Programs
Events
Media Center
- Newsroom
- Decisions
- Press Releases
- Blog
- Podcasts
About Us
Careers

May we suggest...

Home
Programs
All Programs
Data Privacy Framework Services - For Businesses
Get Started with DPF Services

Get Started with DPF Services

STEP 1: Determine whether your business is eligible.

To be eligible to participate in the U.S. Department of Commerce Data Privacy Framework Program, you must answer “yes” to both of the following questions:

✓ Does your organization fall under the investigatory and enforcement jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation? In general, non-profit organizations are not subject to FTC jurisdiction and are therefore ineligible to join the Data Privacy Framework Program. ( See U.S. Department of Commerce guidance here.) If you are not sure whether your organization is under the jurisdiction of either the FTC or the DoT, we recommend that you contact the Department of Commerce for further guidance.

✓ Does your U.S. organization receive or process personal data, either directly or indirectly, from the European Union, the United Kingdom (and Gibraltar), Switzerland, or other participating countries? NOTE: This may include subsidiaries, affiliates, business partners, or vendors that process such information on behalf of another organization.

BBB National Programs, like other U.S.-based alternative dispute resolution providers, is unable to offer dispute resolution services for issues relating to an organization’s transfer or processing in the United States of its own employees’ human resources data, collected and processed in the context of the employment relationship. However, the transfer and processing of such data does fall under the Data Privacy Framework Program.

STEP 2: Complete the online application.

When completing the application, be sure to have the following contact information available: telephone and email addresses for the company’s primary contact for legal notices and communications, as well as a designated contact for complaints and a billing contact. You will also need to provide your company’s gross annual sales revenue. Please read our Rules and Participation Agreement before submitting the application online.

On completing the application, you will receive a reference number and an annual fee amount based on our fee schedule for your business’s participation in the program. You will also receive a cover letter containing this information and a completed Participation Agreement to be signed by a corporate officer with signatory authority.

IMPORTANT: When completing the online application, identify your company by its legal name and state of incorporation. Add any D/B/A names and any "covered entities"—U.S.-based subsidiaries or affiliates to be covered—in the appropriate fields. You MUST use the same name to register with BBB National Programs that you will use to self-certify with the U.S. Department of Commerce, so that businesses and consumers in Europe can easily find and verify your company status with both entities.

STEP 3: Create or modify a draft of your privacy policy to conform to the Principles.

Please note that you should not post this draft privacy notice on your live website until you receive approval from both BBB National Programs and the U.S. Department of Commerce. Your draft privacy notice must specifically reference your organization’s compliance with the Principles and must be made accessible to all visitors to your public website. You must state if you will participate in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF, or all of the above with BBB National Programs, and provide our program contact information for complaints.

Please refer to our Privacy Policy Requirements page for further detail on the required disclosures.

STEP 4: Submit your finalized application materials.

Required application materials include:

✓ application fee (via electronic payment),

✓ signed Participation Agreement, and

✓ a copy of your draft privacy notice (in Microsoft Word format to allow for review).

BBB National Programs staff will process and review your application. If any additional information is required, we will contact you. Please note that your privacy notice must meet the minimum requirements set out in Step 3 before we can finalize your application to our program. Once the review process is complete you will receive an email notification indicating that your business has been accepted into the program along with your countersigned Participation Agreement and instructions on how to complete your self-certification.

STEP 5: Self-certify with the U.S. Department of Commerce.

Please self-certify with the Department of Commerce within 30 days of our approval of your application. Maintaining a current self-certification with the Department of Commerce is a requirement for ongoing participation. You will also need to complete all steps listed on the Department of Commerce’s website.

Once the Department of Commerce has determined that your privacy policy meets the requirements of the program and your certification submission is complete, they will instruct you to post your updated and approved privacy policy to your live, public-facing website. Once you notify the Department of Commerce that your notice is published, they will list your organization on the Data Privacy Framework List. Program benefits are assured from the date the Department of Commerce places your organization on the List.

IMPORTANT: When completing your self-certification application, please be sure to select BBB National Programs in the “Recourse Mechanism” field drop-down.

Apply Now

Transitioning to the Data Privacy Framework Program

If you have already self-certified your compliance with the U.S. Department of Commerce under Privacy Shield, you do not need to recertify under the Data Privacy Framework Program until your renewal date. All participants who wish to remain active must make the necessary changes to their privacy policy by October 10, 2023. For more information on the required privacy policy updates, contact us.

If your business is not yet a participant, or has left the program and is looking to return, please contact us. To get on the mailing list for updates as information is available, subscribe to the Privacy Initiatives newsletter.

Frequently Asked Questions for Businesses

What happened to Privacy Shield?

July 2020: The Schrems II decision invalidated Privacy Shield.
Between Schrems II and the launch of the Data Privacy Framework Program, as negotiations took place between the U.S. and the EU, BBB National Programs and the U.S. Department of Commerce continued to deliver services under Privacy Shield. See the full timeline of activity from then until today on our timeline.
July 2023: The Data Privacy Framework Program officially replaces Privacy Shield. IRMs like BBB National Programs will ensure businesses experience a seamless transition to the new program.

What is the Data Privacy Framework Program?

Privacy Shield has been officially replaced by the Data Privacy Framework Program, a mechanism for transferring personal data from the European Union, UK, and Switzerland to the United States. Designed by the U.S. Department of Commerce to support transatlantic commerce in coordination with the European Commission, the Data Privacy Framework Program promotes greater transparency around international data processing and enables U.S. businesses to demonstrate that their privacy practices meet data protection standards such as GDPR, including enhanced protections for consumers.

What does the Data Privacy Framework Program mean for my business?

