Episode Show Notes: Filling Privacy Gaps with Soft Law Solutions

Your Privacy Abbreviated hosts, Dona Frazier, Senior Vice President of Privacy Initiatives at BBB National Programs, and Jason Cronk, chair and founder of the Institute of Operational Privacy Design, return to discuss soft law versus hard law. Guest Jameson Spivack, Senior Policy Analyst, Immersive Technologies, with the Future of Privacy Forum (FPF), joins our privacy experts on this episode.

04:17 – Dona starts the conversation by asking where businesses should go for guidance on consumers’ privacy expectations in the virtual reality sector. Jameson acknowledges the absence of specific regulations for immersive technologies, such as extended reality, due to their recent introduction to the mass market. Jameson explains further, “To the extent that we have privacy laws in the US, they’re not generally written with these kinds of technologies in mind. But this doesn’t mean that they don’t apply to immersive technologies. It just means that policymakers weren’t necessarily considering them when they wrote these laws. So they’re not always going to be fit for purpose in the context of immersive technologies.”

In the absence of comprehensive federal privacy laws or immersive tech-specific laws, virtual reality (VR) companies are looking for guidance on best practices. They’re looking at the Federal Trade Commission (FTC) in the context of biometric technologies. Also, regarding youth privacy, businesses look to self-regulatory bodies like BBB National Programs and CARU for clarity and direction. Additionally, they are seeking input from industry groups and civil society organizations to develop best practices.

Inquiring about privacy in augmented reality (AR) and VR industries, Dona wonders if any organizations are developing standards or regulations. Jameson shares with listeners that trade associations like the XR Association are beginning to build some best practices and guidelines for their members. Further, he adds that the Metaverse Standards Forum focuses on developing technical standards for immersive technology. Other entities highlighted for listeners are civil society organizations like XRSI, the XR Guild, and the Responsible Metaverse Alliance, which all seek to develop best practices. 

Jameson also mentions his own organization, FPF. The nonprofit brings together industry, civil society, academics, and researchers to initiate discussions on developing industry standards and figuring out how to operationalize some privacy principles. Along those lines, Dona shares that BBB National Programs under their CARU program are in the process of developing guidelines for operations in the Metaverse environment as it relates to advertising in the space while weaving in privacy guidance as well.

12:00 – Jameson provides a great example of how these principles and best practices that are developed early on can inform and guide policymaking that comes later. “The Future Privacy Forum published Privacy Best Practices for Consumer Genetic Testing Services. Two years later, in 2020, California passed the Genetic Information Privacy Act, which largely borrowed from FPF’s best practices.” All in all, “hard law might adopt some of the recommendations originally started in soft law.”

Dona pushes the conversation to think beyond self-regulation’s compliance benefit and dive into other areas “soft law can assist, where a hard law can’t.” This leads to discussions about companies making voluntary commitments to certain principles and potentially being held accountable by the FTC for following them.

18:35 – Sparking concern for those in aid, Jason inquires about resources for small to medium-sized businesses. Jameson shares several resources and tools to include addressing the gap between HIPAA-covered data and consumer health data.

The host wraps up this insightful talk with a few questions to help listeners learn more about this episode’s guest. A vital one, “If any problem in the privacy landscape could be solved for tomorrow, what would you want it to be?” Without hesitation, Jameson replies, “Finding a model other than notice and choice for data collection, usage, and sharing.”

Listen to the complete episode here

Subscribe To Never Miss An Episode
Explore BBB NP’s Blog Post Advertising And Privacy: The Rules Of The Road For The Metaverse