Apparel Manufacturer Cited for False Claims of Compliance with Data Transfer Pact
The Federal Trade Commission announced recently a consent order settling charges that a Los Angeles-based clothing manufacturer falsely claimed it was abiding by two privacy frameworks that enable U.S. companies to transfer consumer data from the European Union and Switzerland. The consent order imposes no immediate penalty but carries the threat of fines for additional violations.
To participate in the U.S.-EU Safe Harbor framework and the U.S.-Swiss Safe Harbor framework, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet those frameworks’ adequacy standards: notice, choice, onward transfer, security, data integrity, access and enforcement. The FTC charged the clothing company with representing that it held current safe harbor certifications even though it had allowed them to lapse. However, the FTC said, this does not necessarily mean that the company committed any substantive violations of the privacy principles of the safe harbor frameworks.
Under the proposed consent order, the company is prohibited from misrepresenting the extent to which it participates in any privacy or data security program sponsored by the government or any other self-regulatory or standard-setting organization. The company also must report to the FTC when requested on the manner and form of its compliance with this order and must maintain and make available to the FTC for five years all documents relating to such compliance.
The FTC states that a final consent order carries the force of law with respect to future actions and that each violation of such an order may result in a civil penalty of up to $16,000. Comments on the proposed consent order are due no later than June 9.