Factual Misstatement in Privacy Policy Results in FTC Probe, Settlement

A recent settlement announced by the FTC with Fantage.com, a maker of multiplayer online role-playing games directed at children ages 6-16, highlights the importance of factual accuracy in privacy policies. The FTC recently concluded an enforcement action against Fantage.com based on the Commission’s charge that the company falsely claimed it was abiding by the international privacy framework known as the U.S.-EU Safe Harbor that enables U.S. companies to transfer consumer data from the European Union to the U.S. in compliance with EU law.

The U.S.-EU Safe Harbor Framework: The U.S.-EU Safe Harbor Framework is a voluntary program administered by the U.S. Department of Commerce in consultation with the European Commission. The Framework allows U.S. companies to transfer personal data outside of Europe under methods that are consistent with the requirements of the European Union Directive on Data Protection, enacted in 1995. The Directive requires EU Member States to implement legislation that prohibits the transfer of personal data outside the EU, unless the European Commission has determined that the recipient jurisdiction’s laws ensure the protection of such personal data — the so-called “adequacy” standard. To satisfy the adequacy standard for certain commercial transfers, the U.S. Department of Commerce and the European Commission negotiated the U.S.-EU Safe Harbor Framework, which went into effect in 2000. The Framework allows U.S. companies to transfer personal data lawfully from the EU if a company self-certifies on an annual basis to the Department of Commerce that it complies with seven principles and related requirements that have been deemed to meet the EU’s adequacy standard: notice, choice, onward transfer, security, data integrity, access, and enforcement. Companies holding current self-certifications are listed.

According to the FTC’s complaint, the company deceptively claimed through statements in its privacy policy that it held current certifications under the U.S.-EU Safe Harbor framework. The company’s privacy policy stated:

When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-EU Safe Harbor Framework, which covers the transfer, collection, use, and retention of personal data from the European Union.

The company had in fact self-certified and maintained a “current” status with the Department of Commerce in 2011, but the annual certification lapsed in June 2012 and was not renewed until January 2014. On this basis, the FTC alleged that the company’s conduct violated Section 5 of the FTC Act.

The FTC noted, however, that “this does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws.” Indeed, there was no allegation in the FTC’s complaint that the company was ever substantively out of compliance with the terms of the Safe Harbor framework.

Takeaway. As noted above, the company’s self-certification is now current. Under the proposed settlement agreement, the company is prohibited from misrepresenting the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. While the penalty may seem mild for the misrepresentation about its lapsed certification, the company will nevertheless still be subject to FTC enforcement of the terms of the settlement for the next 20 years, including its attendant record-keeping and inspection requirements. This is a high price to pay for the company’s apparent failure to maintain a current self-certification and to conduct reviews at least annually to ensure that its privacy policy was factually accurate and reflected the state of its certifications. Whether or not a U.S. company intends to participate in the U.S.-EU Safe Harbor Framework, it should conduct a review of its privacy policy at least annually to ensure that the policy reflects the company’s actual, current practices.

 
