Technology is advancing so rapidly that industries have little time to update their privacy policies to comply with social norms, regulations and legislation, said Trevor Hughes, president and CEO of the International Association for Privacy Professionals (IAPP).
Rapid technological development leads to what Hughes calls a public policy gap, where the leading edge of technology outpaces the ability to understand what emerging tech means from a privacy perspective.
“Privacy is exploding as a risk management concern,” Hughes said. “There is no technology you can buy to solve privacy. You actually need people to manage the issue and make smart decisions throughout the organization.”
The IAPP’s goal is to help its members navigate the dynamic privacy landscape. The nonprofit, non-advocacy organization has 90 employees who help members understand current legislation, and the organization also offers professional certifications. (It has validated 10,000 professionals globally as Certified Information Privacy Professionals – CIPPs.)
In the past two years, the organization’s membership base, which includes policy chiefs and corporate and individual subscribers, has swelled from 13,000 to 23,000 worldwide.
“As we are a nascent profession, just about anyone can claim to be a privacy professional,” Hughes said. “That can make it difficult for employers to gauge the credibility of candidates for privacy positions.”
The other problem plaguing the tech world is that regulators don’t always understand how technology and coding works, said Nuala O'Connor, a member of IAPP and the president and CEO of the Center for Democracy and Technology, an advocacy organization.
“Our role is to bring our engineers and scientists to Capitol Hill and explain technology to policy makers,” she said. “A few years ago people weren’t even asking the right questions and profoundly did not understand what was happening in the tech industry.”
That’s improved to an extent, though she added that lawmakers’ questions now come “from a place of fear.”
The tech industry needs to be wary too, as privacy issues can undermine the best of intentions. The education technology InBloom amassed $100 million in funding to build a student database that educators nationwide could access. The goal was to streamline student records – but the endeavor ended due to security and data privacy concerns.
Elsewhere, in April, AT&T paid a $25 million settlement to the FCC over a consumer data breach that involved the disclosure of names and account information at call centers in Mexico, Colombia and the Philippines. That’s not going to take down AT&T, but the consequences of getting privacy wrong are escalating quickly, said Hughes, and organizations that fail to address privacy properly do so at their peril.
And the problem companies have complying with the law, Hughes added, is that there’s often no law to comply with.
But as industries beyond ad tech rely on data, privacy is becoming a greater policy concern.
“Today, every sector is dependent on data. It’s not just about banner ads and ad serving, it touches connected cars, wearables, mobile devices, retail and social platforms,” said IAPP member Jules Polonetsky, director and co-chair of the Future of Privacy Forum, a think tank that develops policy. “There’s not an area of the economy that isn’t being transformed by the dependence on data, and along with that comes a wide scope of challenges.”
Polonetsky was also Google DoubleClick’s chief privacy officer from 2000 to 2002, and was chief privacy officer and SVP of consumer advocacy for AOL until 2008.
But today, agencies like the Federal Trade Commission and even the White House are embedding tech scientists and privacy professionals on their senior staff. And O’Connor is “cautiously optimistic” that policy makers and industry execs are thinking more about digital privacy.
“There’s a growing understanding that you need to have experts that aren’t just lawyers,” she said. “On one side you’ve got engineers and computer scientists and on the other side you’ve got policy makers. What’s missing in the middle are the anthropologists.”
To that end, the Future of Privacy Forum recently hired a philosopher, Polonetsky said.
Yet one of the fears of the ad tech industry, besides legislation, is overly broad legislation, and many wonder whether future regulation will be blanket data legislation or if it will focus on a specific industry (ad tech or education tech, for example).
According to Hughes, blanket policy reform may be a ways off – at least in the US – but state legislation could move more quickly than at the federal level.
“We will certainly see a new, broad-based regulation emerge in Europe soon,” said Hughes. “In the US, there does not appear to be any major effort to move forward with broad legislation, despite strong support from many corporations, advocates and the FTC.”
He added, however, that targeted legislation such as the CAN SPAM Act, which focused on email marketing, is much more likely.
“While no broad-based legislation is on the horizon, state legislatures have shown clear willingness to bring new public policy ideas to into privacy legislation,” he said. “The ad tech and education tech industries certainly should be closely monitoring such developments.”
O’Connor agreed that, in the short term, targeted legislation focused on specific practices or specific data is likely, particularly concerning data breach legislation or regulation around student or health data.
But, she added, “I don't think responsible advertisers necessarily need to be adverse to reasonable, principled legislation that creates good standards and prevents bad actors in any industry, as it could provide better consumer confidence and diminish bad acts.”
And the IAPP is working to professionalize the ethos and responsibilities around data.
“What we need to understand in an [Internet of Things] and big data future,” said Hughes, “is that everyone who touches data and makes decisions about data is going to have to understand privacy.”