A Reminder from the FTC: Making False Statements about Privacy Shield has Consequences

May 20, 2020, 09:00 AM by Cobun Keegan

The U.S. Federal Trade Commission has always taken very seriously any company’s statement about certification, membership, or participation in recognized privacy and security programs. For example, the Commission has cracked down on numerous companies over the years for making incorrect statements about their participation in APEC-CBPR and the Safe Harbor Frameworks. Privacy Shield is no different. Whether you have yet to complete the full self-certification process, are awaiting renewal after a lapse, or have withdrawn from Shield, you must be careful not to make false statements about your participation in the Frameworks. This week, four more companies found this out to their detriment.

The company IDmission now finds itself subject to an FTC consent order because it failed to complete the self-certification process with the U.S. Department of Commerce, but still included statements in its privacy policy that it “complies with the EU-U.S. Privacy Shield Framework” and that it had “certified to the Department of Commerce that it adheres to the Privacy Shield Principles.”

Meanwhile, mResource allowed its Privacy Shield participation to lapse and failed to complete the necessary steps to renew with the Department of Commerce, but continued to claim that it was self-certified. Both SmartStart Employment Screening and VenPath also lapsed and held themselves out as self-certified. Even more seriously, these two companies failed to complete the mandatory withdrawal questionnaire, leaving previously collected personal data in legal limbo.

What should you do as a Privacy Shield participant to avoid FTC action?

During Application

Never post or state in your privacy policy that you are self-certified under the Privacy Shield Frameworks, that you comply with the Frameworks, or that you adhere to the Privacy Shield Principles until you are authorized to do so by the Department of Commerce.

During Recertification

How do you avoid accidentally falling out of compliance with Privacy Shield?

  • Make sure that you update both the Department of Commerce and BBB EUPS (or your IRM) about any changes to your designated contact for purposes of Privacy Shield complaints and renewals.
  • Renew your annual Privacy Shield self-certification on time. If you are a participant in BBB EUPS, we will remind you in a timely fashion, but we can’t ensure your timely renewal without your active participation in the process.
  • If you are a BBB EUPS participant and you run into difficulties with the recertification process, please let us know. We’re here to help!

After Withdrawal

If you choose to withdraw from Privacy Shield—whether because you no longer transfer personal data from the EU to the U.S. or because your company is involved in a merger or acquisition—it is critical that you follow proper procedures.

First of all, it is vital that you remove statements about the Privacy Shield frameworks from your privacy policy. If your privacy policy is posted in multiple places, make sure all copies are up to date.

In addition, you must return the mandatory withdrawal questionnaire to the Department of Commerce, affirming your ongoing commitment to handle data previously transferred under the Privacy Shield mechanism in a manner consistent with the Privacy Shield Principles.
