Recent EU Enforcement Action on GDPR Highlights Value of U.S. Approach

March 11, 2019

DAA’s self-regulatory regime raises industry standards collaboratively with “teeth” of regulatory backstop for non-compliance, avoids “fine first” mentality.

As the U.S. Congress begins to deliberate the contours of a national standard around privacy, recent enforcement news from Europe around the European Union’s (EU) General Data Protection Regulation (GDPR) highlights the value and effectiveness of our uniquely American model for industry self-regulation and enforcement, coupled with a federal backstop for non-compliance. In some ways, this U.S. model could almost be considered co-regulation, a combination of industry leadership with the support and muscle of the federal government, as needed.

Punitive - Is That The Best Way to Educate

Rather than the “fine first, explain later” approach encouraged by GDPR, the DAA’s YourAdChoices program in the U.S. starts with education, then offers opportunities for remediation, and reserves aggressive regulatory escalation for the infrequent cases where the companies do not come into compliance.

To help ensure broad industry compliance, YourAdChoices works collaboratively with industry to set (and update) clear standards, then educate thousands of stakeholders, so industry participants easily understand what standards they must adopt for consumer privacy.

A Better Way: Cooperation...'With Teeth'

When companies fail to meet those standards, our two independent enforcement partners at the Council of Better Business Bureaus’ (CBBB) Advertising Self-Regulatory Council (ASRC) and the Association of National Advertisers (ANA) Data Marketing & Analytics Division (DMA) can work with those companies to bring them into compliance. 

If companies do not come into compliance, our enforcement partners can take a range of additional steps, up to and including formal referrals to the Federal Trade Commission (FTC) or other relevant enforcement agencies for action, as the ASRC did earlier this past week for a company refusing to participate in the self-regulatory review process.

Over the last ten years, that “first educate, then fix, then enforce” approach has allowed the industry to bring the vast majority of companies into compliance without needing to impose massive fines or punitive sanctions.

To ensure full transparency, the DAA’s enforcement partners have publicly announced nearly 100 of those compliance actions, so other companies can learn from their experiences.   These cases are illustrated and shared in our Enforcement in Action casebook series – serving as an industry resource for those businesses engaged in responsible data collection for interest-based advertising.

The former head of the Federal Trade Commission called the DAA model “self-regulation with teeth,” but I would take that metaphor a step further. The most important part of enforcement is not the bite, but the growl of warning before it. If you don’t know what you’re doing wrong, you can’t fix it. And if the industry is deeply confused by the requirements for compliance, the opportunity for broad adoption of strong pro-consumer privacy standards disappears.

 We believe this type of escalating ladder of enforcement actions, starting with broad education and clear guidance for industry, offers an effective – and uniquely American – approach for congressional consideration as it shapes federal legislation in this area.


Back to Top