Alternative Compliance


To better support small businesses operating in regulated sectors, we should develop “alternative compliance” mechanisms — parallel regulatory regimes that achieve the goals of existing regulations but take an alternative, data-oriented approach to achieving them.  Such an approach would be especially friendly to the smallest of small businesses, and would take advantage of available connectivity and data, simultaneously achieving the public goals of access to economic opportunity and public safety / consumer protection.

Access to work and jobs

Digital platforms are enabling new ways of working.  It’s easier than ever to start a small business, whether that’s cutting hair, giving rides, running errands, making food, providing professional services, or making products.  Financing platforms like Kickstarter, Indiegogo and CircleUp make it easier to raise capital (when that’s necessary), and marketplace platforms like Lyft, Thumbtack, Upwork, Etsy and Josephine not only make it easier to reach customers, but also provide trust & safety systems necessary to secure commerce.

The result is that it’s never been easier to find, get, or make-your-own, work. Digital platforms make onboarding fast and convenient, and give workers / makers / sellers the ability to get into market and build their reputations & businesses from there.

This is by and large a good thing.  We want access to jobs and work; we want a broad diversity of products and services; we want more competition in the marketplace; we want quality and convenience for customers.  Digital platforms give us all these things.  It is a profoundly pro-small-business and pro-consumer moment in time.

The traditional regulatory model: barriers to entry

But of course, there is a catch.  The process of quickly on-boarding via a digital platform, getting yourself out into the market, and building a reputation over time (tracked by data in a digital platform) is often at odds with our traditional mechanisms for regulating commerce, which have always employed a licensing / permission based model, where the main tool is creating barriers to entry.

Regular readers will recognize this diagram and the following one:

Screen Shot 2016-08-04 at 1.30.48 PM

The traditional approach makes sense in a time when the ability to monitor and track compliance is limited and enforcement is expensive.  For a long time (really, until just the last few years), this has been the case.

However, by its nature, this model is exclusionary — it is hard to get started, because it takes time and money to fulfill typical regulatory requirements.  This has the effect of advantaging larger businesses over smaller ones, incumbents over startups, and companies over individuals.

Further, the overall effectiveness of this style of regulation is limited — once actors are in the market, ensuring for public safety and consumer protection is difficult and expensive, leading to a standard regime of occasional spot checking (think restaurant inspections) and attention only to the most egregious violations.

The web model: fewer barriers to entry, but more accountability

Given the real-time data infrastructure of the web, an alternative model is possible, which focuses on accountability over permission / barriers to entry:

Screen Shot 2016-08-04 at 1.30.55 PM

This is how every web platform works: by increasing the use of data to increase accountability, we are now able to lower the initial barriers to entry.  

The result is a powerful democratizing effect, across every industry (ride sharing, home sharing, manufacturing, cooking, professional services, etc), making it easier for small businesses to get started and reach customers.  Consumers have more choices, and more competition on the supply side makes the market healthier.

It also leads to many (realized and potential) improvements in public safety and consumer protection, as constant performance monitoring leads to an unprecedented level of accountability.  This comes not only in the form of peer review (ratings on eBay, Lyft, etc.) but also in the form of vast volumes of data (coming from apps, phones, sensors, etc.) that give us a granular, real-time view of what’s happening.  This is brand new and very powerful from a regulatory and public policy perspective.  

Conflicts between the traditional model and the web model

And now, in every regulated sector, we are seeing a clash between the traditional, permission + barriers-to-entry model and the web’s data + accountability model.

For one recent example, we can look at the acceleration of the home-cooked food economy, fueled (but not created) by platforms such as Josephine and Homemade.  Sarah Kessler from FastCo details the recent conflicts in The Food-Sharing Economy Is Delicious And Illegal—Will It Survive?

Here, we see the tension between independent food entrepreneurs (people selling prepared food from their home kitchens) and the traditional food safety regulators.  While health departments have always cracked down on DIY food sales, the issue is exacerbated now by the addition of digital platforms further opening these markets, and providing systems to reduce friction from these transactions.

In the article, Sarah quotes me on an idea for “alternative compliance mechanisms” that could help bridge this divide, and that’s what I want to focus on here.

Bridging the gap: alternative compliance for web-enabled small businesses

Alternative compliance is a mechanism for achieving the goals of traditional consumer safety regulations, but using different tools & approaches.  Same goals, alternative techniques.  

I propose that in regulated sectors (housing, transportation, health, food, labor, etc), we seek to design, in parallel to existing regs, alternative compliance regimes that rely on data & accountability rather than up-front barriers to entry; in short: the ability to opt-out of existing regulations by opting-in to a data-sharing agreement.  


