Participation is voluntary, but live up to what you promise

Share This Page

To facilitate the transfer of data, many U.S. companies that do business internationally participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (CBPR) system. It’s voluntary, of course, but if companies say they participate, that representation – like other objective claims – must be truthful. That’s the lesson of three proposed settlements just announced by the FTC.

APEC’s CBPR system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability. To participate, a company must undergo a review by an APEC-recognized accountability agent, which certifies that the company meets the standards.

Three companies – messaging app developer SpyChatter, cybersecurity software company Vir2us, and endpoint protection software provider Sentinel Labs – claimed on their websites that they participated in the APEC CBPR system. For example, SpyChatter said that it “abides by the APEC CBPR system, which provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.”

But according to the FTC, the companies weren’t certified to participate and never had been.

The complaint against Sentinel Labs (consumers may know them as SentinelOne) includes an additional count of interest to businesses. Referring to TRUSTe, a third-party privacy certification company, here’s what SentinelOne claimed on its website:

SentinelOne has received TRUSTe’s Privacy Seal which means that this Privacy Policy and our practices have been reviewed by TRUSTe for compliance with its requirements regarding transparency, accountability and choice regarding the collection and use of your personal information. The TRUSTEe certification . . . covers information collected on our site, www.SentinelOne.com, and SentinelOne mobile applications.

Except that according to the complaint, TRUSTe had never reviewed SentinelOne’s privacy policy and privacy practices and had not verified that SentinelOne complies with its requirements about the privacy of personal information.

Under the terms of the settlements, the three companies are prohibited from misrepresenting their participation, membership, or certification in any privacy or security program sponsored by a government or by a self-regulatory or standard-setting organization. The FTC is accepting public comments about the proposed settlements until March 23, 2017.

What are the takeaway tips for other companies?

  • Live up to your promises about participation in certification or self-regulatory programs. For companies that need to transfer data between countries, mechanisms like APEC’s Cross-Border Privacy Rules system can streamline compliance responsibilities and foster economic growth. Participation is voluntary, but if you say you participate, mean what you say.
  • Review your privacy promises with fresh eyes. Once a company has a privacy policy in place, it’s tempting to review just the new provisions. But every so often, read it through anew, asking yourself questions like “Do we still do that?” or “What’s our basis for that promise?” Make sure it reflects your company’s current practices. Remove any inaccurate statements that may be the vestige of a long-ago template.

     

Comments

Corporations/companies which has access to our personal, business, and health information should be regulated by a mandatory commission before they are able in manipulate or disimulate our data. Self regulation is not acceptable for it creates a system which perpetuates these types of situations. Compliance and reviews are as conducted as deemed necessary for the benefit of the company and not the general business community.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.