Assessing the Federal Trade Commission’s Privacy Assessments

Why read this article?

This short article points out the big differences between an “audit” and an “assessment,” the latter of which is the tool used by the Federal Trade Commission to oversee companies that are subject to consent decrees. “Assessment” is a term of art in accounting wherein a client defines the basis for the evaluation, and an accounting firm certifies compliance with the client-defined standard. An audit, on the other hand, is an evaluation against a defined, externally developed standard, such as the requirements of an International Organization for Standardization (ISO) standard.

This article offers five approaches to improve the assessment process:

  • Require Systems Compliance Tests
  • Use Audit-Like Standards
  • Interview Stakeholders outside the Company
  • Require Disclosure of System Changes
  • Make Assessments More Public

Cite as: Chris Jay Hoofnagle, Assessing the Federal Trade Commission’s Privacy Assessments, 14 IEEE Security and Privacy 58–64 (2016).

Consumer protection regulators worldwide share basic problems: the companies that regulators police are so powerful and rich that fines do not matter. Consider the French with their €150,000 fine against Google in 2014. Efficacious fines against dominant platforms would have to rise to nine-figure levels to cause change, but consumer protection agencies generally lack the authority and political will to levy such fines. As a result, consumer protection officials ensure compliance by monitoring defendant companies. However, even this is a challenge. Although consumer protection agencies such as the US Federal Trade Commission (FTC) have decades of experience in evaluating misleading advertising, information security and privacy oversight challenges differ from advertising matters. Because information security and privacy issues are difficult to observe and, even if detected, difficult to understand, the FTC and other enforcement agencies rely on outside “assessments” by accounting and security consultants. These assessments evaluate the veracity of defendant company managers’ claims about privacy and security protection of consumer information. Accounting and security firms now have a lucrative and growing business in performing assessments required by the FTC and state attorneys general. In a real sense, consumer privacy worldwide depends on these assessments, as international regulators rely on the FTC’s oversight of companies serving consumers in other countries. Unfortunately, assessments are misunderstood by many in the policy realm, who mistakenly believe them to be as rigorous as a formal audit. The lack of knowledge of the differences between assessments and audits allows the FTC and respondent companies to tout assessments as an effective tool to improve practices.
In this article, I discuss efforts to oversee companies’ privacy and security programs through the lens of two assessment reports on TRENDnet and Google and offer five suggestions to increase accountability in the assessment process.

@article{hoofnagle2016assessing,
  title={Assessing the Federal Trade Commission's Privacy Assessments},
  author={Hoofnagle, Chris Jay},
  journal={IEEE Security \& Privacy},
  volume={14},
  number={2},
  pages={58--64},
  year={2016},
  publisher={IEEE}
}