
Get Started with DPF Services
To be eligible to participate in the U.S. Department of Commerce Data Privacy Framework Program, you must answer “yes” to both of the following questions:
✓ Does your organization fall under the investigatory and enforcement jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation? In general, non-profit organizations are not subject to FTC jurisdiction and are therefore ineligible to join the Data Privacy Framework Program. (See U.S. Department of Commerce guidance here.) If you are not sure whether your organization is under the jurisdiction of either the FTC or the DoT, we recommend that you contact the Department of Commerce for further guidance.
✓ Does your U.S. organization receive or process personal data, either directly or indirectly, from the European Union, the United Kingdom (and Gibraltar), Switzerland, or other participating countries? NOTE: This may include subsidiaries, affiliates, business partners, or vendors that process such information on behalf of another organization.
- BBB National Programs, like other U.S.-based alternative dispute resolution providers, is unable to offer dispute resolution services for issues relating to an organization’s transfer or processing in the United States of its own employees’ human resources data, collected and processed in the context of the employment relationship. However, the transfer and processing of such data does fall under the Data Privacy Framework Program.
When completing the application, be sure to have the following contact information available: telephone and email addresses for the company’s primary contact for legal notices and communications, as well as a designated contact for complaints and a billing contact. You will also need to provide your company’s gross annual sales revenue. Please read our Rules and Participation Agreement before submitting the application online.
On completing the application, you will receive a reference number and an annual fee amount based on our fee schedule for your business’s participation in the program. You will also receive a cover letter containing this information and a completed Participation Agreement to be signed by a corporate officer with signatory authority.
IMPORTANT: When completing the online application, identify your company by its legal name and state of incorporation. Add any D/B/A names and any "covered entities"—U.S.-based subsidiaries or affiliates to be covered—in the appropriate fields. You MUST use the same name to register with BBB National Programs that you will use to self-certify with the U.S. Department of Commerce, so that businesses and consumers in Europe can easily find and verify your company status with both entities.
Please note that you should not post this draft privacy notice on your live website until you receive approval from both BBB National Programs and the U.S. Department of Commerce. Your draft privacy notice must specifically reference your organization’s compliance with the Principles and must be made accessible to all visitors to your public website. You must state if you will participate in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF, or all of the above with BBB National Programs, and provide our program contact information for complaints.
Please refer to our Privacy Policy Requirements page for further detail on the required disclosures.
Required application materials include:
✓ signed Participation Agreement, and
✓ a copy of your draft privacy notice (in Microsoft Word format to allow for review).
BBB National Programs staff will process and review your application. If any additional information is required, we will contact you. Please note that your privacy notice must meet the minimum requirements set out in Step 3 before we can finalize your application to our program. Once the review process is complete you will receive an email notification indicating that your business has been accepted into the program along with your countersigned Participation Agreement and instructions on how to complete your self-certification.
Please self-certify with the Department of Commerce within 30 days of our approval of your application. Maintaining a current self-certification with the Department of Commerce is a requirement for ongoing participation. You will also need to complete all steps listed on the Department of Commerce’s website.
Once the Department of Commerce has determined that your privacy policy meets the requirements of the program and your certification submission is complete, they will instruct you to post your updated and approved privacy policy to your live, public-facing website. Once you notify the Department of Commerce that your notice is published, they will list your organization on the Data Privacy Framework List. Program benefits are assured from the date the Department of Commerce places your organization on the List.
IMPORTANT: When completing your self-certification application, please be sure to select BBB National Programs in the “Recourse Mechanism” field drop-down.
Transitioning to the Data Privacy Framework Program
If you have already self-certified your compliance with the U.S. Department of Commerce under Privacy Shield, you do not need to recertify under the Data Privacy Framework Program until your renewal date. All participants who wish to remain active must make the necessary changes to their privacy policy by October 10, 2023. For more information on the required privacy policy updates, contact us.
