Don’t Misrepresent Your U.S. – E.U. Privacy Shield Status: FTC Brings An Enforcement Action

As US companies continue to spend time and effort complying with and responding to all of the new privacy laws and regulations both in the United States and abroad (e.g., GDPR and the California Consumer Privacy Act of 2018), companies cannot forget the basics.  If you represent something in your Privacy Policy, it better be accurate, up to date, and not misleading!

On July 2, 2018, the Federal Trade Commission (FTC) issued a number of press releases and a proposed settlement with California-based employee training company ReadyTech Corporation.  In announcing the settlement, FTC Chairman Joe Simons said, “Today’s settlement demonstrates the FTC’s continuing commitment to vigorous enforcement of the Privacy Shield.”  According to the FTC, this is the 4th case enforcing the Privacy Shield and 47th case enforcing international privacy frameworks such as the Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules.

The ReadyTech settlement should be a warning for other companies that make representations in their Privacy Policies about the Privacy Shield, GDPR, CCPA and other data security and privacy frameworks.  By way of background, the Privacy Shield framework allows companies to transfer personal data lawfully from the EU to the United States.  To join the Privacy Shield framework, a company must self-certify to the U.S. Department of Commerce that it complies with the Privacy Shield Principles and related requirements that have been deemed to meet the EU’s adequacy standard.  A company, like ReadyTech, that claims it has self-certified to the Privacy Shield Principles, but failed to self-certify to the U.S. Department of Commerce, may be subject to an enforcement action by the FTC.

Here, the FTC used its authority under Section 5 of the FTC Act to compel ReadyTech to withdraw representations that it was “in the process of certifying” that it complies with the Privacy Shield.  According to the FTC, ReadyTech initiated a Privacy Shield application in October 2016 but did not complete the steps necessary to participate in the framework.  The FTC alleged that ReadyTech’s statement that it was “in the process” of certifying to the Privacy Shield framework was a misrepresentation and misleading because ReadyTech did not take the “active” steps necessary to complete the application.  The FTC stated, “Your company doesn’t have to participate in Privacy Shield, but once you state or imply something about your participation, describe your status accurately.”

Lesson Learned: Companies must continuously review their Privacy Policies and make sure that any of their representations regarding the company’s applications for the Privacy Shield or other privacy frameworks are updated and accurate.

Ryan Blaney

Ryan represents health care and life sciences clients in a wide range of litigation, regulatory, and transactional matters, but has particular experience in the areas of privacy law compliance and health care fraud litigation. In his regulatory and transactional practice, Ryan serves public and private health care companies, academic medical centers, health systems, hospitals and physician organizations, manufacturers, medical devices, information technology and health plans.
