Three U.S. companies have agreed to settle Federal Trade Commission charges that they deceived consumers about their participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
In separate but similar complaints, the FTC charged that Sentinel Labs, Inc., which provides endpoint protection software to enterprise customers; SpyChatter, Inc., marketer of the SpyChatter private message app; and Vir2us, Inc., which distributes cyber security software; falsely represented in their online privacy policies that they participated in the APEC CBPR system.
The APEC CBPR system facilitates privacy-respecting data transfers between APEC member economies through a voluntary, enforceable mechanism, which certifies companies as being compliant with APEC CBPR program requirements. The APEC CBPR system is based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.
Companies that seek to participate in the APEC CBPR system must undergo a review by an APEC-recognized accountability agent, which certifies companies that meet the standards. The three companies, however, were not and had never been certified, according to the complaints.
“Cross-border commerce is an important driver of economic growth, and our cross-border privacy commitments help enable U.S. companies to compete around the world,” said Acting Chairman Maureen K. Ohlhausen. “Companies, however, must live up to the promises they make to protect consumer data.”
The complaints allege that the companies violated the FTC Act by making deceptive statements that they participated in the APEC CBPR. The Commission also alleges that SentinelOne falsely claimed that it was a participant in a TRUSTe privacy program.
Under the terms of the settlement with the FTC, the three companies are prohibited from misrepresenting their participation, membership or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.
The Commission vote to accept for public comment the three consent agreements related to the three companies was 2-0. The FTC will publish descriptions of the three consent agreement packages in the Federal Register shortly. The agreements will be subject to public comment for 30 days, beginning today and continuing through March 24, 2017, after which the Commission will decide whether to make the three proposed consent orders final. Interested parties can submit comments electronically on the Sentinel Labs, Inc., SpyChatter, Inc., and Vir2us, Inc. agreements by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section of each of the three forms.
NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $40,654.
Source: Federal Trade Commission