On July 14, 2016, the Federal Trade Commission (FTC) announced that it has issued warning letters to 28 companies that claim certified participation in the Asia-Pacific Economic Cooperative’s Cross-Border Privacy Rules system on their websites but do not appear to have met the requirements to make that claim.
The APEC privacy system is a self-regulatory initiative to enhance the protection of consumer data that moves among the APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. Under the system, companies can be certified as compliant with APEC CBPR program requirements based on the following nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.
The companies that received the letters must remove the claims regarding APEC CBPR from their websites immediately and inform FTC staff that they have done so, or provide information proving they are actually certified. The letter notes that companies falsely claiming certification in the system may be in violation of the FTC Act.
The FTC recently settled its first case related to a deceptive claim of certification in the APEC CPBR system.