If a business advertises it is a member of a privacy program, even a voluntary one, it had better be, according to the Federal Trade Commission (FTC). In separate but related complaints, the FTC alleged that three businesses – software provider Sentinel Labs Inc., private messaging app developer SpyChatter Inc., and cybersecurity software company Vir2us Inc. – represented that they were members of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) when they were not.
The CBPR is a voluntary, cross-border privacy regime designed “to protect data that flows between the regions.” Its system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access, correction, and accountability.
Although membership is voluntary, false representations about participation are enforceable. Furthermore, participation isn’t simply a matter of saying you support the principles; participants must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet CBPR standards. Despite assertions in their online privacy policies that they were CBPR members, Sentinel, SpyChatter, and Vir2us had never been certified by an APEC agent.
FTC Acting Chair Maureen Ohlhausen commented that “Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world. Companies, however, must live up to the promises they make to protect consumer data.” Ohlhausen’s comments indicate the seriousness with which the FTC continues to approach deceptive advertising related to privacy.
Under their settlement with the FTC, the three companies are barred from making any misleading assertions about their “participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.”
It is important to note that there are a growing number of privacy “seal” programs, and some organizations offer a variety of such programs. Whether ads involve compliance with the EU-U.S. Privacy Shield, APEC, or programs under the Health Information Portability and Accountability Act (HIPAA) or the Children’s Online Privacy Protection Act (COPPA), businesses need to ensure that their claims accurately reflect the specific program they joined in order to minimize risk. And, of course, they should only advertise participation while their membership or seal status is current and their policies and practices remain in compliance.