Privacy Assessments Lack Common Standards, McGuireWoods’ Peyton Tells FTC Watch

September 2, 2022

Twitter is joining the ranks of social media companies that have been ordered by the FTC to retain independent assessors to review their data privacy and information security programs, but the rapidly growing privacy assessment industry has yet to settle on a single standard for either assessments or assessors, McGuireWoods partner Janet Peyton told FTC Watch in an Aug. 8 story.

The story in FTC Watch, the nation’s leading independent newsletter focused exclusively on antitrust, consumer protection and privacy enforcement developments, reports on a deal struck in May by Twitter and the Federal Trade Commission, resolving the FTC’s complaint against Twitter for alleged violations of the FTC’s 2011 Administrative Order and of Section 5 of the FTC Act. The FTC alleged that Twitter had deceived users about how their personal information was being used. Twitter agreed to pay a civil penalty of $150 million and, among other things, to implement a Privacy and Information Security Program mandated by the FTC. To ensure compliance with the new program, the FTC also mandated that Twitter engage a “qualified, objective, independent” assessor, who will use “procedures and standards generally accepted in the profession.”

Peyton explained to FTC Watch that there is “no single standard for privacy assessments or for assessors.” Instead, companies typically select from a variety of standards, such as a National Institute of Standards and Technology (NIST) framework or a System and Organization Controls (SOC) report, and then identify an assessor with experience in that standard. It is also common in larger organizations to run a formal request-for-proposal process to select a privacy assessor, with counsel working in parallel to evaluate compliance with privacy laws, Peyton said.

Peyton has a complex intellectual property and privacy practice, focused on the strategic protection and management of iconic brands and proprietary data. She counsels clients through large-scale data breach incidents and cross-border data privacy compliance, advises lawmakers and industry groups on privacy legislation at the state and federal level, and serves as the firm’s U.S. liaison on EU-U.S. cross-border data transfer matters.