Novelty and the demand for private regulation: Evidence from data privacy governance

Private regulations are often presented as low-cost and flexible institutions that can act as policy incubators. In this article, I question under which conditions they go beyond legal compliance and experiment with new rules. Based on a content analysis of 126 data privacy regulations adopted between 1995 and 2016 in the European Union and the United States and thirty-five semistructured interviews, I show that most private regulations include no regulatory novelties. By disaggregating the temporal and spatial distribution of the few novelties, I add nuance to this overall finding and show that private regulations adopted in the United States before 2000 experimented more than others. I argue that this variation reflects the different demands for private regulation in the two jurisdictions and their evolution over time. In the European Union, the early adoption of privacy laws led public regulators and businesses to look for private regulations to reduce transaction costs and thus limited their interest in experimenting with new requirements. In the United States, businesses hoped to gain a first-mover advantage by including new data privacy rules in their private regulations. However, the growing use of private regulations to ease transnational data flows also led to their use as tools to reduce transaction costs.


Introduction
Private regulation forms an integral part of today's global governance. Although private regulation is not entirely new, there is a broad consensus that its importance has risen in recent decades, leading many political economy scholars to question the sources of its emergence and legitimacy. 1 Either implicitly or explicitly, they all contributed to a broader discussion of the role of states in the global economy. If some saw the rise of private regulation as representing a form of governance beyond the state, 2 others emphasized its potential to complement public policies. 3 Among all the potential contributions of private regulation, one of the most often cited is its flexibility and capacity to experiment with new ideas. Its relatively low degree of legalization is seen as allowing "private regulators [to] more easily change [their] rules in response to new information or circumstances." 4 The possibility for greater experimentation in private regulation is, in turn, considered to provide learning opportunities and help make the regulation of various issue areas more adaptive. 5 This idea is at the heart of a growing experimentalist governance literature promoting the design of regulatory environments in which feedback loops can emerge among public and private regulators and shape their respective rulemaking processes. 6 Paraphrasing a well-known Chinese expression, Green suggested that states may benefit to "simply let 1,000 flowers [i.e., private regulation] bloom and see which rules appear robust." 7 Implementation gaps have led several scholars to question whether private regulation was not merely a "myth" and to criticize its actual contributions to global governance. 8
Before even looking at implementation failures, though, one key question for those arguing that private regulations can act as "incubator[s] for ideas" 9 or "laborator[ies] of standards" 10 is under which conditions they depart from existing legal requirements. Hereafter, I argue that it depends on the nature of the demand driving the creation of private regulations. Private regulations created to reduce transaction costs and, notably, to help companies fulfill their legal obligations will tend to spur limited novelty. Meanwhile, private regulations responding to industry demands to gain a first-mover advantage or increase their reputation should lead to greater novelty as businesses try to gain a competitive edge.
I develop this argument through an abductive analysis of the evolution of private regulations governing the use of personal data in the transatlantic area between 1994 and 2018. In both the United States and the European Union, if to different degrees, policymakers presented private regulations as instrumental in achieving a more flexible and robust form of governance. While showing that some of these regulations supported the creation of new data privacy rules, I highlight that these rules were mainly limited to those adopted in the United States early on. I then argue that these variations across time and jurisdictions reflect the different demands for private regulations. In Europe, private regulations were expected to implement public requirements following the adoption of the Data Protection Directive in 1995. In the United States, private actors hoped to achieve a first-mover advantage and avoid further public regulation by demonstrating their capacity to self-regulate. However, growing demands to develop privacy programs to allow the transfer of personal data across multiple jurisdictions pushed them to increasingly approximate legal requirements from multiple jurisdictions, including Europe. Therefore, recent private regulations for data privacy adopted in both jurisdictions now aim to help companies implement their legal requirements more than anything else.
Through this work, I contribute to the literature on private governance in two distinct ways. Theoretically, I identify how the different demands for private regulation shape the extent to which they act as policy incubators. Various scholars have emphasized how governments and businesses support the creation of private regulations to obtain varying benefits. I demonstrate that these different demands also affect the content of these regulations, and thereby their potential contribution to global governance. Most notably, I show that private regulations aiming to reduce transaction costs play a limited role as policy incubators. Empirically, I build my argument while investigating the still relatively unexplored case of private regulations governing businesses' use of personal data. While early research on private forms of regulation pointed to data privacy as an area in which private regulation was growing, 11 none analyzed the evolution of their content at length. Hereafter, I use a novel dataset of 127 data privacy regulations adopted in the United States and the European Union to highlight the limited role that private regulations played as incubators for new data protection rules. I then present qualitative evidence from thirty-five semistructured interviews to explain how this reflects the different demands for their creation in both jurisdictions and their evolution over time.
The remainder of this article is divided into four sections. The first presents my argument and details how different demands for private regulation affect its role as an incubator for new regulatory ideas. The second section introduces my empirical case and methodology. The third section identifies when and where regulatory novelties emerged in data privacy governance between 1994 and 2018 in Europe and the United States. It highlights that apart from a few private regulations adopted before 2000 in the United States, most did not include any novel rules and primarily aimed to implement privacy requirements originally set out by public actors. The fourth section explains how this finding reflects the evolution of the demand for private regulation to govern data privacy in the European Union and the United States.
Private regulation, experimentation, and regulatory novelty
Private regulations take many forms and names. Certifications, codes of conduct, best practices, guidelines, and standards are just a few examples that have been promoted in areas like financial reporting, 12 emissions accounting, 13 labor practices, 14 and commodity trading. 15 While differing in their specific aims and functions, they all reflect attempts by nongovernmental actors to formulate rules shaping business conduct. The term "regulation" here is preferred to "governance," as the latter is considered broader, including activities such as agenda setting, implementation, and monitoring. 16 Concomitantly, regulation is not assumed to be limited to state or legal actions. 17 It includes policy documents codifying rules that firms and other nongovernmental actors follow voluntarily, sometimes dubbed "soft laws." 18 While some scholars have long been critical of the actual contributions of private regulations to global governance, 19 others believe they can help fill regulatory voids. At both the international 20 and national levels, 21 the presence of multiple veto points can limit the capacity of public actors to adopt new regulations, creating a risk of leaving some issues lightly or ineffectively regulated.
Private regulations are considered a potential fix for this governance failure as they face fewer constraints in their adoption process. 22 More than a mere substitute or second-best option to public regulations, though, a growing body of literature emphasizes how private regulations can interact with and complement public regulations. 23 One such way, and the focus of this article, is by acting as an "incubator for ideas" 24 or a "laboratory of standards." 25 Public regulators must continuously look for ways to adapt their regulatory frameworks to changing circumstances and avoid a potential "problem of fit." 26 Optimal solutions are often elusive because of uncertainty, limited access to information, and sheer problem complexity. 27 Moreover, the difficulty of adopting new laws can push governments to be risk averse and follow established models. In this context, private regulations can theoretically have a positive impact by growing the size of the "soup of policy ideas." 28 Their "low costs of entry" 29 allow them to proliferate rapidly and often before sufficient support for new public institutions emerges. 30 In practice, not all private regulations are cheap or easy to adopt. 31 Some face multiple veto points, with consequences for their design. 32 However, on average, private regulations face fewer barriers to their adoption than public ones and are easier to amend once adopted because of their lower degree of legalization. 33 Therefore, some hope they can support a more experimentalist form of governance. 34 Experimentalism is understood here as a specific governance process through which regulators recursively update their policies or regulations as they learn from their implementation. 35 Private actors can contribute to this process by updating their private regulations as they implement them. Over time, public regulators can benefit from these repeated experimentations among private actors by institutionalizing those that prove most successful, spurring further experimentation by private actors. Many representatives from the industry specifically tout this potential contribution in the context of the regulation of new technologies, which are considered to evolve too quickly for governments to regulate effectively. One interviewee for this research made this very argument when asked about what their private regulation was aiming to achieve: "The problem with legislation is that it takes a long time. It is not enough in a world of fast-paced technological change." 36 Such statements should not, however, be taken at face value. As previous contributions have highlighted, private regulations can emerge in an attempt by industry actors to avoid further government intervention. 37 In this context, they may be more interested in limiting their regulatory constraints than supporting an experimental form of governance.

12 Mattli and Büthe (2005).
15 Auld (2014); Cashore (2002); Gulbrandsen (2014).
A key question, then, is under which conditions private regulators will experiment with new regulatory ideas instead of simply implementing existing legal requirements. Up to now, the literature on private authority has emphasized the possibility for industry groups or firms to create new principles and rules. 38 However, the conditions under which they do so remain largely unexplained. The emphasis is on private actors' potential to experiment with new rules, not the actual demand by private actors for them. In one contribution, Stefan Renckens notes how preferences for differentiation were the source of "upward divergence" in the regulation of organic products. 39 What drives the creation (or not) of rules in other issue areas remains an open question.
Meanwhile, experimentalist scholars disagree on the need for central oversight to ensure that private governance systems will lead to "ratcheting up" 40 or "upward harmonization." 41 Their focus is on the effectiveness and normative contribution of private governance. They investigate the role that public pressure must play to spur private actors to improve their standards rather than progressively weaken them. Yet they do not so much consider what drives private actors to include new rules. As the term "upward harmonization" implies, private actors can adopt existing public or private rules that appear as best practices. Therefore, they do not specify when we should expect private regulators to experiment with new regulatory ideas.
In this article, I argue that the tendency of private regulations to include new rules depends on the origin of the demand for their creation. Following an abductive method, 42 I use existing explanations for the emergence of private authority as an initial theoretical frame to consider when we should expect private regulations to include novel rules. Previous research has emphasized that private regulations emerge to provide at least three benefits. 43 First, they can help reduce transaction costs. 44 Transaction costs include information, bargaining, and policing costs incurred in carrying out market transactions. 45 Governments can notably benefit from private regulation to achieve legal compliance without developing the necessary knowledge or expertise to audit every business. 46 Meanwhile, private companies can aim to reduce their transaction costs by leveraging the knowledge of industry associations or certification companies to meet their legal requirements. Rather than investing time and resources to develop in-house expertise, they can rely on readily available compliance programs to achieve comparable outcomes. 47 Second, private regulations can provide a first-mover advantage. By regulating first, private companies can avoid potentially more restrictive public regulation and the potential costs of switching to another standard of practice. 48 Third, private regulations can offer reputational gains. Private companies can use them to differentiate themselves and reap economic rewards 49 or at least avoid negative publicity. 50
More than simply affecting where and when private regulations emerge, I infer from my empirical analysis that these three different demands also shape their content. Private regulations adopted to reduce transaction costs in highly regulated environments tend to closely approximate legal requirements and include few regulatory novelties. Businesses have few reasons to go beyond legal compliance as they cannot realize additional benefits. Adding new rules can even go against the original demand for private regulation, which broadly aims to make compliance more straightforward for private companies. In contrast, private regulations created to make reputational gains and gain a first-mover advantage are more likely to include new rules. By including new rules, they can differentiate themselves and gain positive visibility. Notably, they can aim to show that they are being more proactive in the hope of raising their public profile. Adding new rules can also help them keep control over the regulatory agenda by acting before other private actors, thereby avoiding potential costs associated with adopting another standard. Finally, it allows them to showcase their goodwill to public actors and fend off additional oversight. I develop this argument by combining insights from a content analysis and interview data. In the next section, I start by introducing the case of data privacy and my methodology.
Data and methods: Regulatory novelties in European and US data privacy regulations
Both the United States and the European Union rely on a mix of public and private regulations to govern the use of personal data in the private sector. In the United States, next to sectoral laws covering specific types of data (e.g., health data) or categories of users (e.g., children), industry self-regulations are the main source of obligations for the use of personal data in the private sector. 51 In comparison, the European Union has had a comprehensive privacy regulation covering the use of personal data throughout the private sector since the adoption of the European Data Protection Directive (DPD) in 1995. At the same time, European regulators continuously involved private actors in the regulation of privacy. Article 27 of the DPD indicated that member states and the European Commission should promote the adoption of codes of conduct in various economic sectors. Article 42 of the General Data Protection Regulation (GDPR) now requires them to also support the creation of certification schemes. 52 The inclusion of private forms of regulation was significantly seen as a valuable complement to public regulations by offering "greater flexibility in the way that [its] rules are implemented on the ground." 53 To observe when private regulations go beyond legal compliance and experiment with new rules, I built an original dataset of 127 public and private regulations adopted in the United States and the European Union between 1994 and 2018. The choice to focus on these two jurisdictions reflects their historically prominent role in global privacy debates. If China was notably presented as a third "data realm," 54 it only recently contributed to shaping global privacy debates. 55
Meanwhile, the time frame is used to reflect on the extent to which private regulation acted as incubators for regulatory ideas before and after the adoption of the DPD and GDPR in Europe. It also broadly follows the growth in online data collection following the commercialization of the Internet in 1995 and the accompanying surge in industry codes and certifications, as illustrated hereafter. 56 I identified each private regulation based on extensive research in the literature and previous work mapping out the ecosystem of private regulation dealing with data privacy. 57 I also asked all interviewees for this research to name the main private organizations in the privacy field to be as exhaustive as possible. For this project, I only consider regulations adopted by private organizations aiming to codify rules for multiple businesses (i.e., industry codes or certification schemes). In other words, the privacy policies of individual companies are excluded. Looking at corporate practices, Bamberger and Mulligan significantly found that companies in countries with privacy regimes as different as the United States and Germany showed themselves to be innovative and to go beyond legal compliance. 58 They emphasized that privacy officers in both countries pushed to integrate privacy concerns in the decision-making process of their respective businesses, including audits and other managerial practices.
The focus of this study differs slightly in that it aims to assess the extent to which private actors create new substantive standards or rules. In that regard, private regulations adopted by industry associations or certification companies help determine the privacy policies of large companies like Facebook or Apple that follow them, but also smaller ones that lack the resources to have full-time legal teams. In their work, Bamberger and Mulligan mainly looked at the practices of large companies, with half representing global corporations in the Forbes 2000 list. 59 Moreover, industry associations and certification companies are generally well-positioned to experiment with new rules as they can learn from the practices of their respective members while also developing a specific expertise in drafting data privacy regulations. This research thus complements Bamberger and Mulligan's work by looking at the extent to which private actors create new substantive data privacy rules while looking at industry-wide codes of conduct and certification schemes. At the same time, it is important to note that individual companies could still experiment with new substantive data privacy rules, a point I come back to in conclusion.
In the United States, the dataset includes privacy guidelines and certification programs developed by organizations like TrustArc (previously TRUSTe), the Better Business Bureau, and the Entertainment Software Rating Board. For organizations maintaining multiple programs, I only kept those applicable to all companies and types of data practices. In Europe, the dataset includes those of organizations operating at the European level, like the Federation of European Data and Marketing, EuroCommerce, and the European Society for Opinion and Market Research, as well as those operating in multiple European member states, such as TrustedShops. Private regulations operating in only one European member state are excluded. While they may include different rules, most are affiliated with European associations and thereby follow them. As discussed in the empirical section, the early adoption of the European DPD in effect set the baseline for data protection in Europe and pushed national industry associations to work through their umbrella organizations at the European level. 60

54 Aaronson and Leblond (2018).
55 Geller (2020).
60 A few national industry associations, such as Adigital in Spain and ECP in the Netherlands, were sometimes mentioned as pioneers in the mid-1990s. Neither has adopted a private regulation since then. Adigital is now a member and implements the code of Ecommerce Europe, the main industry association for online merchants in Europe.
Public regulations covered in the dataset include "hard" or "soft" laws adopted by the US federal government, the European Union, and international institutions in force after 1994 to identify the extent to which private regulations moved beyond their legal obligations and experimented with new rules. These notably include US laws adopted to govern the use of personal data by private companies in limited sectors (e.g., children's data or health data), European directives and regulations, and the Organisation for Economic Co-operation and Development's privacy guidelines. State laws in the United States and national laws in the European Union are excluded.
Although excluding state laws is a limitation of this study, the first state privacy law in the United States was adopted in California in 2018, the last year of the period covered by this research. The adoption of the first data breach notification law in 2002 in California is an important exception, and necessary caveats will be made when needed. Meanwhile, national governments in Europe were required to implement the DPD. If they could technically go further and experiment with new rules, the European Commission in the years following the adoption of the DPD was mainly concerned with a lack of transposition of European standards, especially in the first few years of its entry into force when most private regulations included novelties, as will be shown in the next section. 61 Figure 1 depicts the growth in the cumulative number (i.e., the stacked distribution) of private regulations in force in the United States and the European Union from 1994 to 2018. Private regulations are considered to be in force until the industry group adopting them stops maintaining them or ceases their activities altogether. Each shaded area reflects a region's total number of regulations. Private regulations that are transnational are presented separately.
The data presented in Figure 1 reveals a significant increase in the total number of private regulations in force since 1994. Moreover, it shows that private regulations initially grew more quickly in the United States than in the European Union. The number in the latter quickly caught up, however, indicating a similar interest in using private regulations to govern the use of personal data by private companies following the entry into force of the DPD in 1998. While the total number of private regulations has remained relatively stable since then, partly because some industry groups closed down their self-regulatory programs as new ones emerged, Figure 1 does not fully encapsulate the continued dynamism of private regulators in this space. Many of them regularly revised and adopted new versions of their regulations, including additional requirements. Considering these revisions separately, four new private regulations were created on average each year, for a total of 105 from 1994 through 2018.
The recursive process of adopting and revising private regulations broadly aligns with the argument that they can facilitate a more experimental form of governance. Some might indeed assume that it reflects these associations' tendencies to adjust their regulations as they learn from their implementation. Such an assumption, however, fails to consider the extent to which revised regulations create new requirements rather than simply transposing more of their existing obligations, including legal ones, into business practices.
Drawing meaningful inferences about the degree to which private regulations experiment with new rules requires going one level deeper and looking at how their content changes over time. For that purpose, I manually coded the text of all these different regulations using Nvivo. 62 Among all 127 identified public and private regulations, I identified 14 principles and 73 rules. Principles are "open-ended as to the range of actions they prescribe, while rules prescribe specific actions." 63 As opposed to technical standards defining, for example, detailed production techniques, many rules are general in their prescriptions. Yet they always prescribe a relatively clear action rather than a broad objective. For example, the first principle identified in the dataset is transparency, which is divided into eleven more specific rules. The latter notably include the obligation for companies to have a privacy policy informing individuals of how their data is being used, to provide information about the type of data that they use, and to communicate how they might disclose this data. Clear inclusion and exclusion coding rules for each principle and rule are available in a codebook. 64 I created the codebook following a two-step process. 65 In the first step, I deductively identified a set of principles and rules based on legal resources put out by law firms and data protection authorities to help businesses implement the GDPR. In the second step, I used this first set of principles and rules to code a randomly selected pool of twenty regulations while respecting a balance between regulations adopted over time in the United States and the European Union. Based on this first coding, I revised the original codebook to include principles and rules that did not fit any deductively identified codes. This combination of deductive and inductive work proved essential in the absence of previous studies looking comprehensively at the content of data privacy regulations and the interest of this research in identifying novelty.

61 Newman (2008, 94).
62 I collected the text of each regulation from the publicly available websites of each organization behind them. In cases in which older versions were no longer accessible on an organization's website, I used the Wayback Machine to collect them from the internet archive.

Business and Politics
Using the final codebook, I coded the entire dataset of public and private regulations. I then identified when and where regulatory novelties emerged. For this article, the latter are understood as the first instance that a specific data privacy rule is enunciated. In the rare cases where two regulations adopted the same rule for the first time in the same year, both were considered to include a regulatory novelty. This is not the only form regulatory novelty can take. The application of an existing rule in a new context could be considered novel but is not investigated here. With that caveat in mind, I consider the enunciation of new rules to be a crucial way to observe whether and when private regulations act as "incubators" or "laboratories" for new regulatory ideas.
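As an added illustration of the novelty-detection step defined above (this is not code from the article or its replication material), the following Python implements the "first enunciation" rule over a coded dataset, including the tie rule under which two regulations adopting the same rule in the same year both count as novel. It runs on a small constructed set of regulations whose names, years and rule labels are invented for the example; it also tallies novelties per year and regulation type, which is the kind of count a stacked bar chart like Figure 2 is built from, and computes the share of novelties in a window of years that came from private regulations. Revised versions of a regulation are entered as separate records, so rules carried over from an earlier version are not counted again.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Regulation:
    """One coded regulation: its rules are the codebook labels found in its text."""
    name: str
    year: int
    kind: str            # "public" or "private"
    rules: frozenset


# Constructed sample, not the article's dataset: names and rule labels are illustrative.
SAMPLE = [
    Regulation("Directive A", 1995, "public",
               frozenset({"privacy_policy", "purpose_limitation", "access_right"})),
    Regulation("Industry code B", 1997, "private",
               frozenset({"privacy_policy", "passive_collection_notice"})),
    Regulation("Certification C", 1997, "private",
               frozenset({"passive_collection_notice", "third_party_evaluation"})),
    # A revision is a separate record; only its genuinely new rule is novel.
    Regulation("Certification C v2", 2001, "private",
               frozenset({"passive_collection_notice", "third_party_evaluation",
                          "staff_training"})),
    Regulation("Law D", 2003, "public", frozenset({"breach_notification"})),
    Regulation("Regulation E", 2016, "public",
               frozenset({"access_right", "erasure_right", "portability_right"})),
]


def find_novelties(regulations):
    """Map each rule to the regulation(s) that enunciated it first.

    Returns {rule: [(name, year, kind), ...]}. When several regulations adopt a
    rule for the first time in the same year, all of them are listed (tie rule).
    """
    first_year = {}
    for reg in regulations:
        for rule in reg.rules:
            if rule not in first_year or reg.year < first_year[rule]:
                first_year[rule] = reg.year

    novelties = defaultdict(list)
    for reg in sorted(regulations, key=lambda r: (r.year, r.name)):
        for rule in reg.rules:
            if reg.year == first_year[rule]:
                novelties[rule].append((reg.name, reg.year, reg.kind))
    return dict(novelties)


def novelties_by_year_and_kind(regulations):
    """Count novelty occurrences per (year, kind); ties contribute one each."""
    counts = defaultdict(int)
    for entries in find_novelties(regulations).values():
        for _, year, kind in entries:
            counts[(year, kind)] += 1
    return dict(counts)


def private_share(regulations, start, end):
    """Fraction of novelties with start <= year <= end that came from private regulations."""
    total = private = 0
    for entries in find_novelties(regulations).values():
        for _, year, kind in entries:
            if start <= year <= end:
                total += 1
                private += kind == "private"
    return private / total if total else 0.0


if __name__ == "__main__":
    for rule, entries in sorted(find_novelties(SAMPLE).items()):
        print(rule, "->", entries)
    print(novelties_by_year_and_kind(SAMPLE))
    # Window strictly between the two public milestones of the sample (1996-2015).
    print("private share 1996-2015:", private_share(SAMPLE, 1996, 2015))
```

In the sample, "passive_collection_notice" is first enunciated by two private regulations in 1997, so both are credited, while "privacy_policy" in Industry code B is not novel because Directive A already contained it. Whether the window for a share such as the article's two-thirds figure includes or excludes the milestone years is a choice the caller makes through the `start` and `end` arguments.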
I supplement this content analysis with data from interviews conducted with thirty-five representatives from public and private organizations in the United States and Europe between November 2018 and June 2019. I selected interviewees based on their current or past employment with public and private organizations that adopted privacy regulations between 1994 and 2018.
They include directors, heads of units, public affairs officials, and legal advisers. As a whole, they represent almost all public and private organizations involved in regulating privacy in the United States and the European Union. It was impossible to identify interviewees for only a few defunct private organizations. 66 I collected each interviewee's name and contact information from publicly available resources or from other interviewees. In terms of geographical diversity, 40 percent of interviewees worked for organizations in the United States and 60 percent in Europe.
All interviews lasted about an hour. I conducted a third of them in person during a research stay in Brussels and the other two-thirds over the phone. I asked every interviewee to comment on the process of developing privacy regulations and how they interacted with other public and private regulators in their work. I transcribed and coded interview notes using Nvivo according to inductively identified concepts (e.g., fragmentation, implementation, transaction costs, reputation gains, etc.). To ensure confidentiality and to promote transparent discussions, interviews were not recorded. Interview quotes are used to support and help explain the results from the content analysis in the last section. 67 The next section first presents the extent to which private regulations included regulatory novelty and how their content evolved more broadly.

64 The codebook and full dataset are included as supplementary material for replication purposes.
65 Campbell et al. (2013, 311-12).
66 The full list of interviewees' organizations can be found in Appendix I. To protect anonymity, I use codes associating quotes with interviews. Codes indicate the interviewees' jurisdiction of activity (EU or US), organizational membership (GOV for government representatives and IND for industry representatives), and an identification number assigned randomly.

Private regulations: Experimentation or implementation?
The regulation of data privacy in the transatlantic area substantively changed following the adoption of the European DPD in 1995. New rules transformed the way that private companies can collect and use personal information, such as the so-called right to be forgotten. Until the inclusion of this right in the GDPR, companies had to erase personal information if found to be erroneous or if it could lead to wrongful decisions. Someone could, for example, challenge inaccurate information used to calculate their credit score. The right to be forgotten allows individuals to request the erasure of information if they believe it to be "no longer necessary in relation to the purposes for which they were collected or otherwise processed." 68 The right to be forgotten is one prominent example of a new rule, but it is not the only one. According to my content analysis, 59 rules were created between 1994 and 2018. They include new transparency rules requiring businesses to specify how long they can keep personal information and to whom they can transfer it. There are also new rules dealing with how companies can collect consent and how they should act in the event of a security breach or data leak. Figure 2 depicts the total number of regulatory novelties in public and private regulations from 1994 to 2018. Each type of regulation is represented in a different color. No bar in a year means an absence of regulatory novelties.
The first black bar in Figure 2 reflects the DPD, which is the regulation with the most novel rules in my dataset (16). Meanwhile, the last represents the GDPR, with five novel rules. These are the right to be forgotten, the right to data portability, the right to restrict the use of personal information, the right to representation, and the obligation for private companies to inform individuals of the safeguards abided by third parties to which they transfer their information. Between the adoption of the DPD and the GDPR, two-thirds (66 percent) of all novel rules came from private regulations.
For example, a private regulation was the first to require private companies to inform their consumers when they collect their personal data passively. Many companies now collect their consumers' data without having them fill out forms and instead rely on all sorts of information stored by digital devices when offering online services to their customers. This can range from a list of visited websites to geolocation data. These data collection methods are, by nature, difficult to observe. Early on, private associations set out a requirement that their member companies should at a minimum inform people if they used such passive forms of data collection. It often took the form of what we now know as "cookie banners." Other regulatory novelties found in private regulations include a requirement for companies to evaluate the data practices of third parties on which they rely to collect personal information and an obligation to provide training on good data practices to their employees. Even though the California data breach notification law is excluded from the dataset, the first appearance in my dataset of a requirement to inform individuals whose personal data have been affected by a data breach is in a public regulation. 69 Interestingly, however, my dataset indicates that after the adoption of the California law, some private regulations went further and required companies to maintain a data breach management policy and notify public authorities as soon as possible.

67
Quotes were translated when the interview was not conducted in English and lightly edited for the sake of clarity.

The dataset shows that private regulations can experiment with new regulatory ideas and, to some extent, provide greater flexibility to the regulation of an issue area, such as data privacy. At the same time, the almost entire absence of regulatory novelties in private regulations created since 2000 casts doubt on the idea that they are in a continuous experimentation process. The representation of yearly aggregates also hides the unequal distribution of these regulatory novelties across time and space. Figure 3 presents how each private regulation, including each revision separately, scored on a novelty ratio over time and by the region where it was adopted. The ratio represents the total number of times a regulation included the first-ever enunciation of a rule divided by the total number of rules created over that period (59). 70 Black squares and gray crosses represent private regulations adopted in the European Union and the United States, respectively.
What stands out is that most private regulations do not include novel rules. Apart from a handful created between 1994 and 2000, most of the squares and crosses closely follow the x-axis. 71 Strikingly, Figure 3 also shows that almost all private regulations that included new rules during that period were adopted in the United States. Only one regulation in Europe, created in 1994, before the adoption of the European DPD, experimented with more than one new rule. Since then, only two private regulations adopted in the European Union in 2001 included the same new rule requiring companies to anonymize or pseudonymize personal data before using them. 72 They consequently have a relatively low novelty ratio (0.02) and remain close to the x-axis.
This does not mean that all private regulations created since then were alike. As Figure 4 highlights, the average number of rules found in private regulations adopted every year between 1994 and 2018 more than doubled and now averages close to 24. It is still much less than the GDPR, which has 50 substantive rules, but it is a significant change. Many private regulations became more comprehensive over time. For example, the 2018 version of the privacy program of TrustArc, one of the best-known private regulations dealing with data privacy in the United States, had 48 rules. Other private regulations recently adopted in the United States and the European Union had a similar number.

70
I use the total number of new rules as the denominator rather than the number of rules in a single regulation to allow for comparison across years. Regulations adopted early on were shorter and would automatically tend to appear more novel. Using the number of rules in a single regulation would also risk overvaluing the novelty of regulations with few rules and penalizing more comprehensive regulations.

71
Squares and crosses along the x-axis may not all appear perfectly aligned. This is only the result of adding small spacing between them (i.e., jitter) for visibility.

72
As previously indicated, both regulations are considered to include a novelty because they included the same new rule in the same year.
Rather than creating ever-more novel data privacy rules, what stands out is that private regulations increasingly repeated those from previous regulations and, chiefly, those first put forward by public authorities. According to my calculations, on average, only 38 percent of the rules included in private regulations adopted before 1999 repeated requirements found in a law or another type of public regulation. The share of public rules included in private regulations quickly rose above 50 percent in the following years and is now often above 60 percent. In the case of the 2018 version of TrustArc's privacy certification, as much as 69 percent of its content repeated public rules. This indicates that as private regulations evolved and grew in length, they came to include more rules originally enunciated by public actors than private ones. It is also worth emphasizing that some early novel rules in private regulations were incorporated into laws before other private regulations adopted them. This is notably the case for rules developed to govern the use of children's data that are now found in laws in the United States and Europe. 73

In the absence of a comprehensive federal privacy law in the United States, the growing inclusion of public rules in US private regulations largely reflects the inclusion of rules from the DPD and the GDPR. Figure 5 shows the evolution in the ratio of European legal requirements included in US private regulations. The ratio represents the number of rules originally found in a European directive or regulation divided by the total number of rules present in each US private regulation. Each box then displays the spread in the ratios of all US private regulations adopted every five years. The vertical lines above or below the boxes indicate the minimum and maximum of the distribution, the bottom and top of the boxes indicate the first and third quartiles, and the horizontal line indicates the median.
Figure 5 shows that the median ratio of European legal requirements in US private regulations quickly increased by 10 percent after 2000. Despite going down slightly in the following years, the narrowing of the spread toward lower ratios indicates that, compared to previous periods, very few regulations fail to include multiple rules originally from the DPD. After 2015, the spread goes up again, showing that some US private regulations have more than 40 percent of their content replicating European legal standards. For example, the two most recent private regulations adopted in the United States in the dataset used for this research, Verasafe and TrustArc, include the so-called right to be forgotten introduced in the GDPR. It echoes the "Brussels effect," whereby European rules gain global influence because of the European Union's market size and regulatory capacity. 74 Private regulation can help US private companies by developing services allowing them to fulfill their legal requirements in multiple jurisdictions at once, or at least to minimize adaptation costs if they ever want to work with personal data from Europe. The next section details how this reflects the evolution of the demand for private regulations and how it shaped the inclusion of regulatory novelties in the European Union and the United States.
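To make the two measures used in this section concrete, the following Python snippet is an added example that is not part of the article or its dataset. On a small constructed corpus of regulations (names, years and rule identifiers are invented for illustration) it computes the novelty ratio of each regulation as defined above (first-ever enunciations divided by the total number of rules created, with two regulations adopting the same new rule in the same year both credited, as in footnote 72), and, for any regulation, the share of its rules first put forward by a public regulator and the share originating in a European public regulation, the quantity plotted for US private regulations in Figure 5. The tie-breaking rule for a public and a private regulation introducing the same rule in the same year is an assumption of the example, not something the article specifies.

```python
"""Novelty ratio and public-rule share for a small constructed corpus.

Added example, not the article's own code or dataset. Regulation names,
rule identifiers and years below are constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Regulation:
    name: str
    year: int
    jurisdiction: str   # "EU" or "US"
    public: bool        # True for laws/directives, False for private codes
    rules: frozenset    # identifiers of the substantive rules it contains


# Constructed sample corpus (not the article's 126 regulations).
CORPUS = [
    Regulation("EU-directive", 1995, "EU", True,
               frozenset({"notice", "access", "erase-erroneous", "transfer-limit"})),
    Regulation("US-code-A", 1997, "US", False,
               frozenset({"notice", "passive-collection", "assurance-review"})),
    # Same new rule, same year as US-code-A: both are credited (footnote 72).
    Regulation("US-code-B", 1997, "US", False,
               frozenset({"notice", "passive-collection"})),
    Regulation("EU-code-C", 2001, "EU", False,
               frozenset({"notice", "access", "pseudonymize"})),
    Regulation("US-code-D", 2005, "US", False,
               frozenset({"notice", "access", "transfer-limit",
                          "passive-collection", "staff-training"})),
]


def first_year(corpus):
    """Earliest adoption year of each rule across the whole corpus."""
    first = {}
    for reg in corpus:
        for rule in reg.rules:
            first[rule] = min(first.get(rule, reg.year), reg.year)
    return first


def novelty_ratios(corpus):
    """Novelties per regulation divided by the total number of rules ever created.

    A regulation is credited with a novelty for every rule whose first-ever
    appearance falls in that regulation's adoption year, so two regulations
    introducing the same rule in the same year are both credited. Using the
    corpus-wide rule count as denominator keeps ratios comparable across years
    (the article's footnote 70).
    """
    first = first_year(corpus)
    total_rules = len(first)
    return {
        reg.name: sum(1 for r in reg.rules if first[r] == reg.year) / total_rules
        for reg in corpus
    }


def rule_origins(corpus):
    """Map each rule to (public?, jurisdiction) of the regulation that first
    enunciated it. Assumption of this example: when a public and a private
    regulation introduce a rule in the same year, the public one is the origin."""
    first = first_year(corpus)
    origin = {}
    for rule, year in first.items():
        introducers = [reg for reg in corpus if rule in reg.rules and reg.year == year]
        public = [reg for reg in introducers if reg.public]
        chosen = public[0] if public else introducers[0]
        origin[rule] = (chosen.public, chosen.jurisdiction)
    return origin


def public_rule_share(reg, origin):
    """Share of a regulation's rules first put forward by a public regulator."""
    return sum(1 for r in reg.rules if origin[r][0]) / len(reg.rules)


def eu_rule_ratio(reg, origin):
    """Share of a regulation's rules originating in an EU public regulation
    (the ratio plotted for US private regulations in Figure 5)."""
    return sum(1 for r in reg.rules if origin[r] == (True, "EU")) / len(reg.rules)


if __name__ == "__main__":
    origins = rule_origins(CORPUS)
    for reg in CORPUS:
        print(f"{reg.name:12s} novelty={novelty_ratios(CORPUS)[reg.name]:.3f} "
              f"public_share={public_rule_share(reg, origins):.2f} "
              f"eu_ratio={eu_rule_ratio(reg, origins):.2f}")
```

Running the script prints one line per constructed regulation; in this toy corpus the 1995 directive scores 0.5 on novelty while the 2005 US code scores 0.125 and draws 60 percent of its rules from the EU directive, which is the pattern the article describes for the real dataset.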
The different demands for private data privacy regulation

My content analysis shows that apart from a short period of time, and primarily in the United States, most private regulations did not experiment with new data privacy rules between 1994 and 2018. Instead, they began to increasingly approximate public requirements. In this section, I combine interviewee data with additional qualitative evidence to show how this reflects the different demands for private regulation dealing with data privacy and their evolution in the European Union and the United States.

European Union
In Europe, only one private regulation adopted in 1994 experimented with more than one new rule. As noted by an interviewee working closely with the association behind this regulation, it reflected an attempt by the industry "to preserve the public trust." 75 The interviewee added that by acting first, they hoped to gain "a first-mover advantage" by contributing to setting the rules of the game. 76 In that respect, the adoption of the DPD in 1995 limited the possibility for other European industry actors to gain a first-mover advantage. Private regulations adopted afterward could no longer, at least in the short term, remove the threat of regulation or hope to set the rules for their industries.

73
The case of the US children's privacy law is discussed at greater length in the next section.
The DPD effectively required all European member states to adopt a law to ensure its application in their territory by 2000. This is why most private regulations adopted in Europe came after the turn of the millennium. Before then, private regulations came mostly from the United States, as highlighted in Figure 1. As European private regulations could not impede the adoption of privacy laws, industry actors decided to wait and see what public regulations would require. A similar process took place after the adoption of the GDPR. One interviewee working for an industry association behind one of these early private regulations noted this incentive to wait: "Nobody wanted to make the jump without knowing what [public regulators] actually wanted. People feared it could quickly become useless. At the same time, they did not want to go too far if it was not needed." 77 They added that all industry actors waited on "clarifications from the European Data Protection Board before doing anything." 78 Another interviewee noted that their suggestion to create "a bridge between the GDPR" and their existing code was swiftly rejected by the data protection authorities with which they were in contact. Their national contact point made clear that the GDPR needed to be the starting point for future regulatory development, not previous private regulations. Without clarity on the direction in which European privacy regulators wanted industry actors to implement the GDPR, the same interviewee added, their organization consciously decided to wait before making any changes. This is reflected in the absence of new private regulations created in Europe in the two years following the adoption of the GDPR in 2016.
Once the DPD entered into force and European member states started adopting national privacy laws, private regulations became useful tools to help companies reduce the transaction costs associated with the directive's implementation. This was especially true in the context of the still-fragmented European digital market. As one interviewee argued, the adoption of the DPD did not lead to a uniform set of rules across Europe: "All the industry was complaining that rules applicable to data protection were applied in a fragmented way." 79 While all member states of the European Union had to implement the DPD in their national law, they diverged slightly in their level of stringency and timing of adoption. 80 Therefore, one interviewee noted that private regulations could "help harmonize and implement European regulation." 81 This is in line with comments made by another interviewee for whom private regulations were useful when "businesses look for clarifications on how to implement the regulation." 82 Other interviewees were also keen to point out that the objective behind the creation of their organizations' regulations was to help small and medium-sized enterprises (SMEs). One noted that many SMEs were interested in the possibilities offered by the digital economy, "but there were a lot of question marks and interrogations regarding the legal framework." 83 In this context, their organization looked to "build a framework which would not only be for big companies with the means to apply it." 84 Similarly, another interviewee pointed out that the regulation put forward by their organization aimed to help "the SMEs, not the Amazon and eBay of this world." 85

This specific demand for private regulation to reduce transaction costs created an incentive for private actors to stay as close as possible to the legal requirements. As one interviewee who worked on the development of an industry code in Europe stated, "It is just such a big job [for companies] to decide how to interpret their existing obligations and they do not want to make their jobs harder than it already is." 86 This was reinforced by the European Union's active promotion of the possibility of using private regulations to reduce transaction costs. The DPD specifically stated that European member states should encourage the development by private associations of codes of conduct "to contribute to the proper implementation" of its requirements (Article 27). It also indicated that data protection supervisors could review and approve codes of conduct. Going through this process fundamentally meant being assessed on how well they included the requirements of the DPD. Although only one code was ultimately approved, this illustrates the early interest that European public regulators had in influencing the content of private regulations. Throughout the years, they took a variety of other measures toward this goal, including organizing events to provide feedback on the content of regulations developed by European industry associations. As one interviewee working for the European Commission stated, "We try to drive them to include what we think should be in [a] code." 87 In at least two cases, the European Commission even provided funding to support the development of private regulation, which went to pay for an external expert and ensure they would be developed in line with the objectives of the DPD. An interviewee closely involved in the development of these two codes stated that the European Commission wanted an expert "holding the pen for private actors." 88

Most interviewees from European industry associations also mentioned that their interactions with public regulators significantly shaped what they chose to include in their regulations. One interviewee noted that the level of interaction was such that "it might be more accurate to name it co-regulation" 89 instead of self-regulation. Another interviewee indicated that employees from the European Commission would "recommend [them] to look at specific issues and tell them what key questions they would like them to answer." 90 Yet another emphasized the deep influence of European regulators by noting the number of times they met with them:

We had roundtables organized with the European Commission, eight to be precise. [...] At one point, we were meeting every quarter. They wanted to follow very closely our progress. Up to a point where we didn't have the time to digest what we were reading anymore. 91

Another interviewee, finally, maintained that these interactions with European regulators did not merely help define what to include, but also set limits on what private regulations could achieve. They specifically lamented that asking questions about what was allowed was often criticized and considered suspicious. They recalled being told in a meeting with European regulators that "if you are asking questions, it means that you are trying to go around the law and this is problematic." 92 It reflects the belief expressed by one interviewee working for the European Commission that private regulations "are there to help compliance." 93 They should help with the implementation of European laws, and any attempt at departing from it could lead to new criticisms.
Finally, private regulations seemed to provide limited reputational gains. Although two interviewees mentioned that their regulations were aimed at "giving the industry an edge" 94 or were about providing "prestige," 95 most did not mention this as one of their potential benefits. Some also pointed out that an early multiplication of codes and associated logos only created "confusion." 96 Therefore, private companies did not have an interest in using them to differentiate themselves from others. What private regulations could instead do is help their adopters avoid criticisms from public regulators by focusing on approximating their requirements. One interviewee was specifically critical of what they saw as a tendency from industry associations to develop codes "not to protect citizens, but mostly with a defensive attitude towards themselves." 97

United States
In contrast to Europe, the United States still lacks a comprehensive federal privacy law covering the private sector. US regulators argued early on that the private sector should lead the regulation of the digital economy. 98 At the same time, they made clear that they could regulate the digital economy if needed and, indeed, adopted several sectoral laws to oversee the use of personal data in specific sectors. Private actors could thereby hope to gain a first-mover advantage and avoid greater public oversight by adopting data privacy regulations and showing their goodwill.
In the mid-1990s, fears that a growing industry of data brokers was selling sensitive information without sufficient safeguards led three senators to ask the Federal Trade Commission (FTC) to consider the potential need for regulation. 99 In reaction, a group of leading companies came together to create the Individual Reference Services Group (IRSG) principles in 1997. According to my content analysis, this private regulation includes the most regulatory novelties (8). It notably laid out a new rule requiring companies to confirm the quality of their source of information when not collecting personal information from the concerned individuals. It also required private companies to indicate when they collected personal data "passively" and established a new compliance mechanism whereby private companies had to go through an annual "assurance review." The adoption of the regulation had the expected effects, with the FTC commending the industry in its final report for having built "an innovative and far-reaching self-regulatory program" and recommending that the federal government not take any other regulatory action to cover the data broker industry. 100 Around the same time, multiple industry associations adopted privacy requirements specifically tailored to children as reports emerged of private companies collecting their personal information online. 101

While industry groups did not impede the adoption of the Children's Online Privacy Protection Act (COPPA) in 1998, my content analysis indicates that they were behind six of the eight rules that now oversee the collection and use of personal data from children and that have made their way into COPPA. These include requirements to provide special notification to children before collecting their data, obtain parental consent, and abstain from conditioning participation in games or offering prizes in exchange for children disclosing more personal information than legitimately needed. This finding is in line with one interviewee who used the example of COPPA to maintain that the industry could sometimes move first to set out ethical practices: "Sometimes, ethical requirements come before legal ones. We had requirements to protect children's data before COPPA." 102 In addition to shaping the content of COPPA, it is worth noting that private regulations also successfully carved out a role for themselves in the implementation of this law, such that they can act as "safe harbor" providers. The latter means that private companies abiding by a certified private regulation are presumed to comply with COPPA and can showcase a seal demonstrating their compliance. By moving first, private companies in effect helped legitimize their involvement in the regulation of children's privacy.
After 2000, however, industry groups in the United States almost entirely ceased to include regulatory novelties. While their regulations grew in length, as illustrated in Figure 5, they did not include new rules. Instead, they increasingly approximated legal requirements, notably coming from Europe. This chiefly reflects the tendency for most representatives from US private associations interviewed for this study to describe their role as helping companies implement their legal obligations and achieve greater accountability rather than aiming to create new data privacy rules. One interviewee, for example, stated that his role was "to implement, not create rules," 103 and another that their work was to help their clients understand how to "respect their [legal] requirements." 104 This tendency for private regulation to help achieve greater legal compliance rather than experiment with new rules partly reflects that the threat of public regulation has not been constant over time and notably diminished following the adoption of the first few private regulations at the end of the 1990s. 105 At the same time, there were clear periods when the prospect of public oversight grew stronger. By the mid-2000s, the FTC was notably more critical of the early industry efforts at regulating themselves. Yet, although this spurred the adoption of new private regulations, it did not lead to the creation of more new rules. Instead, they increasingly approximated rules put forward by public actors from other jurisdictions, notably Europe, as highlighted in Figure 5.
This progressive change toward an implementation role coincided with the growing promotion of private regulations as certification mechanisms for international transfers after 2000. In addition to establishing a baseline protection level for data privacy, the DPD restricted the transfer of European data to countries with sufficient protections and risked disrupting transatlantic data flows. 106 Without a federal privacy law, the United States could not obtain an adequacy decision allowing data transfers with the European Union to continue without restrictions. US companies faced the possibility of having to rely on individual consent and contractual agreements to transfer personal data from one jurisdiction to the other. To avoid this potentially cumbersome and costly outcome, US and European negotiators agreed to establish an international safe harbor inspired by the mechanism commonly found in US laws, such as COPPA. 107 The latter represented a limited adequacy decision where only firms self-certifying to adhere to a set of privacy rules and an enforcement mechanism were considered adequate and allowed to transfer personal data across both jurisdictions. Following the adoption of the safe harbor agreement, multiple private regulations were developed or updated to help US companies self-certify, including regulations not specifically intended for companies looking to conduct business in Europe or with European partners.
Private regulation now forms the core of the United States' strategy for international data transfer. In addition to renegotiating the original safe harbor agreement after it was struck down (twice) by the European Court of Justice, the US government negotiated agreements with other countries to promote

Gellman and Dixon (2016, 55).
program. The more you add requirements that go beyond and above the law, the harder you make it to join. 113

In addition, private regulations did not seem to provide meaningful reputational benefits. While no interviewees from industry associations in the United States maintained that the multiplication of private regulations created confusion as in Europe, none raised reputational gain as one of the main driving forces for their creation either. A previous study found that early private regulations dealing with data privacy provided limited signaling benefits and did not help companies differentiate themselves from their competitors. 114 In effect, the study shows that a private regulation (i.e., the WebTrust privacy program) developed by the US and Canadian associations of accountants and broadly recognized for its thoroughness ended up ceasing its activities because of a lack of companies adhering to it. My content analysis shows that this regulation included the second-highest number of rules after the IRSG. The IRSG also ceased to operate four years after it was created. 115 Meanwhile, the privacy program of TrustArc remains the most popular private regulation in this space despite seldom including new rules and facing multiple complaints of failing to implement its standard.

Conclusion
Private regulations are often presented as flexible and low-cost institutions that can more easily be adapted to specific circumstances and change over time than public regulations. As such, some argue that they can help support the emergence of a more experimentalist form of governance. 116 Private regulations can more easily experiment with new regulatory ideas that public regulators can later adopt if they prove successful. In this article, I examine the conditions under which private regulations play an incubator or experimenter role. I argue that it depends on the demand driving their creation. Private regulations adopted to help companies reduce transaction costs in highly regulated environments should lead to the creation of few novel requirements and tend to approximate private companies' existing legal obligations. In this case, the goal of private regulation is to reduce the costs of doing business, and experimenting with new rules risks doing the contrary. Meanwhile, private regulations driven by a desire to obtain a first-mover advantage or make reputational gains should tend to experiment with more new rules, as in doing so, they can help their adopters keep control over the regulatory agenda or gain a competitive edge over their competitors.
Looking at the case of data privacy, I show how the different demands and their evolution over time in the United States and the European Union can help explain the inclusion of new data privacy rules in private regulation from 1994 to 2018 in both jurisdictions. Following the adoption of the DPD in Europe, private companies were mainly interested in using private regulations to help them reduce their transaction costs by providing them with ready-made solutions to fulfill their legal requirements. In effect, only two included a regulatory novelty in 2001. All others mostly approximated existing legal requirements to help businesses achieve legal compliance. Meanwhile, in the absence of a federal privacy law, private companies in the United States could hope to gain a first-mover advantage and avoid additional public oversight. In the mid-1990s and early 2000s, it effectively led them to include several new rules in their regulations to showcase their goodwill to public regulators and remove the threat of greater public oversight. Since then, the growing significance of international data flows and the existence of competing models of privacy governance, however, prompted them to increasingly approximate legal requirements from other jurisdictions, notably Europe. Private regulations adopted recently in the United States, in effect, primarily aim to help private companies operate in a transnational context. Instead of offering a first-mover advantage, they provide their adopters with an integrated solution, allowing them to reduce the transaction costs associated with implementing their legal obligations in multiple jurisdictions.
These findings offer a cautionary tale to the idea that private actors are better positioned to help define how to regulate new or quickly evolving issues. In effect, their potential contribution depends on the benefits they can hope to achieve by regulating themselves. In cases where governments have yet to regulate, private actors may not be interested in experimenting with new rules if they are not likely to gain a first-mover or competitive advantage. These are notably a function of the likelihood of public regulation being enacted and the social pressure on companies to showcase their goodwill. This is especially important to keep in mind in the context of social values like privacy, for which we may not want to rely on the presence of such incentives to regulate.
Private regulations could still offer other benefits, like supporting greater legal compliance. As this article has shown, private regulations can help companies integrate their legal obligations. To what extent this translates to actual business practices, however, remains an open question. Cases like TrustArc and recent research 117 show that it is far from a given. At the same time, Bamberger and Mulligan's work on corporate practices highlights their potential capacity to be more innovative. 118 Future work could build on the present research findings by looking at how the demands for private regulation play out at different levels of governance and in different sectors. One limitation of this study is its focus on private regulations applicable to multiple businesses and developed to operate throughout the United States or the European Union. Codes of conduct developed for individual US states or European countries, or corporate practices developed by single companies, can significantly differ in what drives their demand, affecting their tendency to be innovative. Transaction costs may, for example, not have the same influence on regulations aiming to operate locally. When developing their privacy policies or corporate practices, individual companies may also have a stronger incentive to burnish their reputation. Recent research in the organic sector finally suggests that private actors can sometimes still seek to differentiate themselves through private regulation after government interventions. Examining the variations in the underlying demand prompting the adoption of private regulations at different levels of governance and in different sectors could thus yield new insights into their possible experimentation benefits.

Figure 1. Cumulative sum of private regulations in force including data protection rules in the United States and European Union, 1994-2018.

68
General Data Protection Regulation, Article 17(a).

69
The first instance of this rule in my dataset is the Madrid resolution adopted in 2009 by the International Conference of Data Protection and Privacy Commissioners.

https://doi.org/10.1017/bap.2023.16 Published online by Cambridge University Press

Figure 2. Number of regulatory novelties in public and private regulations, 1994-2018.

Figure 3. Novelty ratio of private regulations in the United States and the European Union, 1994-2018.

Figure 4. Evolution of the average number of rules in private regulations, 1994-2018.

Figure 5. Evolution of the distribution of the ratio of European legal requirements included in US private regulations by five-year periods.