tech firms," he said. "It's like they're just going to fix anything with a flashy name."

canberratimes.com.au
u/sam-at-aristotle_mdr — 6 days ago

AI meeting notes tools that actually pass compliance in PE, what survived our evaluation

Anyone else spent months trying to get an AI meeting notetaker approved only to have compliance kill it? Feels like every tool is either built for individual consumers with zero governance, or it's Gong priced for 500-person sales orgs.

We went through the evaluation at our fund (about 60 people, 12 active portfolio companies and the compliance filter eliminated most options before we even got to features. Sharingwhat survived and why since I couldn't find anything PE-specific when I was researching. What compliance cared about (in order): Does it train on customer/client dataAdmin-level access controls (not user-optional) Configurable data retention with auto-delete SOC 2 certification Ability to scope deal teams to only their own meetings

What got eliminated:Otter AI: minimal admin controls. Transcription is fine individually but compliance wouldn't approve it for firm-wide use. Data handling policy is vague on whether content improves their models. Fathom: Good product for personal use. No org-level admin controls, no compliance certifications beyond basic encryption. Can't scope access by deal team. Solo analyst tool,not a firm tool. A Chrome extension one of our associates was using that explicitly trains on data per its own ToS. That discovery is what triggered the whole evaluation. What passed: Fellow AI: SOC 2 Type II, HIPAA, GDPR. No training on data. Admin controls. Botless option for LP-facing calls. AI meeting summary quality was strong across IC meetings, board prep,and portfolio reviews.

Gong: Passed compliance but pricing and feature set is built for revenue teams, not deal teams. Would've been paying for call scoring and pipeline analytics we'd never use. Stayed on the shortlist for sales coverage specifically. The searchable AI meeting notes archive across months of portfolio company discussions has been the highest value feature. When a board member references something from a previous quarter or a deal team member transitions, the context is actually retrievable instead of gone. If your fund is evaluating, start with compliance requirements and work backwards. Feature comparisons are irrelevant if the tool can't clear your CCO.

reddit.com
u/chipskaapacket — 6 days ago
▲ 3 r/dataprotection+1 crossposts

Urgent: Personal data leaked to another user’s device (No shared account/iCloud)

I am seeking advice or similar experiences regarding a critical data privacy breach I just experienced.

My group memberships, and personal data appeared on a family member's phone. To be absolutely clear:

  • We use completely separate devices, phone numbers, and Apple IDs.
  • The family member’s device was purchased today and has no connection to my account history.
  • I have never linked my account to their device (QR code).
  • My primary device was logged out, and I received a notification that my number was registered elsewhere.

Despite this, when they opened their own WhatsApp (registered to their own number), they saw my personal profile, my group chats, and my recent activity—all while their own profile picture remained visible in the "You" tab.

This indicates a massive server-side data synchronization error where my account data was mistakenly merged into their app instance. I have already confirmed this with screenshots showing the mismatch between the account identity and the chat data.

Has anyone here ever encountered a "cross-account" data leak like this? Does anyone have advice on how to force a platform-level investigation by Meta beyond the standard automated support replies? I am not looking for standard "check your linked devices" advice; this was a fundamental failure of server-side identity verification.

Any technical insights on how to hold the platform accountable for this specific type of breach would be appreciated.

reddit.com
u/Kindly_Ad8953 — 6 days ago
▲ 5 r/dataprotection+1 crossposts

Does the this iOS app violate App Store privacy rules? Looking for opinions.

App Link: https://apps.apple.com/ge/app/infosha-find-any-phone-number/id6502995963

Hey everyone,
I’ve been looking into an iOS app called **"Infosha"** and its privacy policy raises some major red flags for me. I wanted to share the details here and ask for your input on whether this goes against Apple's platform guidelines, as I have already reported it to Apple support but haven't seen any action yet.
According to their official Privacy Policy and Terms, here is how the app operates:

  1. **Sharing Third-Party Contacts Without Their Knowledge:** When a user registers, they upload their phone book, and the app makes those contact details public (including names, phone numbers, workplaces, and photos of the people in that contact list). This means third-party individuals have their private information exposed to the public database **without ever knowing it or giving their own consent**. The app tries to shift all responsibility by stating the user must have their contacts' permission.
  2. **No Option to Delete or Modify Data:** Section 9 of their policy explicitly states: *"we do not modify, remove, or supplement any data within our social network. All data is entirely generated and updated by the users of our platform."* This means if your data gets uploaded, there is absolutely no mechanism provided to delete or edit your profile or information.
    From what I understand, this seems to directly conflict with several Apple Developer Guidelines:
    **Guideline 5.1.1 (c) (Access to Contacts):** Apple strictly states that apps should not target third-party data collection or harvest address books to build public directories.
    **Guideline 5.1.1 (v) (Account Deletion):** Apple mandates that if an app supports account creation, it must also allow users to initiate deletion of their account and all personal data from within the app. Infosha's policy explicitly denies this.
    Given these details, does this behavior actually violate Apple's App Store guidelines, or is there a loophole they are using? I'd love to hear your thoughts on this. Thank you!
u/quebeck999 — 6 days ago

WE CAN SUE GOOGLE!!?

So apparently the internet is flooded with news coming from America that Google just got sued and have to pay there users millions of dollars in fine... But I don't understand if the floor is in the privacy terms then it must theirfore would be affecting people globally but only users in us can claim that compensation but as the company is globally used by millions of uses outside us...can we also sue the company in our countries???

reddit.com
u/ratfuker_Asap — 11 days ago
▲ 5 r/dataprotection+2 crossposts

Multiple social media account are compromised

It all started last week when a bot posted elon coin scam on my Instagram and Facebook, which led to both accounts getting suspended. Yesterday somebody tried to do the same thing on my Discord (which uses a different email altogether). Not once did I get a notification of somebody trying to log in, so I'm thinking they accessed them through my cookies.

I did an in-depth and offline scan with Windows Defender, founding nothing. Also deleted a bunch of browser extensions and cleared history and cookies on Brave. This didn't help as my Telegram account got hacked after the fact. Just not sure what to do at this point.

reddit.com
u/Eyedea92 — 13 days ago
▲ 23 r/dataprotection+1 crossposts

PSA: the Login.gov "front door" for your federal benefits is sharing your ID data with private firms

Was reading through the March 2026 privacy assessment for Login.gov (the thing millions of us are forced to use for VA, Social Security, student aid, IRS, etc) and some of it genuinely surprised me.

The identity info you hand over doesn't just go to the agency. It gets shared with two commercial data companies, LexisNexis and Socure. And Google is collecting behavioral stuff during sign-in via reCAPTCHA, including keystrokes and mouse movements, literally while you're uploading your ID and typing your SSN.

The LexisNexis part is what got me. They had a breach earlier this year that hit records on federal judges and DOJ staff

https://www.gsa.gov/system/files/Login_PIA_%28March_2026%29.pdf 
https://therecord.media/lexisnexis-says-hackers-accessed-legacy-data 

u/privacyovermatter — 13 days ago