The Federal Trade Commission (FTC) recently brought charges against three U.S. companies for deceptively misrepresenting in their online privacy policies that they were certified, and participated in, the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The three companies included SpyChatter, Inc., a marketer of SpyChatter private messaging app; Vir2us, Inc., a distributor of cyber security software; and Sentinel Labs, Inc. (Sentinel One), a provider of endpoint protection software to enterprise customers. On Feb. 22, 2017, the FTC announced that it had reached settlements with each of the three companies. The proposed orders are open for comments from the public for thirty days.
APEC Privacy Framework and the CBPR System
The Asia-Pacific Economic Cooperation (APEC) is a forum of 21 Member Economies located along the Pacific Rim. The APEC Privacy Framework is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability. The APEC CBPR System was built with the aim to provide a structure to build consumer, business, and regulator trust in cross-border flows of personal information to companies located in APEC Member Economies.
To obtain certification that its personal handling practices meet the requirements of the APEC Privacy Framework and those of the CBPR System, a company must submit its practices with respect to the collection and use of personal information for review by an APEC-recognized accountability agent, which after careful examination, will decide if the company’s practices meet the required standards. Though participation in the CBPR system is voluntary, it is legally enforceable once an organization joins and certifies that it abides by the APEC Privacy Framework principles and that its internal organization meets the criteria set forth in the APEC CBPR System.
Consumers and businesses who conduct business with companies that have obtained approval of their APEC CBPR practices are assured that these companies are in compliance with specific standards for privacy and security and that their data is properly protected. When companies falsely advertise in their online policies that they abide by these guidelines and regulations, their misrepresentation about the nature of their practices with respect to personal information can significantly erode confidence in whether, and how, consumer data is actually being protected.
In each of the complaints filed against SpyChatter, Inc., Vir2us, Inc., and Sentinel Labs, Inc., the FTC alleged that the company falsely represented that it participated in the APEC CBPR system when, in fact, it “is not, and never has been certified to participate in APEC CBPR.” Each complaint references specific language from each company’s website in which the company “disseminated or caused to be disseminated privacy policies and statements.”
For example, the Vir2us, Inc. website stated that the company “abides by the Asia-Pacific Economic Corporation (APEC) Cross Border Privacy Rules System. This APEC CBPR System provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.” Similarly, the SpyChatter, Inc., website privacy statement stated that the company “abides by APEC CBPR system, which provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.”
Even though each website made a representation to the public that it abides by these highly regarded standards for privacy data, the complaints alleged that none of the companies either participated in, or was certified in, the privacy practices it claimed.
The FTC’s Findings
On Feb. 22, 2017, the FTC released its Proposed Orders against each of the three companies separately. The content of the three orders is similar. Once it is final – after the expiration of the comment period – the order will remain in effect for twenty (20) years from the issue date.
Each order prohibits each company from misrepresenting “in any manner, expressly or by implication” that it is either certified or participates in any privacy or security program “sponsored by a government or any self-regulatory or standard-setting organization,” including but not limited to APEC CBPR, and in Sentinel One’s case, TRUSTe. Each company is required to create keep records for twenty (20) years, to be made available for review by the FTC at any time. These records must include: (1) accounting records showing the revenues from all goods or services sold; (2) personnel records of any person providing services relating to the order; (3) all records necessary to demonstrate full compliance with the order; and (4) a copy of each advertisement, promotion, or marketing material that is the subject of this order.
The remaining parts of the orders discuss reporting and compliance provisions. For example, each company will be required to acknowledge the FTC’s order by delivering a copy of the order to all current employees or persons who have responsibility within the company, and all persons who may in the future have responsibilities with the company related to the order. The company must obtain a signed and dated acknowledgement that those persons have received the Order.
What does this mean for you and your company?
In the past, the FTC has conducted enforcement actions against companies that misrepresented their adherence to, and participation in, the Safe Harbor. This is the first time that it turned to compliance with the similar set of issues, rules, and standards associated with the protection of personal information in the context of cross-border transfers between the United States and the Asia-Pacific Region.
These three cases and the upcoming final orders are a reminder that the FTC remains vigilant in overseeing the representations made by companies in statements they post on their websites regarding their personal data handling practices. To help reduce the risk of being the target of similar enforcement actions, companies should be careful about the representations they make in the documents that they publish and should consider conducting periodic reviews and audits of privacy statements and other website disclosures. Consider the following:
- Representations made on your company’s website should clearly, accurately, and fully describe your company’s practices. Puffing and creativity have no place on these disclosures.
- Choose your words and descriptions carefully to avoid inaccuracies in listing your privacy practices and avoid using words that might lead to conclusions about your company’s compliance or participation with any privacy or security program. Though the APEC CBPR is a voluntary program, it is legally binding once such representations have been made to the public and other companies.
- Take the time to verify and ensure that you are certified in the policies you are claiming and that you are properly abiding by the guidelines.