Yesterday, the Federal Trade Commission (“FTC” or the “Commission”) accepted, subject to final approval, a consent agreement to settle charges that a hand-held vaporizer manufacturer misrepresented its participation in the Asia-Pacific Economic Cooperation (“APEC”) Cross Border Privacy Rules (“CBPR”) system. 

Expanding on its recent focus on EU-U.S. data transfers (including support for the newly-negotiated Privacy Shield Framework), the FTC issued a Complaint alleging that Respondent, Very Incognito Technologies, Inc., doing business as Vipvape (“Vipvape”), violated Section 5 of the FTC Act by representing in its privacy policy that it abided by the APEC CBPR when, in reality, it is not – and has never been – certified to participate in the cross-border system. 

This is the first public enforcement action by the agency based solely on violations relating to the APEC CBPR framework. 

Background on the CBRP System 

The APEC CBPR system is a voluntary accountability-based system to facilitate privacy-respecting data flows among APEC economies. The CBPR System is based on the APEC Privacy Framework’s nine information privacy principles, namely: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability. 

To participate in the CBPR system, companies must undergo a review by an APEC-recognized accountability agent to establish compliance with the program’s requirements.  Companies wishing to remain certified under the CBPR system must also undergo annual compliance reviews. 

In the United States – which along with Japan, Canada and Mexico is one of the participating APEC CBPR system economies – the FTC is responsible for enforcement.  Where, as in this case, it believes a company has misrepresented its participation in the program, the FTC can assert its expansive Section 5 authority to challenge the deception. 

Settlement Terms 

The Commission’s Decision and Order, if finalized following the public comment period, will prohibit Vipvape from making misrepresentations regarding its participation in any privacy or security program sponsored by a government or self-regulatory organization, including but not limited to the APEC CBPR system.  It will also impose numerous reporting and compliance obligations on Vipvape, including 20-year recordkeeping and monitoring requirements that have become common in many recent privacy-related FTC settlements.  Vipvape will not face any monetary penalties. 

Guidance for Companies 

In commenting on the consent agreement, the FTC’s Business Blog offered three compliance tips for companies: 

  1. Live Up to Your Privacy Promises: Although participation in a self-regulatory system such as APEC’s CBPR is voluntary, businesses must honor any express or implied statements to consumers regarding their compliance. 
  2. Do Not Assume You Make No Promises: Organizations should check their privacy policies to ensure they substantiate any statements regarding how they handle data, including compliance with any self-regulatory frameworks. 
  3. Make Compliance Checks Routine: Importantly, the FTC reminds companies that “data compliance can never be a one-and-done box to check.”  The APEC CBPR system and other self-regulatory frameworks require periodic reevaluation of the certifying entity’s practices.  In addition, as data handling practices change, privacy policies must be updated to reflect a business’ current practices – something with which we here at Paul Hastings’ Privacy & Cybersecurity Practice are always available to assist.