Self-Regulatory Organizations and the Future of Data Privacy Compliance

Hwang, Timothy [Browse]
Senior thesis
100 pages


Felten, Ed [Browse]
Woodrow Wilson School of Public and International Affairs [Browse]
Class year
Restrictions note
Walk-in Access. This thesis can only be viewed on computer terminals at the Mudd Manuscript Library.
Summary note
This thesis looks at the pressing policy question of how to regulate corporations and entities that utilize consumer data amidst the growing number of devices and applications that collect a myriad of data from geolocation to health data. The current legal status quo involves leveraging a self-regulatory regime by industry-organized groups. The question presented to policy makers is whether or not these self-regulatory organizations have been effective at promoting consumer data protection. This thesis examines the historical and legal framework underlying the status quo and draws comparisons from other self-regulatory regimes in industries vast as tobacco, food, and forestry as well as the academic literature on selfregulation. Furthermore, the thesis takes a closer look at the individual selfregulatory organizations and attempts to measure the privacy standards of the top websites visited by the United States as measured by Alexa. Finally, the thesis examines international alternatives and comparisons to the American self-regulatory regime. The findings indicate that the self-regulatory regime underpinning data privacy concerns have not worked and traditionally have not worked in other industries. In fact, the purpose for the majority of these organizations has been to drum up public relations and delay political support. Specifically in data privacy, most of the self-regulatory regimes have not worked and the organizations have now become defunct. As a result, in the context of the absence of legislation and regulation (apparent in other countries), there is now a gaping liability in the way Americans interact with their connected devices and the Internet. As a result, we call for a baseline level of privacy with enforcement authority through the Federal Trade Commission (FTC).

Supplementary Information