For the next 20 years—or until Mark Zuckerberg turns 48 and Larry Page is nearly 60—Facebook, Google, and MySpace must open their doors to auditors looking for privacy missteps. What kind of data are the companies collecting about their users? Are they living up to their privacy policies? The stakes aren’t low: Significant failures could mean fines, further scrutiny, and public embarrassment.
The audits are the product of settlements with the Federal Trade Commission over accusations that the companies violated user privacy. As part of their settlements, Google, Facebook, MySpace, and Path all committed to creating “comprehensive” privacy programs, which include putting employees in charge of privacy, identifying risks, and establishing safeguards against violations. To prove they are keeping their promises, the companies must hire independent auditors to examine their efforts. Biennial reports on the auditors’ findings—including whether the programs met or fell short of expectations—must be made available to the FTC for the next two decades.
Companies that fail risk further penalties of $16,000 per violation per day. None of the four companies ordered to hire auditors have had to pay such a fine, and all have either declined to comment or did not respond to messages.
In the past two years, privacy audits have emerged as an important tool for the FTC to keep companies in check. The latest to submit is Path, which last month settled accusations that its social networking app collected personal information from user address books without consent. It also paid $800,000 to the FTC to settle charges that it tracked children online without parental approval.
Compelling companies to implement rigorous privacy practices isn’t a punishment, says Maneesha Mithal, the associate director of the FTC’s division of privacy and identity protection. All businesses should adopt what she calls privacy by design, taking privacy into account when developing new products or adopting new technology, not after the fact or, in some cases, never.
“This is a best practice,” Mithal says.
Privacy groups criticize the audits as largely toothless exercises in paper shuffling. They do little to prevent future privacy violations, they say, or take into account the ways technology and data collection could change in coming years. “The real question is, will these companies stay out of the privacy hot water in the future,” says Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, a digital rights organization. “I’m not really sure these audits are going to solve that problem.”
Companies subject to audits usually hire a consulting firm, such as KPMG or PricewaterhouseCoopers, which sends in a team of privacy specialists to interview employees about their training, review procedures, and check settings on security systems. The auditors also try to verify which partners have access to user data, a particularly tough job that sometimes requires checking financial transactions over the previous year, says Carolyn Holcomb, a partner in PwC’s privacy practice.
“It’s one thing to write the policies,” she says. “It’s another to follow them every day.”
Holcomb says that audits show that most companies aren’t perfect. Many fail to update their privacy policies when they tweak their products. Others neglect to block employees from logging into corporate computer systems after they resign or transfer to a new job. Companies such as online ad publishers, which work with other sites, often get access to far more user data than they actually need, or they leave the door open to hackers.
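As an added illustration, not part of the article or of any auditor's own tooling, the two findings Holcomb describes can be expressed as automated access-review checks over constructed data: an HR roster reconciled against still-enabled accounts (departed or transferred owners, owners unknown to HR, logins after a departure date), and partner data grants compared with the scopes their stated purpose needs. Every person, system, partner and scope below is invented for the example.

```python
"""Access-review checks of the kind a privacy audit performs.
Added example with constructed data; no real people, systems or partners."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    emp_id: str
    status: str            # "active", "resigned" or "transferred"
    effective: date        # date the status took effect
    department: str        # current department


@dataclass(frozen=True)
class Account:
    username: str
    owner: str             # emp_id from the HR roster
    enabled: bool
    system: str
    last_login: Optional[date]


@dataclass(frozen=True)
class PartnerGrant:
    partner: str
    purpose: str
    scopes_granted: frozenset
    scopes_needed: frozenset   # what the stated purpose actually requires


# Constructed sample data (assumptions for the example, not real records).
ROSTER = {p.emp_id: p for p in [
    Person("e100", "active", date(2010, 3, 1), "ads"),
    Person("e101", "resigned", date(2013, 1, 15), "eng"),
    Person("e102", "transferred", date(2013, 2, 1), "finance"),  # left the ads team
    Person("e103", "active", date(2012, 6, 10), "eng"),
]}

ACCOUNTS = [
    Account("alice", "e100", True, "ads-console", date(2013, 3, 1)),
    Account("bob", "e101", True, "prod-db", date(2013, 2, 20)),    # login after resigning
    Account("carol", "e102", True, "ads-console", date(2013, 2, 25)),
    Account("dave", "e103", True, "prod-db", date(2013, 3, 2)),
    Account("erin", "e199", True, "prod-db", None),                # owner unknown to HR
]

# Which departments are entitled to an account on each system (assumed policy).
SYSTEM_DEPARTMENTS = {"ads-console": {"ads"}, "prod-db": {"eng"}}

GRANTS = [
    PartnerGrant("adnet-a", "serve ads",
                 frozenset({"user_id", "page_views", "email", "contacts"}),
                 frozenset({"user_id", "page_views"})),
    PartnerGrant("analytics-b", "aggregate reporting",
                 frozenset({"page_views"}), frozenset({"page_views"})),
]

AS_OF = date(2013, 3, 5)   # review date for the sample


def stale_accounts(accounts, roster, system_departments, as_of):
    """Return (username, reason) for each enabled account whose owner has
    resigned, is unknown to HR, or sits in a department not entitled to the
    system (covers transfers that left an old account behind)."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        person = roster.get(acct.owner)
        if person is None:
            findings.append((acct.username, "owner not in HR roster"))
        elif person.status == "resigned" and person.effective <= as_of:
            reason = f"owner resigned {person.effective}"
            if acct.last_login and acct.last_login > person.effective:
                reason += f", last login {acct.last_login} after departure"
            findings.append((acct.username, reason))
        elif person.department not in system_departments.get(acct.system, set()):
            findings.append((acct.username,
                             f"owner now in {person.department}, not entitled to {acct.system}"))
    return findings


def overbroad_grants(grants):
    """Map each partner to the sorted scopes it holds beyond its stated need."""
    return {g.partner: sorted(g.scopes_granted - g.scopes_needed)
            for g in grants if g.scopes_granted - g.scopes_needed}


def run_review():
    """Run both checks over the constructed sample."""
    return stale_accounts(ACCOUNTS, ROSTER, SYSTEM_DEPARTMENTS, AS_OF)


if __name__ == "__main__":
    for user, reason in run_review():
        print(f"STALE  {user}: {reason}")
    for partner, extra in overbroad_grants(GRANTS).items():
        print(f"EXCESS {partner}: {', '.join(extra)}")
```

The review-date parameter matters: an auditor reconciles the roster as of the audit date, so a resignation dated after the review is not a finding yet, while a login recorded after the departure date is the stronger evidence that de-provisioning failed, not merely that it was late.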
FTC settlements typically require an initial audit after six months or a year. Follow-up audits are supposed to take place every two years thereafter for 20 years. The cost depends largely on a company’s size. Auditing a small business can cost tens of thousands of dollars, while a large global company with multiple computer systems and products can run into the millions.
Few businesses put themselves under this kind of microscope voluntarily, although Holcomb hopes that will change. Voluntary audits can help companies learn whether their privacy programs meet acceptable standards—and help them avoid future problems with regulators or civil suits.
“A breach or bad decision can’t be prevented,” Holcomb says, “But it’s less likely for companies that are audited.”