2018 has been a big year for privacy issues for companies around the world. The new European privacy law – the General Data Protection Regulation (GDPR) – came into force, the Facebook-Cambridge Analytica data breach came to light, the new but imperfect California Consumer Privacy Act (CaCPA) was created and passed at the speed of light, and real discussions occurred at the White House about the potential development of a new US national privacy framework, among many other global privacy initiatives. Some companies have responded by evaluating their privacy practices and many have affirmed their promises to consumers through updated privacy policies and new internal procedures designed to safeguard sensitive information about individuals.
As a reminder to U.S. companies (and those doing business in the United States), making a promise to keep personal information private is just the first step: you have to also keep that promise. Failure to do so may lead to legal problems. On-going diligence in ensuring that your company complies with its stated internal and consumer-facing privacy practices is not only required to comply with laws like the EU’s GDPR and the CaCPA, it can be enforced in the U.S. by regulatory agencies as well.
The FTC Is Now Policing Privacy Promises
Putting aside any debates about the ability of European privacy authorities and agencies to enforce the GDPR or other European laws or treaties against US companies, the Federal Trade Commission (FTC) has also indicated that it will enforce the promises made by companies with respect to their privacy policies.
Empowered by the FTC Act, the FTC can, does, and will take enforcement actions to ensure that companies are not deceiving U.S. consumers including with regard to their privacy promises. Much like other FTC actions to protect consumers, the concern is whether companies are deceiving the consuming public with their claims about how personal information is being protected, the rights of consumers with respect to their personal information, and the consumers’ abilities to access and manage their personal data.
Living up to their own promise to enforce, the FTC reached a settlement in early July 2018 with a California company regarding its false claim of working toward compliance with one of the cross-border data transfer mechanisms approved under the GDPR: the EU-U.S. Privacy Shield Framework. In its complaint, the FTC alleged that ReadyTech Corporation falsely claimed in its written privacy policy to be “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” ReadyTech did, in fact, initiate an application with the U.S. Department of Commerce in October 2016 to participate in the Privacy Shield Framework, but never completed the steps required to complete its application and actually participate in the Framework. The FTC alleged that this representation was a false claim violating the FTC Act’s prohibition against deceptive acts or practices. The FTC’s complaint and the July settlement is the fourth action taken by the agency for non-compliance with the requirements of the Privacy Shield Frameworks, following three other settlements in September 2017. Combined with the prior cross-border transfer mechanisms, including the predecessor Safe Harbor framework and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework, the FTC has brought 47 cases to enforce false claims of compliance involving data transfer and protection practices.
What to Expect From the FTC Regarding Privacy Enforcement in the Future
Compliance with cross-border transfer mechanisms is just one avenue of privacy practices enforcement for the FTC. Any deceptive claim a company makes to US consumers regarding their privacy practices is subject to the enforcement powers of the agency under the FTC Act. And, while the fines for non-compliance are less in the United States than the statutory fines for non-compliance with the strict terms of the GDPR (between 10-20 Million Euros or 2-4% of global revenue, whichever is greater), these FTC settlements typically come with long, expensive, and administratively-taxing compliance and reporting requirements that significantly drive up the cost of making false claims with respect to privacy practices. In its settlement with the FTC, ReadyTech is required to create certain records for a period of 20 years following the issuance of the order and must submit to compliance reporting under penalty of perjury and monitoring for that entire period.
Companies should be sure that they are living up to the promises they have made to consumers via their privacy policy. If there are claimed practices that are inaccurate, it is important to revisit and update the privacy policy to ensure that it is correct and compliant with the relevant laws that govern collection, use, sharing, and destruction of consumers’ personal information. Moreover, companies should periodically review their privacy policy and other Terms of Service/Terms of Use to ensure that they are up-to-date, correct, and complete in describing the businesses current practices, protocols, and legal authority to do what it does with data covered by privacy laws.
As you do this in your own business, if you have questions or need help determining if your practices and your statements are legal and consistent, the attorneys at Protorae Law are here to help.
Associate
703.639.0683