FTC Continues to Enforce Privacy Policy Promises: Four New Settlements Based on EU-U.S. Privacy Shield Representations

by: Sara Chubb

The Federal Trade Commission (“FTC”) continued its enforcement of the EU-U.S. Privacy Shield program with an announcement last week of settlements with Click Labs, Inc., Incentive Services, Inc., Global Data Vault, LLC and TDARX, Inc. relating to allegations that each company had misrepresented its participation in the program. Additionally, two of the four companies allegedly failed to comply with program requirements, while the two other companies are alleged to have falsely claimed to also participate in the Swiss-U.S. Privacy Shield framework. After a vow to “aggressively enforce the Privacy Shield and other cross-border privacy frameworks” (see our prior post on Privacy Shield enforcement), this brings the number of enforcement actions by the FTC relating to the EU-U.S. Privacy Shield program to 21 since its inception in 2016.

The allegations claim that all four companies made either explicit or implied claims of participation in one or both of the programs in their privacy policies. In the case of Click Labs and Incentive Services, each allegedly initiated an application for certification under the EU-U.S. Privacy Shield program, but did not complete the steps for certification in either the EU-U.S. or Swiss-U.S. programs.

In the cases of Global Data Vault and TDARX, each obtained EU-U.S. Privacy Shield certification in 2017, but did not take the necessary steps to renew its participation. Following expiration of each company’s certification, the company continued to represent participation in the program and failed to withdraw and affirm its commitment to protect personal information acquired while it was part of the program. The FTC’s complaints against Global Data Vault and TDARX also allege that during the time each company had a current certification, it failed to meet the program’s yearly verification requirement that it affirm that its assertions about its privacy practices are true and that such practices have been implemented.

The settlements for all four companies prohibit them from misrepresenting participation or compliance with any privacy or security program from any self-regulatory or standard-setting organization, including, without limitation, the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, and the APEC Cross-Border Privacy Rules. Global Data Vault and TDARX must also continue to apply program principles to the personal information collected while each participated in the program. All orders include compliance reporting and record-keeping obligations and will remain in effect for twenty years.

Key Takeaway: The FTC continues to focus its attention on privacy representations, underscoring the need for companies to regularly review their publicly-facing statements to ensure they remain accurate and in compliance with applicable law. Participation in the EU-U.S. Privacy Shield and similar programs creates an obligation to comply with the principles of the program and ensure all representations about compliance and participation in the program are accurate and current.
