FTC: Twelve Companies Falsely Claiming to Comply with International Safe Harbor Privacy Framework

Twelve businesses spanning a variety of industries recently agreed to settle with the FTC stemming from charges that they falsely claimed to hold current certifications under the US-EU Safe Harbor framework. The complaints also alleged that three of the companies deceptively claimed to hold current certifications under the US-Swiss Safe Harbor framework, as well. Under both frameworks, companies can self-certify compliance with the seven “privacy principles” (which mirror, in part, EU privacy laws) and register in the U.S. with the U.S. Department of Commerce. The FTC charged that claiming to hold a current certification when, in fact, the certification had lapsed was a violation of the FTC Act. The Commission was careful to note that this alone was not necessarily an indication that any of these companies had actually violated any of the privacy principles under the framework. Under the settlement, each company is prohibited from misrepresenting its certification status under the US-EU and US-Swiss Safe Harbor frameworks.

TIP: Companies who elect to self-certify their compliance with either of these Safe Harbor frameworks should ensure their certifications remain current if they represent they have current certifications to the public. Companies may want to check their status on the Safe Harbor List maintained by the Department of Commerce.