The Importance of Being Honest & Accurate in Representing your Privacy Shield Status

Published On October 8, 2018 | By Michelle Anderson, Amanda Irwin and Mason Weisz | FTC & State AG, Privacy
TwitterLinkedInFacebookRedditCopy LinkEmailPrint

The Federal Trade Commission (“FTC”) announced settlements on September 27, 2018 with four companies that the FTC alleged falsely claimed to be EU-U.S. Privacy Shield certified. These settlements with IDmission, LLC, mResource LLC, SmartStart Employment Screening, Inc., and VenPath, Inc. – in conjunction with another settlement in July and three others in November 2017 – bring the FTC’s total publicly announced Privacy Shield enforcement actions to eight.

Alleged Misrepresentations

All four of the companies’ websites or privacy policies represented that they participated in the EU-U.S. Privacy Shield program when, according to the FTC, they had never been certified or their certification had lapsed. One company, IDmission, applied for but never completed the steps necessary for Privacy Shield certification, and the other three companies obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. Additionally, the FTC contended that SmartStart and VenPath failed to protect personal information collected during their participation in the Privacy Shield program once they were no longer certified.

Settlement Details

The proposed settlements prohibit each company “from misrepresenting the extent to which they participate in any privacy or data security program” and require recordkeeping and compliance monitoring. Two of the companies, VenPath and SmartStart, must (1) continue to apply all EU-U.S. Privacy Shield protections to the information collected while they participated in the program; (2) protect it by another equivalent means (e.g., binding corporate rules or the Standard Contractual Clauses); or (3) return or delete the personal data within ten days of the FTC’s order.

Reminders for Companies Applying for or Certified under the Privacy Shield

These settlements are a reminder that:

  • Companies that aren’t yet Privacy Shield-certified or whose certifications have expired should refrain from creating a false impression that they are certified; and
  • Companies that are certified but then withdraw from the program retain obligations to protect the personal data collected while participating in the framework consistent with Privacy Shield requirements – or delete such data.

Privacy Shield’s Future

This FTC enforcement comes at a time when the future of the Privacy Shield is uncertain. In July 2018, the European Parliament issued a non-binding resolution urging the European Commission to suspend the Privacy Shield unless the U.S. complies with EU data protection rules by September 1, 2018. On August 30, 2018, the Department of Commerce issued a response to that resolution. Although the European Commission has not suspended Privacy Shield, the Commission is expected to release its second annual review on Privacy Shield’s adequacy in mid-October 2018. The first annual review was released on October 18, 2017.

 

About The Authors

Michelle Anderson counsels clients on a range of privacy, security, and consumer protection matters. She works closely with clients to understand their goals and risk profiles to help develop strategies for compliance with domestic and international privacy and security laws and regulations.

Prior to joining ZwillGen, Amanda interned at Facebook, where she worked with the privacy policy team on issues related to cross-device tracking, advertising technologies, and privacy by design. Previously, Amanda interned at the Federal Trade Commission (“FTC”), where she assisted attorneys in the Bureau of Consumer Protection on the pretrial litigation process for deceptive advertising claims.

Mason helps clients navigate a constantly shifting web of domestic and international laws regulating data collection, marketing, data sharing, computer crime, data security, electronic surveillance, online content, children’s privacy, financial privacy, information management, and other areas of privacy and Internet law. A former web designer, he has extensive experience with issues relating to digital media, new technology and e-commerce.

Leave a Reply

Your email address will not be published. Required fields are marked *