Phileas Fogg was famous for going around the world in 80 days, but when it comes to global commerce, consumers can manage the same feat with just one click. Recent FTC actions touch on the international implications of consumer protection.
SecurTest is a Florida-based background screening company that claimed to participate in the EU-U.S. and Swiss-U.S. Privacy Shield programs. Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries and Switzerland to the United States in compliance with EU and Swiss law. To participate, companies must complete a self-certification process with the Department of Commerce and then recertify annually. Privacy Shield participation is voluntary, but the FTC can take action if companies make deceptive representations about their status.
According to the complaint, SecurTest started its Privacy Shield application in September 2017. Shortly after that, the company added language at the bottom of its webpage to say its application was pending. However, months passed and SecurTest didn’t complete the application. And yet until July 2018 – when the FTC raised the issue – the company said in its Privacy Policy that it “complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework” and that it “has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.”
The complaint alleges that SecurTest’s claim of Framework participation was false. To settle the case, the company has agreed not to misrepresent its participation in any privacy or security program sponsored by a government agency, self-regulatory group, or standard-setting organization. The FTC is accepting public comments about the proposed settlement.
In a related development, FTC staff sent warning letters to 13 companies that falsely claimed they participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor Frameworks. How can we be so sure their claims are false? Because Privacy Shield replaced the Safe Harbor Frameworks in 2016. The Safe Harbor agreements are no longer in effect and the last valid self-certifications have long expired. The letters asked the companies to remove from their sites, privacy policies, or other public documents any mention of Safe Harbor participation. The companies have since taken their Safe Harbor claims down. If they hadn’t acted within 30 days – well, there’s a reason they’re called warning letters.
FTC staff also sent warning letters to two companies that falsely claimed in their privacy policies that they participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. APEC’s CBPR system is an initiative to enhance the protection of consumer data that moves among APEC member economies. For a company to become a certified participant, a designated third party – they’re called APEC-recognized Accountability Agents – must review and certify that the company complies with the program’s requirements.
Like the other warning letters, the letters sent a “We’ll be back” message and outlined the companies’ options: 1) Immediately remove any claim stating or implying CBPR participation; 2) Apply to become a certified participant, but remove any references to their involvement unless and until they’re certified; or 3) Do nothing, but with the clear understanding that the FTC reserves the right to take appropriate legal action to protect the integrity of the APEC CBPR system. These companies, too, have taken down their false CBPR claims.
The proposed settlement and warning letters offer three takeaways for other companies.
- Avoid a false start. So your company has started its application to voluntarily participate in an initiative like the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, or APEC’s CBPR system. Good for you, but don’t tout your participation just yet. Until your application has been finalized and approved, it’s deceptive to suggest to consumers – through words, logos, or any other means – that your company is a participant.
- Privacy Shield participation requires ongoing compliance. Privacy Shield participation isn’t a one-and-done box to check. A key component is the annual self-certification process, which requires you to take a current look at your company’s practices. Letting your certification lapse renders your participation claims false. The wiser practice is to add an annual reminder on your calendar to recertify with the Department of Commerce before the expiration date of your company’s current certification.
- Don’t try to dock in the Safe Harbor. Check your website and other documentation to make sure your company doesn’t tout its participation in the now-defunct U.S.-EU or U.S.-Swiss Safe Harbor Frameworks.