2018 has been a big year for privacy issues for companies around the world. The new European privacy law – the General Data Protection Regulation (GDPR) – came into force, the Facebook-Cambridge Analytica data breach came to light, the new but imperfect California Consumer Privacy Act (CaCPA) was created and passed at the speed of light, and real discussions occurred at the White House about the potential development of a new US national privacy framework, among many other global privacy initiatives. Some companies have responded by evaluating their privacy practices and many have affirmed their promises to consumers through updated privacy policies and new internal procedures designed to safeguard sensitive information about individuals.
As a reminder to U.S. companies (and those doing business in the United States), making a promise to keep personal information private is just the first step: you also have to keep that promise. Failure to do so may lead to legal problems. Ongoing diligence in ensuring that your company complies with its stated internal and consumer-facing privacy practices is not only required to comply with laws like the EU's GDPR and the CaCPA; that compliance can be enforced in the U.S. by regulatory agencies as well.
The FTC Is Now Policing Privacy Promises
Putting aside any debates about the ability of European privacy authorities and agencies to enforce the GDPR or other European laws or treaties against US companies, the Federal Trade Commission (FTC) has also indicated that it will enforce the promises made by companies with respect to their privacy policies.
Empowered by the FTC Act, the FTC can, does, and will take enforcement actions to ensure that companies are not deceiving U.S. consumers, including with regard to their privacy promises. Much like other FTC actions to protect consumers, the concern is whether companies are deceiving the consuming public with their claims about how personal information is being protected, the rights of consumers with respect to their personal information, and consumers' ability to access and manage their personal data.
What to Expect From the FTC Regarding Privacy Enforcement in the Future
Compliance with cross-border transfer mechanisms is just one avenue of privacy practices enforcement for the FTC. Any deceptive claim a company makes to US consumers regarding its privacy practices is subject to the enforcement powers of the agency under the FTC Act. And, while the fines for non-compliance are lower in the United States than the statutory fines for non-compliance with the strict terms of the GDPR (between 10 and 20 million euros or 2-4% of global revenue, whichever is greater), these FTC settlements typically come with long, expensive, and administratively taxing compliance and reporting requirements that significantly drive up the cost of making false claims with respect to privacy practices. In its settlement with the FTC, ReadyTech is required to create certain records for a period of 20 years following the issuance of the order and must submit to compliance reporting under penalty of perjury and monitoring for that entire period.
As you review the privacy practices of your own business, if you have questions or need help determining whether your practices and your statements are legal and consistent, the attorneys at Protorae Law are here to help.