New York University Public Law and Legal Theory Working Papers

I/S: A Journal of Law and Policy for the Information Society, Vol. 6, p. 356, 2011


According to its many critics, privacy self-regulation is a failure. It suffers from an overall lack of transparency, weak or incomplete realization of the Fair Information Practice Principles, inadequate incentives to ensure wide-scale industry participation, and ineffective compliance and enforcement mechanisms. Rather than attacking or defending self-regulation, this Article explores co-regulatory approaches in which government plays a role in setting requirements for industry guidelines and imposing sanctions for non-compliance. It examines innovative policy tools such as regulatory covenants and develops a normative framework for evaluating self-regulatory mechanisms. It then considers four case studies, including a voluntary code governing online behavioral advertising practices, a government-negotiated program enabling data flows between Europe and the U.S., a statutory safe harbor program designed to protect children’s privacy, and a variety of privacy covenants. This Article argues that while statutory safe harbors have many strengths and privacy covenants offer the promise of achieving even better results, both would benefit from being redesigned. Finally, it offers specific policy recommendations: (1) to the FTC on how it might begin to use the covenanting approach to experiment with innovative technologies and address hard problems such as online behavioral advertising; and (2) to Congress on how best to structure new safe harbor programs as an essential component of omnibus consumer privacy legislation. All of these approaches to regulatory innovation move beyond purely voluntary codes in favor of co-regulatory solutions.
