Self-regulation is not a new concept. It’s been around for decades (centuries?), and in privacy, it dates back to at least the late 1990s. In a highly technological world, laws and government regulations often cannot keep up with rapidly changing industries, and so rather than create proscriptive law, governments set up a sort of détente with industry: Police yourselves or we will do it for you.
The concepts may not be new, but they are being newly examined as privacy hits the mainstream. In the U.S., the White House and FTC have each published reports that include the need for industry codes of conduct and multi-stakeholder processes, while, in the EU, member states continue to grapple with how to protect citizens’ data and harmonize regional laws. Likewise, the Asia-Pacific region, through the Asia-Pacific Economic Cooperative (APEC), continues to build its privacy framework based, in part, on co-regulatory concepts. (We’ll get to the differences between “self-regulation” and “co-regulation” shortly).
There’s enough activity that, this month, two conferences, one in Europe on June 3 and one in the U.S. today, June 24, have popped up to explore a new generation of self-regulation and co-regulation best practices, with the latter event focused on self-regulation only.
“It’s important for us all to come to the realization that we live in a global, commercial and social world and that we’re going to have to build interoperability standards to facilitate that,” said Genie Barton. “This is not something national governments can do on their own. It’s going to take the business community and civil society, working with regulatory communities, to create these standards.”
Barton serves as vice president and director of the Council of Better Business Bureaus’ (BBB) Online Interest-Based Advertising Accountability Program & Mobile Marketing Initiatives, and she’s no stranger to self- or co-regulation. Last month, the BBB made headlines when it referred SunTrust Bank to the Consumer Financial Protection Bureau (CFPB) for allegedly refusing to participate in the advertising industry’s self-regulatory process.
And this week, the BBB is hosting its first annual Self-Regulation Conference in Washington, DC. The event will include a number of industry representatives, along with other business and thought leaders, regulators and legislators. The goal is to explore and flesh out best practices for industry self-regulation.
“This is the first time the BBB is doing this,” said Barton, “and as far as I know, it’s the first private-sector conference on self-regulation writ large in the U.S. What we’re trying to do is similar to what the EU is trying to do: learn about what best practices are in self-regulation in order to generate interest among businesses in creating and sustaining the best self-regulatory practices in multiple areas.”
What that looks like in the EU is embodied in a similar event that just convened. As part of the European Commission’s Digital Agenda for Europe, the Community of Practice (CoP) held its second-ever meeting to discuss better self- and co-regulation. Topics went beyond the privacy realm into general public policy, the construction sector and the global scale, but a major component was dedicated to privacy.
A Look at Self- and Co-Regulation: Where They Differ
CoP Chairman Robert Madelin said self- and co-regulation have a large role to play moving forward in the EU but admitted stakeholders have asked for clarification in defining “self-regulation” and “co-regulation.”
“There has been some gray area,” he said, pointing to a memo he published on the matter in early March, which notes self- and co-regulation first appear in the EU landscape in 2001 and in more detail in 2003.
According to the 2003 document, self-regulation is the “possibility” for economic operators to “adopt amongst themselves common guidelines at a European level”—for example, codes of practice. Co-regulation, on the other hand, stems from a “community legislative act” that entrusts attaining its goals to economic operators.
Still, the definitions are not watertight, Madelin said, but concluded the CoP embraces the notion of “all multi-stakeholder processes striving to reach a specific societal goal.”
Indeed, that’s what the June 3 event set out to accomplish—identify the challenges and best practices for both. Significantly, the BBB’s event is attempting to accomplish a similar goal: Locate self-regulation best practices. Barton is optimistic both initiatives lead toward more global interoperability. In fact, Madelin is presenting some of the CoP’s findings at the BBB’s event on Tuesday.
In the U.S., for example, the Network Advertising Initiative (NAI) argues it has some of the strongest self-regulatory standards. FTC Commissioner Julie Brill recently said the NAI “has been an exceptional leader in the self-regulatory community.” The NAI holds its more than 90 members to promises made prior to becoming members. According to its 2013 Code of Conduct, NAI members “are held to the promises they make to adhere to the NAI code through a rigorous compliance and enforcement program that includes annual reviews, ongoing technical monitoring, mechanisms for accepting and investigating complaints of non-compliance and sanction procedures.” The updated code, it should be noted, was influenced by the FTC’s 2009 Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.
Barton said that, in a sense, the BBB does both self- and co-regulation. The Advertising Self-Regulatory Council (ASRC) is administered by the BBB, and under the Children’s Advertising Review Unit (CARU), for example, advertising to children is policed, and it has been operating under the Children’s Online Privacy Protection Act safe harbor programs. If a company belongs to such a safe harbor, they must be compliant, and in this case, Barton said the BBB has jurisdiction.
The BBB’s work enforcing the ASRC Accountability Program, however, even though it refers noncompliant companies to government regulators, is self-regulation. “We think in most cases,” Barton notes, “it’s self-regulation if it is independently enforced with government backup.”
The recent SunTrust case may serve as one example. The accountability program had sent a letter to the financial institution inquiring as to how it was using third parties to collect users’ web-browsing habits. In this case, it appeared the bank was not in compliance.
SunTrust declined to cooperate with the self-regulatory body and the BBB referred them to the CFPB—a relatively new regulatory agency designed to curb financial violations in the marketplace—which, on its website, says it can protect customers by restricting “unfair, deceptive or abusive acts or practices.” It’s still unknown if the agency plans to pursue any action against SunTrust.