If your business is not yet a participant, or has left the program and is looking to return, please contact us. To get on the mailing list for updates as information is available, subscribe to the Privacy Initiatives newsletter.
Frequently Asked Questions for Businesses
- July 2020: The Schrems II decision invalidated Privacy Shield.
- Between Schrems II and the launch of the Data Privacy Framework Program, as negotiations took place between the U.S. and the EU, BBB National Programs and the U.S. Department of Commerce continued to deliver services under Privacy Shield. See the full timeline of activity from then until today on our timeline.
- July 2023: The Data Privacy Framework Program officially replaces Privacy Shield. IRMs like BBB National Programs will ensure businesses experience a seamless transition to the new program.
Privacy Shield has been officially replaced by the Data Privacy Framework Program, a mechanism for transferring personal data from the European Union, UK, and Switzerland to the United States. Designed by the U.S. Department of Commerce to support transatlantic commerce in coordination with the European Commission, the Data Privacy Framework Program promotes greater transparency around international data processing and enables U.S. businesses to demonstrate that their privacy practices meet data protection standards such as GDPR, including enhanced protections for consumers.
The Data Privacy Framework Program helps U.S. businesses receive and process personal data from the European Union, the United Kingdom (and Gibraltar), Switzerland, or other participating countries after self-certifying their adherence to the protections set out in the program Principles. Your public self-certification with the U.S. Department of Commerce will ensure that European organizations and consumers know your business provides enhanced privacy protection when:
- You are expanding your operations into Europe and collecting EU, U.K., or Swiss customer data;
- You are processing EU, U.K., or Swiss data in the U.S. for a business partner; or
- In other situations where your business is using personal data of EU, U.K., or Swiss individuals.
For your business:
- Demonstrated expertise in data privacy for more than 20 years
- Practical assistance to businesses of all sizes in navigating Data Privacy Framework Program requirements and the self-certification and recertification processes
- Prompt responses to privacy inquiries and complaints
For your consumers:
- We are the most trusted name in consumer dispute resolution
- Online complaints process provides accessible, transparent dispute resolution
- Services always provided free of charge to individual consumers
- Speedy, impartial resolution through our staff conciliation process or independent Data Privacy Review
The General Data Protection Regulation (EU Regulation 2016/679) became effective May 25, 2018. This EU law regulates the data processing activities of organizations established in EU member states and applies to certain organizations established entirely outside the EU.
The GDPR permits personal data transfers to countries outside the EU subject to compliance with set conditions, including conditions for onward transfer. Specifically, the GDPR allows for data transfers to businesses in countries with legal regimes that have been deemed by the European Commission to provide an “adequate” level of privacy protection, or under a transfer mechanism that offers adequate protection.
While the Data Privacy Framework Program meets one of the key requirements of GDPR for companies transferring data to the U.S.—that they use an “adequate” data transfer mechanism—there are numerous other elements of GDPR that U.S. companies should know about.
BBB National Programs does not provide specific GDPR guidance or compliance services, but we receive many questions about aligning with GDPR compliance.
Other legal entities (subsidiaries or affiliates) may be covered under the parent organization’s Participation Agreement in some limited circumstances. At a minimum, the parent and the subsidiary must (1) be covered by a common website notice that is posted on all subsidiary websites and that links to BBB National Programs’ complaint handling page, (2) share a single point of contact for privacy complaints, and (3) be able to designate a corporate officer to sign the Agreement who is authorized to bind both the parent and the subsidiary. Where all these conditions cannot be met, a separate application and Agreement must be submitted for each subsidiary.
Where several entities are covered under a single Agreement, the annual fee will be based on the aggregated gross annual revenues of the parent and all covered entities.
If you would like your subsidiaries to be covered by the Program, please contact us to check on their eligibility. If we determine that subsidiaries may be covered under your Agreement, we will list all covered subsidiaries on your Participation Agreement. The list of subsidiaries covered by your Participation Agreement must match the list of covered entities on your official listing.