On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”). These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other companies over the past year for similar violations related to false certification claims.
The websites for all five companies claimed that they were certified under the Privacy Shield. Four of the companies had submitted applications, but allegedly “failed to complete the necessary steps to obtain certification from the Department of Commerce.” The FTC alleged that the fifth company allowed its certification to lapse but did not remove the claim of participation from its privacy policy despite warnings from Commerce. The FTC also alleged that this company failed to comply with additional Privacy Shield requirements: it did not meet the annual verification requirement, and it did not meet the requirements that apply to personal information collected under the Privacy Shield after a company is no longer certified.
Per the FTC’s announcement, the settlement agreements prohibit the five companies “from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization” and also require the companies to comply with FTC reporting requirements. The fifth company must also apply Privacy Shield protections to personal information it collected while certified to the Privacy Shield, or return or delete the information.