7 reasons the FTC could audit your privacy program
Audits can be expensive, and fines and compensatory actions could mean millions more. Here are the things you should be looking out for.
Computerworld - The Federal Trade Commission's $22.5 million settlement with Google last month over its user-tracking practices woke up enterprise-risk managers around the country. With penalty thresholds hitting this new range of pain, publicly traded companies now have to ask whether data privacy should be included in their Securities and Exchange Commission filings as a key risk.
What would it take, though, for the FTC to open up an investigation of your company? This is the question I tested last week. I reviewed the roughly 100 privacy cases the FTC has settled and interviewed the general counsel of a company that recently went through this process.
What did I find out? A shortlist of seven practices that will put a bull's eye on your company.
1. Secretly tracking people
The FTC has been saying for the past couple of years that it's wary of so-called online-behavioral advertising -- the amassing of large data dossiers on website visitors, usually through cookies, in order to deliver those visitors highly targeted ads. The FTC has reason to believe that users don't fully know what data is being collected about them. It especially doesn't like it when companies collect and use clickstream data in ways that users probably wouldn't consent to if they knew the full story.
This is what happened in the Google case. Apple had designed a setting in its Safari browser that allowed the user to block third-party cookies. But Google found a way around that setting to place its own cookies, seemingly undermining users' privacy expectations.
The FTC has successfully prosecuted others on this same topic. In 2007, it forced DirectRevenue to give up $1.5 million in "ill-gotten gains" for quietly bundling its adware along with affiliates' software that users thought they were downloading all by itself. In 2011, the FTC prosecuted online-ad company Chitika for expiring users' opt-out cookies after only 10 days, allowing the company to then place new ad cookies on users' computers.
The lesson in all of these cases is to manage your cookies transparently and consistently with users' previously expressed choices and browser settings.
2. Not regularly assessing and improving data security
The most likely reason the FTC will prosecute a company is substandard information security. The FTC has been routinely prosecuting cases in this area for years, in part because such cases are relatively easy to process. Usually, a data breach has occurred that causes a company to send out breach-notification letters. These letters and subsequent press reports give details about the company's security flaws. All the FTC then has to do is determine if the company took steps to assess its vulnerability to such a breach and then to follow up with readily available and affordable measures to prevent the breach.
More by Jay Cline
- Jay Cline: U.S. takes the gold in doling out privacy fines
- Jay Cline: Is privacy dead?
- Jay Cline: A growing cultural divide on privacy
- Jay Cline: What will Snowden leak next?
- Global winners and losers post-Snowden
- 7 reasons the FTC could audit your privacy program
- Google and the privacy Richter scale
- Jay Cline: Are medical-data breaches overreported?
- iPhone location-tracking incident boosts stock of 'privacy by design'
- Survey: The best privacy advisers of 2010
- The Business Value of Continuous Delivery Download this whitepaper to learn more about the business value of Continuous Delivery and see why it could be a game changer for...
- Ten Factors Shaping the Future of Application Delivery Download this research report conducted by Enterprise Management Associates (EMA) to learn how those that are seeking to accelerate application delivery are leveraging...
- Software Asset Management: Ensuring Today's Assets Today's trends like BYOD and SaaS are new and exciting in terms of how they will help make our jobs more productive but...
- Trends Shaping Software Management: 2014 Most IT executives recognize the relationship between mobile computing and worker productivity, and have long issued notebook computers and other mobile devices to...
- Data Protection and Disaster Recovery with iSCSI and VMware Get this on demand webcast now
- On-demand webinar - 7 Keys to Service Catalog Implementation Success Watch this webinar to learn 7 crucial keys to make your service catalog a success! All Privacy White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!