For Barton, this is still self-regulation. The accountability code was created by industry—not any regulatory agency—and was independently enforced by the BBB. “The point is, we believe best practices in self-regulation must be independent, transparent and enforceable—and are backed up by regulators for referrals in cases of non-cooperation.”
“Is that co-regulation? We don’t think so because the standards are set by stakeholders.” For Barton, if a regulator had played a role in developing the accountability codes along with industry, then it would be a case of co-regulation.
The Limits of Self-Regulation
It’s true that industry self-regulation provides businesses with a flexible framework to keep up with changing technology, legislation and social norms, but some think it has significant limits without regulatory or legal backing.
“We are supporters of self-regulation as an industry practice,” said National Consumer League Executive Director Sally Greenberg, “but never as a substitute for the rule of law. Appropriate laws and regulations are necessary to ensure that all players have to abide by the same rule.”
Greenberg stressed that self-regulation—by definition—is voluntary. “It’s helpful to know what the industry standards are,” she conceded, “but industry can’t discipline the outliers who do not play by the rules. That’s why we need law.”
Greenberg, who will also take part in the BBB conference, recently testified at a Senate Subcommittee hearing on geolocation and “stalking” apps in the mobile space and expressed harsh words for the DAA, which has a self-regulatory framework for geolocation in its accountability program. During the hearing, DAA Executive Director Lou Mastria, CIPP/US, testified that laws regulating apps that use geolocation would stymie innovation and hurt the mobile ecosystem.
But Greenberg disagreed.
“Mastria’s testimony is full of holes,” she said in a phone conversation with The Privacy Advisor. She listed off a number of exceptions within the DAA’s geolocation rules for when an app does not need permission prior to collecting geolocation data, including if the data will only be kept by the first party or for market research purposes, among others.
“They’ve carved out so many exceptions that are not protective of consumer privacy,” she said, “and they came late to the table. We think this is all for PR purposes only.”
During his testimony to the Senate, Mastria said consumers are getting more tools to navigate the ecosystem. “Companies are increasingly offering consumers new privacy features and tools such as sophisticated preference managers, persistent opt-outs, universal choice mechanisms and shortened data retention policies.” He also reiterated the DAA’s track record of accountability through its self-regulatory principles and the BBB’s enforcement.
Greenberg countered, however, that accountability “works for them but not for consumers.” One obvious reason: If a company doesn’t care about being part of the industry group policing the self-regulatory framework, it certainly won’t care about being kicked out or censured. The SunTrust case may end up being a bellwether. In this case, a company is being policed by a self-regulatory body but is not part of that body.
Yet, even among regulators, industry self-regulation is seen as a valuable piece to governance.
The FTC and Self-Regulation
“Self-regulation has become an important part of the dialogue in privacy,” said Federal Trade Commissioner Maureen Ohlhausen.
A keynote at the BBB event, Ohlhausen said self-regulation has been a key role in the advertising ecosystem. She said the AdChoices program, for example, provides consumers with more information about third-party data collection and online behavioral advertising as well as the choice to opt out.
Ohlhausen also pointed to the agility that self-regulation provides, noting it can keep up with technology, sometimes better than laws and regulations. She said the DAA originally started out with principles for desktops, but now they’ve produced mobile guidance. “This is a good example,” she said, “of the nimbleness that self-regulation can provide.”
There is a significant role for regulators here as well.
“I think it’s important that self-regulation is backed up by enforcement,” she said. “If a company makes a promise publicly and it doesn’t adhere to that, we can bring an enforcement action.” She said the BBB’s monitoring of the ecosystem is important and that industry self-regulation, she said, “has to be more than a show.”
For Ohlhausen, having industries self-regulate, come up with codes of conduct and other transparency mechanisms, is a good complement to the agency’s Section 5 authority. Once a company pledges to take part in a self-regulatory program, it must live up to that promise; otherwise, the FTC has authority to step in. Plus, she said, self-regulation and the FTC have had a long and successful history together in other industries so there’s no reason to believe it won’t be equally successful in the privacy realm.
Self-Regulation and an Organization’s Strategic Goals
Making public promises such as joining a self-regulatory group is an important consideration for businesses to weigh, notes the Future of Privacy Forum’s Joshua Harris. A former member of the Department of Commerce, Harris was instrumental in helping get the APEC privacy framework set up.
By taking part in a self-regulatory program, Harris said, a business is creating liability for itself but is also potentially creating consumer confidence in its product or service: “Will you put your money where your mouth is? Will you raise the bar and become one of the privacy leaders” by joining a self-regulatory program?
The answer lies heavily in what your organization’s strategic goals are, so it’s paramount to get buy-in from the C-suite. And in making an internal pitch, he said, you must consider those strategic goals. For domestic consumption, by selling on privacy, you can sell your organization as “one of the good guys.”
Or, in another example, does your organization have designs in other markets? Joining mutual assistance programs, as seen in the APEC privacy framework and which were recommended in the White House blueprint for privacy, can potentially help a business streamline compliance frameworks and expand its business into other desirable markets.
Ultimately, all stakeholders—industry, advocacy, legislators and regulators—have to understand an important balance, according to the BBB’s Barton. “If the standards are so weak that regulators and consumer advocates don’t find it credible, then more needs to be done, but, if standards are so stringent that industry won’t comply, you equally have a failure.”
With a Congress unable to even pass a budget, and an apparent long slog ahead for EU data protection reform, developing self-regulation best practices, specifically at next week’s conference, may be one step toward preventing that overall failure to create a safe place for consumers expecting privacy protections.