Anne P. Mitchell
Internet Law & Policy Lawyer
Founder of ISIPP SuretyMail
First of all, just what the heck does ISIPP stand for?
(laugh) ISIPP stands for the Institute for Social Internet Public Policy. I know, a mouthful, right?
So what does ISIPP do?
Well, as one of the first Internet law and policy attorneys in the U.S., I got very involved in, among other things, dealing with issues around email marketing, spam, how to distinguish one from the other, etc.
So in addition to doing consulting on Internet law and policy, and running conferences dealing with various aspects of Internet law, we developed SuretyMail, which is an email reputation certification program. In fact, we are one of only two companies in the world who provide email reputation certification.
How does that work?
Basically, if you send email in the course of business, as just about any business in the U.S. does now, you have to worry about your email ending up in the spam folder, or not even getting to the recipient at all.
What we do is certify to ISPs, email inbox providers, spam filters, and other email receivers, that your email is actually wanted email, and not spam, so that they deliver it to the inbox.
We do this by providing DNS lookups for the systems receiving the email, which tells them that you are certified with us (or not). If you are at all familiar with an email blacklist, it’s the same technology, only our system provides positive email reputation.
What else is keeping you and ISIPP busy these days?
GDPR. That’s the big one. We generally stay on top of law and policy changes that affect doing business on the Internet, and GDPR is huge. GDPR stands for General Data Protection Regulation, and is the new law coming online out of the EU that deals with data collection, handling, and privacy, and which goes into effect on May 25th of this year.
The thing is, even though it’s an EU law, it affects everyone, including businesses in the U.S. and other non-EU countries.
In fact, pretty much any business anywhere is going to need to comply with GDPR, but few businesses in the U.S. have even heard of it, and fewer still realize that they need to comply with GDPR, let alone know what they need to do in order to be in compliance.
Other companies have heard of it but are sticking their heads in the sand, thinking that the EU won’t enforce it against a U.S. company – that’s a big mistake. In fact, GDPR specifically states that it will be enforced against any company anywhere if they violate GDPR with respect to the data of someone who has a connection to the EU.
There are companies who think that they can avoid having to comply by simply refusing to do business with anyone in the EU, but GDPR also specifically prohibits automated profiling in order to determine, among other things, the location of an individual. Plus, people use VPNs, and otherwise spoof where they are from, and even who they are, all the time.
So we are doing a lot of legal compliance consulting for U.S. businesses that are scrambling to comply with GDPR.
Is it hard to comply with the GDPR?
That really depends. I would estimate that at least 75% of the companies that we are working with are already a good part of the way to being GDPR compliant just by virtue of already having good data handling practices in place. But even 75% isn’t good enough to defend against a lawsuit, plus there are a lot of things in GDPR that are not intuitive.
And that is compounded by the fact that GDPR also provides a private right of action, meaning that in addition to businesses and agencies being able to bring an action against you under GDPR, any individual who believes that their rights have been violated under GDPR can bring an action against the company that they believe mishandled their data.
So if a company needs more information about this GDPR stuff, are you a good resource for them?
Well, not to sound too braggy, but I’d say that we are one of the best resources, especially for U.S.-based companies looking for information and assistance, as we are one of the few companies in the space with the legal background as well, and I’m one of the only attorneys in the U.S. to have this expertise.
We’ve heard of companies being told by their in-house attorneys, or general counsels, or outside business attorneys that they don’t need to comply with GDPR, and that’s just plain wrong. It is true that some of this is going to end up being sorted out in court – our job is to make sure that our clients don’t become a test case.
In fact, your readers can read an article that we wrote as a quick overview of GDPR compliance here:
How and Why U.S. Companies must Comply with the EU General Data Protection Regulation (GDPR)
Looking back, what would you say are some of the highlights of your career so far?
Definitely being asked by Senator McCain’s office to author the section of CAN-SPAM (the Federal anti-spam law) that became known as the McCain amendment. I’m very proud of that.
Also, being invited to join the faculty at Lincoln Law School; I was a law professor there for many years, until I moved out of the Bay area.
One other thing that is a definite highlight is my work in fathers’ rights, before I became an Internet law and policy attorney. I helped mould California family law to be fairer to fathers and their children. And we had a television talk show, filmed in Mountain View, devoted to family law issues for fathers; you can still find most of the episodes of that show on YouTube, it’s called Fathers are Parents Too.
Anne P. Mitchell is the founder and CEO of the Institute for Social Internet Public Policy (ISIPP).
A graduate of Stanford Law School, she was one of the first Internet Law and Policy attorneys in the U.S. You can reach her at http://www.isipp.com