Sign Up for Alerts
Sign up to receive receive industry-specific emails from our legal team.
Sign Up for Alerts
We provide tailored, industry-specific legal updates to our clients and other friends of the firm.
Areas of Interest
April 29th, 2015
FTC Pursues Companies for Privacy Certification Misrepresentations
The FTC recently filed complaints alleging two US businesses that claimed to be in compliance with the US-EU Safe Harbor Framework were, in fact, no longer compliant. The two cases, which settled, serve as a reminder to all companies making representations about the security of their data: if you're going to participate in a government or self-regulatory data security program, you have to renew your certifications and otherwise comply.
Background. The US-EU Safe Harbor Framework is a voluntary international privacy program administered by the Department of Commerce that lets companies transfer data from the EU to the USin compliance with EU law. To participate in the Safe Harbor Framework, a company must annually certify that it abides by seven principles: notice, choice, onward transfer, security, data integrity, access, and enforcement. Saying you have a valid Safe Harbor certification - but failing to self-certify once a year - is a deceptive practice in violation of the FTC Act
The complaints. The FTC's complaints against TES Franchising, LLC, a business coaching service, and American International Mailing, Inc., a mail and freight shipping company, alleged that both companies' websites indicated they were currently certified under the US-EU Safe Harbor Framework and US-Swiss Safe Harbor Framework, when in fact their certifications had lapsed years earlier. In addition, the complaint against TES alleged that TES told consumers that Safe Harbor-related disputes would be settled by an arbitration agency in Connecticut and costs would be split between the consumer and TES. However, the FTC alleged that in TES's Safe Harbor certification filing, TES said it would process Safe Harbor-related disputes through the EU data protection authorities (which do not require in-person attendance), at no cost to consumers. The FTC also alleged that TES deceptively claimed to be a licensee of the TRUSTe Privacy program, when it was not.
The settlements. Under the proposed settlement agreements, the companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The settlement with TES further prohibits the company from misrepresenting participation in, or the terms of, any alternative dispute resolution process or service.
Thus far, the FTC has brought 26 law enforcement actions to make sure companies honor their obligations under privacy and data security self-certification programs. If your company claims to be certified or wishes to be certified under the US-EU Safe Harbor Framework, the US-Swiss Safe Harbor Framework, TRUSTe, or any other voluntary privacy program, you should confirm your company is up to date on its certifications. For more information on the US-EU and US-Swiss Safe Harbor Frameworks, consult the Department of Commerce website here, and the FTC website here. For more detailed and company-specific guidance, please contact S. Gregory Boyd, Esq., CIPP/US at (212) 826-5581 or gboyd@fkks.com, Jeremy Goldman, Esq., CIPP/US at (212) 705 4843 or jgoldman@fkks.com, Jessica Smith, Esq., at (212) 705-4876 or jsmith@fkks.com, or any other member of Frankfurt Kurnit's Privacy & Data Security Group.
Other Privacy & Data Security Law Alerts
iOS 15 Brings New Privacy Controls That Will Impact Advertising Initiatives
After months in beta, Apple is releasing iOS 15 to the public. Building upon the Privacy Nutrition Labels and App Tracking Transparency (ATT) framework introduced in iOS 14.5, iOS 15 introduces new privacy controls that will impact brand marketing initiatives and the ad tech ecosystem. Although these controls are not an iOS 14.5-caliber seismic event, they are yet another example of how platform providers have become de facto regulators of privacy. Read more.
September 20 2021
New York City Restricts Collection of Biometric Identifiers
Major US municipalities are lining up to regulate business use of technologies to collect biometric identifiers and information. For example, Portland, Oregon, banned the use of face recognition technologies earlier this year. Now, New York City businesses must comply with a new law too: Effective July 9, 2021, any commercial establishment in New York City that collects, retains, converts, stores or shares biometric identifier information of customers must disclose such activity using clear and conspicuous signage near all customer entrances. Read more.
July 7 2021
Business Takeaways from the FTC $5 Billion Settlement with Facebook
On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. Read more.
July 26 2019
