Five companies settled FTC charges for falsely identifying themselves as participants in the EU-U.S. Privacy Shield framework, which allows companies to transfer consumer data from the European Union and Switzerland to the United States.

According to the FTC, four of the companies falsely stated on their websites that they were certified under the EU-U.S. Privacy Shield framework. The FTC alleged that the four companies had only submitted applications under the Privacy Shield but did not receive certifications.

In addition, the FTC alleged that the fifth company to settle, EmpiriStat, Inc. ("EmpiriStat"):

  • stopped participating in the Privacy Shield in 2018 but continued to identify itself as a member;
  • failed to meet the annual requirement to verify that it was in compliance with the Privacy Shield principles; and
  • did not affirm to the Department of Commerce that, after falling out of participation, it would continue to adhere to the Privacy Shield protections for personal information that was collected during its participation.

Pursuant to the settlement agreements, all five companies (i) are prohibited from misrepresenting their participation in, or compliance with, the privacy programs, and (ii) must adhere to FTC reporting requirements. The FTC ordered EmpiriStat to either continue adhering to the Privacy Shield protections for personal information collected during its participation or delete the information.

Comments on the agreements must be submitted within 30 days of their publication in the Federal Register.
