Most of our privacy laws in the US and Europe date back at least 10 years, and some go back 20 or more. This is true for both the private and public sectors. With the U.S. Congress focused on other more pressing matters, such as cyber-security, and Europe continuing its 5-year-long effort to modernize the 1998 Data Protection Directive, the result is a growing gap between effective regulation and the world we actually live in.
An example of how some regulators are trying to deal with the situation can be found in the recent sharply divided FCC Declaratory Ruling on the Telephone Consumer Protection Act (TCPA) which set forth new statutory and policy pronouncements on all types of calls or text messages for informational or marketing purposes. While some clarification is provided by the FCC ruling, other aspects of it raise interesting questions. There will no doubt be appeals for reconsideration as the ruling is further analyzed.
For those who are interested, an excellent summary of key areas where many were looking for clarification can be found at:
In the TCPA situation, the Declaratory Ruling stated that “little or no modern dialing equipment would fit the statutory definition of an autodialer…. But …” the agency said: “[W]e do not at this time address the exact contours of the ‘autodialer’ definition or seek to determine comprehensively each type of equipment that falls within that definition that would be administrable industry-wide….”
The ruling dealt with such basic issues as what equipment falls within the definition of an auto-dialer and is thus subject to provisions in the law. Sounds scarily similar to the ongoing debate about the definition of ‘personal information’ and thus what is and is not subject to various privacy laws.
This is but one of many examples of how poorly privacy laws are aging as we move into the world of Big Data and the Internet of Things. When updating the laws proves to be too big a hill to climb, regulators have approached these issues in two ways. First, they have looked for ways to use Congressional intent, rather than a strict reading of the law, to establish more reasonable regulations. Second, they have published guidance for the industry, as the FTC has through workshops and whitepapers, and encouraged the development of industry best practices and self-regulatory codes of conduct.
The latter has proved to be much more workable for industry. We are seeing more and more examples of best practices and enforceable codes of conduct step in to fill this growing gap. Of course, organizations like the Direct Marketing Association (https://thedma.org/wp-content/uploads/DMA-Ethics-Guidelines.pdf) and the Digital Advertising Alliance (http://www.aboutads.info/) have had broad enforceable ethical guidelines and codes of conduct for some time that have proven very effective with both their membership and the industry as a whole. More recently we have seen emerging guidance from industries like automotive for the smart car (http://www.hotforsecurity.com/blog/smart-car-makers-to-comply-with-privacy-principles-starting-2016-10995.html).
While what industry is already doing is working very well, it is not nearly enough to cover the huge chasm that grows every day between sound guidance and what is technologically possible. Every organization should be encouraging, even pushing, its trade groups to be more aggressive in updating and creating new guidance for the industry. We have a window of opportunity right now that we should not let pass us by. While some may say there is no great urgency as long as Congress is distracted with other matters, it should be acknowledged that developing good codes of conduct takes years, and the challenges that need to be tackled today get more and more difficult to satisfy.
NOW is the time to be aggressively working on the rules for tomorrow because tomorrow will be here before we know it. And remember that just because you can do it, doesn’t mean you should.