That’s improved to an extent, though she added that lawmakers’ questions now come “from a place of fear.”
The tech industry needs to be wary too, as privacy issues can undermine the best of intentions. The education technology InBloom amassed $100 million in funding to build a student database that educators nationwide could access. The goal was to streamline student records – but the endeavor ended due to security and data privacy concerns.
Elsewhere, in April, AT&T paid a $25 million settlement to the FCC over a consumer data breach that involved the disclosure of names and account information at call centers in Mexico, Colombia and the Philippines. That’s not going to take down AT&T, but the consequences of getting privacy wrong are escalating quickly, said Hughes, and organizations that fail to address privacy properly do so at their peril.
And the problem companies have complying with the law, Hughes added, is that there’s often no law to comply with.
But as industries beyond ad tech rely on data, privacy is becoming a greater policy concern.
“Today, every sector is dependent on data. It’s not just about banner ads and ad serving, it touches connected cars, wearables, mobile devices, retail and social platforms,” said IAPP member Jules Polonetsky, director and co-chair of the Future of Privacy Forum, a think tank that develops policy. “There’s not an area of the economy that isn’t being transformed by the dependence on data, and along with that comes a wide scope of challenges.”
Polonetsky was also Google DoubleClick’s chief privacy officer from 2000 to 2002, and was chief privacy officer and SVP of consumer advocacy for AOL until 2008.
But today, agencies like the Federal Trade Commission and even the White House are embedding tech scientists and privacy professionals on their senior staff. And O’Connor is “cautiously optimistic” that policy makers and industry execs are thinking more about digital privacy.
“There’s a growing understanding that you need to have experts that aren’t just lawyers,” she said. “On one side you’ve got engineers and computer scientists and on the other side you’ve got policy makers. What’s missing in the middle are the anthropologists.”
To that end, the Future of Privacy Forum recently hired a philosopher, Polonetsky said.
Yet one of the fears of the ad tech industry, besides legislation, is overly broad legislation, and many wonder whether future regulation will be blanket data legislation or if it will focus on a specific industry (ad tech or education tech, for example).
According to Hughes, blanket policy reform may be a ways off – at least in the US – but state legislation could move more quickly than at the federal level.
“We will certainly see a new, broad-based regulation emerge in Europe soon,” said Hughes. “In the US, there does not appear to be any major effort to move forward with broad legislation, despite strong support from many corporations, advocates and the FTC.”
He added, however, that targeted legislation such as the CAN SPAM Act, which focused on email marketing, is much more likely.
“While no broad-based legislation is on the horizon, state legislatures have shown clear willingness to bring new public policy ideas to into privacy legislation,” he said. “The ad tech and education tech industries certainly should be closely monitoring such developments.”
O’Connor agreed that, in the short term, targeted legislation focused on specific practices or specific data is likely, particularly concerning data breach legislation or regulation around student or health data.
But, she added, “I don't think responsible advertisers necessarily need to be adverse to reasonable, principled legislation that creates good standards and prevents bad actors in any industry, as it could provide better consumer confidence and diminish bad acts.”
And the IAPP is working to professionalize the ethos and responsibilities around data.
“What we need to understand in an [Internet of Things] and big data future,” said Hughes, “is that everyone who touches data and makes decisions about data is going to have to understand privacy.”