On April 7, 2015, the Federal Trade Commission (“FTC”) announced that two companies had agreed to settle claims that they failed to update their privacy policies to reflect lapsed compliance with the U.S.-E.U. and U.S.-Swiss Safe Harbor Frameworks for privacy and data protection. As a condition of settlement, TES Franchising, LLC and American International Mailing, Inc. have agreed to sign 20-year consent orders prohibiting them from misrepresenting participation in either framework and requiring them to make ongoing disclosures and reports to the FTC. TES Franchising was also accused of falsely reporting compliance with the True Ultimate Standards Everywhere, Inc. (“TRUSTe”) Privacy Program.
Enacted in 1995, the European Union Directive on Data Protection set privacy and data protection requirements for entities that transfer personal data outside of the European Union. The European Commission and U.S. Department of Commerce negotiated the U.S.-E.U. Safe Harbor Framework in 2000, allowing U.S. companies to certify to the Commerce Department that they comply with certain principles that meet the European Union’s standard. The U.S.-Swiss Safe Harbor Framework is identical in the relevant respects. TRUSTe, in contrast, is a private company that provides privacy and data security certifications to online businesses that have met TRUSTe’s standards.
To settle the investigations, both companies agreed to sign consent orders (found here and here) to be in effect for 20 years. The orders prohibit both companies from making any similar misrepresentations. Each company is also required to submit a formal report to the FTC within 60 days and to make further reports at the FTC’s request. Additionally, each company must notify the FTC 30 days prior to any change that may affect compliance, deliver copies of the consent order to all current and future personnel, and maintain all related documents for FTC inspection.
While neither draft complaint indicates any lapse in meeting the actual privacy standards of the Safe Harbor Frameworks, the FTC is nevertheless signaling its focus on privacy and accurate disclosure of company privacy policies.