In recent weeks, 13 U.S. businesses have agreed to settle Federal Trade Commission charges that they falsely claimed compliance with the international privacy framework known as the U.S.-EU Safe Harbor. These enforcement actions — another telling example of increasing FTC scrutiny of the privacy and security practices of all businesses — were filed against the 13 companies under Section 5 of the FTC Act.
Announcing the settlements, FTC Chairwoman Edith Ramirez stated “[e]nforcement of the U.S.-EU Safe Harbor Framework is a Commission priority. These … cases help ensure the integrity of the Safe Harbor Framework and send the signal to companies that they cannot falsely claim participation in the program.”
The framework gives U.S. companies an effective method to satisfy certain requirements of the European Commission’s Directive on Data Protection. However, the safe harbor requires participants to maintain good standing through self-certification every year to the U.S. Department of Commerce stating each is in compliance with Safe Harbor principles. The FTC charged each of the 13 companies for falsely claiming compliance with safe harbor in their online privacy notices, despite having permitted their status to lapse.
The most recent settlement, In the Matter of Fantage.com Inc., is illustrative: Fantage is a gaming company providing multiplayer online role-playing games to children. Through its website, Fantage included privacy statements affirming its participation in the U.S.-EU Safe Harbor framework. In June 2011, Fantage certified compliance to the FTC, but from June 2012 until January 2014, Fantage failed to maintain a “current” status with the FTC as a participant in the U.S.-EU Safe Harbor framework. Therefore, the FTC alleged that Fantage’s statements were false and misleading under Section 5 of the act for the period in which Fantage’s status had lapsed.
Under the proposed settlement agreement, which is subject to public comment, Fantage is prohibited from misrepresenting the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The proposed settlement agreement also obligates Fantage to report to the FTC no later than 30 days prior to any changes affecting Fantage’s ability to comply with the terms of the settlement. The order terminates in 20 years.
More complaints from the FTC may follow. As of this writing, the FTC website at http://export.gov/safeharbor yields more than 1,000 companies whose “certification status” is listed in red as “not current.”
As privacy continues to surge to the forefront of the FTC’s enforcement initiatives, companies should ensure that adequate privacy and security practices and procedures are in place to protect employee and consumer data.
For more information on this alert or assistance with data privacy and security compliance,contact Privacy & Data Security Practice Group leader Andrew D. Castricone, firstname.lastname@example.org, or A. Louis Dorny, email@example.com.