Since the Federal Trade Commission (FTC) began bringing cases focusing on information privacy in 1999, the vast majority of the FTC’s Section 5 cases and complaints alleging violations of COPPA, GLBA, and the U.S.-EU Safe Harbor/Privacy Shield arrangements have ended via settlements wherein the company is placed under an FTC consent decree. Major technology companies, including Facebook, Google, Snapchat, Twitter, and Uber, are under such 20-year decrees.
To compensate for the FTC’s lack of enforcement authority to extract monetary penalties, these consent decrees attempt to impose lengthy terms of FTC oversight, to require companies to implement privacy and security programs, and, finally, to require companies to undergo regular independent assessments of their privacy and security practices. The FTC has regularly held up its consent orders as an essential pillar of its privacy enforcement activities, and their terms have been interpreted by the privacy profession writ large as creating a sort of privacy “common law.”
While the terms of FTC consent orders can appear quite detailed and privacy-protective, there is considerable evidence that consent orders “lack teeth,” permitting companies tremendous flexibility to satisfy the terms of the consent order without improving privacy and security practices internally. When the FTC has enforced the terms of its consent decrees, the resulting penalties can be so minuscule as to ensure they are simply the cost of doing business. For instance, when Google agreed to pay a $22.5 million penalty for violating the terms of its consent order, this amounted to less than half a single day’s revenue.
Moving forward, CDT recommends that the FTC begin to strengthen the terms of its privacy and security-related consent decrees. The recommendations that follow are based on three key principles: (1) more rigorous enforcement; (2) more public transparency; and (3) more significant penalties for violations.
- Stronger Auditing Requirements: FTC consent orders almost universally require companies to undergo periodic independent privacy “assessments.” However, these assessments are not as rigorous as a formal audit. The independent assessor is, in effect, benchmarking the company’s privacy and security practices against the company’s own terms, and not against any sort of external standard or even requirements set forth by the FTC. To maintain the integrity and impartiality of the audit, the FTC should have at least limited oversight over independent auditors. In addition, individual auditors should be required to personally sign each assessment done in accordance with an FTC consent decree. FTC consent decrees should provide additional detail on how companies can be assessed against external standards or, as detailed below, on how privacy by design concepts are incorporated into their business practices.
- Assessments Must Focus on Business Practices: Another problem is that the scope of assessments mandated by FTC consent decrees is generally limited to specific components of a company’s privacy compliance program. For example, assessors can be instructed to review the state of the company’s “privacy controls” or existing administrative, technical, and physical safeguards. The challenge is that this sort of narrow review may not capture material changes in business practices that implicate consumers’ privacy interests. Narrow reviews also fail to capture relevant privacy concerns highlighted by external stakeholders, including privacy advocates, vendors, and even business competitors. Because of the periodic nature of the assessments, companies can also “game the system” by altering their practices and procedures prior to undergoing the independent review. To discourage such activity, FTC consent orders should require corporate management to detail all material changes to their systems or business practices made prior to an assessment, and the agency should follow up assessments with technical testing of systems compliance performed by outside experts.
- Incorporate Privacy By Design Requirements: The FTC has long espoused the notion that companies should consider privacy when designing products, services, and applications that rely on personal data. Consent decrees incorporate “privacy impact assessments” that consider “design, development, and research,” but even for enforcement actions that acknowledge deceptive or obstructionist default settings or poorly designed privacy controls, the end result of these compliance exercises is additional disclosures to consumers. So long as companies view their privacy and security programs as compliance exercises, the end result will be technologies that place significant burdens on consumers to understand how their data can be collected, used, or abused. FTC consent orders must consider how engineers and development teams can be brought into formalized privacy programs.
- Control Third-Party Sharing: Existing FTC consent decrees require, by contract, that service providers implement and maintain reasonable privacy and security protections. Any sharing with third parties, both service providers and independent parties, should be governed by clear contracts, auditing commitments, and, where appropriate, technical controls. When data is transferred to independent third parties, FTC consent decrees should prohibit any transfer absent express, affirmative consent and mandatory data security measures.
- Assessments Should Be Made Public By Default: Privacy advocates and public interest groups have had to go to great lengths to get access to companies’ privacy assessments, engaging in lengthy FOIA requests only to receive heavily redacted documents. While companies have an interest in protecting proprietary information, excessive redaction deprives the public of any meaningful ability to evaluate either the company’s or the FTC’s response. Additional transparency into the assessment process would help the public police corporate privacy and security practices through law, policy, and the court of public opinion. FTC consent decrees should provide that assessments be made public by default, with business redactions subject to independent review as well as careful review by FTC staff.
- Companies Should Provide Public Responses to Consent Decrees and Privacy Assessments: A common criticism of the FTC consent decree is that companies admit no wrongdoing. Frequently, companies issue public statements explaining that, in agreeing to settlements with the FTC, they have already addressed the initial concerns that gave rise to the action. So long as much of the FTC’s enforcement authority is based on deceptive public statements, a consent decree should require companies to publicly disclose exactly how they are responding to the settlement and what changes they intend to enact in response. These statements could be updated as biennial assessments are conducted. FTC consent decrees should provide that companies detail publicly how they are complying with the terms of the settlement.
- Consent Decrees Should Reserve Full Rights to Exact Monetary Penalties: After a company agrees to an FTC consent decree, the FTC can pursue monetary penalties in court. This presents challenges of its own in terms of due process and agency manpower. However, resulting fines have rarely been high enough to discourage bad behavior, even though violations of FTC consent decrees can be assessed at $40,000 per violation. Consent decrees should detail in greater depth how the FTC will assess penalties for violations, and appropriate mechanisms should be put in place to ensure companies do not take violations of consent decrees lightly. To ensure better oversight over the tech industry in particular, the FTC should have the authority to impose civil fines for violations of consent decrees even absent a Trade Regulation Rule violation, nonrespondent liability, or a statute that provides for such damages. FTC consent decrees must provide a fining structure that sufficiently incentivizes compliance.