Skip to main content

A proposed FTC settlement with California-based employee training company ReadyTech Corporation reminds businesses that if you make claims about EU-U.S. Privacy Shield participation, you have an obligation to live up to those promises. The case also serves as further confirmation of the FTC’s commitment to the framework.

Privacy Shield gives companies a way to transfer personal data from the EU to the United States, consistent with EU data protection requirements. To participate in Privacy Shield (or the corresponding Swiss-U.S. Framework), companies must apply to the U.S. Department of Commerce and follow the program’s self-certification requirements. Participation is voluntary, but a company’s representations about Privacy Shield compliance must be true.

Here’s what ReadyTech said in its Privacy Policy:

ReadyTech is in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.

But according to the FTC, although ReadyTech began the Privacy Shield application process in October 2016, it didn’t follow through with the necessary steps. Thus, the FTC alleged that ReadyTech’s statement in its Privacy Policy was false or misleading.

To settle the case, the company has agreed not to misrepresent its participation in or compliance with any privacy or security program sponsored by a government, a self-regulatory group, or a standard-setting organization. The FTC is accepting comments about the proposed settlement until August 1, 2018.

What does the case mean for your company?

Deceptive claims about Privacy Shield participation are actionable under the FTC Act. Like any other objective representation, companies must have a reasonable basis to support what they say about Privacy Shield. If a business says it complies with the framework, that must be true. If it says it’s “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield framework,” it must be actively taking the steps necessary to complete the process. Your company doesn’t have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.

Be the in-house Privacy Shield hero. If your company claims to participate in Privacy Shield, but you haven’t finished the process or your certification has lapsed, you have two choices: 1) complete the process; or 2) remove the false statement. To earn Privacy Shield props from your company, implement a simple system to keep your Privacy Shield self-certification current. The Commerce Department’s list of active Privacy Shield participants includes the date by which you must submit your annual self-certification. Mark it on your calendar so you can recertify on time.

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Eric Hicks
July 02, 2018
I believe that privacy shield is a great tool to use and is very efficient for the people who use it because it gives the consumers the ability to control their data. With all that being said I do believe it would be beneficial to all parties who participate in these issues to be compensated some kind of reward for their efforts. And for those who go above and beyond to be recognized for their contributions to privacy shield.
Carlos Garcia Ruiz
July 04, 2018

In reply to by Eric Hicks

I think the benefit you claim is to get European customers. And make business with them
Veronika Tonry
November 16, 2018
Privacy Shield could be a great tool, but I am disappointed to see that applications are just stalling for half a year or more with no response to emails or phone calls.

Get Business Blog updates