Decoding lessons from the Facebook Consent Decree: Does Sarbanes–Oxley foreshadow the future of privacy regulation?


This paper examines the utility of the Sarbanes–Oxley Act of 2002 as a guide for regulators engaged in privacy policy development. By exploring best practices employed by the financial reporting industry, and the specific terms of the Sarbanes–Oxley Act of 2002, the present research offers guidance for incorporating those practices into privacy regulation. The paper advocates that both the FTC/Facebook Court Order and the Sarbanes–Oxley Act of 2002 should now be considered de facto minimum standards for American privacy policy, including: required CEO certification of industry obligations; establishment and maintenance of effective internal controls; required CEO, CFO and CPO certification of control compliance; disgorgement of ill-gotten gains by organizations and executives; required independent third-party compliance review, together with independence of audit committees and privacy compliance staff; and, finally, the establishment of, and compliance with, a regulatory oversight board similar to the PCAOB.

Publication Title: International Journal of Disclosure and Governance