Skip to main content

Want to be your company’s Privacy Shield hero? Four proposed FTC settlements suggest actions you can take to keep your business Privacy Shield-compliant.

The EU-U.S. Privacy Shield framework enables companies to lawfully transfer consumer data from European Union countries to the United States. (There also is a Swiss-U.S. framework.) The Department of Commerce administers both frameworks, while the FTC challenges false or deceptive representations companies make about their participation or compliance.

In separate complaints, the FTC alleges that four companies – Click Labs, Inc., a Seattle-based website and app services provider; Incentive Services, a Minnesota developer of employee award programs; Global Data Vault, a data storage and recovery business in Dallas; and North Carolina IT services company TDARX – made misleading Privacy Shield claims.

The FTC says Click Labs and Incentive Services submitted self-certification applications to the Department of Commerce for both the EU-U.S. and Swiss-U.S. frameworks, but failed to finalize them. Despite that, both companies claimed on their websites to be in compliance.

According to the cases against Global Data Vault and TDARX, although those companies were once EU-U.S. Privacy Shield participants, they allowed their certifications to lapse – meaning that the claims they made in their privacy policies about their status were false. Furthermore, the complaints allege that while they were participants, they failed to perform either the annual self-assessment or outside compliance review verification required of all Privacy Shield participants. What about the data they received during the time they participated? The framework gives former participants three options: Affirm ongoing compliance with Privacy Shield principles for that information, return it, or delete it. The FTC says Global Data Vault and TDARX failed to do any of the three.

The proposed settlements prohibit the companies from misrepresenting their participation in or compliance with the EU-U.S. Privacy Shield framework or any other privacy or data security program sponsored by a government, self-regulatory group, or standard-setting organization. In addition, Global Data Vault and TDARX must either apply the Privacy Shield protections to personal information they collected while participating in the program, return the information, or delete it. Once the settlements appear in the Federal Register, you’ll have 30 days to file a public comment.

How can you help your company avoid a framework failure? Consider these three steps:

  1. Framework participation is voluntary, but don’t tout participation until your company’s application has been accepted.
  2. Set a reminder on your calendar to complete the required recertification process annually, as well as your annual verification.
  3. If your business chooses to withdraw from participation, remove Privacy Shield references from your website, including your privacy policy. Furthermore, think through how your company will appropriately protect – or securely return or delete – information collected while you were a participant.

Visit the FTC’s Privacy Shield page for more resources.


It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

More from the Business Blog

Get Business Blog updates