
Self-regulation is not a new concept. It’s been around for decades (centuries?), and in privacy, it dates back to at least the late 1990s. In a highly technological world, laws and government regulations often cannot keep up with rapidly changing industries, and so rather than create proscriptive law, governments set up a sort of détente with industry: Police yourselves or we will do it for you.

The concepts may not be new, but they are being newly examined as privacy hits the mainstream. In the U.S., the White House and FTC have each published reports that include the need for industry codes of conduct and multi-stakeholder processes, while, in the EU, member states continue to grapple with how to protect citizens’ data and harmonize regional laws. Likewise, the Asia-Pacific region, through the Asia-Pacific Economic Cooperative (APEC), continues to build its privacy framework based, in part, on co-regulatory concepts. (We’ll get to the differences between “self-regulation” and “co-regulation” shortly).

There’s enough activity that two conferences have popped up this month to explore a new generation of self-regulation and co-regulation best practices: one in Europe on June 3 and one in the U.S. today, June 24, with the latter event focused on self-regulation only.

“It’s important for us all to come to the realization that we live in a global, commercial and social world and that we’re going to have to build interoperability standards to facilitate that,” said Genie Barton. “This is not something national governments can do on their own. It’s going to take the business community and civil society, working with regulatory communities, to create these standards.”

Barton serves as vice president and director of the Council of Better Business Bureaus’ (BBB) Online Interest-Based Advertising Accountability Program & Mobile Marketing Initiatives, and she’s no stranger to self- or co-regulation. Last month, the BBB made headlines when it referred SunTrust Bank to the Consumer Financial Protection Bureau (CFPB) for allegedly refusing to participate in the advertising industry’s self-regulatory process.

And this week, the BBB is hosting its first annual Self-Regulation Conference in Washington, DC. The event will include a number of industry representatives, along with other business and thought leaders, regulators and legislators. The goal is to explore and flesh out best practices for industry self-regulation.

“This is the first time the BBB is doing this,” said Barton, “and as far as I know, it’s the first private-sector conference on self-regulation writ large in the U.S. What we’re trying to do is similar to what the EU is trying to do: learn about what best practices are in self-regulation in order to generate interest among businesses in creating and sustaining the best self-regulatory practices in multiple areas.”

What that looks like in the EU is embodied in a similar event that just convened. As part of the European Commission’s Digital Agenda for Europe, the Community of Practice (CoP) held its second-ever meeting to discuss better self- and co-regulation. Topics went beyond the privacy realm into general public policy, the construction sector and the global scale, but a major component was dedicated to privacy.

A Look at Self- and Co-Regulation: Where They Differ

CoP Chairman Robert Madelin said self- and co-regulation have a large role to play moving forward in the EU but admitted stakeholders have asked for clarification in defining “self-regulation” and “co-regulation.”

“There has been some gray area,” he said, pointing to a memo he published on the matter in early March, which notes self- and co-regulation first appear in the EU landscape in 2001 and in more detail in 2003.

According to the 2003 document, self-regulation is the “possibility” for economic operators to “adopt amongst themselves common guidelines at a European level”—for example, codes of practice. Co-regulation, on the other hand, stems from a “community legislative act” that entrusts attaining its goals to economic operators.

Still, the definitions are not watertight, Madelin said, but concluded the CoP embraces the notion of “all multi-stakeholder processes striving to reach a specific societal goal.”

Indeed, that’s what the June 3 event set out to accomplish—identify the challenges and best practices for both. Significantly, the BBB’s event is attempting to accomplish a similar goal: Locate self-regulation best practices. Barton is optimistic that both initiatives will lead toward more global interoperability. In fact, Madelin is presenting some of the CoP’s findings at the BBB’s event on Tuesday.

In the U.S., for example, the Network Advertising Initiative (NAI) argues it has some of the strongest self-regulatory standards. FTC Commissioner Julie Brill recently said the NAI “has been an exceptional leader in the self-regulatory community.” The NAI holds its more than 90 members to promises made prior to becoming members. According to its 2013 Code of Conduct, NAI members “are held to the promises they make to adhere to the NAI code through a rigorous compliance and enforcement program that includes annual reviews, ongoing technical monitoring, mechanisms for accepting and investigating complaints of non-compliance and sanction procedures.” The updated code, it should be noted, was influenced by the FTC’s 2009 Staff Report on Self-Regulatory Principles for Online Behavioral Advertising.

Barton said that, in a sense, the BBB does both self- and co-regulation. The Advertising Self-Regulatory Council (ASRC) is administered by the BBB; under the Children’s Advertising Review Unit (CARU), for example, advertising to children is policed, and CARU has been operating under the Children’s Online Privacy Protection Act safe harbor programs. If a company belongs to such a safe harbor, it must be compliant, and in this case, Barton said, the BBB has jurisdiction.

The BBB’s work enforcing the ASRC Accountability Program, however, even though it refers noncompliant companies to government regulators, is self-regulation. “We think in most cases,” Barton notes, “it’s self-regulation if it is independently enforced with government backup.”

The recent SunTrust case may serve as one example. The accountability program had sent a letter to the financial institution inquiring as to how it was using third parties to collect users’ web-browsing habits. In this case, it appeared the bank was not in compliance.

SunTrust declined to cooperate with the self-regulatory body and the BBB referred them to the CFPB—a relatively new regulatory agency designed to curb financial violations in the marketplace—which, on its website, says it can protect customers by restricting “unfair, deceptive or abusive acts or practices.” It’s still unknown if the agency plans to pursue any action against SunTrust.

