The U.S.’s data protection scheme does not require a third party to review a company’s privacy practices and policy prior to its export of personal information from the U.S. However, the U.S. scheme does prohibit a company from making false statements about its privacy practices and policy. Acting Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen recently reinforced the importance of this U.S. requirement, stating that companies “must live up to the promises they make to protect consumer data.”
The three companies decided to settle with the FTC, and the FTC entered into consent orders with each of them. The consent orders prohibit the companies from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization. The companies are subject to monitoring and recordkeeping requirements. Notably absent is any material penalty or fine.