Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
April 29th, 2015
FTC Pursues Companies for Privacy Certification Misrepresentations
The FTC recently filed complaints alleging two US businesses that claimed to be in compliance with the US-EU Safe Harbor Framework were, in fact, no longer compliant. The two cases, which settled, serve as a reminder to all companies making representations about the security of their data: if you're going to participate in a government or self-regulatory data security program, you have to renew your certifications and otherwise comply.
Background. The US-EU Safe Harbor Framework is a voluntary international privacy program administered by the Department of Commerce that lets companies transfer data from the EU to the USin compliance with EU law. To participate in the Safe Harbor Framework, a company must annually certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Saying you have a valid Safe Harbor certification - but failing to self-certify once a year - is a deceptive practice in violation of the FTC Act
The complaints. The FTC's complaints against TES Franchising, LLC, a business coaching service, and American International Mailing, Inc., a mail and freight shipping company, alleged that both companies' websites indicated they were currently certified under the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier. In addition, the complaint against TES alleged that TES told consumers that Safe Harbor-related disputes would be settled by an arbitration agency in Connecticut and costs would be split between the consumer and TES. However, the FTC alleged that in TES's Safe Harbor certification filing, TES said it would process Safe Harbor-related disputes through the EU data protection authorities (which do not require in-person attendance), at no cost to consumers. The FTC also alleged that TES deceptively claimed to be a licensee of the TRUSTe Privacy program, when it was not.
The settlements. Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement with TES further prohibits the company from misrepresenting participation in, or the terms of, any alternative dispute resolution process or service.
Thus far, the FTC has brought 26 law enforcement actions to make sure companies honor their obligations under privacy and data security self-certification programs. If your company claims to be certified or wishes to be certified under the US-EU Safe Harbor Framework, the US-Swiss Safe Harbor Framework, TRUSTe, or any other voluntary privacy program, you should confirm your company is up to date on its certifications. For more information on the US-EU and US-Swiss Safe Harbor Frameworks, consult the Department of Commerce website here, and the FTC website here. For more detailed and company-specific guidance, please contact S. Gregory Boyd, Esq., CIPP/US at (212) 826-5581 or gboyd@fkks.com, Jeremy Goldman, Esq., CIPP/US at (212) 705 4843 or jgoldman@fkks.com, Jessica Smith, Esq., at (212) 705-4876 or jsmith@fkks.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
Six Steps to Help Your Team Comply with the New SEC Public Company Cybersecurity Rules
On July 26, 2023, the Securities Exchange Commission (“SEC”) approved final Rules entitled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (the “Rules”). The Rules require certain cybersecurity incident disclosures on Form 8-K, generally within 4 business days after the determination that a cybersecurity incident is material. Read more.
August 1 2023
Five Action Items to Help You Prepare for the Wave of Privacy Enforcement Starting July 2023
Mark your calendars - July 2023 is an important month for US privacy enforcement. Read more.
June 21 2023
Washington “My Health My Data” Act Dramatically Alters Health Data Compliance Landscape
Washington State’s My Health My Data Act (“the Act”) introduces a sweeping set of obligations for nearly all entities that do business in the state and that handle “consumer health data,” a broad new class of health-related data separate from that regulated by the federal Health Insurance Portability and Accountability Act (“HIPAA”). Read more.
April 24 2023