The company name may be American Apparel, but commerce is global, especially in the fashion industry. If a business says it abides by the U.S.-EU Safe Harbor for transferring consumer data, companies have an obligation to live up to that promise. American Apparel, the popular clothing retailer, is the latest company to be the subject of FTC law enforcement for claiming it was in compliance with the framework, but failing to conduct the required annual self-certification.
Administered by the Department of Commerce, the Safe Harbor program is a voluntary international privacy framework that lets U.S. companies transfer consumer data from the European Union to the United States in compliance with EU Law. To participate, a company must self-certify every year that it complies with the seven privacy principles required to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Many companies highlight their compliance by mentioning it on their websites.
Like a dozen similar cases announced in January and another one in February, the settlement with American Apparel requires the company to tell the truth about its participation in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting group.
Getting an uneasy feeling about whether your certification is up to date? It's easy to check. Mark your calendar to make sure your company follows through with the required annual self-certification – and do your clients a favor by reminding them, too.
File a comment about the proposed settlement by June 9, 2014. Bookmark the FTC's U.S.-EU Safe Harbor Framework page for more resources.