The Federal Trade Commission (“FTC”) is continuing its trend of aggressively policing companies that falsely claim to be Privacy Shield compliant while also hinting that it may expand its ire towards those who misrepresent participation in any international transfer program.
Late last week the FTC announced that it reached a settlement with a background check company, SecurTest, Inc., for misrepresenting its participation in the EU-US Privacy Shield and Swiss-US Privacy Shield programs. These programs are self-certification frameworks that allow companies to transfer a consumer’s personal data from the European Union (“EU”) or Switzerland to the United States.
Like other companies with which the FTC has reached similar settlements, SecurTest began the self-certification process but posted that it participated in Privacy Shield without ever finishing the process and earning the certification needed to make such a representation. The FTC continues to aggressively police companies that make such a representation without ever finishing their self-certification application, or that fail to renew it after their certification lapses.
The FTC’s stance, now delineated more clearly than ever, is that falsely posting participation in any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization is a misrepresentation that deceives consumers in violation of Section 5 of the Federal Trade Commission Act. In fact, the FTC also sent warning letters to 13 companies that represent on their websites that they participate in the US-EU and US-Swiss Safe Harbor frameworks—the predecessors to Privacy Shield that are no longer in effect after being deemed invalid by the European Court of Justice in 2015. All valid certifications made pursuant to those frameworks expired by October 2017. The FTC also sent warning letters to 2 companies that misrepresented participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) program, a framework that attempts to establish protections for the free flow of consumer data among APEC member economies. The FTC’s warning letters instructed companies to remove the representations regarding participation in these programs from any public documents or statements, cautioning that it would take legal action if these companies failed to comply or prove their representations are true.
The bottom line is companies should finish any certification applications before representing to consumers that a company is a participant in a program. Companies should also have a mechanism in place to ensure that the company is renewing these certifications before they lapse—at least so long as a public representation is made as to participation. This is clearly something that the FTC will continue to keep its eye on and should be considered high risk.
"If we do not receive a timely and satisfactory response . . . we reserve the right to take appropriate legal action." - Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, Federal Trade Commission