The consensus approach to monitoring online privacy is more effective than imposing inflexible rules
Data protection is unique among legal disciplines in that it is defined in large part by societal attitudes rather than on a rule or legal precedent. These attitudes evolve, changing the standard for compliance around a particular practice or disclosure. As a result, best practices can be an integral part of data protection compliance as they help define a de facto standard.
In rapidly evolving industries such as technology, best practices are important in defining a baseline data protection standard that balances innovation with privacy.
The EU Cookie Directive, which arose out of 2009 amendments to the directive on e-privacy, requires notice, “informed” consent and the ability to opt out from cookies and other online trackers. The informed consent mandate is especially problematic, as requiring consent every time an ad is served results in a negative user experience. It can also disrupt the flow of online advertising and add to compliance costs.
Companies have been slow to comply with the directive. Many have resorted to simpler fixes, such as directing users to change their browser settings rather than investing in the notice, choice and control mechanisms required. And there’s been little EU enforcement of the informed consent standard.
On both sides of the Atlantic we have seen the development of transparency standards through a consensus process involving stakeholders from government, industry and the advocacy community.
In the EU last year a cross-industry self-regulatory initiative was developed to introduce pan-European standards to enhance transparency and user control for online behavioural advertising (OBA). The European Interactive Digital Advertising Alliance (EDAA) is responsible for enacting key aspects of these and acts as the central licensing body for the OBA icon that signifies compliance. To date, more than 180 companies have signed up.
In the US, the Department of Commerce was tasked with leading multi-stakeholder proceedings to develop codes of conduct for privacy – starting with an effort around mobile transparency. Most stakeholders coalesced around a mobile short-notice format that uses a mix of icons and descriptions to provide disclosure.
A consensus-driven effort has been shown to be best at maintaining the privacy-innovation balance. There are examples of other industry-based, consensus-driven processes that have not gone well – efforts around ‘do-not-track’, for example. However, in areas such as data protection and privacy, which are shaped by societal attitudes, a standard that has investment from a broad range of stakeholders is better than a mandate.
The EU Data Protection Regulation just came a step closer to becoming law, with a key vote in the European Parliament. However, if the regulation is to succeed it needs not just to jump regulatory hurdles but also to achieve consensus from all those who will have to comply with it.