Given any sector where such an alternative compliance mechanism exists, businesses could choose whether to be regulated under the traditional regime, or instead opt-into the alternative compliance regime.  Doing so would relieve them of the traditional regulatory requirements, but would introduce new, data-oriented requirements.  Note: this applies to existing businesses as well — so this is not just special treatment for small businesses or web companies, but rather an alternative regulatory paradigm that any company can opt-in to if they so choose.

For example, to build on the food safety example, here’s what traditional food safety regulation often looks like (emphasis mine):

“If you want to sell food in California, your kitchen needs to have a sink—at least 18 by 18 inches in length and width and 12 inches deep—exclusively for washing and preparing food. It needs another sink with at least three compartments (“with two integral metal drain boards”) for washing, rinsing, and sanitizing dishes. Countertops must be “nonabsorbent,” typically stainless steel, and the lightbulbs above where you prepare food should be “shielded, coated, or otherwise shatter-resistant.” Your can opener must have a “piercing part” that can be removed and cleaned. “It’s about a $50,000 effort,” says Peter Ruddock, the coordinator of the California Food Policy Council. “It would be a significant investment to turn your kitchen into something that you wouldn’t want [in your home].”

An alternative regime might look something like this:

  • Chefs must register with an online platform (Josephine, Homemade, or any other that complies with some basic standards — including possibly one run by a regulator) and create a profile.
  • All transactions must include a verified user review / rating.
  • Platforms must be transparent in disclosing data about cooks (level of experience, details of ratings, etc) to end customers.
  • Aggregate performance data must be shared by the platform with the health department.  Specific inquiries can be facilitated based on evidence of specific harms.  In return for providing this data, platforms receive immunity from intermediary liability.  (Getting this right will be hard, but it is critical.)
  • Individual cooks must have access to their own data in downloadable/API form, thus limiting potential market power of any one online platform.
  • On an ongoing basis, adjustments to related policies can be made based on evidence gained from the data.

In addition to these general ideas, you could also include industry- or function-specific requirements, such as:

  • Require low-cost sensors (of some kind) in any active kitchens (for home cooked food)
  • Link OBD port for acceleration & other driving data (for on-demand drivers)
  • etc.

In alternate compliance mode, getting started as a home chef costs $100, vs $50,000 to build a traditional commercial kitchen.  This is just a sketch, but it gets at the main point, which is that it’s possible to design a parallel system to support data-driven regulation where that’s possible.

In considering such an idea, we’d want to keep the following ideas in mind:

As good or better

Importantly, when we talk about “alternative” compliance, we should stress that doesn’t mean “worse” or “not at all”.  In fact, the level of effectiveness that we should be shooting for is as good or better than existing regulations.

Exactly how “as good or better” is achieved depends on the context of the specific sector, but would be driven by the data (aggregate and individual, summary and real-time) collected by the various platforms and interpreted over time for policy development and enforcement.

Real-time response

One way in which data-driven regulatory systems can improve on traditional systems is the speed in which responses can be handled.  When data is coming from many sources in real-time or near-real-time, responses (such as enforcement or policy adjustments) can happen much more quickly.  In addition, trends can be noticed sooner, based on early signals from widespread data, giving regulators a chance to get further ahead of growing problematic situations.

Lower cost of operations & enforcement

Given the low marginal cost of additional data, alternative, data-driven regulatory regimes can be operated at a lower cost than traditional licensing-and-enforcement regimes.  While there is significant up-front cost in designing and building such infrastructure (as is the case with building any web platform), the ongoing costs are exceedingly low.  In the case of alternative compliance via partnership (with existing tech platforms) regulators can theoretically piggyback on platform investments made by companies already in market.

Further, certain accountability functions can be crowdsourced.  For example, imagine visitors at airbnb venues reporting on the existence of smoke detectors & fire extinguishers, much the same way that users of Foursquare crowd-source data about restaurants (what are the hours, do they accept credit cards, etc).  By building infrastructure for end-users to report data, the centralized burden on monitoring and enforcement can be further reduced.

Either / or, not both

It’s important that such a system would need to be “either / or” — meaning, businesses (chefs, drivers, etc) would be regulated either by the old system or by the new one — not both.  This is important, because the whole point of reducing barriers to entry is to allow market participants who wouldn’t have made it before under the permission/licensing based system.  So, if we were to use an alternative compliance mechanism, but the newly available data to simply enforce the all of existing rules, then we’re missing the whole point.

For example, if we allow home-cooked food sales if it’s tracked by an online platform, but then use the data in the platforms to enforce existing home-cooked food laws and put the chefs out of business, all we are doing is creating a better enforcement system for existing laws, not broadening the scope of what’s possible and safe in the world, and really opening up markets to new entrants.

The big opportunity here is to give ourselves the space to explore new ways of doing things, to innovate, to experiment, while still reserving the right to make adjustments if the situation warrants it.  

