Privacy Policy Regulation

With rapid advances in data science, there is an ever increasing need to better regulate data and people’s privacy.  In the United States, existing guidelines such as FTC Guidelines and California Online Privacy Protection Act are not sufficient in addressing all the privacy concerns.  We need to draw some inspiration from the regulations suggested in  European Union General Data Protection Regulation (GDPR) Some have criticized GDPR for potentially impeding innovation .  I don’t agree with this for two reasons 1) There is a lot of regulation in the traditional industries in the US and organizations still manage to innovate. Why should data-driven organizations be treated any differently 2) I feel that majority of the data-driven organizations have been really good at innovating and coming up with new ideas. If they have to innovate with more regulated-data, I believe they will figure how to do it.

From the standpoint of data and privacy, I believe we need more regulation in the following areas

  • Data Security – We have seen a number of cases where user information is compromised and organizations have not been held accountable for the same. They get away with a fine which pales in comparison to the organizations’ finances.
  • Data Accessibility – Any data collected on a user should be made available to the user. The procedure to obtain the data should be simple and easy to execute.
  • Data Recession – Users should have the choice to remove any data they wish to be removed.
  • Data Sharing – There should be greater regulation in how organizations share data with third parties. The organization sharing the data should be held accountable in case of any complications that arise.
  • A/B Testing – Today, there is no regulation on A/B testing. Users need to be educated on A/B testing and there should be regulation on A/B testing with respect to content.  Users must be consented before performing A/B testing related to content and users should be compensated fairly for their inputs. Today, organizations compensate users for completing a survey. Why shouldn’t users be compensated for being a part of an experiment in A/B testing.

The privacy policy of every organization needs to include a Privacy Policy Rubric as shown below. The rubric would indicate a user about the organization’s compliance with the policy regulations. It can also be used to hold an organization accountable for any violation of regulations.


Lastly, there needs to stricter fines for any breach in regulation. GDPR sets a maximum penalty of 4 % of total global revenue, with penalties befitting the nature of the violation. The top-level management of an organization needs to be held accountable by the organization board for failing to meet the regulations.

Leave a Reply