The FTC entered into a consent order over allegations that a company falsely claimed it was in the process of certifying its compliance under the EU-U.S. Privacy Shield framework. The settlement comes a month after the FTC announced similar consent orders with four other companies concerning alleged false Privacy Shield certifications, which we previously covered here.
The Privacy Shield framework establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. To do so, a company must self-certify to the Department of Commerce that it complies with the Privacy Shield framework and related requirements. In the complaint accompanying the FTC’s most recent consent order, the FTC claimed that the company stated on its website that it was “in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” The FTC alleged that although the company initiated an application in October 2016 for Privacy Shield certification, it did not complete all necessary steps to participate in the Privacy Shield framework.
This consent order is similar to the last four consent orders entered into with the FTC over Privacy Shield certifications, which also involved incomplete or untimely certification renewals.
Additional information on the consent order can be found here.