The FTC recently finalized settlements with five companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework. In each complaint, the FTC alleged that DCR Workforce, Inc., Thru, Inc., LotaData, Inc., and 214 Technologies, Inc. made false and misleading representations when they stated that they participated under the Privacy Shield framework on their website when they were not participants under the framework. Additionally, in the complaint against EmpiriStat, Inc., the FTC alleged that EmpiriStat, Inc. made a false and misleading representations when it stated that it was a current participant under the Privacy Shield framework on its website after it had allowed its certification to lapse and had been warned by the U.S. Department of Commerce to take down its claim of participation.
As a part of the settlements, each company is prohibited from misrepresenting participation in the EU-U.S. Privacy Shield framework or any other privacy or security program sponsored by a government or self-regulatory or standard setting organization. Additionally, EmpiriStat, Inc. must continue to apply the Privacy Shield framework to any personal information it collected while participating in Privacy Shield.
These settlements appear to address a concern by the EU Commission, as we previously have discussed, that more companies should be examined for Privacy Shield compliance.
Putting it Into Practice: The FTC continues to focus on Privacy Shield enforcement. It is a good reminder for those companies whose policies state they are participating in this framework to review their practices and ensure their certification is up to date.