Guest Blog on Privacy Safe Harbors


The following is a guest post to the FPF Blog from Ira Rubinstein, a Senior Fellow at the Information Law Institute and Adjunct Professor at New York University School of Law

In early May, Reps. Rick Boucher (D-VA) and Cliff Stearns (R-FL) released a discussion draft of comprehensive privacy legislation. The draft bill would require companies that collect and use personal data to disclose their privacy practices and obtain consent for various uses of such data, including express consent for the collection or use of sensitive information. The bill also regulates online ads and specifically addresses targeted ads based on a user’s Web browsing history. Section 3(e) requires opt-in consent for third-party information sharing (e.g., with advertising networks) but offers a very narrow “safe harbor” exception for firms that follow certain defined practices (such as allowing a person to manage their preference profiles and to opt-out of receiving targeted ads).

Safe harbors are a very powerful regulatory instrument. In what follows, I offer some fairly radical ideas for greatly expanding the use of safe harbors in privacy law by adopting a regulatory approach sometimes referred to as “co-regulation.” I have written about these ideas at greater length in a law review article, Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes, I/S: A Journal of Law and Policy for the Information Society (forthcoming Winter 2011) available at All page references below are to the draft version currently posted on SSRN…

To read Rubinstein’s full blog about this issue click here