Bob Gellman has responded to NAI’s 2011 Annual Compliance Report with his own analysis, “Lacking in Facts, Independence, and Credibility: The 2011 NAI Annual Compliance Report.” From his summary:
The NAI report provides carefully selected and edited information about its members, the audit process, the qualification of its auditors, and the independence of its auditors. The NAI report fails to provide enough context for the few facts that it does provide, uses weasel worded statements that obscure the degree of compliance or non-compliance by NAI members, and claims credit for compliance with laws that are independent of NAI standards.
Any audit of privacy standards applicable to multiple organizations inevitably will find some examples of non-compliance with those standards. Perfection is not expected by anyone. A fair measure of self-regulation is regular reporting, independently conducted audits, and credibly reported results. Applying this standard, the NAI satisfies only the first element. It is difficult for a careful reader of the 2011 NAI report to determine how the NAI conducted its audits, to understand what facts the audit produced (as distinguished from broad and unsupported generalizations), or to give much credibility to the report’s broad and overstated conclusions.
Read his full analysis here.