Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
April 29th, 2015
FTC Pursues Companies for Privacy Certification Misrepresentations
The FTC recently filed complaints alleging two US businesses that claimed to be in compliance with the US-EU Safe Harbor Framework were, in fact, no longer compliant. The two cases, which settled, serve as a reminder to all companies making representations about the security of their data: if you're going to participate in a government or self-regulatory data security program, you have to renew your certifications and otherwise comply.
Background. The US-EU Safe Harbor Framework is a voluntary international privacy program administered by the Department of Commerce that lets companies transfer data from the EU to the USin compliance with EU law. To participate in the Safe Harbor Framework, a company must annually certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Saying you have a valid Safe Harbor certification - but failing to self-certify once a year - is a deceptive practice in violation of the FTC Act
The complaints. The FTC's complaints against TES Franchising, LLC, a business coaching service, and American International Mailing, Inc., a mail and freight shipping company, alleged that both companies' websites indicated they were currently certified under the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier. In addition, the complaint against TES alleged that TES told consumers that Safe Harbor-related disputes would be settled by an arbitration agency in Connecticut and costs would be split between the consumer and TES. However, the FTC alleged that in TES's Safe Harbor certification filing, TES said it would process Safe Harbor-related disputes through the EU data protection authorities (which do not require in-person attendance), at no cost to consumers. The FTC also alleged that TES deceptively claimed to be a licensee of the TRUSTe Privacy program, when it was not.
The settlements. Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement with TES further prohibits the company from misrepresenting participation in, or the terms of, any alternative dispute resolution process or service.
Thus far, the FTC has brought 26 law enforcement actions to make sure companies honor their obligations under privacy and data security self-certification programs. If your company claims to be certified or wishes to be certified under the US-EU Safe Harbor Framework, the US-Swiss Safe Harbor Framework, TRUSTe, or any other voluntary privacy program, you should confirm your company is up to date on its certifications. For more information on the US-EU and US-Swiss Safe Harbor Frameworks, consult the Department of Commerce website here, and the FTC website here. For more detailed and company-specific guidance, please contact S. Gregory Boyd, Esq., CIPP/US at (212) 826-5581 or gboyd@fkks.com, Jeremy Goldman, Esq., CIPP/US at (212) 705 4843 or jgoldman@fkks.com, Jessica Smith, Esq., at (212) 705-4876 or jsmith@fkks.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Are You Ready for the New York Cybersecurity Regulations’ September 3rd Deadline?
Financial institutions and insurance companies operating in New York have until September 3, 2018 to comply with the next phase of New York's Cybersecurity Regulations. Here's what you need to know to avoid regulatory scrutiny.
August 10 2018
New California Privacy Law Calls for Significant Changes
On the heels of the European General Data Protection Regulation (GDPR), California has now passed a digital privacy law that gives consumers more control over their personal information online.
June 29 2018
Privacy Shield: Year One Updates You Need To Know
This month we're celebrating Privacy Shield's first birthday with an update on everything Privacy Shield. There have been a number of developments on the Privacy Shield-front that companies certified or seeking self-certification under Privacy Shield need to know.
October 17 2017