
Do FTC Privacy Enforcement Actions Matter? Compliance Before and After US-EU Safe Harbor Agreement Actions

by

Florencia Marotta-Wurgler1 and Daniel Svirsky2

Abstract: The Federal Trade Commission (FTC) has played a dominant role in the protection of consumer information privacy over the past two decades, including the enforcement of the (now defunct) U.S.-E.U. Safe Harbor Agreement (Safe Harbor). Safe Harbor was an agreement negotiated between the United States and member states of the European Union that would allow U.S. firms choosing to adhere to this regime to meet the more stringent requirements of European Union privacy laws. Because of limited resources, the FTC brought relatively few actions and relied on deterrence to enforce Safe Harbor as well as other information privacy violations. Despite the FTC’s constraints, privacy scholars believe that FTC enforcement actions have effectively induced firms to comply with Safe Harbor and protect consumers’ private information. Theoretical models of deterrence, as well as empirical analysis of regulation in other fields, however, suggest reason for skepticism. We track the terms in more than 200 privacy policies on a weekly basis to measure the extent to which firms claiming to comply with Safe Harbor increase compliance after the FTC brings an enforcement action against a violating firm. We find no evidence that highly publicized FTC Safe Harbor actions lead to modifications of firms’ privacy policies. On the other hand, firms have been reducing the number of specific commitments in their privacy policies over time, making it harder for the FTC to bring common types of actions. Our findings have implications for the similar regulatory regime that replaced Safe Harbor, as well as for privacy enforcement actions in general.

I. INTRODUCTION

The collection, transfer, and use of personal information have become pervasive over the past two decades. A central regulatory goal in the United States has been to ensure adequate protection of this information without stifling innovation. This has included efforts to ensure that U.S.-based firms are able to comply with the privacy regulations of other countries at relatively low cost.

The approach to the protection of information privacy in the United States has been sharply criticized as weak and incomplete, consisting mostly of a handful of area-specific laws and self-regulation. The United States lacks the comprehensive laws or enforcement required to meet the more stringent requirements of European Union privacy laws.3 This was resolved in July 2000, when the Department of Commerce and European authorities negotiated the U.S.-E.U. Safe Harbor Agreement (Safe Harbor), a mechanism that allowed adhering firms to comply with the E.U.’s Data Protection Directive by self-certifying with the Department of Commerce that they complied with seven specific information protection principles. Firms and regulators alike have praised Safe Harbor as a low-cost way for U.S. firms to do business in European markets.

1 Professor of Law, NYU School of Law.

2 Harvard University Department of Economics.

At the heart of the regime was the Federal Trade Commission, which would actively enforce Safe Harbor by ensuring that firms lived up to their self-certifications and bringing enforcement actions if they did not. The role of the FTC was considered a natural extension of its role in policing consumer information privacy by bringing enforcement actions against firms engaging in unfair and deceptive privacy practices. A firm’s violation of a term in its privacy policy could be deemed a deceptive practice.

Although Safe Harbor was declared invalid in the European Court of Justice’s Schrems decision in October 2015, a new agreement, the “Privacy Shield,” was approved in July 2016 and has a similar structure and enforcement role for the FTC.4

Has the FTC's enforcement of Safe Harbor been effective? Regulators and academics have expressed mixed views on this question. Those praising Safe Harbor argue that it provided an effective and relatively low-cost mechanism for firms to comply with the complicated and stringent requirements of E.U. privacy law, fostering information flows and global commerce.5 In their view, the mechanism that leads firms to comply with Safe Harbor is FTC enforcement.6 A minority has expressed skepticism, noting that relatively few firms have registered with Safe Harbor, and that those that did likely will not comply with its terms given the FTC’s limited capacity to bring enforcement actions and impose sanctions. In their view, Safe Harbor, and the regime created by the FTC, are toothless.7 In addition, both the economic theory of deterrence and existing empirical work on regulatory actions suggest that the FTC's enforcement is likely to have very little deterrent effect, both because of the paucity of cases and because of the limited sanctions available to the FTC. However, neither proponents nor skeptics of Safe Harbor and the FTC enforcement regime are able to point to much more than anecdotal evidence to support their position.

3 See, e.g., Joel R. Reidenberg, Privacy Wrongs in Search of Remedies, 54 HASTINGS L.J. 877, 887–88 (2003) (arguing that the FTC is a poor fit to protect privacy interests because of its limited jurisdiction and inadequate tools to canvass a cohesive set of privacy principles); James P. Nehf, Recognizing the Societal Value in Information Privacy, 78 WASH. L. REV. 1, 58 (2003) (examining the incompleteness of the current regulatory approach to information privacy); Ryan Moshell, . . . And Then There Was One: The Outlook for a Self-Regulatory United States Amidst a Global Trend Toward Comprehensive Data Protection, 37 TEX. TECH L. REV. 357, 383 (2005) (criticizing the FTC for its weak privacy protection); Allyson W. Haynes, Online Privacy Policies: Contracting Away Control over Personal Information?, 111 PENN ST. L. REV. 587, 606 (2007) (outlining the shortcomings of the current privacy protection infrastructure); Robert Gellman, A Better Way to Approach Privacy Policy in the United States: Establish a Non-Regulatory Privacy Protection Board, 54 HASTINGS L.J. 1183, 1205 (2003) (proposing an alternative approach to protecting information privacy that does not suffer from the shortcomings of the current system).

4 See Schrems v. Data Prot. Comm’r, 2015, Case C-362/14, E.C.R. __, http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0362&lang1=en&type=TXT&ancre= (finding that U.S. surveillance practices violate the privacy rights of EU citizens). See also The EU-U.S. Privacy Shield, EUROPEAN COMMISSION, http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm (last updated Nov. 24, 2016).

5 See infra Section II.

Our paper contributes systematic evidence to this debate by addressing a central question: after the FTC brings a Section 5 action against a given firm for a Safe Harbor violation, do other firms that comply with Safe Harbor, or claim to comply with it, actually respond to the FTC action?

We take weekly snapshots of the privacy policy contracts of 230 firms from several markets where the FTC has been active and where privacy concerns are nontrivial: social networks, dating sites, cloud computing, message boards, news and reviews, and gaming. Our snapshots begin in July 2010, end in July 2013, and are supplemented by additional snapshots in January 2014 and December 2015.8 During our sample period the FTC acted against several violations of Safe Harbor.9 Further, we supplement our privacy policy data with public Safe Harbor registration records, which allow us to observe directly when firms violate Safe Harbor by failing to properly register with the Department of Commerce.

We find no detectable response to FTC actions. After a series of FTC actions aimed at firms with lapsed Safe Harbor registration, the number of firms in our sample that were properly registered improved from 33 of 39 to 35 out of 39 – a real but modest improvement, especially given that registration is an easy, low-cost step to take.

6 See Daniel Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 COLUMB. L. REV. 583 (2013); Kenneth A. Bamberger & Deirdre K. Mulligan, Privacy on the Books and on the Ground, 63 STAN. L. REV. 247 (2010).

7 See infra Section II.

8 These supplemental snapshots are to test how privacy policies changed after two events: an FTC action for failure to properly register Safe Harbor status, discussed in Section II, infra, and the Edward Snowden scandal.

9 According to the FTC website, the FTC brought 45 actions against firms for privacy and security violations during the sample period and three related to Safe Harbor. We searched for actions brought between July 1, 2010 and July 31, 2013 in the rubric “Privacy and Security.” See Cases and Proceedings, FEDERAL TRADE COMMISSION, https://www.ftc.gov/enforcement/cases-proceedings.

Similarly, we can measure whether firms comply with Safe Harbor by checking whether they include several mandatory terms in their privacy policy. We can therefore test whether, over a long time period when the FTC enforced Safe Harbor, and after several high-profile cases, firms' privacy policies saw an increase in compliance with Safe Harbor. We find very low compliance to begin with, and no detectable improvement. Even when there were extremely simple, low-cost steps to improve compliance, for example by adding a contact address to the privacy policy, we detect no change. The pattern was consistent across sectors, across firm size, and across time.

At the same time, we do observe other changes in firms' privacy practices. We find that websites do change their privacy policies over time, but not in the direction of greater compliance. We find a statistically significant reduction in the number of specific promises firms made about data security measures, as well as a statistically significant reduction in specific promises about government access to data in the year after the Edward Snowden revelations.

These findings are consistent with one of the FTC’s biggest fears, as articulated by at least one of its Commissioners: firms might be diluting their commitments. This is especially concerning in the U.S. privacy framework because it relies mostly on disclosure and competition among firms to ensure proper practices. If firms are simply making fewer information privacy protection commitments, it becomes increasingly difficult for the FTC to bring actions under deception. If there is indeed a causal connection between the two (something we cannot establish here), then the FTC may want to reconsider bringing actions under deception for privacy policy violations and put more focus on actions rooted in unfairness, which do not rest on identifying violations of promises made by firms, but rather focus on problematic behavior.

The findings cast doubt on the effectiveness of the Safe Harbor Agreement and, to the extent they are generalizable, on the effectiveness of FTC information privacy enforcement actions. More importantly, the findings should inform current discussions regarding the ideal enforcement mechanism in the new Privacy Shield.

The paper proceeds as follows. Section II offers a brief background on the role of the FTC in the protection of information privacy generally and Safe Harbor (and Privacy Shield) enforcement specifically. Section III describes our data and methodology. Section IV presents the results. Section V outlines some implications and concludes.

II. BACKGROUND

A. The Safe Harbor Agreement and the Shield Proposal

The Safe Harbor Agreement was created in response to the 1996 E.U. Data Directive, which prohibited E.U. member states from transferring personal data to countries that lacked “adequate” levels of protection. In 2000, the U.S. Department of Commerce negotiated the terms of the agreement with E.U. regulators to allow for the smooth transfer of personal data from the citizens of E.U. member states to U.S. companies adhering to its terms.

Participation is voluntary, and U.S. firms that adhere to Safe Harbor must register with the Department of Commerce and certify annually that they comply with seven information privacy principles. The principles are as follows: notice (by including in their privacy policy details regarding the type of information collected, the purpose for its use, and the entities with whom data is shared), choice (by giving users the option to choose whether their personal information is disclosed to third parties or used for purposes different from those for which the data was originally collected), onward transfer (by abiding by the principles of notice and choice before disclosing information to third parties), access (by giving users the opportunity to access and correct their own information), security (by taking reasonable precautions in the protection of personal information), data integrity (by collecting only data relevant for the purposes used), and enforcement (by offering sufficiently rigorous dispute resolution procedures and a mechanism for consumers to contact the firm). Firms must also indicate in their privacy policies that they adhere to the Safe Harbor principles.

In October 2015, two years after Edward Snowden’s revelations that the U.S.’s PRISM program allowed the government to access and intercept the communications of E.U. citizens, the European Court of Justice declared the Safe Harbor Agreement invalid in Schrems v. Data Protection Commissioner.10 U.S. and E.U. regulators have been working ever since to reach another agreement capable of offering protections that would meet E.U. standards. The result has been the Privacy Shield Agreement, which was approved in July 2016. It largely mimics Safe Harbor, save for increased protections for European citizens when data is gathered by U.S. intelligence services, and the ability of European citizens to bring actions against U.S. firms. Importantly, the Privacy Shield envisions the same self-certification mechanism and enforcement role for the FTC. As with Safe Harbor, FTC enforcement is considered critical for the proper functioning of the Privacy Shield.

10 See Schrems, supra note 4.

B. FTC’s Enforcement Authority and the Safe Harbor Agreement

What gives the Safe Harbor Agreement teeth is enforcement by the FTC. The FTC derives its enforcement powers from Section 5 of the FTC Act, which gives it jurisdiction to police “unfair and deceptive” practices. The FTC’s enforcement actions under Section 5 are designed to correct unlawful behavior, but also to deter it and ensure that companies adopt adequate information practices and abide by the terms in their privacy policies.11

Though the FTC has ample jurisdictional power to enforce Safe Harbor, it faces resource constraints that limit its ability to bring many cases. The FTC has brought 39 actions under the deception prong of Section 5 against firms that failed to comply with Safe Harbor requirements despite claiming to do so in their privacy policies.12 This is a small number, given the scope of internet commerce, but also relative to how other types of privacy regulation are enforced. For example, the Department of Health and Human Services, which polices health privacy, brings around 1,500 actions per year. As a result, the FTC relies on deterrence to police privacy. A former FTC regulator stated that consent decrees resulting from such actions are engineered to “have a huge impact on other businesses in the same industry or that use similar practices” and that the FTC “must be strategic in bringing its cases, since it doesn’t have the resources to pursue more than a relatively small fraction of law violators.”13 The FTC echoes this goal in its public press releases. After entering a consent order with Facebook over Section 5 violations in 2011, the FTC published an article on its blog explaining that “[t]he terms of the FTC’s proposed settlement apply only to Facebook. But to paraphrase noted legal scholar Bob Dylan, companies that want to stay off the law enforcement radar don’t need a weatherman to know which way the wind blows.”14

11 For example, Joel Winston, former Associate Director of the FTC’s Division of Privacy and Identity Protection, has stated that “FTC cases and closing letters are designed to send a message to other members of the same industry – or companies in other industries engaged in similar practices – about what the Commission considers to be unlawful conduct.” See Interview by Daniel Solove and Woodrow Hartzog with Joel Winston, Former Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission [hereinafter Winston Interview], referenced in Solove & Hartzog, supra note 6, on file with the Columbia Law Review and with the authors. See also Email from Chris Wolf, Dir., Privacy & Info. Mgmt. Grp., Hogan Lovells, to Daniel Solove and Woodrow Hartzog (Mar. 31, 2013, 11:21 AM) (stating that companies pay attention to FTC consent decrees and adjust their practices to avoid being investigated).

12 The first action brought against a firm for claiming to participate in the Safe Harbor when in fact it did not was brought in August 2009. See In re Best Priced Brands, LLC, et al., File No. 092 3081, https://www.ftc.gov/enforcement/cases-proceedings/092-3081/best-priced-brands-llc-et-al.

13 See Winston Interview, supra note 14.

Most actions, including those enforcing Safe Harbor, target “deceptive” practices and typically involve firms that commit explicit violations of their own privacy policies.15 Since 2009, the FTC has brought Safe Harbor actions against dozens of firms, including giants like MySpace, Facebook, and Google. These FTC actions allege that the firms failed to keep their own promises, for example by making personal information public without consent.16 More recently, the FTC has gone beyond policing the terms in firms’ privacy policies and has brought claims against firms engaged in “unfair” information practices. Under the Act, an unfair trade practice is one that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”17 Its jurisdiction to challenge unfair practices gives the FTC a much broader reach than under deception. If a firm promises little in its privacy policy, then the FTC would have little to enforce under deception. However, a firm can still be found to violate Section 5 if it engages in a practice found to be unfair under the Act. Despite this advantage, the FTC has brought only a handful of actions under unfairness, perhaps because it needs to show substantial injury to consumers as opposed to materiality.

All Section 5 actions follow a pattern. The FTC starts with an investigation. If, upon conclusion of the investigation, the FTC determines that a firm broke a promise to consumers or engaged in an unfair practice, the FTC will issue a complaint outlining the nature of the action and describing the alleged violation. The FTC keeps its investigations confidential until it writes the complaint. Only then does it publish the details of the action in an official press release. The respondent can then choose to settle the charges or to challenge them in front of an administrative or federal judge.

14 Lesley Fair, Lessons from the Facebook settlement (even if you’re not Facebook), FEDERAL TRADE COMMISSION BUSINESS BLOG (Dec. 2, 2011, 1:16 PM), https://www.ftc.gov/news-events/blogs/business-blog/2011/12/lessons-facebook-settlement-even-if-youre-not-facebook.

15 The FTC defines a deceptive practice as a “misrepresentation, omission or other practice, that misleads the consumer acting reasonably in the circumstances, to the consumer’s detriment.” See Letter from James C. Miller III, Chairman, FTC, to Hon. John D. Dingell, Chairman, House Comm. on Energy & Commerce (Oct. 14, 1983), reprinted in In re Cliffdale Assocs., Inc., 103 F.T.C. 110 app. at 175-84 (1984). The FTC needs to establish (1) an act (representation or omission), (2) the likelihood that a reasonable consumer was deceived, and (3) materiality.

16 A minority of deception cases focuses on behavior outside firms’ policies, such as when firms fraudulently or deceptively induce consumers to reveal or share personal information, or when they fail to give sufficient notice of particular practices.

17 15 U.S.C. § 45(n).

Nearly all of the information privacy actions have resulted in settlement agreements and consent orders, which usually subject respondents to lengthy biennial auditing procedures for periods of up to 20 years. Consent orders may also require firms to take corrective actions, to improve disclosures in privacy policies, or to adopt comprehensive programs, such as data security programs. The FTC lacks the authority to issue civil penalties, and any fines associated with actions have been low.18

Of the 39 Safe Harbor actions brought by the FTC, we focus on measuring the deterrent effect of one set of 12 actions. We then use secondary analyses that provide indirect but nonetheless suggestive evidence of how firms' privacy policies have changed over time. The secondary analyses first focus on a set of three additional FTC actions against MySpace, Google, and Facebook. All actions are described in detail in Table 1.

The main set of FTC actions we focus on in our analysis is a series of twelve complaints filed on January 21, 2014 against American Apparel, Inc. and eleven other firms. The FTC alleged that each firm failed to register with the U.S. Department of Commerce—a necessary condition of the Safe Harbor agreement.19 The complaints stated that “[r]espondent has set forth on its website…privacy policies and statements about its practices, including statements related to its participation in the Safe Harbor privacy framework.”20 Even though Safe Harbor requires firms to register with the Department of Commerce, “respondent did not renew its self-certification” but continued to claim that it “complies with the U.S. EU Safe Harbor framework.”21 The FTC issued twelve nearly identical complaints. The targeted firms ranged from American Apparel to Reynolds (of aluminum foil fame) to the Denver Broncos.22 The FTC reached consent decrees with each firm requiring it to properly register (or stop claiming Safe Harbor), provide any documents related to compliance with the order for five years, and notify the FTC of any changes to its corporate structure affecting compliance with the order. The order lasts 20 years.

18 The largest fine to date was levied against Google in 2012, which had to pay $22.5 million for bypassing privacy settings on the Apple Safari browser. See Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser, FEDERAL TRADE COMMISSION (Aug. 9, 2012), https://www.ftc.gov/news-events/press-releases/2012/08/google-will-pay-225-million-settle-ftc-charges-it-misrepresented.

19 SAFE HARBOR WORKBOOK, EXPORT.GOV, http://2016.export.gov/safeharbor/eg_main_018238.asp (last updated Feb. 11, 2016) (“Organizations that decide to participate in the Safe Harbor program must comply with one or both of the Safe Harbor Frameworks and publicly declare that they do so...An organization interested in participating in the Safe Harbor program must complete the self-certification application.”).

20 Complaint at ¶ 4, In re Atlanta Falcons Football Club, F.T.C. No. 142 3018 (F.T.C. June 19, 2014).

21 Id. at ¶ 6, 10, 11.

In our secondary analysis, we focus on another set of actions, all of which were noteworthy cases involving major websites: Google Buzz, Facebook, and MySpace. In all these cases, the FTC alleged that the companies engaged in deceptive practices. The Google Buzz case was announced in March 2011. The FTC alleged that Google collected information from users for reasons that were “incompatible with the purpose for which” the data “was originally collected.”23 Further, Google automatically registered Gmail users for the new Google Buzz service without giving them a choice to opt out. In November 2011, the FTC brought an action against Facebook for retroactively making changes to its privacy practices without consumer consent. Finally, in May 2012, the FTC brought an action against MySpace for sharing user data with advertisers without obtaining consent from users.

All three actions received ample media attention,24 and all three cases implicate the Safe Harbor agreement. Though each complaint targets a different privacy violation, in each case the FTC argued that the privacy violation also violated the firm’s promise to abide by the Safe Harbor agreement. Thus, each case involves two layers of deception, as defined under Section 5. First, firms deceived their consumers by misusing data. Second, the firms deceived their consumers because the firms had promised to abide by Safe Harbor but violated it through the same data misuse. We test whether, in the wake of these complaints, the firms in our dataset modified their privacy policies to come into compliance with the requirements of Safe Harbor. Though the FTC actions described focused on distinct privacy violations, and did not focus on improper privacy policies per se, this secondary analysis can provide suggestive evidence. If FTC enforcement had a significant deterrent effect, one would expect to see firms improve their compliance, especially if improvement requires a low-cost solution, like adding contact information to a privacy policy.

22 The complete list also includes Apperian, Inc.; Atlanta Falcons Football Club; Baker Tilly Virchow Krause, LLP; BitTorrent, Inc.; Charles River Laboratories International, Inc.; DataMotion, Inc.; Fantage, Inc.; Level 3 Communications, LLC; Receivables Management Services Corporation; Tennessee Football, Inc.

23 Complaint at ¶ 25, In re Google Inc., FTC File No. 102 3136, C-4336 (F.T.C. Oct. 24, 2011), https://www.ftc.gov/sites/default/files/documents/cases/2011/10/111024googlebuzzcmpt.pdf.

24 See Claire Cain Miller & Tanzina Vega, Google Introduces New Social Tool and Settles Privacy Charge, N.Y. TIMES, Mar. 31, 2011, at B3; Claire Cain Miller, F.T.C. Said to Be Near Facebook Privacy Deal, N.Y. TIMES, Nov. 10, 2011, at B3; Edward Wyatt, F.T.C. Charges Myspace With Breaking U.S. Law in Sharing Users’ Personal Information, N.Y. TIMES, May 8, 2012, at B3.

Finally, in additional secondary analyses, we analyze whether privacy policies have changed in ways not directly related to Safe Harbor. First, we see whether firms have dropped or added specific security promises in their privacy policies – promises which, if violated, can serve as the basis for FTC jurisdiction in an enforcement action for deception. Second, we see whether, in the wake of the Edward Snowden scandal, firms have dropped or added specific promises related to sharing data with government investigators.

C. Existing Literature

Have FTC actions kept firms compliant? Even though settlement agreements have no precedential value and the number of actions in the past two decades has been relatively small, some regulators and privacy academics affirm that the FTC has succeeded in enforcing the Safe Harbor agreement (as well as effectively regulating information practices more generally) because companies will increase compliance to avoid facing enforcement actions.25

Former FTC Commissioner Julie Brill has stated that Safe Harbor has been employed by over 4,500 firms and that FTC enforcement has been “deeply effective,” as Section 5 gives the agency the flexibility necessary to identify problem areas that need improvement.26 Indeed, the FTC’s Safe Harbor actions have been identified as a driver of good information privacy practices. A 2010 survey of a small number of chief privacy officers in leading firms by Bamberger and Mulligan (2010) reported that enforcement actions have led firms to improve information privacy, such as by hiring privacy-dedicated employees to comply with the terms of the Safe Harbor.27 In addition, respondents revealed that industry participants pay close attention to Safe Harbor (and other privacy-related) enforcement actions and that registering and complying with the terms of the Safe Harbor agreement generates competitive advantages. They also note that Safe Harbor offers a more cost-effective way to ensure compliance, relative to other alternatives, such as ad hoc contracts.28 Solove and Hartzog (2014) find similar responses from some privacy lawyers with whom they consult, who claim that, while settlement agreements have no precedential value and the number of actions involving Safe Harbor has been relatively small, the reputational sanctions of enforcement actions could be devastating.29 In their view, FTC enforcement actions have “filled a great void, and without the FTC, the U.S. approach to privacy regulation would lose nearly all its legitimacy. The FTC has essentially turned a mostly self-regulatory regime into one with some oversight and enforcement.”30

25 See Solove & Hartzog, supra note 6 at 600 (stating that “many privacy lawyers and companies view the FTC as a formidable enforcement power, and they closely scrutinize FTC actions in order to guide their decisions.”).

26 See Jedidiah Bracy, “How Julie Brill Is Cultivating a Defense of the U.S. Privacy Framework,” PRIVACY PERSPECTIVES (Feb. 24, 2015), https://www.ftc.gov/system/files/documents/public_statements/630801/150224juliebrillcultivatingprivacy.pdf.

27 See Bamberger and Mulligan, supra note 6 at 252. The survey also revealed that in addition to being concerned about FTC enforcement, firms identified state data breach notification laws and fear of reputational harm due to bad media coverage as influential in their development of substantive information practices.

Others claim that Safe Harbor and the FTC’s Section 5 information privacy regime are toothless. First, the agency is small and only a small number of staff is dedicated to bringing privacy actions.31 This means that, but for the few largest firms, who are already subject to reputational constraints, the probability of an FTC action is small. Second, the FTC has limited jurisdiction and cannot reach a number of private sector firms, further reducing the perceived “threat.”32 Third, critics note that the FTC lacks the authority to impose civil penalties and that, as such, the monetary damages involved in settlement agreements have been negligible. And fourth, they dispute that settlement agreements follow a predictable and common law-like evolutionary path. In a 2004 study commissioned by the European Commission, Reidenberg et al. measured the compliance rates of 41 firms claiming to adhere to Safe Harbor and found low levels of compliance.33

28 Id. at 265 (“A respondent in the business-to-business sector explained that participation in the Department of Commerce-negotiated ‘Safe Harbor’ […] plays a similar signaling function for business partners. Discussing their firm's choice between Safe Harbor participation and enforcing privacy safeguards through contracts with outsourcers, that CPO described that the decision in the direction of the Safe Harbor was ‘driven to a large extent by customers who started asking us, ‘Are you members of the Safe Harbor?’ This customer push arose, then, because Safe Harbor certification worked as a ‘checkbox’ indicating that a company met privacy adequacy standards and was much easier to manage than contract terms.”). See also Michael D. Birnhack, The EU Data Protection Directive: An Engine of a Global Regime, 24 COMPUTER L. & SECURITY REP. 508, 517-18 (2008) (arguing that the E.U. privacy laws and the Safe Harbor have effectively spread the more stringent E.U. privacy framework in the United States and worldwide).

29 Solove & Hartzog, supra note 6 at 607. See also Allison Grande, “Friskier FTC Makes US-EU Data Transfers More Perilous,” LAW360 (June 10, 2014), http://www.law360.com/articles/540369/friskier-ftc-makes-us-eu-data-transfers-more-perilous (citing Christopher Wolf, Privacy and Information Management, Hogan Lovells, who states: "Companies spend considerable time monitoring and modifying their practices to meet the requirements of the Safe Harbor agreement....Threats of FTC enforcement and damage to a company’s reputation are significant drivers in ensuring diligent safe harbor compliance.").

30 Id. at 604. See also Steven Hetcher, The FTC as Internet Privacy Norm Entrepreneur, 53 VAND. L. REV. 2041, 2045-46 (2000) (arguing that firms pay attention to FTC reports); Tal Z. Zarsky, The Privacy-Innovation Conundrum, 19 LEWIS & CLARK L. REV. 115 (2015) (proposing additional regulatory measures to increase innovation and compliance by limiting uncertainty); Natalie Kim, Three's A Crowd: Towards Contextual Integrity in Third-Party Data Sharing, 28 HARV. J.L. & TECH. 325, 338 (2014) (“The FTC's settlement orders and enforcement actions have established a robust ‘common law’ that has de facto precedential power”); Derek E. Bambauer, Schrodinger's Cybersecurity, 48 U.C. DAVIS L. REV. 791, 835 (2015) (arguing in favor of a FTC common-law style approach to determining levels of accuracy required for cybersecurity and that consent decrees create a set of guiding principles that inform information practices).

31 See Solove & Hartzog, supra note 6 at 601 (explaining that the FTC has forty-six staff members dedicated to privacy actions).

32 See Paul Schwartz, Internet Privacy and the State, 32 CONN. L. REV. 833 (2000); Jerry Kang, Information Privacy in Cyberspace Transactions, 50 STAN. L. REV. 1193 (1998).

In sum, the scholars and policy-makers who study internet privacy are split on the FTC's

effectiveness in enforcing Safe Harbor. Our empirical approach is therefore an important

contribution to this debate, which has so far relied mostly on anecdotal or theoretical arguments.

While privacy scholars are split on the FTC's effectiveness, the economic theory of

deterrence makes a sharp prediction: the FTC's enforcement actions are too rare, and the cost of

punishment too low, to have a deterrent effect.

The conventional economic model of deterrence starts with an agent deciding whether to

violate a law. She chooses to violate the law if and only if the probability of detection, p, times

the fine she pays, f, if caught, is lower than the benefit, b, of violating the law:

$$\text{Violate Law} \iff p \cdot f - b < 0$$

This formulation traces back to Gary Becker, and has been elaborated and explored in a deep

literature since then.34 If we assume that enforcement is costly – an assumption especially

relevant for an agency with a limited budget, like the FTC – then the optimal design of

enforcement is to impose a high fine at a low probability of detection. This conclusion can be

complicated with more developed models that take into account risk aversion,35 marginal

deterrence,36 uncertainty about the law,37 or other factors.38 Even taking into account these

modifications to the model, the basic point holds.

33 See JAN DHONT ET AL., SAFE HARBOUR DECISION IMPLEMENTATION STUDY (2004), http://ec.europa.eu/justice/policies/privacy/docs/studies/safe-harbour-2004_en.pdf.

34 See Gary Becker, Crime and Punishment: An Economic Approach, 76 J. POL. ECON. 169 (1968). See also HANDBOOK OF LAW AND ECONOMICS 403 (A. Mitchell Polinsky and Steven Shavell eds., 1st ed. 2006).

35 See A. Mitchell Polinsky and Steven Shavell, The Optimal Tradeoff between the Probability and Magnitude of Fines, 69 AM. ECON. REV. 880 (1979).

36 See, e.g., James Andreoni, Reasonable Doubt and the Optimal Magnitude of Fines: Should the Penalty Fit the Crime?, 22 RAND J. ECON. 385 (1991); Louis Kaplow and Lucian Bebchuk, Optimal Sanctions When Individuals Are Imperfectly Informed About the Probability of Apprehension, 21 J. LEGAL STUD. 365 (1992); Louis Kaplow and Lucian Bebchuk, Optimal Sanctions and Differences in Individuals’ Likelihood of Avoiding Sanctions, 13 INT’L REV. L. & ECON. 217 (1993); Arun S. Malik, Avoidance, Screening, and Optimum Enforcement, 21 RAND J. ECON. 341 (1990); A. Mitchell Polinsky and Steven Shavell, A Note on Optimal Fines When Wealth Varies Among Individuals, 81 AM. ECON. REV. 618 (1991); A. Mitchell Polinsky and Steven Shavell, The Fairness of Sanctions: Some Implications for Optimal Enforcement Policy, 2 AM. L. & ECON. REV. 223 (2000b).

37 See Kaplow & Bebchuk, supra note 39.

38 For discussion of other such considerations, see sources cited supra note 39.

Given that, the FTC's enforcement is unlikely to have much deterrence effect. The FTC's

limited budget means that it has only brought a small number of Safe Harbor cases relative to the

entire universe of websites that claim to adhere to the agreement. Moreover, the cost of punishment, f,

is low. In most Safe Harbor cases, the monetary punishment is non-existent or negligible. For the

American Apparel series of cases, discussed above, the punishment had no monetary component.

The firms that had been found to violate Safe Harbor needed to keep a set of records related to

consumer privacy, notify the FTC of any future changes that affect compliance obligations, and

file a report detailing how it would comply in the future. In the other cases we study, the

punishments were once again non-monetary but were more costly to follow, and included

biennial audits. But the Safe Harbor violation itself did not lead to any additional punishment.

Other scholars have expanded on the Becker model by considering a dynamic

framework. This is especially suited to our empirical approach, since we measure compliance

longitudinally. These models, too, however, suggest that FTC enforcement will have little

deterrent effect. Sah (1991) endogenizes the perceived probability of detection, p, concluding

that the classic model overstates the effects of increasing enforcement. Put another way, after

years of very low enforcement of Safe Harbor, the perceived probability of detection will be low

among internet companies, and this perception changes slowly. This matches one intuition from

Bar-Gill et al. (2001), which notes that not only will expected sanctions affect the amount of

crime: the amount of crime will affect the expected sanctions. In a world where violations of

Safe Harbor are commonplace (which matches our data below), the probability of detection for

any single actor is lower. Again, increasing enforcement alone will have muted effects in such an

equilibrium. Ben-Shahar (1997) explores a dynamic model in which individuals are imperfectly

informed about the law. In this model, too, a low probability of detection not only lowers the

level of crime, but has ripple effects in future time periods as individuals who are not caught

never learn that their behavior violates a law. This formulation has special relevance in the

domain of internet commerce, where privacy standards change significantly over time. These

extensions of the Becker model, as well as ones that look at settlement agreements specifically,39

call into further question the FTC's effectiveness.

In sum, the economic theory of deterrence suggests cause for skepticism that the FTC's enforcement will maintain high, or increasing, compliance with Safe Harbor. With a low probability of detection, and low fines for violating the agreement, firms are unlikely to invest many resources in complying with Safe Harbor. And in a multi-period setting, this shortcoming is likely to get worse.

Finally, there is a small empirical literature assessing regulatory actions, which also suggests skepticism that the FTC's actions will have much deterrent effect. Two papers have studied the FTC specifically, though they focus on other areas of the FTC's jurisdiction: antitrust and deceptive advertisement. Seldeslachts et al. (2009) conclude that settlement agreements do not have a deterrent impact, as opposed to more stringent enforcement like actually blocking a merger.40 In the domain of Safe Harbor and internet privacy, the FTC has relied almost exclusively on settlement agreements, suggesting that our paper might not find a strong deterrent effect. Peltzman (1981) looks at FTC actions against companies for deceptive advertisements. He finds that such actions have a measurable impact on the stock price of targeted firms. Hence, this research suggests some reason for optimism, since FTC actions do have some measurable effect. It leaves open whether FTC actions will have deterrent power beyond the targeted firm itself.41

A handful of other empirical analyses of regulatory deterrence yield more reasons for skepticism. Law (2006) looks at the enforcement strategy of the Food and Drug Administration ("FDA").42 His analysis is relevant to the FTC because, like the FTC, the FDA had limited resources and could not bring many cases.43 Using a model of deterrence and some empirical data, he concludes that the FDA had very limited power to deter, so it had to rely on using positive incentives to promote better behavior, rather than on ex post enforcement actions aimed at bad behavior.44 A recent analysis of shareholder class actions and SEC investigations found evidence suggesting that class actions were better targeted than the SEC's.45 This reflects a key point from deterrence theory, which is that in cases where private actors have better information, a public regulator will be at a disadvantage in enforcing against harm.46 This is relevant to internet privacy. There is no reason why the FTC would be better placed to police Safe Harbor than the consumers whose data is shared. Indeed, some FTC actions have only been brought after private citizens detected a website's security lapses.47 Finally, Innes and Sam (2008) assess a voluntary regulatory regime to reduce pollution, concluding that voluntary regimes may work by a quid pro quo in which corporations that volunteer get looser regulatory oversight.48 This framework could apply to the FTC and Safe Harbor, but it suggests a limited deterrent effect of the Safe Harbor program itself.

39 See A. Mitchell Polinsky & Steven Shavell, The Economic Theory of Public Enforcement of Law, 38 J. ECON. LIT. 45, 78 (2000). For an examination of deterrent effects of settlements in the context of joint and several liability, see Lewis A. Kornhauser and Richard L. Revesz, Settlements under Joint and Several Liability, 68 NYU L. REV. 427 (1993). See also Omri Ben-Shahar, Playing Without a Rulebook: Optimal Enforcement When Individuals Learn the Penalty Only by Committing the Crime, 17 INT’L REV. L. & ECON. 409 (1997) (noting that individuals may be unaware of a law, and enforcement actions may teach them what the law says); Michael J. Graetz et al., The Tax Compliance Game: Toward an Interactive Theory of Law Enforcement, 2 J. L. ECON. & ORG’N 1 (1986) (arguing that compliance is a two-sided game between regulator and regulated); Ezra Friedman and Abraham L. Wickelgren, No Free Lunch: How Settlement Can Reduce the Legal System's Ability to Induce Efficient Behavior, 61 S.M.U. L. REV. 1355 (2008) (explaining that settlement agreements might reduce deterrence in fundamental ways that are hard to address).

40 See Jo Seldeslachts et al., Settle for Now but Block for Tomorrow: The Deterrence Effects of Merger Policy Tools, 52 J. L. & ECON. 607 (2009).

41 Sam Peltzman, The Effects of FTC Advertising Regulation, 24 J. L. & ECON. 403 (1981). See also Stephen J. Choi et al., Scandal Enforcement at the SEC: The Arc of the Option Backdating Investigations, 15 AM. L. & ECON. REV. 542 (2013) (finding that the SEC seems to respond to media attention or scandals in deciding who to target, even at the expense of targeting cases with larger harms).

42 See Marc T. Law, How Do Regulators Regulate, 22 J. L. ECON. & ORG. 459 (2006).

43 Id. at 460–61.

Thus, while the FTC has arguably become the “de facto privacy regulator” in the United

States, and the primary enforcer of Safe Harbor, there is reason to doubt its ability to regulate

privacy practices by bringing relatively few actions and relying on deterrence. The result is a

split among privacy scholars, some who champion the FTC and some who doubt its

effectiveness. However, the empirical evidence needed to settle this debate is almost non-

existent. The remainder of this paper is aimed at filling this gap.

III. PRIVACY POLICY DATA

In this section we describe the sample of firms in our data, how we coded the privacy

policies, and our empirical strategy for assessing compliance with the Safe Harbor agreement.

A. Sample Construction

Our dataset tracks the privacy policies used by 230 websites from six different markets between July 2010 and July 2013. We supplement this dataset with public data from the Department of Commerce, which tracks the list of firms that registered for Safe Harbor. We chose markets where information sharing and information privacy are likely to be salient and important. These are dating websites, social networks, message boards, cloud computing, news and reviews, and gaming markets. Our reasoning is that if deterrent effects are important, they should show up in these industries.

44 Id.

45 Stephen J. Choi & A.C. Pritchard, SEC Investigations and Securities Class Actions: An Empirical Comparison, 13 J. EMPIRICAL L. STUD. 27 (2016).

46 See Polinsky & Shavell, supra note 42.

47 See, e.g., Grant Gross, FTC Reaches Privacy Settlement With Upromise College Savings Site, PCWORLD (Apr. 3, 2012), http://www.pcworld.com/article/253110/ftc_reaches_privacy_settlement_with_upromise_college_savings_site.html.

48 See Robert Innes & Abdoul G. Sam, Voluntary Pollution Reductions and the Enforcement of Environmental Law: An Empirical Study of the 33/50 Program, 51 J. L. & ECON. 271 (2008).

The firms are a subsample of the sample used in Marotta-Wurgler (2016), which

describes the sample gathering process in detail.49 The sample firms do business in the United

States, although many also have overseas operations. They include giants like Facebook,

Amazon, and Google, as well as many smaller firms. The firms were obtained from a number of

public source lists in 2009, 2010, and 2011. To investigate the representativeness of the resulting

sample, we compared the firms in five of our markets against market share reports generated by

IBISWorld, an industry research firm. The reports confirmed that the sample includes the top

firms and that it reflects over 80% of each market. We used Alexa rankings, a service operated

by Amazon.com that ranks websites based on traffic from a large panel of representative users,

to further ensure that the sample firms constituted a representative sample.50

Table 2 reports the summary statistics for each market as well as some firm

characteristics. The first row reports the average number of changes the privacy policies

experienced in total and for each market. During the sample period, contracts changed almost

four times on average, with a median of three times. This varies across markets, with reviews

sites averaging 5.11 changes while message boards sites changed only 3.10 times on average.

We also note whether the service is free or has a paid component, as this might affect the

terms of the privacy policy and the “stickiness” of particular terms. On average, 52% of the sites

were paid, but this varied by market. 100% of dating sites required or had the option of a paid

subscription, whereas only 31% of social networks did.

For each site, we collect the Alexa ranking as a proxy for size. The wide range in Alexa ranking in our sample demonstrates that it includes both very large and small firms. We wanted a high variance in size in order to examine the possibility that bigger firms with more resources (that are likely to have a legal department) may be more sensitive to FTC actions.

49 Florencia Marotta-Wurgler, Understanding Privacy Policies: Content, Self-Regulation, and Markets (NYU Law and Economics Research Paper Series, Working Paper No. 16-18, 2016).

50 The original sample includes 251 firms. Of these, 21 went out of business during the data collection, leaving the 230 in our sample. We excluded firms that went out of business in order to keep interpretation of our results simple. Including firms that exit obfuscates the findings because it is unclear whether changes in privacy practices are driven by firm exit or by changes by existing firms. Rather than tease these two effects apart, we focus on firms who are present throughout our sample. None of our results are affected by this decision. The final sample consists of 230 firms across six markets.

We also track whether the firm is publicly traded. About 41% of our sample is. This

number is likely driven by the fact that larger, public firms, like Amazon.com, own many small

companies, such as news and reviews sites.

Because we are interested in how privacy practices change over time, we collected each

version of a firm’s privacy policy between July of 2010 and June of 2013, for a total of 891

privacy policies. We used web-scraping code developed by Robert Taylor to store the text of

each website’s privacy policy on a weekly basis. In its raw form, the dataset consists of roughly

200,000 pages of privacy policies. To capture weekly changes in the policies, we ran a program

comparing each contract with its version from the week prior. Any time a privacy policy

changed, we stored the new version.
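The weekly snapshot-and-compare step described above, as an added illustration that is not the authors' scraper (Robert Taylor's code is not reproduced here). Snapshots are whitespace-normalized before comparison so that a re-wrapped page does not count as a policy change, and a new version is stored only when the normalized text differs from the prior week's; the firms and snapshots below are constructed.

```python
import hashlib
import re
from datetime import date, timedelta
from statistics import mean, median


def normalize(text: str) -> str:
    """Collapse runs of whitespace so that re-wrapped or re-indented page text
    does not register as a substantive change to the policy."""
    return re.sub(r"\s+", " ", text).strip()


def fingerprint(text: str) -> str:
    """Stable digest of the normalized policy text, compared week over week."""
    return hashlib.sha256(normalize(text).encode("utf-8")).hexdigest()


def detect_versions(snapshots):
    """snapshots: iterable of (date, policy_text) in chronological (weekly) order.
    Returns the (date, text) pairs worth storing: the first snapshot, plus every
    snapshot whose fingerprint differs from the prior week's."""
    versions = []
    previous = None
    for when, text in snapshots:
        digest = fingerprint(text)
        if digest != previous:
            versions.append((when, text))
            previous = digest
    return versions


def change_count(snapshots) -> int:
    """Number of policy changes: stored versions minus the initial baseline."""
    return max(len(detect_versions(snapshots)) - 1, 0)


def summarize_changes(firms):
    """firms: mapping firm -> weekly snapshots. Returns (mean, median) changes
    per firm, the per-market figures the paper reports in its Table 2."""
    counts = [change_count(snaps) for snaps in firms.values()]
    return mean(counts), median(counts)


# Constructed sample: three firms, five weekly snapshots each, from 5 July 2010.
START = date(2010, 7, 5)
WEEKS = [START + timedelta(weeks=i) for i in range(5)]

BASE_TEXT = "We share data with advertising partners.\nContact: privacy@example.test"
REWRAPPED_TEXT = "We share data with   advertising partners. Contact: privacy@example.test"
CHANGED_TEXT = ("We share data with advertising partners and analytics vendors.\n"
                "Contact: privacy@example.test")
SECURED_TEXT = CHANGED_TEXT + "\nData is encrypted in transit."

SAMPLE_FIRMS = {
    # week 2 differs only in whitespace; weeks 3 and 5 are real changes -> 2 changes
    "firm_a": list(zip(WEEKS, [BASE_TEXT, REWRAPPED_TEXT, CHANGED_TEXT, CHANGED_TEXT, SECURED_TEXT])),
    # no change at all over the window
    "firm_b": list(zip(WEEKS, [BASE_TEXT] * 5)),
    # one change, in week 4
    "firm_c": list(zip(WEEKS, [BASE_TEXT, BASE_TEXT, BASE_TEXT, CHANGED_TEXT, CHANGED_TEXT])),
}

if __name__ == "__main__":
    for name, snaps in SAMPLE_FIRMS.items():
        stored = [d.isoformat() for d, _ in detect_versions(snaps)]
        print(name, "stored versions:", stored, "changes:", change_count(snaps))
    print("mean/median changes per firm:", summarize_changes(SAMPLE_FIRMS))
```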

B. Contract Grading Methodology and Contract Characteristics

We use the methodology described in Marotta-Wurgler (2016) to code the contents of

privacy policy contracts in an exhaustive manner. The goal was to capture everything of

substance in the written agreement between website and consumer, and to transform it into

categorical variables that allow for statistical analysis.

Each privacy policy was graded along 69 dimensions, covering terms commonly found in privacy policies, terms referenced in FTC reports, and a number of Fair Information Practice Principle guidelines.51 For example, one of the 69 terms is whether the privacy policy has contact information for the website. If a privacy policy has a physical address, email address, or telephone number, a grader would grade this term as a “Yes.” Another term measures whether the privacy policy has a Change of Terms clause. A table outlining the terms, how they were coded, and where they came from, is available in Marotta-Wurgler (2016).

51 These include FTC principles outlined in its report to Congress in the year 2000, the principles outlined by the FTC in its most recent report to Congress in 2012, the White House’s “Consumer Privacy Bill of Rights,” and the original 1973 Fair Information Practice Principles, among others. See FTC, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE: A REPORT TO CONGRESS (2000), https://www.ftc.gov/sites/default/files/documents/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission-report/privacy2000text.pdf; FTC, REPORT TO CONGRESS UNDER SECTION 319 OF THE FAIR AND ACCURATE CREDIT TRANSACTIONS ACT OF 2003 (2012), https://www.ftc.gov/sites/default/files/documents/reports/section-319-fair-and-accurate-credit-transactions-act-2003-fifth-interim-federal-trade-commission/130211factareport.pdf; White House, CONSUMER DATA PRIVACY IN A NETWORKED WORLD (2012), https://www.whitehouse.gov/sites/default/files/privacy-final.pdf; U.S. Dep’t of Health, Education and Welfare, Secretary’s Advisory Committee on Automated Personal Data Systems, DHEW PUBLICATION NO. (OS) 73-94, RECORDS, COMPUTERS, AND THE RIGHTS OF CITIZENS (1973). See also Marotta-Wurgler, supra note 52, for a detailed description of the sample and the methodology used in tracking and grading terms. See also SAFE HARBOR WORKBOOK, supra note 24.

Of the 69 terms we track, 19 terms closely fit requirements of the Safe Harbor agreement,

and we focus on these terms to measure compliance. As discussed above, the Safe Harbor

program has seven guiding principles: notice, choice, onward transfer, security, data integrity,

access, and enforcement. For example, under the “choice” principle, firms must give users a

chance to opt out before any information is shared with a third party.52 Similarly, the “notice”

principle requires that firms describe the third parties who receive any shared data.53 Two of our

69 terms match these requirements neatly: we track whether a firm describes third parties who

receive data in their privacy policy, and we also track whether a firm’s privacy policy requires

the firm to obtain consent before sharing data. Thus, the terms described in Appendix A are

nineteen examples where we happened to track a term that matches something required under

Safe Harbor. In section III.C.1, infra, we discuss in detail how we use these terms to measure

compliance with Safe Harbor.

Pairwise groups of research assistants graded each version of the firms’ privacy policies

along the 69 dimensions we track. In addition, if the privacy policy changes in a way that our

terms do not capture, the research assistant noted this as well, with a brief description of the

change. Because our terms were relatively exhaustive, such changes were rare. Out of the 431

privacy policy changes we observe, only in 46 instances was the change something not covered

by our terms.54 In the vast majority of cases, we could classify the change within our rubric.

During the sample period, 73% of the contracts changed in at least one material

dimension. Every single term we track was changed by at least one firm (unreported). On

average, a specific term was changed by roughly 5% of the firms in our sample, though this

measure omits cases where a firm changed a term multiple times (unreported). This makes for a

fairly dynamic set of contracts.

52 See SAFE HARBOR WORKBOOK, supra note 24 at 4 (“An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.”).

53 See SAFE HARBOR WORKBOOK, supra note 24 at 4 (“An organization must inform individuals about…the types of third parties to which it discloses the information.”).

54 The most common example is when a privacy policy specified that data would be shared with third-party developers.

Because we use pairs of coders to grade contracts, we can get a sense of how subjective

the coding process is. We use Cohen’s Kappa to measure coder agreement.55 Within a pair of

coders, κ = .64 for the first week the coders work together, but rises to .88 after six weeks. The

level of agreement is relatively strong, given that privacy policies can be vague and even self-

contradictory. This suggests that our results are not likely to be driven by the identity of the

coder. In any case, whenever a pair of graders had a disagreement, we discussed the

disagreement in a group meeting with all of the graders involved in the project, and then resolved

the disagreement as a group. We also kept a log file of each of these meetings so that coding

going forward would reflect how the disagreement was resolved.
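Cohen's Kappa as used above, as an added example that is not the authors' code: the observed agreement between two coders is corrected for the agreement expected by chance from each coder's marginal Yes/No rates. The coders' grades are constructed, and `disagreements` is a hypothetical helper listing what a group meeting of the kind described above would need to resolve and log.

```python
from collections import Counter
from typing import List, Sequence


def cohens_kappa(grades_a: Sequence[str], grades_b: Sequence[str]) -> float:
    """Cohen's kappa for two coders grading the same items.

    kappa = (p_o - p_e) / (1 - p_e)
    p_o: fraction of items on which the coders agree
    p_e: agreement expected by chance: the sum, over categories, of the product
         of each coder's marginal frequency for that category
    """
    if len(grades_a) != len(grades_b) or not grades_a:
        raise ValueError("both coders must grade the same non-empty set of items")
    n = len(grades_a)
    p_o = sum(a == b for a, b in zip(grades_a, grades_b)) / n
    counts_a, counts_b = Counter(grades_a), Counter(grades_b)
    categories = set(counts_a) | set(counts_b)
    p_e = sum(counts_a[c] * counts_b[c] for c in categories) / (n * n)
    if p_e == 1.0:
        # both coders used one category for every item: nothing to correct for
        return 1.0
    return (p_o - p_e) / (1.0 - p_e)


def disagreements(terms: Sequence[str], grades_a: Sequence[str],
                  grades_b: Sequence[str]) -> List[str]:
    """Hypothetical helper: the terms the two coders graded differently,
    i.e. the items a group meeting would resolve and record in the log."""
    return [t for t, a, b in zip(terms, grades_a, grades_b) if a != b]


# Constructed sample: two coders grading ten tracked terms on one privacy policy.
TERMS = ["contact_info", "change_of_terms", "third_parties_described",
         "consent_before_sharing", "security_described", "data_retention",
         "opt_out_marketing", "children_policy", "access_to_data", "cookies"]
CODER_A = ["Yes", "Yes", "Yes", "Yes", "Yes", "Yes", "No", "No", "No", "No"]
CODER_B = ["Yes", "Yes", "Yes", "Yes", "No", "Yes", "No", "No", "No", "Yes"]

if __name__ == "__main__":
    # 8 of 10 agree (p_o = 0.8); each coder said Yes 6 times, so p_e = 0.52
    print("kappa:", round(cohens_kappa(CODER_A, CODER_B), 3))
    print("to resolve in group meeting:", disagreements(TERMS, CODER_A, CODER_B))
```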

C. Empirical Strategy

1. Measuring Safe Harbor Compliance

To comply with Safe Harbor, a firm needs to follow three steps: 1) register with the

Department of Commerce; 2) post a privacy policy on its website with several mandatory terms;

and 3) follow the privacy practices detailed in the Safe Harbor documentation.56

Step 1 of compliance – registration – is the simplest to track. To measure step 1, we

simply query the Department of Commerce website to see if the firms that claim to follow Safe

Harbor actually kept their registration current.57

Step 2 of compliance – posting a privacy policy that meets Safe Harbor standards – is also easy to track, given our data. Because we track each firm’s privacy policy, we can directly observe whether a firm’s privacy policy meets the Safe Harbor requirements. These requirements for privacy policies are as follows: a privacy policy must be prominent and readable;58 the privacy policy must be shown to a consumer as soon as a consumer is asked to share data;59 the policy must include the firm’s contact information;60 the privacy policy must describe the types of firms with whom data is shared,61 as well as the consent mechanism used before data is shared with a third party.62 Finally, the policy must include a description of the security used to protect data.63

55 Cohen’s Kappa measures the amount of agreement between two coders, but discounts for the probability that coders agree by random chance. For a detailed description of Cohen’s Kappa, see Khaled El Emam, Benchmarking Kappa: Interrater Agreement in Software Process Assessments, 4 EMPIRICAL SOFTWARE ENGINEERING 113, 118–21 (1999).

56 See SAFE HARBOR WORKBOOK, supra note 24.

57 To assess the effect of the American Apparel action, we had to collect additional data. Our data tracks every instance in which a privacy policy claims Safe Harbor certification, but our data collection window only ran until June of 2013. Hence, we compiled a list of all firms in our dataset that claimed to comply with Safe Harbor at the time our data collection ended. We then collected versions of their privacy policies in effect one year after the FTC event to see which firms continued to claim Safe Harbor compliance. We used two sources to compile these policies. First, we went to the website itself to see if their most recent privacy policy was in effect when the FTC event window ended. If so, we used this policy. If the policy in effect at the time the event window ended was not available on the website, we used the Internet Archive. See The Wayback Machine, INTERNET ARCHIVE, https://archive.org/web/. We supplemented this with data from the Department of Commerce. Its website shows which firms have registered for Safe Harbor, as well as the date of their initial registration, and the list includes firms who registered for Safe Harbor in the past but let their certification lapse. While the list does not show whether firms re-registered after letting their certification lapse, private correspondence with the Department of Commerce (on file with the authors) yielded this information.

Of these seven requirements, we track four in our data, as they can be easily and

objectively measured: whether the privacy policy includes contact information for the firm,

whether the policy describes the third parties who receive data (if any), whether the policy

describes security measures for protecting data, and whether the policy describes the consent

mechanism for sharing data. Thus, we construct a simple measure of how many of these four

requirements a firm’s privacy policy meets.

Given these two measures of compliance – proper registration and a complete privacy

policy – our empirical strategy is straightforward. We look at firms that claim to follow Safe

Harbor, then measure their compliance both before and after FTC Safe Harbor actions. If the

FTC actions have a measurable deterrent effect, then we predict that compliance will increase

after the FTC's enforcement.

To measure the deterrent effect of the FTC's Safe Harbor enforcement, we focus on one

set of FTC actions, described in greater detail in section II.B, supra and in Table 1, then do

secondary analyses that focus on a second set of noteworthy FTC Safe Harbor actions.

The first set of actions, which is the focus of our primary analysis, was brought in January of 2014. These were a series of 14 identical complaints filed against companies that claimed to follow Safe Harbor but who failed to register with the Department of Commerce – step one of compliance, described above. To assess the deterrent effect of this line of actions, we look at how many Safe Harbor firms properly registered with the Department of Commerce, and whether this number increased after the FTC's action.

58 See SAFE HARBOR WORKBOOK, supra note 24 at 4 (“This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable.”).

59 Id.

60 See id. (“An organization must inform individuals…how to contact the organization with any inquiries or complaints.”).

61 See id. (“An organization must inform individuals about…the types of third parties to which it discloses the information.”).

62 See SAFE HARBOR WORKBOOK, supra note 24 (“An organization must inform individuals about…the choices and means the organization offers individuals for limiting its use and disclosure.”).

63 See id. (“An organization must inform individuals…how [the information] is secured.”).

In a secondary analysis, we look at a second set of actions involving Google, Facebook, and MySpace. These are likely the most famous enforcement actions the FTC has brought in the area of internet privacy, with all three receiving significant media attention. For purposes of assessing how Safe Harbor compliance changed over time, we group all three FTC actions into one “event” window involving the FTC’s interest in ensuring that firms that claim to comply with the Safe Harbor requirements actually do comply. To be conservative, we define the event date as the date of the Google action (two weeks prior, to be precise), the earliest of the three, and then take a snapshot of privacy policies a year after the MySpace event, the last of the three. Firms in our sample therefore had more than two years to respond to the Google action, and received two reminders to boot. For these actions, we test step 2 of compliance: posting a complete privacy policy. That is, we test whether firms' privacy policies met the Safe Harbor standard, comparing compliance one year after the final action to compliance two weeks before the first action was announced.

Finally, though our focus is on whether firms comply with Safe Harbor, before and after FTC actions that enforce the agreement, we also look at broader trends in privacy policies. For example, over the same time period that we study, the FTC brought actions against firms for violating specific promises made in the firm's privacy policy related to data security. Similarly, near the end of our data collection window, the Edward Snowden revelations made data sharing practices more salient, and we measure how many firms promised not to share data with government agencies or investigators. We test whether firms increased or reduced the number of specific promises made over time. This analysis has important implications, because any reduction in specific promises makes FTC enforcement based on deception more difficult.

IV. RESULTS

During a period when the FTC actively enforced Safe Harbor, we find little improvement in compliance over time, and by some measures, very low compliance to begin with. To the extent we do see a change in privacy practices, it is generally in the direction of removing specific promises to the consumer. This trend is problematic because the FTC’s jurisdiction is often based on deception, which normally means a firm violated a specific promise made in its privacy policy. By dropping promises from their privacy policies, firms may be dodging FTC enforcement.

A. Safe Harbor Compliance Over Time: Registration

The FTC action we focus on is the one against American Apparel, Inc. and thirteen other firms that claimed to follow Safe Harbor but failed to register with the U.S. Department of Commerce—a necessary condition of the Safe Harbor agreement.[64] How many firms violated Safe Harbor by letting their registration lapse? And did compliance improve after the FTC action? Table 3 reports results.

There is no meaningful evidence of a deterrence effect, but also little to suggest that improper registration was a widespread problem. Prior to the FTC event, six out of thirty-nine firms who claimed to abide by Safe Harbor were not properly registered. One year later, only two of the six firms fixed their registration, and one firm stopped claiming to follow Safe Harbor. We find no statistically significant movement in the direction of higher compliance, though in this case, the relatively low level of non-compliance means there is little room for improvement.

B. Secondary Analyses: Do Privacy Policies Improve Compliance Over Time?

Our data lets us track whether a firm’s privacy policy meets the Safe Harbor requirements for what a valid privacy policy must contain. We track – among firms that claimed to follow Safe Harbor – how many actually contained the four required Safe Harbor terms that are in our dataset, and whether this number increased after the FTC’s enforcement actions against Google, Facebook, and MySpace. These three enforcement actions focused on disparate privacy violations, but in all cases, the FTC cited violations of Safe Harbor as part of its complaint. If the FTC's actions have a strong deterrent effect, then one would expect to see firms improve their privacy policies over time to include the terms mandated by Safe Harbor, especially given how much media attention these three cases received.

[64] SAFE HARBOR WORKBOOK, supra note 24 (“Organizations that decide to participate in the Safe Harbor program must comply with one or both of the Safe Harbor Frameworks and publicly declare that they do so… An organization interested in participating in the Safe Harbor program must complete the self-certification application”).


Table 4 shows how many firms' privacy policies contained all four of the terms required to be in a privacy policy. We find widespread non-compliance with Safe Harbor and little change after the FTC actions. Before the FTC events, only 1 out of 20 firms who claimed Safe Harbor included all four of the required terms in their privacy policy. After the FTC events, this number was unchanged. This low level of compliance is remarkable. All a website needs to do to comply is add a handful of sentences to its privacy policy, yet 19 out of 20 failed to do so.

We also find that 19 firms began claiming Safe Harbor compliance after the first FTC action. There is, clearly, a great deal of inertia and persistence in privacy policy terms, so perhaps these newcomers, at the time of adding the claim of compliance, were more likely to ensure that they actually did comply, given prominent recent actions against Google and Facebook. We find that they were not any more compliant: only 3 out of the 19 newcomers included all four of the required terms in their policy. Again, the level of compliance is baffling, given the low cost.[65]

C. Safe Harbor Compliance and Improvement Among Firms That Do Not Claim Safe Harbor

One way to get a sense of the effectiveness of Safe Harbor and FTC enforcement is to analyze Safe Harbor compliance among firms that do not claim to abide by the agreement. Though we find low compliance with Safe Harbor (and zero improvement), context matters. If Safe Harbor firms are staying put while non-Safe Harbor firms are getting worse, then this is at least consistent with the Safe Harbor agreement (and FTC enforcement) maintaining a status quo in a worsening general picture. Similarly, if Safe Harbor firms have higher levels of compliance, then this gives some indication, if not causal evidence, that the agreement has achieved something.

Table 5 presents results. For our measure of compliance, which tracks whether the privacy policy contains each of the four Safe Harbor terms that we track, we find higher compliance among firms that do not claim Safe Harbor. Surprisingly, firms that do not claim to follow the agreement are actually more likely to include the terms required by the agreement in their privacy policies. The level of compliance is roughly constant over time.

[65] We do note that the sample size of firms claiming Safe Harbor is relatively small. This limits our statistical power. If the FTC actions had a real, but small effect, we would likely not detect it.

These results give some context to our main findings. Relative to firms that did not claim Safe Harbor, the Safe Harbor firms were not consistently more compliant, nor was the trend in compliance among Safe Harbor firms more positive than among non-Safe Harbor firms.

D. Overall Direction of Changes: Firms Drop Specific, Actionable Promises

We now turn to a broader question: if Safe Harbor compliance does not improve over time, do privacy policy contracts change in other ways? What we find here suggests reason for concern.

We do see some evidence indicating that firms drop promises related to data security. Again, we cannot assess a direct link with specific enforcement actions and other events, but before and during our sample period, the FTC brought numerous actions based on firms making a specific promise about technical security but then failing to live up to the promise.[66] For example, in an action against Compete, Inc., the FTC charged the firm with violating three terms in its privacy policy: collecting more data than the privacy policy claimed, failing to dispose of data safely, and claiming to take certain managerial and technical precautions to safeguard the data.[67] We examine whether firms dropped specific promises by one year after this action. Table 6 shows a statistically significant drop in the number of security promises offered in firms’ privacy policies. This is consistent with firms removing specific promises in order to avoid deception actions, though we cannot draw clean causal inferences.

We can also look at how privacy policies changed after major media events, like the Edward Snowden leaks. Though not the primary focus of our paper, such events are informative as a way to put the changes we do (or do not) see into context.

Unlike in the Safe Harbor/FTC context, we find that firms’ policies did change in the time after the Edward Snowden revelations. We track how many firms explicitly promise not to share personal data with law enforcement agencies. Table 7 shows that such promises were somewhat rare before the media event: roughly 10% of firms made such promises. Two years later, the number was cut in half. Only 5% of firms continued to promise that data would not be shared with law enforcement, a change that was marginally statistically significant (p = .06). As in all our data, we do not know if the movement we see was caused by the Snowden revelations. The fact that we do see some change, however, puts the lack of change in Safe Harbor compliance into relief. And just as in the Compete case, the direction of the change is towards vagueness, not compliance.

[66] See, e.g., Complaint, In re Compete, Inc., File No. 102 3155, C-4284 (F.T.C. Feb. 25, 2013), https://www.ftc.gov/enforcement/cases-proceedings/102-3155/compete-inc.
[67] See id.

V. CONCLUSION

The protection of consumer information in the United States has followed a fractured path, with large sectors lacking any clear guidance or enforcement. Some believe that the FTC has effectively filled this gap, using its actions under Section 5 of the FTC Act to produce clear, predictable guidelines for information privacy practices. Under this view, the FTC operated as an effective enforcer of the U.S.-E.U. Safe Harbor agreement, thus giving this important regime legitimacy. Others are skeptical of this view and point to the agency’s limitations, including limited jurisdiction, lack of rule-making power, and an inability to impose meaningful monetary penalties for violations of the law.

We explore the relationship between FTC enforcement actions and behavior by focusing on its enforcement actions related to the Safe Harbor Agreement and examining whether firms revise their privacy policy contracts to increase compliance. Our data are detailed and the data collection period lasted long enough to notice a change. Yet we found no meaningful changes in compliance with Safe Harbor, as evidenced in the firms’ privacy policies. When we did find a change, it was in the direction opposite to what the FTC would have desired – privacy policies became, if anything, less specific. When it comes to enforcing Safe Harbor, FTC enforcement actions appear to be no panacea.

Of course, we cannot rule out the possibility that dozens of our sample firms have changed their behavior in response to the actions, but simply did not update their privacy policies to reflect this change in behavior. The problem is that not changing the privacy policy in the context of the Safe Harbor still constitutes a violation. This is especially relevant now that the newly approved Privacy Shield envisions a similar enforcement role by the FTC. More generally, if policies don’t correlate with behavior, especially on these important dimensions, then the value of the policies themselves is unclear. We think the most reasonable interpretation of our results is that FTC enforcement actions involving privacy policies simply do not have the wide-reaching effects that some have asserted.

Table 1. FTC Enforcement Actions. The date of the initial press release about the FTC event is (PR). The date the FTC proposes a consent order is (CO). The date a settlement is reached is (S).

Action: American Apparel, Inc. FTC No. 142-3036, et al.
  Dates: Jan. 21, 2014 (PR); May 9, 2014 (CO); June 25, 2014 (S)
  Allegation in FTC Complaint (pincite): American Apparel “did not renew its self-certification to the Safe Harbor Frameworks” but “certified that it abides by the Safe Harbor privacy principles.” (11-12).
  Terms of interest: Does firm claim EU Safe Harbor certification? Is it in fact registered?

Action: Google, Inc., FTC No. 102-3136
  Dates: Mar. 30, 2011 (PR); Oct. 13, 2012 (CO); Oct. 21, 2012 (S)
  Allegation in FTC Complaint (pincite): Google’s privacy policy claimed to “‘adhere[] to the US Safe Harbor Privacy Principles.’” (7). In fact, because Google shared personal information without notice, the claims regarding EU Safe Harbor “were, and are, false or misleading.” (8).
  Terms of interest: If firm claims EU Safe Harbor compliance, does the privacy policy comply with EU Safe Harbor requirements for privacy policies?

Action: MySpace, LLC., FTC No. 102-3058
  Dates: May 8, 2012 (PR); August 30, 2012 (CO); September 11, 2012 (S)
  Allegation in FTC Complaint (pincite): Myspace claimed that it “‘complies with the U.S.-EU Safe Harbor Framework.’” (7), but in fact shared customers’ personal information with advertisers (3) without notice or consent (4).
  Terms of interest: If firm claims EU Safe Harbor compliance, does the privacy policy comply with EU Safe Harbor requirements for privacy policies?

Action: Facebook, Inc., FTC No. 092-3184
  Dates: Nov. 29, 2011 (PR); Aug. 10, 2012 (S)
  Allegation in FTC Complaint (pincite): “Facebook retroactively applied…changes to personal information that it had previously collected from users, without their informed consent” (9).
  Terms of interest: If firm claims EU Safe Harbor compliance, does the privacy policy comply with EU Safe Harbor requirements for privacy policies?

Table 2. Summary Statistics. Privacy policies and firm and product data for 891 policies from 230 firms from January 1, 2009 through June 15, 2013. For each policy, we track the number of policies per firm across the sample (e.g., three policies mean the policy changed twice after the initial policy was captured), the number of words per policy, and whether Safe Harbor certification is claimed. For each firm, we track whether its service is free or paid, whether its service’s nature is discreet, what its website’s Alexa popularity rank is and whether it is publicly traded as of the end of the sample.

Number of policies
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               3.87        3           2.82
Dating (N = 37)             3.13        3           2.55
Social Network (N = 81)     4.32        3           2.39
Message Boards (N = 47)     3.10        3           1.98
Reviews (N = 17)            5.11        4           4.04
Cloud Computing (N = 28)    4.25        4           2.12
Gaming (N = 20)             3.65        3           1.87

Number of Words
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               2,570       2,334.5     1,456
Dating (N = 37)             2,463       2,407.5     1,206
Social Network (N = 81)     2,698       2,304.5     1,641
Message Boards (N = 47)     1,970       2,047.5     961
Reviews (N = 17)            2,723       2,517       1,038
Cloud Computing (N = 28)    2,573       2,253       1,301
Gaming (N = 20)             3,137       2,755       1,928

Certification Claimed (0 – 1)
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               .36         0           .48
Dating (N = 37)             .28         0           .45
Social Network (N = 81)     .3          0           .46
Message Boards (N = 47)     .28         0           .45
Reviews (N = 17)            .41         0           .5
Cloud Computing (N = 28)    .66         1           .48
Gaming (N = 20)             .41         0           .5

Paid Service (0 – 1)
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               .52         0           .69
Dating (N = 37)             1           1           .41
Social Network (N = 81)     .31         0           .68
Message Boards (N = 47)     .43         0           .68
Reviews (N = 17)            .41         0           .8
Cloud Computing (N = 28)    .67         1           .62
Gaming (N = 20)             .65         .5          .75

Discreet Service (0 – 1)
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               .02         0           .15
Dating (N = 37)             .11         0           .31
Social Network (N = 81)     0           0           0
Message Boards (N = 47)     .02         0           .15
Reviews (N = 17)            0           0           0
Cloud Computing (N = 28)    0           0           0
Gaming (N = 20)             0           0           0

Alexa Rank
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               1,720,491   6,031       14,072,350
Dating (N = 37)             697,070     42,482      1,804,637
Social Network (N = 81)     834,188     9,236       4,103,527
Message Boards (N = 47)     5,660,736   7,187.5     30,885,894
Reviews (N = 17)            1,644,043   4,435       5,075,711
Cloud Computing (N = 28)    172,692     591.5       819,833
Gaming (N = 20)             508,326     3,935       1,849,263

Public Company (0 – 1)
Sample (No. of firms)       Mean        Median      SD
All (N = 230)               .41         0           .49
Dating (N = 37)             .31         0           .47
Social Network (N = 81)     .37         0           .49
Message Boards (N = 47)     .24         0           .44
Reviews (N = 17)            .55         1           .52
Cloud Computing (N = 28)    .74         1           .45
Gaming (N = 20)             .58         1           .51

Table 3. Safe Harbor Registration Failure. Pre- and post-event comparison of the number of firms who claim compliance with the Safe Harbor agreement but fail to register with the Department of Commerce, a requirement of the agreement. The FTC action against American Apparel, Inc., et al. was announced on January 21, 2014. We compare the registration rate two weeks before versus one year after this announcement. The sample includes firms that have been in our sample throughout the entire data collection window, yielding a sample of 230 firms, only 39 of which claimed to abide by Safe Harbor at some point during our data collection window.

                            Before Action     One Year After
Registered for ESH          33                35
Not Registered for ESH      6                 3
Stops claiming ESH          .                 1
Chi-squared                 χ2 = 1.15 (p = 0.28)

Table 4. Safe Harbor Compliance: Complete Privacy Policies. Pre- and post-event comparison of the number of firms who claim compliance with the Safe Harbor agreement but whose policies fail to comply with guidelines. Similar FTC actions were announced against Google on March 30, 2011; Facebook on November 29, 2011; and MySpace on May 8, 2012. We compare compliance two weeks before the Google action announcement versus one year after the MySpace announcement. Here, we measure compliance as whether the privacy policy merely contains four of the terms required to be present under Safe Harbor: a way to contact the site; a description of technological safeguards to protect data; a description of the parties that the firm shares data with, if any; and a description of its periodic compliance reviews. Each chi-squared test compares the number of firms compliant with ESH after the last event to the number of firms compliant with ESH before the first FTC action. The sample only includes 230 firms that have been in our sample throughout the entire data collection window, only some of which claimed to abide by Safe Harbor.

                            Firms Claiming Compliance Before Safe Harbor Actions    Firms Adding Claim Between Actions
                            Before Actions        One Year After                    One Year After
Not fully compliant         19                    19                                16
Fully compliant             1                     1                                 3
Stopped claiming ESH                              0
Chi-squared                 χ2 = . (no change)                                      χ2 = 1.28 (p = 0.26)

Table 5. Safe Harbor Compliance Among Firms Not Claiming Safe Harbor Seal: Technical Compliance. Pre- and post-event comparison of compliance with Safe Harbor among firms that do not claim to abide by the Safe Harbor agreement. Similar FTC actions were announced against Google on March 30, 2011; Facebook on November 29, 2011; and MySpace on May 8, 2012. We compare compliance two weeks before the Google action announcement versus one year after the MySpace announcement. The sample includes only firms that do not claim the Safe Harbor seal throughout the event window. Here, we measure compliance as whether the privacy policy merely contains four of the terms required to be present under ESH: a way to contact the site; a description of technological safeguards to protect data; a description of the parties that the firm shares data with, if any; and a description of its periodic compliance reviews. Each chi-squared test compares the number of firms compliant with ESH after the last event to the number of firms compliant with ESH before the first FTC action. The sample only includes 230 firms that have been in our sample throughout the entire data collection window, only 173 of which never claimed Safe Harbor at any point during the data collection window.

                            Before Actions    One Year After
Not fully compliant         157               157
Fully compliant             16                16
Chi-squared                 χ2 = . (no change)

Table 6. Data Security Practice Descriptions. Pre- and post-event comparison of number of specific descriptions of data security methods in the privacy policy. FTC action against Compete was announced on October 22, 2012. We compare policies two weeks before the action announcement versus eight months after it (when data collection ended). We track the presence of three types of specific descriptions: technological security, managerial safeguards (like limiting the number of employees with access to data), and data disposal techniques. The sample includes 230 firms that were part of the sample throughout the event window. The chi-squared test compares the frequency of specific descriptions of security methods before and after.

                                    Before Action     Eight Months After
No specific security descriptions   73                72
One description                     72                100
Two descriptions                    82                57
Three descriptions                  3                 1
Chi-squared                         χ2 = 9.76 (p = .02)

Table 7. Snowden Revelations. Pre- and post-event comparison of number of firms who promise not to disclose user data in order to comply with a government request or prevent a crime. The first Snowden article was published on June 5, 2013 in The Guardian. The sample includes all firms in our sample that still had a privacy policy publicly available on December 31, 2015, which leaves 184 firms.

                                                                          June 15, 2013     December 31, 2015
Will not disclose data to comply with government request or prevent crime 21                11
Will disclose data to comply with government request or prevent crime     163               172
Chi-squared                                                               χ2 = 3.43 (p = .06)

Appendix. EU Safe Harbor Requirements. List of 19 terms used to establish firms’ stated compliance with EU Safe Harbor. Content of terms by categories: Notice, Sharing, User Control, Security, Data Practices, Enforcement, and Privacy by Design. Possible responses are listed after each term; EU SH requirement is in bold.

Notice
    Recipients of shared or sold data are identified [68]: Yes, No
    Words such as "affiliates" or "third parties" are defined, if used [69]: Yes, No, N/A
    User must explicitly assent to material changes [70]: Yes, No, N/A

Sharing
    Affiliates and subsidiaries are bound by the same privacy policy [71]: Yes, No, N/A
    Contractors are bound by the same privacy policy [72]: Yes, No, N/A
    Third parties are bound by the same privacy policy [73]: Yes, No, N/A
    Company has contract with third parties establishing how disclosed data can be used [74]: Yes, No, N/A
    Consent mechanism for sharing/selling PII or sensitive information (except for typical internal business purposes) [75]: Opt-in, Opt-out, Mandatory, N/A

User Control
    User allowed to access and correct personal data collected [76]: Can access and correct, Can access, No

Security
    Guarantees data accuracy [77]: Yes, No
    Company adopts reasonable procedures to ensure accuracy [78]: Yes, No
    Describes managerial safeguards (e.g., limiting number of employees with access to data) [79]: Yes, No
    Identifies means of technological security (e.g., encryption) [80]: Yes, No

Data Practices
    Has a procedure for safely disposing of unused data [81]: Yes, No

Enforcement
    Provides contact information for privacy concerns or complaints [82]: Yes, No
    Provides link to FTC's Consumer Complaint Form and/or its telephone number [83]: Yes, No
    Claims privacy seal, certification, or consistency with an industry oversight organization's practice [84]: Yes, No

Privacy By Design
    Requires periodic compliance review of structural, technological security [85]: Yes, No
    Contains self-reporting measures in case of privacy violation (to a privacy seal organization, third-party consultant) [86]: Yes, No

[68] See SAFE HARBOR WORKBOOK, supra note 24 at 4 (“An organization must inform individuals about…the types of third parties to which it discloses the information.”).
[69] See id.
[70] See id. (“An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.”).
[71] See JOEL R. REIDENBERG & PRIVACY LAWS & BUSINESS, THE FUNCTIONING OF THE US-EU SAFE HARBOUR PRIVACY PRINCIPLES (Independent Consultant Study Report) (Sept. 21, 2001) (available from the European Commission) (“SH requires that an organization may transfer personal data to third-party processors only if the third-party subscribes to the Principles … or enters into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant Principles. This element identifies whether the corporate policies indicate that any third-party processors have made commitments either to SH or to a contract with at least the same level of protection.”) (internal quotations omitted).
[72] See id.
[73] See id.
[74] See id.
[75] See SAFE HARBOR WORKBOOK, supra note 24 at 4 (“For ‘sensitive information’ (i.e. personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), individuals must be given an affirmative or explicit (opt in) choice if the information is to be disclosed to a third party or used for a purpose other than those for which it was originally collected or subsequently authorized by the individual through the exercise of opt in choice.” See also id. (“An organization must offer individuals the opportunity to choose (opt out) whether their personal information is (a) to be disclosed to a third party or (b) to be used for a purpose that is incompatible with the purpose(s) for which it was originally collected or subsequently authorized by the individual. Individuals must be provided with clear and conspicuous, readily available, and affordable mechanisms to exercise choice.”).
[76] Id. at 5 (“Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.”).
[77] See id. (“An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.”).
[78] See id.
[79] See id. (“Organizations creating, maintaining, using or disseminating personal information must take reasonable precautions to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. This principle applies to how your organization stores, processes, maintains, and protects customer information. Organizations should take steps to secure personally identifiable information. It does little good to have a strict privacy policy if personal data is available to any employee or if your organization’s computer systems and paper files are not secured.”).
[80] See id.
[81] See id.
[82] See id. at 4 (“An organization must inform individuals about…how to contact the organization with any inquiries or complaints”); see Dep’t of Commerce, U.S.-E.U. SAFE HARBOR FRAMEWORK DOCUMENTS, FREQUENTLY ASKED QUESTION 6, EXPORT.GOV, http://2016.export.gov/safeharbor/eu/eg_main_018493.asp (last updated Feb. 8, 2013) [hereinafter Dep’t of Commerce FAQs].
[83] See Dep’t of Commerce FAQs 6, 11.
[84] See SAFE HARBOR WORKBOOK, supra note 24 at 4 (“A privacy policy should state that the organization in question complies with one or both of the Safe Harbor Frameworks and must state that the organization adheres to the Safe Harbor Privacy Principles.”).
[85] See id. at 5 (“Under the self-assessment approach, verification would indicate that an organization's published Safe Harbor privacy policy is accurate, comprehensive, prominently displayed, completely implemented, accessible, and conforms to the Safe Harbor Privacy Principles. It would also need to indicate that appropriate employee training, as well as internal procedures for periodic, objective reviews of compliance are in place. A statement verifying the self-assessment should be signed by a corporate officer or other authorized representative of the organization at least once a year. Where the organization has chosen outside compliance review, verification would indicate that an organization's published Safe Harbor privacy policy is accurate, comprehensive, prominently displayed, completely implemented, accessible, and conforms to the Safe Harbor Privacy Principles. The methods of review may include without limitation auditing, random reviews, use of ‘decoys’ or use of technology tools as appropriate. A statement verifying that an outside compliance review has been successfully completed should be signed either by the reviewer or by the corporate officer or other authorized representative of the organization at least once a year.”).
[86] See id.