On February 22, 2017, the FTC announced that it had reached a settlement with three companies over charges that the companies had falsely represented their involvement in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system (APEC CBPR) in their online privacy policies.
The FTC filed similar complaints against all three companies: Sentinel Labs, Inc., which provides endpoint protection software to enterprise customers; SpyChatter, Inc., which markets the SpyChatter private message app; and Vir2us, Inc., which distributes cyber security software. The complaints alleged violations of the FTC Act due to deceptive statements made by the companies regarding their participation in the APEC CBPR system in their online policies directed at consumers.
The APEC CBPR system is a self-regulatory initiative that offers a voluntary, enforceable mechanism to enable privacy-respecting data transfers in the APEC region. Participation in APEC CBPR requires an annual review and certification by an APEC-recognized accountability agent. The certification is used to identify a company as being compliant with the APEC CBPR program requirements, including the nine data privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability. In the U.S., the FTC enforces the APEC CBPR system. According to the FTC, none of the three companies named in its complaints had undergone the APEC CBPR official review and certification process, despite claiming to consumers that they abided by the system.
The FTC additionally alleged that Sentinel Labs falsely claimed that it was a participant in the TRUSTe privacy program, which provides privacy certifications and seals to businesses that meet certain program requirements, such as transparency of company practices, verification of privacy practices and consumer choice regarding the collection and use of consumer personal information. The FTC argued that, in fact, TRUSTe had never reviewed Sentinel Labs’ privacy policies or practices or verified that the company had complied with the requirements of the TRUSTe program.
In a public statement regarding the settlement, FTC Acting Chairman Maureen K. Ohlhausen noted, “Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world. Companies, however, must live up to the promises they make to protect consumer data.”
The settlement terms bar the companies from “misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.” The FTC will publish descriptions of the three consent agreement packages in the Federal Register shortly. The consent agreements are open for public comment through March 24, 2017.
As always, companies should carefully review their online policies and other statements to customers to confirm that the company’s use of customers’ data is accurately summarized and not misleading. In addition, companies should be careful not to claim participation in any privacy program, such as TRUSTe, that requires official review and certification unless the company has received the requisite certification, even if the company voluntarily abides by the practices in such a program.