
Executive Accountability Is the Way Forward for Privacy Regulations

Ask any preteen what the hottest app is and they’ll likely tell you TikTok. The app lets kids (and a few adults) lip-sync to prerecorded songs and dialogue clips to make short videos. It has been downloaded more than 200 million times since its release in 2014 (when it was called Musical.ly).

But TikTok’s popularity with kids recently landed the company in some hot water. Last month ByteDance, the company that owns TikTok, forked over $5.7 million to settle Federal Trade Commission allegations that it had violated the Children’s Online Privacy Protection Act by collecting and sharing data about children under 13 without parental consent.

It was the FTC’s steepest civil settlement ever for a COPPA violation — signaling to tech entrepreneurs everywhere that the agency is serious about protecting children’s data.

But the real game-changer was buried in the second paragraph of a statement issued jointly by two newly appointed FTC commissioners. Rohit Chopra and Rebecca Kelly Slaughter bemoaned that the FTC has rarely brought individual executives to task for privacy breaches, stating, “Executives of big companies who call the shots as companies break the law should be held accountable.”

With this one sentence, the commissioners were nodding to an increasingly popular idea in privacy protection known as the accountability model, where executives are required to certify their company’s privacy practices and face stiff fines if those policies are violated, or even criminal charges for lying about compliance.

Right now, there’s no shortage of privacy regulations. In Europe, the General Data Protection Regulation, which went into effect last spring, set strict standards for how companies must handle consumer data, including provisions that allow consumers to see how their data is being used and grant them the “right to be forgotten.” The California Consumer Privacy Act, enacted by state legislators last summer, will likely set similar standards once it takes effect in January.

But these approaches are fundamentally flawed. They ultimately put the onus of policing privacy on the consumer. Fines, when they are levied, are applied to the entire company, not individual executives, thus penalizing shareholders at public companies.

Evidence abounds that punishing corporations for executives’ missteps does not work.

In 2010, LifeLock Inc. paid a $12 million settlement for making false claims about its identity theft protection service and failing to protect consumer data, only to return to court five years later for violating the FTC’s original order. Facebook is reportedly facing FTC scrutiny for brazenly violating its 2011 consent decree requiring it to keep consumer data private. The sanction for making the same mistake twice is likely to be another large fine and a requirement that the company not make the same mistake a third time. If a fine didn’t change the corporation’s behavior the first time, it probably won’t the second or third time. Nor does a public scolding from members of Congress, many of whom are tech-challenged, make much impact; it amounts to another day of bad press that doesn’t force change in how executives make decisions. So every day we are treated to revelations of new instances where tech behemoths have recklessly let private data leak to third parties, and then they do it again.

In a 2016 Thomson Reuters survey of more than 1,100 professionals, 63 percent agreed that “winning new business is a priority” and that, as a consequence, they might breach regulations. A jaw-dropping 79 percent of U.S. respondents felt the same way. Facebook just announced its largest quarterly revenue ever, $16.91 billion, so even the multibillion-dollar fine the FTC is rumored to be considering would be a drop in the bucket for a company that size and unlikely to change its behavior.

Compare this to how an accountability model has affected Wall Street. In the aftermath of the Enron scandal, Congress passed the Sarbanes-Oxley Act, which, among other things, requires top management to personally certify the accuracy of the company’s financial reports. Since then, restatements of financial results, a tell-tale sign of sloppy accounting, have dropped to a 17-year low. An exhaustive 2014 study by Harvard University’s business and law schools concluded that SOX’s overall impact has been beneficial.

A similar arrangement could help plug data leaks. The possibility of a personal fine would force corporate executives to look closely at how their company encrypts data and limits third-party access to it. Other privacy heavyweights agree with this approach, including David Hoffman, head of privacy at Intel, who went so far as to draft a U.S. bill under which executives who lie about compliance would face criminal charges. Hoffman told Reuters that the possibility of imprisonment was “the best privacy protection you can get.”

The truth is that when it comes to privacy, we may need smarter regulations, not more of them. Holding executives accountable for their company’s practices would go a long way toward making users more confident that their data is being protected, because the executives themselves would be at risk. And, with consumer trust in tech companies falling every day, that trust is going to be crucial for economic growth in the sector. If it stopped new Enron-style scandals, perhaps accountability can clean up our corporate privacy messes as well.

Mike Montgomery is executive director of CALinnovates, a nonpartisan coalition of tech companies and nonprofits.

Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas.