After all of the GDPR compliance assessments, implementation and hullaballoo in the last year or so, many companies chose to certify that they are compliant with the EU-U.S. Privacy Shield framework rather than implementing a full-blown GDPR compliance program.

To attain Privacy Shield certification, companies must submit an application and certify that when consumer data is transferred from the EU to a U.S. company, the transfer has been done in compliance with EU law. Once a company obtains Privacy Shield certification, it can present itself as being compliant on its website and to the public. However, sometimes companies don’t know that they have to update their certification on an annual basis in order to continue to hold themselves up as being Privacy Shield certified.

The Federal Trade Commission (FTC) is the enforcer for Privacy Shield certification. The FTC has publicly stated that it monitors company websites to determine whether they have kept their certification current. If a company misrepresents itself as being compliant with Privacy Shield certification, the FTC can commence an enforcement action against the company for falsely claiming Privacy Shield Certification.

On September 3, 2019, the FTC announced that it has settled with five different companies on allegations that “they falsely claimed participation in the EU-U.S. Privacy Shield.” According to the FTC press release, the FTC alleged that four companies – DCR Workforce, Inc., Thru, Inc., LotaData, Inc. and 214 Technologies, Inc. – “all falsely claimed in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework” because they each submitted an application for Privacy Shield certification, but “failed to complete the necessary steps to obtain certification.”

The FTC also settled with EmpiriStat, Inc., which it alleged “falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse in 2018.”

The settlements require the companies to stop misrepresenting participation in any privacy or data security program sponsored by the government, and they must comply with FTC reporting requirements.

Lessons learned?

1) Don’t hold yourself up as being Privacy Shield certified if you haven’t submitted an application and completed the necessary steps to obtain certification; and

2) Be mindful of the continual certification requirements and don’t let the certification lapse.