The FTC announced that it recently approved a final order against Vipvape (Very Incognito Technologies, Inc.), in which it had alleged that the company falsely stated that it participated in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system, when in fact the company was not certified to participate. The APEC CBPR system, as we have written about in the past, gives participating companies a mechanism for transferring personal information among certain countries (U.S., Mexico, and Japan) without running afoul of local laws.
As part of its settlement with the FTC, Vipvape agreed not to misrepresent, either expressly or by implication, that it is a certified member of the APEC CBPR program, or is otherwise certified or endorsed by “any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization.” For 20 years Vipvape must give a copy of the Final Order to, among others, all officers as well as all employees with responsibilities related to the Final Order (and these individuals must sign an acknowledgement of the Final Order).
TIP: As with cases involving the U.S.-EU Safe Harbor Program, this settlement demonstrates that the FTC is concerned with companies falsely representing participation in self-regulatory or other voluntary programs. Companies should take care not to mislead on this front. Those interested in learning more about the APEC CBPR system can read the requirements here.