On April 7, 2015, the Federal Trade Commission (“FTC”) announced that two companies have agreed to settle claims that the companies failed to update their privacy policies to reflect lapsed compliance with the U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks for privacy and data protection.  As a condition of settlement, TES Franchising, LLC and American International Mailing, Inc. have agreed to sign 20-year consent orders prohibiting them from misrepresenting participation in either framework and requiring them to make ongoing disclosures and reports to the FTC.  TES Franchising was also accused of falsely reporting compliance with the True Ultimate Standards Everywhere, Inc. (“TRUSTe”) Privacy Program.

Enacted in 1995, the European Union Directive on Data Protection set privacy and data protection requirements for entities that transfer personal data outside of the European Union.  The European Commission and U.S. Department of Commerce negotiated the U.S.-E.U. Safe Harbor Framework in 2000, allowing U.S. companies to certify to the Commerce Department that they comply with certain principles that meet the European Union’s standard.  The U.S.-Swiss Safe Harbor Framework is identical in the relevant respects.  TRUSTe, in contrast, is a private company that provides privacy and data security certifications to online businesses that have met TRUSTe’s standards.

According to a draft FTC Complaint, TES Franchising submitted a self-certification of compliance with the Safe Harbor Frameworks to the Commerce Department in 2011, but failed to renew its certification in 2013.  Until February 2015, however, TES Franchising’s website privacy policy continued to claim the company was in compliance.  The FTC categorized the statements as “false and misleading” and therefore deceptive acts or practices in violation of Section 5 of the FTC Act.  TES Franchising’s privacy policy also stated that it was a licensee of the TRUSTe Privacy Program, which the FTC alleged was also false and misleading. 

Similarly, according to the draft FTC Complaint against American International Mailing, Inc., the company submitted a self-certification of compliance with the Safe Harbor Frameworks in 2006 but failed to renew its certification in 2010.  The company’s website privacy policy continued to claim the company was compliant with the Safe Harbor Frameworks.

To settle the investigations, both companies agreed to sign consent orders (found here and here) to be in effect for 20 years.  The orders prohibit both companies from making any similar misrepresentations.  Each company is also required to submit a formal report to the FTC within 60 days and to make further reports at the FTC’s request.  Additionally, each company must notify the FTC 30 days prior to any change that may affect compliance, deliver copies of the consent order to all current and future personnel, and maintain all related documents for FTC inspection.

While neither draft complaint indicates any lapse in meeting the actual privacy standards of the Safe Harbor Frameworks, the FTC is nevertheless signaling its focus on privacy and accurate disclosure of company privacy policies.