The should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks. By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States. To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard. A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC.
Here, the FTC used its authority under Section 5 of the FTC Act to compel ReadyTech to withdraw representations that it was “in the process of certifying” that they comply with the Privacy Shield. According to the FTC, ReadyTech initiated a Privacy Shield application in October 2016 but did not complete the steps necessary to participate in the framework. The FTC alleged that ReadyTech’s statement that it was “in the process” of certifying to the Privacy Shield framework was a misrepresentation and misleading because ReadyTech did not take “active” steps necessary to complete the application. The FTC stated, “Your company doesn’t have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.”
Lesson Learned: Companies must continuously review their Privacy Policies and make sure that any of their representations regarding the company’s applications for the Privacy Shield or other privacy frameworks are updated and accurate.