In the wake of the recent approval by the European Commission of the EU-U.S. Privacy Shield, the FTC announced that it has issued warning letters to 28 companies who it believes are deceptively representing that they participate in the APEC Cross-Border Privacy Rules system. This warning follows an order from earlier this month against Vipvape which we reported on here. In order to participate in the APEC CBPR system, companies must follow the requirements outlined at www.cbprs.org. As part of the process, companies must be reviewed by a recognized accountability agent. Once certified, they get listed on the www.cbprs.org website.
By sending out this warning letter to companies it believes are falsely representing they have been certified compliant with the APEC CBPR system, the FTC is demonstrating that it is continuing to check to make sure that companies are not making claims about participation when they are not certified. It has stated in its sample warning letter (posted on its website here) that it is doing so to “protect the integrity of the APEC CBPR system.”
This action echoes the type of cases the FTC indicated it has taken and will take in the future to protect the Privacy Shield program.
TIP: Companies should take care about making representations in their privacy policies about third party programs. There is a risk that such statements might be viewed as express or implied representations that the companies participate in a self-regulatory or other voluntary scheme. Many, however, like Privacy Shield or APEC CBPR, require that specific steps (like certification or registration) occur. The FTC is taking an aggressive approach, suggesting companies should review their current policies.