We need to give ourselves room to change our norms, policies and laws, over time, as we become comfortable with new technologies and new ways of doing things.  This is what innovation is — and this is why it’s so important to not simply enforce the current laws to their maximum extent, but rather to give ourselves the space to explore new ways of doing things, while closely tracking the outcomes so we can manage for trust & safety.

Thus, participating in a digitally-enabled alternative compliance scheme should give market participants the chance to prove themselves outside of the existing rules — it must give them immunity from the existing rules, and the chance to prove that their businesses can be operated safely and in a trusted way, and monitored through data access.

Put another way, an alternative, data-driven compliance regime says “we’ll let you do this, so we can learn from it”.

For regulation that learns, data is an asset.

The trick, then, is to enable regulation that learns; regulation that’s dynamic, not static, that evolves and improves over time.

Critical to that goal is the mindset that data is an asset.  The more open we are to new kinds of business operating, the more we have the opportunity to see data that comes from activities, the more we can learn from the data, and then iterate on policy. Thinking about policy and regulation this way therefore biases us towards encouraging activity to happen, rather than stopping it from happening.

Building on existing regulations

One approach might be to build on top of an existing regulatory but hack to make it more useful.   For instance, perhaps within the context of, say, taxi licensing, one could construct an alternative approach to a single part of the process (perhaps vehicle inspection, or background checks — using a tool like Checkr).  Taking a partial or incremental approach can have the dual benefits of a smaller scope, and building off of systems that are already understood and trusted).

Possible approaches to implementation

An alternative compliance regime could be executed a number of different ways, for example:

  • By partnering with commercial platforms/marketplaces (as in the above example) — let any online platform become a compliance partner by meeting some basic, open standards.
  • By regulators building their own online infrastructure to manage registrations, transactions, and data (more difficult, but not impossible)
  • By using third-party platforms that broker data and transactions between commercial actors and regulators (such as Airmap for drones)
  • By establishing open standards for data reporting (similar to existing reporting requirements)

The point being, that what’s necessary to implement such an alternative compliance mechanism is a data platform.  In some cases that can be an existing platform, but it could be also be a new platform developed by the government.

Identifying suitable sandboxes

Bringing this high level idea down to earth, it makes sense to try and identify targeted areas where it would be possible to construct such an alternative regulatory environment.

An ideal sandbox would be a relatively narrow sector, with relatively low stakes in terms of public safety & consumer protection, in a jurisdiction where there’s sufficient local control and autonomy to try something new without having to do lots of coordination and negotiation across city/county/state/federal jurisdictions.

3 comments on “Alternative Compliance”

Thanks for sharing – this is a really interestig proposal.

Your idea of finding innovative ways to use leverage data transparency to improve internal control effectiveness and tighten alignment between risks and controls is fantastic.

After reading your piece, I am picturing an ideal regulator with an online survey for a startup in a regulated industry where the startup completes a survey to disclose their risks for compliance issues (for example making a customer sick with food poisoning) and the regulations are scaled to the startup size and business model. Of course this only works if the startup re-does the risk / control survey as it grows and scales.

Totally agree that the barriers to entry in many regulated industries are not aligned with the risks with the side effect of driving away innovation.

Also agree that regulatory schemes could benefit from an “effectiveness” recalibration – to force legislators and regulators to define the regulatory goals and encourage more public input to re-think the best approach to achieve those goals, keeping in mind the availability of transparent data to map the regulatory goals to the startup process.

I have been thinking about a similar idea lately – finding a way to scale regulatory compliance requirements to map to the regulations to the risks associated with the company’s business and maturity / growth stage.

Your open data proposal makes a lot of sense, but I can see regulators raising the question as to how to monitor the reliability of the startup’s data? I am left wondering what the solution for that would be. One issue for regulators is likely to be that a business may still be high risk even if it is a small business – for example, a home kitchen that cuts chicken on a wood block and cross-contaminates to vegetables is the same high risk to my stomach whether it is a startup or not.

Looking forward to reading more from you on this.

The question you raise about risk thresholds is important here – true that one person could get sick from a home kitchen but unlikely that 1,000,000 would

This approach only works if the data collected is uniquely valuable in its own right – so much that it contributes to overall safety and offsets the risks of allowing the activity in the first place, in order to collect the data

My guess is that third party platforms that can manage the real time data exchange between regulators and businesses is how this will work, at least initially – rather than regulators developing their own systems or businesses filling out forms

I agree – I doubt regulators would have the bandwidth or expertise to do this. But the third party develoment is a great idea – I wonder if a third party platform could get funding to do the front-end work to develop a proposed scaling regulatory compliance data driven platform to map company risk markers to risk-based regulatory requirements, to create a truly bespoke risk-based approach to regulation (which is what regulators say they want). That could be hard for regulators to turn down.

Comments are closed.