Reiterating its commitment to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks, the Federal Trade Commission announced on Monday that it has reached settlements with 13 companies alleged to have misled consumers either by claiming Safe Harbor membership despite never having applied, or by allowing their Safe Harbor certifications to lapse.
A related FTC Business Center blog post concerning the settlements provided tips for companies to help avoid Safe Harbor compliance violations, including reminders that:
- Privacy policy representations regarding the handling of personal information must be truthful and may be subject to FTC enforcement;
- Using templates can be risky – every statement in a privacy policy must reflect that company's specific practices, so any "form" document must be reviewed line by line for accuracy; and
- Safe Harbor certification must be renewed annually, so adding a calendar reminder to review (and update, as appropriate) the company's policy a few weeks before the recertification deadline can help avoid lapses.
Just three months ago, the FTC announced similar settlements with two companies that had allowed their Safe Harbor certifications to lapse, but continued to represent on their websites that they were members of the framework. In one of those cases, the FTC further alleged that the company misled consumers regarding its dispute resolution procedures, and "deceptively claimed to be a licensee of the TRUSTe Privacy program."
The FTC was active in the Safe Harbor enforcement arena last year as well. In June 2014 the Commission announced settlements with 14 companies that were alleged to have falsely claimed Safe Harbor membership. In addition, the FTC has brought Safe Harbor charges stemming from alleged privacy violations, such as in its settlements with Google in 2011, and Facebook and Myspace in 2012.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
