Skip to main content

Phileas Fogg was famous for going around the world in 80 days, but when it comes to global commerce, consumers can manage the same feat with just one click. Recent FTC actions touch on the international implications of consumer protection.

SecurTest is a Florida-based background screening company that claimed to participate in the EU-U.S. and Swiss-U.S. Privacy Shield programs. Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries and Switzerland to the United States in compliance with EU and Swiss law. To participate, companies must complete a self-certification process with the Department of Commerce and then recertify annually. Privacy Shield participation is voluntary, but the FTC can take action if companies make deceptive representations about their status.

According to the complaint, SecurTest started its Privacy Shield application in September 2017. Shortly after that, the company added language at the bottom of its webpage to say its application was pending. However, months passed and SecurTest didn’t complete the application. And yet until July 2018 – when the FTC raised the issue – the company said in its Privacy Policy that it “complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework” and that it “has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.”

The complaint alleges that SecurTest’s claim of Framework participation was false. To settle the case, the company has agreed not to misrepresent its participation in any privacy or security program sponsored by a government agency, self-regulatory group, or standard setting organization. The FTC is accepting public comments about the proposed settlement.

In a related development, FTC staff sent warning letters to 13 companies that falsely claimed they participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor Frameworks. How can we be so sure their claims are false? Because Privacy Shield replaced the Safe Harbor Frameworks in 2016. The Safe Harbor agreements are no longer in effect and the last valid self-certifications have long expired. The letters asked the companies to remove from their sites, privacy policies, or other public documents any mention of Safe Harbor participation. The companies have since taken their Safe Harbor claims down. If they hadn’t acted within 30 days – well, there’s a reason they’re called warning letters.

FTC staff also sent warning letters to two companies that falsely claimed in their privacy policies that they participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. APEC’s CBPR system is an initiative to enhance the protection of consumer data that moves among APEC member economies. To become a certified participant, a designated third party – they’re called APEC-recognized Accountability Agents – must review and certify that the company complies with the program’s requirements.

Like the other warning letters, the letters sent a “We’ll be back” message and outlined the companies’ options: 1) Immediately remove any claim stating or implying CBPR participation; 2) Apply to become a certified participant, but remove any references to their involvement unless and until they’re certified; or 3) Do nothing, but with the clear understanding that the FTC reserves the right to take appropriate legal action to protect the integrity of the APEC CBPR system. These companies, too, have taken down their false CBPR claims.

The proposed settlement and warning letters offer three takeaways for other companies.

  • Avoid a false start. So your company has started its application to voluntarily participate in an initiative like the EU-U.S. Privacy Shield, the Swiss-U.S. Privacy Shield, or APEC’s CBPR system. Good for you, but don’t tout your participation just yet. Until your application has been finalized and approved, it’s deceptive to suggest to consumers – through words, logos, or any other means – that your company is a participant.
  • Privacy Shield participation requires ongoing compliance. Privacy Shield participation isn’t a one-and-done box to check. A key component is the annual self-certification process, which requires you to take a current look at your company’s practices. Letting your certification lapse renders your participation claims false. The wiser practice is to add an annual reminder on your calendar to recertify with the Department of Commerce before the expiration date of your company’s current certification.
  • Don’t try to dock in the Safe Harbor. Check your website and other documentation to make sure your company doesn’t tout its participation in the now-defunct U.S.-EU or U.S.-Swiss Safe Harbor Frameworks.
     
     

Tags:

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.

The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.

  • We won’t post off-topic comments, repeated identical comments, or comments that include sales pitches or promotions.
  • We won’t post comments that include vulgar messages, personal attacks by name, or offensive terms that target specific people or groups.
  • We won’t post threats, defamatory statements, or suggestions or encouragement of illegal activity.
  • We won’t post comments that include personal information, like Social Security numbers, account numbers, home addresses, and email addresses. To file a detailed report about a scam, go to ReportFraud.ftc.gov.

We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.

Erwin Susila, S.E.
July 07, 2019
Thank you
Guest
December 09, 2019
The United States has always been a pioneer in providing innovative, efficient solutions for leading economic partnerships , which means using a programIn the background make a certificate or qualification such as a security filter to allow or disallow a company It can be effective in a behavioral requirement

More from the Business Blog

Get Business Blog updates

 
Return to top