The FTC recently announced that it approved separate final orders with three companies (Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc.) alleged to have deceived consumers by misrepresenting that they participated in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The APEC CBPR system, as we have previously written, is a voluntary program that allows participating companies to more easily move personal data across borders of participating countries, namely the United States, Mexico, Japan, and Canada.
All three companies’ privacy policies said that the companies either “comply with the APEC CBPR” or “abide by the APEC CBPR,” despite not being certified to the program. The FTC believed that by making these statements, the companies were representing that they were certified under the APEC program in violation of the FTC Act. The FTC has brought similar actions relating to APEC CBPR participation. It has also brought actions against companies for similar alleged misrepresentations in other transborder programs, including the EU-U.S. Safe Harbor, and recently reminded companies not to mislead consumers about participating in the new Privacy Shield program.
These cases are interesting inasmuch as they do not speak to whether a company is failing to substantively comply with the programs’ provisions, but rather to whether the company is misleading individuals by stating—either expressly or implicitly—that it is a certified participant in the program. Both the Shield program and the APEC CBPR program clarify that only certified participants should communicate their participation.
TIP: These cases and the recent FTC reminder about mentioning Shield program participation suggest that the FTC will continue to pursue companies that state compliance with these transborder programs (when they have not been certified) for violating the FTC Act.