As US companies continue to spend time and effort complying with and responding to all of the new privacy laws and regulations both in the United States and abroad (e.g., GDPR and the California Consumer Privacy Act of 2018), they cannot forget the basics. If you represent something in your Privacy Policy, it had better be accurate, up to date, and not misleading!
On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation. In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.” According to the FTC, this is the 4th case enforcing the Privacy Shield and the 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.
The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks. By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States. To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard. A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC.