The FTC recently announced settlements with twelve U.S. companies regarding alleged false claims of compliance with the U.S.-EU Safe Harbor and the Swiss Safe Harbor (collectively the “Safe Harbors”). The Safe Harbors are agreements that allow certified organizations to transfer personal data between the EU or Switzerland and the U.S. in compliance with European data protection and privacy laws. The companies involved span a broad range of industries – from internet service providers to National Football League teams.
The FTC alleged that the companies deceptively claimed to hold current certifications under the U.S.-EU Safe Harbor framework through statements in their privacy policies and by displaying the Safe Harbor mark on their websites. Three companies also claimed to be active participants in the U.S.-Swiss Safe Harbor framework. According to the complaints, although some organizations were Safe Harbor certified in the past, many of the companies had not held active Safe Harbor certifications in over five years. The Department of Commerce, which maintains a public website showing Safe Harbor certifications, recently changed the companies’ statuses from “current” to “not current.” The FTC alleged that the companies’ conduct constituted a deceptive practice in violation of Section 5 of the FTC Act. Under the consent orders, the companies are prohibited from misrepresenting their participation in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization.
There are two main lessons here:
- First, when it comes to privacy policies, make sure that they accurately represent the company’s practices. Importantly, the FTC does not allege that these companies failed to comply with EU law or that personal data was compromised. Rather, the FTC alleges that these companies represented in their privacy policies that they were Safe Harbor certified when, in fact, they were not.
- Second, the FTC always cares about representations regarding certifications. Whether it’s “certified Safe Harbor compliant” or “certified biodegradable,” consumers are more likely to rely on what they understand to be a verified process. Companies making representations that anything they do or sell is “certified” should be sure that that certification is valid and up to date.