The FTC has announced a proposed Privacy Shield-related settlement, alleging that a company falsely stated that it was in the process of being certified under the EU-U.S. Privacy Shield framework because it “did not complete the steps necessary to participate in the … framework.”
In its complaint, the FTC claimed that the company’s website discussed its participation in the Privacy Shield framework, including statements such as “ReadyTech is in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” The FTC acknowledged that the company had initiated an application to the Department of Commerce (“DOC”) in October 2016. However, because the company did not complete the steps necessary to participate in the Privacy Shield framework, the FTC has alleged the website claims were false and in violation of the FTC Act’s prohibition against deceptive acts or practices.
The FTC’s announcement does not indicate whether, or for how long, the ball was in ReadyTech’s court during the Privacy Shield application process at the time the FTC began its enforcement action. However, because the FTC alleges that ReadyTech impliedly misrepresented that it was actively in the process of certification, the FTC may have found that ReadyTech failed to respond to a DOC follow-up request. For example, during Privacy Shield registration, the DOC may ask an applicant for payment of fees, proof of registration with a dispute resolution provider, modification to a privacy policy, or provision of additional information. In rare cases (such as where the company is ineligible for Privacy Shield participation), the DOC may reject the application outright.
Under the FTC’s decision and order, if the settlement agreement is finalized, the company will have to, among other things, refrain from misrepresenting the extent to which it complies with the Privacy Shield frameworks and maintain records of compliance for 20 years.
This settlement is consistent with a shift we have seen in the DOC’s practices regarding when to make information about Privacy Shield participation available. Previously, under the Privacy Shield framework, and its predecessor (the Safe Harbor framework), the DOC requested that prior to submitting a certification, companies should update their privacy notices to include language mandated by the relevant framework. More recently, the DOC has expressed a preference for providing the relevant language in draft form to the DOC as part of its Privacy Shield application and only posting it publicly when directed by the DOC. However, there is no prohibition on publishing an accurate, non-deceptive statement of a company’s actual status in its quest to obtain Privacy Shield certification.
This settlement is a reminder that companies whose applications for Privacy Shield certification have not yet been approved by the DOC should refrain from creating a false impression that they are Privacy Shield certified, especially in their public privacy notices or statements.