For Barton, this is still self-regulation. The accountability code was created by industry—not any regulatory agency—and was independently enforced by the BBB. “The point is, we believe best practices in self-regulation must be independent, transparent and enforceable—and are backed up by regulators for referrals in cases of non-cooperation.”

“Is that co-regulation? We don’t think so because the standards are set by stakeholders.” For Barton, if a regulator had played a role in developing the accountability codes along with industry, then it would be a case of co-regulation.

The Limits of Self-Regulation

It’s true that industry self-regulation provides businesses with a flexible framework to keep up with changing technology, legislation and social norms, but some think it has significant limits without regulatory or legal backing.

“We are supporters of self-regulation as an industry practice,” said National Consumer League Executive Director Sally Greenberg, “but never as a substitute for the rule of law. Appropriate laws and regulations are necessary to ensure that all players have to abide by the same rule.”

Greenberg stressed that self-regulation—by definition—is voluntary. “It’s helpful to know what the industry standards are,” she conceded, “but industry can’t discipline the outliers who do not play by the rules. That’s why we need law.”

Greenberg, who will also take part in the BBB conference, recently testified at a Senate Subcommittee hearing on geolocation and “stalking” apps in the mobile space and expressed harsh words for the Digital Advertising Alliance (DAA), which has a self-regulatory framework for geolocation in its accountability program. During the hearing, DAA Executive Director Lou Mastria, CIPP/US, testified that laws regulating apps that use geolocation would stymie innovation and hurt the mobile ecosystem.

But Greenberg disagreed.

“Mastria’s testimony is full of holes,” she said in a phone conversation with The Privacy Advisor. She listed off a number of exceptions within the DAA’s geolocation rules for when an app does not need permission prior to collecting geolocation data, including if the data will only be kept by the first party or for market research purposes, among others.

“They’ve carved out so many exceptions that are not protective of consumer privacy,” she said, “and they came late to the table. We think this is all for PR purposes only.”

During his testimony to the Senate, Mastria said consumers are getting more tools to navigate the ecosystem. “Companies are increasingly offering consumers new privacy features and tools such as sophisticated preference managers, persistent opt-outs, universal choice mechanisms and shortened data retention policies.” He also reiterated the DAA’s track record of accountability through its self-regulatory principles and the BBB’s enforcement.

Greenberg countered, however, that accountability “works for them but not for consumers.” One obvious reason: If a company doesn’t care about being part of the industry group policing the self-regulatory framework, it certainly won’t care about being kicked out or censured. The SunTrust case may end up being a bellwether. In this case, a company is being policed by a self-regulatory body but is not part of that body.

Yet, even among regulators, industry self-regulation is seen as a valuable piece to governance.

The FTC and Self-Regulation

“Self-regulation has become an important part of the dialogue in privacy,” said Federal Trade Commissioner Maureen Ohlhausen.

A keynote speaker at the BBB event, Ohlhausen said self-regulation has played a key role in the advertising ecosystem. She said the AdChoices program, for example, provides consumers with more information about third-party data collection and online behavioral advertising as well as the choice to opt out.

Ohlhausen also pointed to the agility that self-regulation provides, noting it can keep up with technology, sometimes better than laws and regulations. She said the DAA originally started out with principles for desktops, but now they’ve produced mobile guidance. “This is a good example,” she said, “of the nimbleness that self-regulation can provide.”

There is a significant role for regulators here as well.

“I think it’s important that self-regulation is backed up by enforcement,” she said. “If a company makes a promise publicly and it doesn’t adhere to that, we can bring an enforcement action.” She said the BBB’s monitoring of the ecosystem is important and that industry self-regulation “has to be more than a show.”

For Ohlhausen, having industries self-regulate, come up with codes of conduct and other transparency mechanisms, is a good complement to the agency’s Section 5 authority. Once a company pledges to take part in a self-regulatory program, it must live up to that promise; otherwise, the FTC has authority to step in. Plus, she said, self-regulation and the FTC have had a long and successful history together in other industries so there’s no reason to believe it won’t be equally successful in the privacy realm.

Self-Regulation and an Organization’s Strategic Goals

Making public promises such as joining a self-regulatory group is an important consideration for businesses to weigh, notes the Future of Privacy Forum’s Joshua Harris. A former member of the Department of Commerce, Harris was instrumental in helping get the APEC privacy framework set up.

By taking part in a self-regulatory program, Harris said, a business is creating liability for itself but is also potentially creating consumer confidence in its product or service: “Will you put your money where your mouth is? Will you raise the bar and become one of the privacy leaders” by joining a self-regulatory program?

The answer lies heavily in what your organization’s strategic goals are, so it’s paramount to get buy-in from the C-suite. And in making an internal pitch, he said, you must consider those strategic goals. For domestic consumption, by selling on privacy, you can sell your organization as “one of the good guys.”

Or, in another example, does your organization have designs in other markets? Joining mutual assistance programs, as seen in the APEC privacy framework and which were recommended in the White House blueprint for privacy, can potentially help a business streamline compliance frameworks and expand its business into other desirable markets.

Ultimately, all stakeholders—industry, advocacy, legislators and regulators—have to understand an important balance, according to the BBB’s Barton. “If the standards are so weak that regulators and consumer advocates don’t find it credible, then more needs to be done, but, if standards are so stringent that industry won’t comply, you equally have a failure.”

With a Congress unable to even pass a budget, and an apparent long slog ahead for EU data protection reform, developing self-regulation best practices, specifically at next week’s conference, may be one step toward preventing that overall failure to create a safe place for consumers expecting privacy protections.

Written By

Jedidiah Bracy, CIPP/E, CIPP/US
