Nearly three years ago, the EU-U.S. and Swiss-U.S. Privacy Shield frameworks replaced the U.S.-EU and U.S.-Swiss Safe Harbor programs as a self-certification mechanism to transfer personal data from the European Union and Switzerland, respectively. Although participation is completely voluntary and organizations are free to use other lawful methods to transfer data from the European Union and Switzerland (such as the Standard Contractual Clauses published by the European Commission), the U.S. Federal Trade Commission (“FTC”) can take action under Section 5 of the FTC Act when companies make deceptive claims about their privacy and data security practices, including their participation in international privacy programs such as the Privacy Shield frameworks. Recently, the FTC appears to have increased its monitoring of companies’ claims regarding participation in these regimes and is taking action against those that misrepresent their compliance with such programs.
In one such action, the FTC reached a settlement with a background check company, SecurTest, Inc. (“SecurTest”), over allegations that the company violated Section 5 of the FTC Act when it claimed in its privacy notice to consumers that it participated in the EU-U.S. and Swiss-U.S. Privacy Shield frameworks and that it had “certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles.” According to the FTC’s complaint, SecurTest applied to the Department of Commerce to participate in both frameworks but never completed the process; its claim of participation in the Privacy Shield frameworks was therefore false. Under the settlement terms, SecurTest must (1) refrain from misrepresenting its participation in either Privacy Shield framework or in any other privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization, (2) notify its stakeholders of the company’s noncompliance and (3) submit to ongoing compliance monitoring and recordkeeping requirements.
The FTC also issued warning letters to more than a dozen unnamed companies for misrepresenting their participation in the U.S.-EU and U.S.-Swiss Safe Harbor frameworks, which were invalidated in October 2015 and under which all self-certifications have since expired. In addition, the FTC sent warning letters to two companies for falsely claiming to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (“APEC CBPR”) system, a voluntary but enforceable framework designed to protect consumer data transferred between APEC member economies.
The FTC requested that these companies remove from their websites, privacy policies or other public documents any statements claiming participation in either of the Safe Harbor programs, and requested that the two companies either (1) remove from their websites, privacy policies or other public documents any statements that might be construed as claiming participation or involvement in the APEC CBPR system or (2) prove that they had undergone the requisite review and certification. The FTC warned that if the companies fail to take action within 30 days, it will take appropriate legal action.
Privacy policies claiming compliance with invalidated or updated programs or laws clearly present a red flag to regulators. In this most recent instance, the FTC continued its trend of aggressively policing companies that falsely claim to be Privacy Shield compliant and that misrepresent their participation in other transborder programs. Companies that continue to represent to the public their participation in these programs after failing to complete certification or recertification run the risk of FTC enforcement.
This recent enforcement action and the accompanying warning letters should remind U.S. companies of the importance of periodically reviewing their privacy policies for accuracy and for any wording that could mislead consumers. Doing so helps avoid potentially costly investigative and enforcement proceedings and reduces the risk of losing consumers’ trust. This is especially true when an organization changes how it processes consumers’ personal information. Organizations should carefully revise their privacy notices to ensure they accurately describe the information they collect about consumers. Similarly, organizations should obtain appropriate consent from consumers before collecting new types of information from them or using their information for purposes not previously disclosed in the privacy notice. Companies should also avoid making sweeping statements in their privacy notices, such as “we will never share your personal information with any third parties” or “we protect your information in accordance with the highest industry standards,” as such statements are likely to be misconstrued by consumers and may be viewed as deceptive by the FTC.