This new white paper, entitled “Understanding and Improving Privacy ‘Audits’ under FTC Orders,” carefully parses the third-party audits that Google and Facebook are required to conduct under their 2012 Federal Trade Commission consent orders. Using only publicly available documents, the article contrasts the FTC’s high expectations for the audits with what the FTC actually received (as released to the public in redacted form).
These audits, as a practical matter, are often the only “tooth” in FTC orders to protect consumer privacy. They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security.
The paper shows how the audits are not actually audits as commonly understood. Instead, because the FTC order language only requires third-party “assessments,” the companies submit reports that are termed “attestations.” Attestations fundamentally rely on a few vague privacy program aspects that are self-selected by the companies themselves. While the FTC could reject attestation-type assessments, the agency could also insist the companies bolster certain characteristics of the attestation assessments to make them more effective and replicate audit attributes. For example, the FTC could require a broader and deeper scope for the assessments. The agency could also require that assessors evaluate Fair Information Practices, data flows, notice/consent effectiveness, all company privacy assurances, and known order violations.
With an entirely new set of FTC commissioners scheduled to take the helm by May, the agency could also pursue a more dramatic course correction. For example, the commission could release unredacted assessments, have assessors directly report to the agency (instead of the company being assessed), more concretely encourage those reporting violations, create incentives for companies to self-report violations, impose Board of Director responsibility for assessments, clarify that a third-party assessment is not a safe harbor, and build an internal task force to fully evaluate privacy order provisions, especially of course the third-party assessment.
Simply “staying the course” puts consumers – and potentially democracy writ large – in an untenable situation, with real-world consequences. It’s time to dive deeply into understanding these third-party privacy assessments and consider meaningful proposals for their improvement. The FTC is an extraordinary agency, and it is more than capable of rising to this challenge.