Privacy laws in Asia-Pacific countries such as Japan, Australia, New Zealand and Singapore restrict the export of personal information except when the exporter meets certain qualifying conditions. One qualifying condition is that the exporter complies with the Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules System (CBPR). Under the CBPR, the exporting company has its data privacy policy and practices reviewed and certified by a third party, which confirms that the policy and practices are consistent with the applicable domestic law. For example, if an exporting company wished to export personal information of Japanese citizens, its privacy policy and practices would need to be consistent with Japanese law in order for the third party to certify the exporter as CBPR compliant. A company promoting compliance with CBPR on its website would therefore be representing, directly or indirectly, expressly or by implication, that it had been certified by a third party to participate in APEC’s CBPR system.
The U.S.’s data protection scheme does not require a third party to review a company’s privacy practices and policy prior to its export of personal information from the U.S. However, the U.S. scheme does prohibit a company from making false statements about its privacy practices and policy. Acting Federal Trade Commission (FTC) Chairman Maureen K. Ohlhausen recently reinforced the importance of this U.S. requirement, stating that companies “must live up to the promises they make to protect consumer data.”
Recently, the FTC charged three U.S. companies with violating Section 5(a) of the FTC Act on the grounds that they falsely represented in their privacy policies that they were compliant with APEC’s CBPR. By representing that they were CBPR compliant, these companies implied that a third party had reviewed their privacy policies and practices for compliance with the applicable domestic law. In fact, the FTC alleged, none of these companies had ever had its privacy policy or practices reviewed by a third party. The FTC claimed these false representations constituted deceptive acts or practices, which are prohibited under Section 5(a) of the FTC Act. The three companies charged by the FTC were Sentinel Labs, Inc. (endpoint protection software for enterprise customers), SpyChatter, Inc. (SpyChatter private message app), and Vir2us, Inc. (cyber security software distributor).
The FTC also claimed Sentinel Labs falsely stated in its privacy policy that TRUSTe reviewed Sentinel’s privacy policy and practices for compliance with TRUSTe requirements regarding transparency, accountability and choice regarding the collection and use of personal information. By claiming it had been awarded the TRUSTe Privacy Seal, the FTC claimed, Sentinel represented it met TRUSTe’s requirements. In fact, the FTC showed TRUSTe had never even reviewed Sentinel’s privacy policy or practices. The FTC claimed Sentinel’s misrepresentations regarding TRUSTe compliance constituted deceptive acts or practices, which are prohibited under Section 5(a) of the FTC Act.
The three companies decided to settle with the FTC, and the FTC entered into consent orders with each of them. The consent orders prohibit the companies from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization. The companies are subject to monitoring and recordkeeping requirements. Notably absent is any material penalty or fine.
Because none of the companies had ever been certified under TRUSTe or APEC’s CBPR, it is possible the misrepresentations in the companies’ privacy materials resulted from simply cutting and pasting other companies’ policies and practices and changing the names, without reviewing the wording. The better practice when adopting a privacy policy or practice is for a company to draft its own wording based on its actual collection, use, security and transfer practices, rather than copying another policy and changing the names. A company should also carefully review the draft wording to confirm that it contains no incorrect statements. It is also helpful to periodically review the policy and the associated practices to see whether changes are needed because of changes in the way the company handles personal information.