- Published Articles
- In the Press
- Press Releases
Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
April 29th, 2015
FTC Pursues Companies for Privacy Certification Misrepresentations
The FTC recently filed complaints alleging two US businesses that claimed to be in compliance with the US-EU Safe Harbor Framework were, in fact, no longer compliant. The two cases, which settled, serve as a reminder to all companies making representations about the security of their data: if you're going to participate in a government or self-regulatory data security program, you have to renew your certifications and otherwise comply.
Background. The US-EU Safe Harbor Framework is a voluntary international privacy program administered by the Department of Commerce that lets companies transfer data from the EU to the USin compliance with EU law. To participate in the Safe Harbor Framework, a company must annually certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Saying you have a valid Safe Harbor certification - but failing to self-certify once a year - is a deceptive practice in violation of the FTC Act
The complaints. The FTC's complaints against TES Franchising, LLC, a business coaching service, and American International Mailing, Inc., a mail and freight shipping company, alleged that both companies' websites indicated they were currently certified under the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier. In addition, the complaint against TES alleged that TES told consumers that Safe Harbor-related disputes would be settled by an arbitration agency in Connecticut and costs would be split between the consumer and TES. However, the FTC alleged that in TES's Safe Harbor certification filing, TES said it would process Safe Harbor-related disputes through the EU data protection authorities (which do not require in-person attendance), at no cost to consumers. The FTC also alleged that TES deceptively claimed to be a licensee of the TRUSTe Privacy program, when it was not.
The settlements. Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement with TES further prohibits the company from misrepresenting participation in, or the terms of, any alternative dispute resolution process or service.
Thus far, the FTC has brought 26 law enforcement actions to make sure companies honor their obligations under privacy and data security self-certification programs. If your company claims to be certified or wishes to be certified under the US-EU Safe Harbor Framework, the US-Swiss Safe Harbor Framework, TRUSTe, or any other voluntary privacy program, you should confirm your company is up to date on its certifications. For more information on the US-EU and US-Swiss Safe Harbor Frameworks, consult the Department of Commerce website here, and the FTC website here. For more detailed and company-specific guidance, please contact S. Gregory Boyd, Esq., CIPP/US at (212) 826-5581 or email@example.com, Jeremy Goldman, Esq., CIPP/US at (212) 705 4843 or firstname.lastname@example.org, Jessica Smith, Esq., at (212) 705-4876 or email@example.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Privacy Shield: Year One Updates You Need To Know
This month we're celebrating Privacy Shield's first birthday with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know.
October 17 2017
Class Action Lawsuits Over Alleged COPPA Violations Reinforce Importance of Compliance
Earlier this month, three class action lawsuits were filed against companies for alleged violations of the Children's Online Privacy Protection Act ("COPPA").
August 22 2017
Third State Adopts Biometric Privacy Law
On June 1, 2017, Washington State joined Illinois and Texas as the third state to pass a biometric privacy law. The law, H.B. 1493, which goes into effect July 23, 2017, covers any business entity that collects biometric identifiers for commercial purposes.
July 11 2017