Assessing the Federal Trade Commission's Privacy Assessments
Chris Jay Hoofnagle, Assessing the Federal Trade Commission’s Privacy Assessments, 14(2) IEEE Security & Privacy 58–64 (Mar/Apr. 2016)
Consumer Protection regulators worldwide share basic problems: the companies that regulators police are so powerful and rich that fines do not matter. Consider the French with their €150,000 fine against Google in 2014. Efficacious fines against dominant platforms would have to rise to nine-figure levels to cause change, but consumer protection agencies generally lack the authority and political will to levy such fines.
As a result, consumer protection officials ensure compliance by monitoring defendant companies. However, even this is a challenge. Although consumer protection agencies such as the US Federal Trade Commission (FTC) have decades of experience in evaluating misleading advertising, information security and privacy oversight challenges differ from advertising matters.
Because information security and privacy issues are difficult to observe and, even if detected, difficult to understand, the FTC and other enforcement agencies rely on outside “assessments” by accounting and security consultants. These assessments evaluate the veracity of defendant company managers’ claims about privacy and security protection of consumer information. Accounting and security firms now have a lucrative and growing business in performing assessments required by the FTC and state attorneys general. In a real sense, consumer privacy worldwide depends on these assessments, as international regulators rely on the FTC’s oversight of companies serving consumers in other countries.
Unfortunately, assessments are misunderstood by many in the policy realm, who mistakenly see them as rigorous as a formal audit. The lack of knowledge of the differences between assessments and audits allows the FTC and respondent companies to tout assessments as an effective tool to improve practices.
In this article, I discuss efforts to oversee companies’ privacy and security programs through the lens of two assessment reports on TRENDnet and Google and offer five suggestions to increase accountability in the assessment process.