It’s been an interesting week in the world of regulatory compliance: Within the span of a few days, the FTC released a report recommending online privacy rules and the House approved the JOBS Act, which reduces regulatory compliance obligations for small and emerging businesses.
The FTC’s recommendations are part of a privacy report that expands on one originally issued in December 2010. It recommends companies improve consumer privacy by implementing privacy protections at every stage of product development and increasing transparency around the collection and use of consumer information. The FTC also recommends Congress consider privacy legislation, data security notification legislation and mandating a “Do Not Track” option for consumers to opt out of online tracking.
In another big piece of regulatory compliance news, the House approved the JOBS Act and sent it to President Obama for his signature. Under the JOBS Act, emerging companies — defined as those with at most $1 billion a year in revenue — would be exempt for five years from external auditors’ review of internal controls as stipulated under Sarbanes-Oxley requirements. It also lessens other compliance regulations that JOBS Act critics say provide checks on corporate misconduct.
An interesting aspect is that both of these developments take into account the burden on small businesses. In the FTC’s preliminary report, it recommended the proposed online privacy rules apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer or other device. But after “recognizing the potential burden on small businesses,” the FTC’s report concludes that the final framework “should not apply to companies that collect and do not transfer only nonsensitive data from fewer than 5,000 consumers a year.” As for the JOBS Act, proponents say loosening compliance regulations for small and emerging companies would boost the economy.
It’s admirable (and necessary) that the federal government is taking small businesses and their limited resources into account when developing these rules. But there are a few questions: Don’t these small and emerging companies have potential infractions? If they don’t have the resources to comply with online privacy rules and compliance regulations, doesn’t this lack of resources make them even more vulnerable? Instead of excluding these smaller and emerging businesses from the rules altogether, perhaps tailoring regulations to take their plight into account is a better answer. If not, we could be back in the same boat again in a few years, after these types of businesses are found to be in violation of rules designed specifically to protect consumers.