
How to Join BBB EU Privacy Shield
To be eligible to participate in Privacy Shield, you must answer “yes” to both of the following questions:
✓ Does your organization fall under the investigatory and enforcement jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation? In general, non-profit organizations are not subject to FTC jurisdiction and are therefore ineligible to join Privacy Shield. (See U.S. Department of Commerce guidance here.) If you are not sure whether your organization is under the jurisdiction of either the FTC or the DoT, we recommend that you contact the Commerce Department’s Privacy Shield team for further guidance.
✓ Does your U.S. organization receive or process personal data, either directly or indirectly, from Switzerland, the EEA (including European Union member states plus Iceland, Norway, and Liechtenstein) or the United Kingdom? NOTE: This may include subsidiaries, affiliates, business partners, or vendors that process such information on behalf of another organization.
- BBB EU Privacy Shield, like other U.S.-based alternative dispute resolution providers, is unable to offer dispute resolution services for issues relating to an organization’s transfer or processing in the United States of its own employees’ human resources data, collected and processed in the context of the employment relationship. However, the transfer and processing of such data does fall under the Privacy Shield Framework. For additional information, please refer to FAQ #7 on the Privacy Shield website.
When completing the application, be sure to have the following contact information available: telephone and email addresses for the company’s primary contact for legal notices and communications, as well as a designated contact for Privacy Shield complaints and a billing contact. You will also need to provide your company’s gross annual sales revenue. Please read our Rules and Participation Agreement before submitting the application online.
On completing the application, you will receive a reference number and an annual fee amount based on our fee schedule for your business’s participation in the program. You will also receive a cover letter containing this information and a completed Participation Agreement to be signed by a corporate officer with signatory authority.
IMPORTANT: When completing the online application, identify your company by its legal name and state of incorporation. Add any D/B/A names and any "covered entities"—U.S.-based subsidiaries or affiliates to be covered—in the appropriate fields. You MUST use the same name to register with BBB EU Privacy Shield that you will use to self-certify with the U.S. Department of Commerce, so that businesses and consumers in Europe can easily find and verify your company status with both entities.
Required application materials include:
✓ signed Participation Agreement, and
✓ a copy of your draft privacy notice (in Microsoft Word format to allow for review).
BBB EU Privacy Shield staff will process and review your application. If any additional information is required, we will contact you. Please note that your privacy notice must meet the minimum requirements set out in Step 3 before we can finalize your application to our program. Once the review process is complete you will receive an email notification indicating that your business has been accepted into the program along with your countersigned Participation Agreement and instructions on how to complete your Privacy Shield self-certification.
To be assured of Privacy Shield benefits, please self-certify to the appropriate Privacy Shield Framework(s) with the Department of Commerce within 30 days of our approval of your application. Maintaining a current self-certification with the Department of Commerce is a requirement for ongoing participation in the BBB EU Privacy Shield program. Please review the Department of Commerce’s self-certification guidance and step-by-step instructions for more information. You will also need to complete all steps listed on the Department of Commerce’s How to Join Privacy Shield page.
Once the Department of Commerce has determined that your privacy policy meets the requirements of Privacy Shield and your certification submission is complete, the Privacy Shield team will instruct you to post your updated and approved privacy policy to your live, public-facing website. Once you notify the Privacy Shield team that your Privacy Shield notice is published, the Department of Commerce will list your organization on the Privacy Shield List. Privacy Shield benefits are assured from the date the Department places your organization on the Privacy Shield List.
IMPORTANT: When completing your self-certification application, please be sure to select BBB EU PRIVACY SHIELD in the “Recourse Mechanism” field drop-down.
Transitioning to the Data Privacy Framework
Frequently Asked Questions for Businesses
- March 2022: BBB National Programs’ Statement on EU-U.S. Agreement in Principle on New Framework for Transatlantic Data Flows
- December 2020: Status Update on Transatlantic Data Transfers
- September 2020: Schrems II – What Do Privacy Shield Businesses Need to Know?
