Why we developed the ISL Consumer Safety Scorecard
With all the current activity in US privacy laws, at both the state and federal levels, staying up to date with the changes in proposed legislation can be an overwhelming and time-consuming task given the sheer volume of dense material. In the past six months alone we’ve seen rulemaking activity from both the CPPA and the FTC, as well as multiple drafts of a federal privacy law (ADPPA). Whew!
We review legislation in our Policy and Legal Advisory Panel (PLAP), which is open to everyone. Members of PLAP are thought leaders, subject matter experts, advocates, and passionate users. But the flurry of policy activity has challenged everyone’s ability to keep on top of the latest policy drafts.
We realized that we needed a more efficient and practical way to evaluate proposed regulations. As a result, we developed our ISL Consumer Safety Scorecard for Regulation (Table 3, below).
Introduction to ISL Consumer Safety Scorecard for Regulation
The ISL Consumer Safety Scorecard for Regulation compares the text of proposed regulations against our “must have” regulation safety principles to arrive at an overall ISL safety score for the regulation. This score lets people know how effective the regulation is at keeping people safe while using connected software products and services.
Table 1: Legend
Table 2: Terminology Mapping
Table 3: ISL Consumer Safety Scorecard v1.0
In the coming days and weeks we will be publishing our scorecards for current and proposed legislation. We hope that the ISL Consumer Safety Scorecard makes it easier and more accessible for everyone to understand how well a regulation serves to keep citizens safe online.
A special thank you to all our PLAP members who contributed to this work!
By the way, we know that the diversity of our members’ points of view is crucial to assessing software safety (especially given that many policymakers may not fully understand how technology behaves). Together, we can all co-create a safer online ecosystem by voicing our concerns and contributing meaningful public comments on proposed regulations. It’s easy to join any of our current panels to help make software safer for everyone.
[i] Age must not be remembered; Bs must calculate age every time and forget it at the end of every session. Note that if safety principle #1 is in place, there is less of a need for age validation.
[ii] Me2B Relationship refers to the relationship a user (Me) forms with a business (B) and with the products and services that the business provides. Just like human relationships, the Me2B Relationship changes over time, generally increasing in trust and intensity. The state of the Me2B Relationship is therefore crucial context for data sharing norms.
[iii] Direct Relationship means the data subject has an account and has entered into some kind of service agreement with the company and can thus correct/view personal information. Data Brokers typically have no direct relationship with the data subjects.
[iv] A duty of loyalty has well-established roots in the common law of fiduciaries and trusts. A hallmark of the obligation is to have no conflicts of interest between the client and third parties, and to always act in the client’s best interest. Modern examples of entities with these same duties are doctors, lawyers, and certain financial advisors.