The Data Privacy Framework Program helps U.S. businesses receive and process personal data from the European Union, the United Kingdom (and Gibraltar), Switzerland, or other participating countries after self-certifying their adherence to the protections set out in the program Principles. Your public self-certification with the U.S. Department of Commerce will ensure that European organizations and consumers know your business provides enhanced privacy protection when:

You are expanding your operations into Europe and collecting EU, U.K., or Swiss customer data;
You are processing EU, U.K., or Swiss data in the U.S. for a business partner; or
In other situations where your business is using personal data of EU, U.K., or Swiss individuals.

What services does BBB National Programs offer?

U.S. businesses participating in the Data Privacy Framework Program must provide an independent dispute resolution service to EU, UK, or Swiss individuals whose personal data they transfer to the United States. Our goal is to help businesses of all sizes meet this requirement and conduct business in Europe using adequate data protections.

What are the benefits of Data Privacy Framework Services?

For your business:

Demonstrated expertise in data privacy for more than 20 years 
Practical assistance to businesses of all sizes in navigating Data Privacy Framework Program requirements and the self-certification and recertification processes

Prompt responses to privacy inquiries and complaints

For your consumers:

We are the most trusted name in consumer dispute resolution
Online complaints process provides accessible, transparent dispute resolution
Services always provided free of charge to individual consumers

Speedy, impartial resolution through our staff conciliation process or independent Data Privacy Review

What is the GDPR and how does it relate to the Data Privacy Framework Program?

The General Data Protection Regulation (EU Regulation 2016/679) became effective May 25, 2018. This EU law regulates the data processing activities of organizations established in EU member states and applies to certain organizations established entirely outside the EU. 

The GDPR permits personal data transfers to countries outside the EU subject to compliance with set conditions, including conditions for onward transfer. Specifically, the GDPR allows for data transfers to businesses in countries with legal regimes that have been deemed by the European Commission to provide an “adequate” level of privacy protection, or under a transfer mechanism that offers adequate protection.

While the Data Privacy Framework Program meets one of the key requirements of GDPR for companies transferring data to the U.S.—that they use an “adequate” data transfer mechanism—there are numerous other elements of GDPR that U.S. companies should know about.

BBB National Programs does not provide specific GDPR guidance or compliance services, but we receive many questions about aligning with GDPR compliance.

How long will it take for my application to be accepted?

We can usually process applications within two days of receiving your signed Participation Agreement, a draft compliant privacy policy that meets our requirements, and your annual fee. If the draft privacy policy you provide for our review does not meet our minimum requirements, we will require revisions before accepting your application. To avoid delays, please follow the privacy policy guidelines and ensure that you use our  required language.

What will BBB National Programs look for when reviewing my privacy policy?

The policy must include an affirmative commitment to adhere to each of the Principles and should address the 13 requirements of the Notice principle. The policy must identify BBB National Programs as your independent recourse mechanism for privacy complaints and include contact information for the program. The policy must not include any statements that directly contradict the Principles. Additional details about privacy notices and required disclosures can be found on our Privacy Policy Requirements page and in our supplemental document Privacy Policy Checklist (provided to our participants).

Can our Participation Agreement cover our subsidiaries or affiliates?

Other legal entities (subsidiaries or affiliates) may be covered under the parent organization’s Participation Agreement in some limited circumstances. At a minimum, the parent and the subsidiary must (1) be covered by a common website notice that is posted on all subsidiary websites and that links to BBB National Programs’ complaint handling page, (2) share a single point of contact for privacy complaints, and (3) be able to designate a corporate officer to sign the Agreement who is authorized to bind both the parent and the subsidiary. Where all these conditions cannot be met, a separate application and Agreement must be submitted for each subsidiary. 

Where several entities are covered under a single Agreement, the annual fee will be based on the aggregated gross annual revenues of the parent and all covered entities.

If you would like your subsidiaries to be covered by the Program, please contact us to check on their eligibility. If we determine that subsidiaries may be covered under your Agreement, we will list all covered subsidiaries on your Participation Agreement. The list of subsidiaries covered by your Participation Agreement must match the list of covered entities on your official listing.

Is your fee schedule based on my business’s worldwide gross revenue or on revenue from EU business alone?

Our fees are based on your business’s total gross revenue, not simply revenue from EU-related business.

Will BBB National Programs provide a program seal or mark for our website?

We do not currently offer a seal or mark for your site. Your business may identify BBB National Programs as its dispute resolution provider in its published privacy policy. Please also note that creating your own certification mark, seal, or logo is currently not authorized by the U.S. Department of Commerce.

Will BBB National Programs assist us with the required annual verification?

While we do provide self-certification guidance and ongoing compliance assistance to our participating businesses, we do not offer verification services at this time. However, an annual verification to ensure compliance with the Principles is a certification requirement. Most of our participants choose to perform an internal self-assessment and verification rather than using a third-party provider. When choosing this option, simply select “Self-Assessment” in the verification section of your U.S. Department of Commerce certification application.

Does BBB National Programs publish information on the complaints it receives?

IRMs are required to annually publish aggregate statistics about our dispute resolution services. BBB National Programs publishes these statistics in its annual Procedure Report, including the number and nature of privacy complaints and the actions taken by BBB National Programs (and any Data Privacy Review Panelist); as well as the number and nature of complaints deemed ineligible for processing. In the event that a Participating Business fails to comply with a final determination of the program and is referred to the Federal Trade Commission for noncompliance, a Case Report will be published in the Procedure Report summarizing the case and its outcome, identifying the company and the fact of noncompliance.

Facebook Twitter Youtube Linkedin Podcasts

Link to homepage

Board of Directors
Leadership
Podcasts
Online Archive
Privacy Policy
Terms of Use
Contact Us