An online gaming company recently agreed to settle FTC charges that it falsely claimed to hold a current certification under the US-EU Safe Harbor framework. The FTC’s complaint charges that the company, a maker of popular online role-playing games for children, claimed that its certification was current even though it had lapsed. Under the framework, companies can self-certify compliance with the seven “privacy principles” (which mirror, in part, EU privacy laws) and register in the US with the US Department of Commerce. The FTC charged that claiming to hold a current certification when, in fact, the certification had lapsed was a violation of the FTC Act. The Commission was careful to note that this alone was not necessarily an indication that the company had actually violated any of the privacy principles under the framework. Under the settlement, the company is prohibited from misrepresenting its certification status under any government or self-regulatory data security program. We recently reported on an FTC settlement with twelve companies alleging similar certification misrepresentations under the US-EU Safe Harbor framework and the EU-Swiss Safe Harbor Framework.

TIP: Companies that elect to self-certify their compliance with either of these Safe Harbor frameworks should ensure their certifications remain current if they represent to the public that they hold current certifications. Companies may want to check their status on the Safe Harbor List maintained by the Department of Commerce.