On November 13, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth issued a discussion paper on “Organizational Accountability in Light of FTC Consent Orders” (the “Discussion Paper”). The Discussion Paper examines the recent $5 billion FTC settlement with Facebook, which resulted from Facebook’s alleged violation of a prior 2012 FTC consent order, and the recent $575 million FTC settlement with Equifax, related to its 2017 data breach.
The Discussion Paper outlines in detail how the requirements of the settlements are consistent with the essential elements of accountability, and it maps the settlement requirements to each specific accountability element (i.e., leadership and oversight, risk assessment, policies and procedures, transparency, training and awareness, monitoring and verification, and response and enforcement). With respect to the Facebook settlement, the Discussion Paper also compares the obligations imposed on the company by the FTC with the requirements imposed by the EU General Data Protection Regulation (“GDPR”).
The Discussion Paper further examines the practical implications of the recent FTC settlements and provides a compliance checklist of best practices that can be drawn from both settlements.
Key takeaways from the paper include:
- Privacy management and compliance programs must be considered in light of FTC consent orders.
- Recent FTC settlements with Facebook and Equifax reaffirm and provide further information regarding the FTC’s expectations of what such privacy programs need to include.
- The privacy program requirements outlined in the recent FTC settlements address all elements of organizational accountability (i.e., leadership and oversight, risk assessment, policies and procedures, transparency, training and awareness, monitoring and verification, and response and enforcement).
- Every company is responsible for identifying the measures needed to effectuate these elements through its privacy management and compliance programs, based on the nature of its business, its size, the extent of its data processing, etc.
- FTC consent orders have precedential value for future investigations and are instructive to all organizations, but it is important to remember that some granular requirements may be specific only to the company that is the subject of the order.
To read more about the points above and see how the requirements of both settlements map to the elements of organizational accountability, please see the full paper.