The Federal Trade Commission sent warning letters to 28 companies that touted their certified participation in the Asia-Pacific Economic Cooperation's Cross Border Privacy Rules.

The self-regulatory rules are designed to facilitate the protection of consumer data transferred across the APEC region, which consists of 21 Pacific Rim member economies including the United States. The APEC CBPR system is based on eight data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability. To participate, companies must undergo a review by an APEC-recognized Accountability Agent to establish their compliance with program requirements and undergo annual reviews to retain their status as certified participants.

In a sample letter published by the agency (recipients were not identified), the FTC expressed concern that the companies were violating Section 5 of the Federal Trade Commission Act with such claims.

"[O]ur records indicate that your organization has not taken the requisite steps to be able to claim participation in the APEC CBPR system, such as undergoing a review by an APEC-recognized Accountability Agent," wrote Maneesha Mithal, Associate Director of the FTC's Division of Privacy and Identity Protection.

Companies that falsely claim participation in the APEC CBPR system may be subject to an enforcement action, Mithal warned, noting a recent case involving Very Incognito Technologies, Inc. The manufacturer of hand-held vaporizers settled with the agency in May after the FTC charged it with falsely representing its participation in the certification system. The company agreed to a prohibition on future misrepresentations about participation, membership, or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.

Letter recipients were given a choice about the next step. The FTC instructed that the companies "immediately remove" all representations that could be construed as claiming APEC CBPR participation from their websites, privacy policy statements, and any other public documents, and contact the agency within 45 days to inform it of the removal.

Alternatively, if the organization has in fact undergone the review and certification required to support the claim that the company is certified to participate in the APEC CBPR system, the FTC should be notified.

"To protect the integrity of the APEC CBPR system, we reserve the right, if a timely and satisfactory response is not received, to take appropriate legal action," Mithal wrote.

Why it matters: Advertisers beware. The FTC has stepped up enforcement of claims of participation in the APEC CBPR system. In May, the FTC settled its first case related to a deceptive claim of participation, followed by the delivery of 28 warning letters. Similarly, the FTC has brought several actions against companies that have falsely represented their certification under the Department of Commerce's Safe Harbor Program for allowing transatlantic transfers of data from the European Union to the United States. These matters remind companies to ensure their affiliation and compliance with data protection safe harbors before publicly representing their participation.