CIPP/US Study Guide
Chapter 5: Federal and State Regulators and Enforcement of Privacy Law

Self-Regulation and Enforcement

Self-regulation can reach any of three stages: legislation (writing the rules), enforcement, and adjudication. Under FTC Act Section 5 and state UDAP laws it is only quasi-legislative, because a government agency still enforces and adjudicates. PCI DSS is a fuller self-regulatory system that covers all three stages privately; seal and trust-mark programs add third-party oversight, and the DAA's AdChoices program gives consumers choice over online behavioral advertising.

Self-regulation can occur at the legislation, enforcement, and adjudication stages. Under Section 5 of the FTC Act or a state UDAP law, it operates only at the quasi-legislative stage: a company or industry writes the rules (for example, a published privacy policy or industry code), but a government agency such as the FTC or a state attorney general enforces them and adjudicates violations. Other systems handle all three stages privately.

PCI DSS as full self-regulation

PCI DSS is a privately drafted standard for protecting payment card data; it is enforced by contract rather than by statute. The card brands levy penalties on a non-compliant merchant's acquiring bank, which typically passes them on to the merchant; these range from $5,000 to $100,000 per month, and persistent non-compliance can cut the merchant off from the card networks entirely.

Privacy seal and trust-mark programs (for example, BBB and TrustArc) let a third party oversee a company's compliance with a self-regulatory program, and the DAA's AdChoices icon program gives consumers a way to opt out of online behavioral advertising. Self-regulation remains controversial: European regulators generally favor independent data protection authorities defining and protecting privacy as a fundamental right, while supporters of self-regulation point to industry expertise and the flexibility to adapt rules faster than legislation.

Key terms - quick answers

What is “Self-regulation”?
Industry-led approaches to privacy that can cover rule-making, enforcement, and adjudication, sometimes with government involvement (as under Section 5, where the agency enforces industry-written rules) and sometimes without it (as with PCI DSS).
What is “PCI DSS”?
The Payment Card Industry Data Security Standard: a privately drafted, contractually enforced security standard for payment card data, with penalties of $5,000 to $100,000 per month for non-compliance and possible loss of access to the card networks.
What is “Privacy seal / trust mark”?
A third-party certification (e.g., BBB, TrustArc) a company displays to show compliance with a self-regulatory program.
What is “DAA / AdChoices”?
The Digital Advertising Alliance's icon program, which lets consumers exercise choice over online behavioral advertising by clicking the AdChoices icon on participating ads to opt out of interest-based advertising.