FTC Settles Case Alleging Deceptive Privacy Statements

The Federal Trade Commission recently announced that it has settled charges against a California company for allegedly misrepresenting that it was in the process of being certified as complying with the EU-U.S. Privacy Shield framework.

In short, the Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. According to FTC defense lawyer Richard B. Newman, the Privacy Shield framework is administered by the Department of Commerce. The promises companies make when joining the Privacy Shield are enforced by the Federal Trade Commission.

The settlement “… demonstrates the Federal Trade Commission’s continuing commitment to vigorous enforcement of the Privacy Shield,” FTC Chairman Joe Simons commented. “We believe Privacy Shield is a critical tool for ensuring transatlantic data flows and protecting privacy that benefits both companies and consumers.”

As set forth in the FTC’s complaint, the agency alleges that ReadyTech Corporation, a provider of online training services, falsely claimed on its website that it is “in the process of certifying that we comply with the U.S.-E.U. Privacy Shield Framework.” According to the FTC, ReadyTech initiated an application to the U.S. Department of Commerce in October 2016; however, the company failed to complete the steps necessary to participate in the Privacy Shield framework.

The Federal Trade Commission’s complaint alleges that the company’s deceptive claim that it is in the process of certification violates the FTC Act’s prohibition against deceptive acts or practices. As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization, including but not limited to the EU-U.S. Privacy Shield framework and the Swiss-U.S. Privacy Shield framework. The company must also comply with standard reporting and compliance requirements.

The matter marks the fourth regulatory enforcement action enforcing Privacy Shield. It also marks the 47th case enforcing the Privacy Shield, the predecessor Safe Harbor framework, and the Asia Pacific Economic Cooperation Cross Border Privacy Rules framework. To date, the FTC has brought hundreds of privacy and data security cases.

The Federal Trade Commission actively enforces privacy promises made to consumers. When companies represent to consumers that they will safeguard their personal information, the FTC can and often does take law enforcement action to make sure that the promises are adhered to.

Of late, the Federal Trade Commission has initiated legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information. In a number of these cases, including the ReadyTech matter, the FTC has charged the defendants with violating Section 5 of the FTC Act, which bars unfair and deceptive acts and practices in or affecting commerce. In addition to the FTC Act, the agency also enforces other federal laws relating to consumers’ privacy and security.

Privacy and data security issues are at the top of both federal and state regulatory agendas. Such issues are intertwined in most, if not all, digital marketing-related activities, from lead generation to telemarketing.

The FTC uses a variety of tools to protect consumers’ privacy and personal information. The principal tool is to bring enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior (e.g., implementation of comprehensive privacy and security programs, assessments by independent experts, monetary redress to consumers, disgorgement of ill-gotten gains, deletion of wrongfully procured consumer information, and provision of robust consumer choice mechanisms).

Companies that violate FTC orders can face civil monetary penalties for those violations. The agency can also obtain civil monetary penalties for violations of certain privacy statutes and rules, including, but not limited to, the Children’s Online Privacy Protection Act and the Telemarketing Sales Rule.

If you are interested in learning more about this topic, want to review your privacy and data security compliance protocols, or if you are the subject of a regulatory investigation or enforcement action, please email the author at rnewman@hinchnewman.com, or phone (212) 756-8777.

Richard B. Newman is an Internet marketing attorney at Hinch Newman LLP focusing on advertising and digital media matters. Follow him on Facebook.

Informational purposes only. Not legal advice. Always seek the advice of an attorney. Previous case results do not guarantee similar future results. Hinch Newman LLP | 40 Wall St., 35th Floor, New York, NY 10005 | (212) 756-8777.

Advertising Material
