As a reminder that the promises you make on your website must align with your data privacy practices, the FTC announced that it just reached a settlement with a background screening company over allegations it falsely claimed to be a participant in the EU-U.S. Privacy Shield program. In separate actions, the FTC also sent warning letters to more than a dozen companies for falsely claiming participation in other international privacy agreements. The FTC’s press release stated:
In its complaint, the FTC alleges that SecurTest, Inc., falsely claimed on its website that it participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which establish processes to allow companies to transfer consumer data from European Union countries and Switzerland to the United States in compliance with EU and Swiss law, respectively. While the company initiated a Privacy Shield application in September 2017 with the U.S. Department of Commerce, SecurTest did not complete the steps necessary to be certified as complying with the frameworks. By failing to complete certification, SecurTest was not a certified participant in the frameworks, despite representations to the contrary on its website. The Department of Commerce administers both frameworks, while the FTC enforces the promises companies make when joining those programs. As part of its proposed settlement with the FTC, SecurTest is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.
FTC Warns Other Companies
The FTC also sent warning letters to 13 companies that falsely claimed they participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively. These Safe Harbor agreements are no longer in force, and the last valid self-certifications for either agreement have expired. The FTC called on the 13 companies to remove from their websites, privacy policies, or any other public documents any statements claiming they participate in either Safe Harbor agreement. If the companies fail to take action within 30 days, the FTC warned it would take appropriate legal action.
The FTC also sent warning letters to two companies for claiming in their privacy policies that they are participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system even though they are not certified participants. The APEC CBPR system is a self-regulatory initiative to enhance the protection of consumer data that moves among the APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. To become a certified participant, a designated third party, known as an APEC-recognized Accountability Agent, must review and certify that the company is compliant with the CBPR program requirements. The FTC’s letter instructed the companies to remove from their websites, privacy policies, or any other public documents or statements that might be construed as claiming participation or involvement in the APEC CBPR system unless they prove that they have undergone the requisite review and certification. The FTC warned it would take appropriate legal action if the companies fail to provide a timely and satisfactory response.