- September 2020: Now What? Cross-Border Data Transfers After Schrems II
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were created as a mechanism for transferring personal data from the European Union and Switzerland to the United States. Designed by the U.S. Department of Commerce to support transatlantic commerce, in coordination with the European Commission (in 2016) and the Swiss Administration (in 2017), the Privacy Shield Frameworks replaced the former US-EU Safe Harbor Framework. The Privacy Shield promotes greater transparency around international data processing and enables U.S. businesses to demonstrate that their privacy practices meet data protection standards such as GDPR, including enhanced protections for consumers.
Update, July 2020: please see our guidance on the Schrems II decision for up-to-date information about the status of the Privacy Shield Frameworks.
Privacy Shield helps U.S. businesses to receive and process personal data from the EEA countries, the United Kingdom, and Switzerland after self-certifying their adherence to the protections set out in the Privacy Shield Principles. Your public self-certification to Privacy Shield with the U.S. Department of Commerce will ensure that European organizations and consumers know your business provides enhanced privacy protection when:
- You are expanding your operations into Europe and collecting EU, U.K., or Swiss customer data;
- You are processing EU, U.K., or Swiss data in the U.S. for a business partner using Privacy Shield; or
- In other situations where your business is using personal data of EU, U.K., or Swiss individuals.
For your business:
- Demonstrated expertise in data privacy for more than 20 years
- Practical assistance to businesses of all sizes in navigating Privacy Shield requirements and the self-certification and recertification processes
- Ensures prompt responses to privacy inquiries and complaints
For your consumers:
- BBB is the most trusted name in consumer dispute resolution
- Online complaints process provides accessible, transparent dispute resolution
- Services always provided free of charge to individual consumers
- Speedy, impartial resolution through our staff conciliation process or independent Data Privacy Review
The General Data Protection Regulation (EU Regulation 2016/679) became effective May 25, 2018. This EU law regulates the data processing activities of organizations established in EU member states and applies to certain organizations established entirely outside the EU.
The GDPR permits personal data transfers to countries outside the EU subject to compliance with set conditions, including conditions for onward transfer. Specifically, the GDPR allows for data transfers to businesses in countries with legal regimes that have been deemed by the European Commission to provide an “adequate” level of privacy protection, or under a transfer mechanism, such as Privacy Shield, that offers adequate protection.
While Privacy Shield meets one of the key requirements of GDPR for companies transferring data to the U.S.—that they use an “adequate” data transfer mechanism—there are numerous other elements of GDPR that U.S. companies should know about. Successfully self-certifying to the Privacy Shield does not mean that your company is fully compliant with GDPR. Many U.S. companies are complying with both in tandem.
BBB EU Privacy Shield does not provide specific GDPR guidance or compliance services, but we receive many questions about aligning GDPR and Privacy Shield compliance.
Visit the Department of Commerce Privacy Shield website for additional information about self-certifying to the Privacy Shield.
Other legal entities (subsidiaries or affiliates) may be covered under the parent organization’s Participation Agreement with BBB EU Privacy Shield in some limited circumstances. At a minimum, the parent and the subsidiary must (1) be covered by a common website Privacy Shield notice that is posted on all subsidiary websites and that links to BBB EU Privacy Shield’s complaint handling page, (2) share a single point of contact for privacy complaints, and (3) be able to designate a corporate officer to sign the Agreement who is authorized to bind both the parent and the subsidiary. Where all these conditions cannot be met, a separate application and Agreement must be submitted for each subsidiary.
Where several entities are covered under a single Agreement, the annual fee will be based on the aggregated gross annual revenues of the parent and all covered entities.
If you would like your subsidiaries to be covered by the Program, please contact us to check on their eligibility. If we determine that subsidiaries may be covered under your Agreement, we will list all covered subsidiaries on your Participation Agreement. The list of subsidiaries covered by your Participation Agreement with BBB EU Privacy Shield must match the list of covered entities on your official Privacy Shield listing.