The FTC issued warning letters to 28 companies that allegedly advertised participation in the Asia-Pacific Economic Cooperative Cross-Border Privacy Rules system (“APEC CBPRs”), but had not received the requisite certification. A company seeking to participate in the CBPR system must first have its compliance established by an APEC-recognized accountability agent.
The APEC CBPRs is a voluntary, self-regulated system developed by participating APEC countries, including the United States. The system requires participating businesses to develop and implement data privacy policies consistent with the APEC Privacy Framework. The framework is based on nine data privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability. Companies certified under the system appear on the CBPRs website.
In the United States, the FTC enforces the APEC CBPR system under the FTC Act. The FTC has demanded that the 28 companies remove the claims regarding APEC CBPR from their websites immediately, and to confirm with the FTC that they have done so or that they are, in fact, certified.
This is not the first time that the FTC has targeted companies over false APEC CBPRs representations. In May of this year, a San Francisco-based manufacturer of hand-held vaporizers settled with the FTC over charges that it deceived consumers about its participation in APEC CBPRs. Under the terms of the settlement, the company is prohibited from misrepresenting its participation, membership, or certification in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization.
FTC enforcement actions have not been limited to the APEC CBPRs. In August 2015, the FTC charged 13 U.S. Companies with misrepresenting that they were compliant with the US-EU Safe Harbor framework, when company certifications had lapsed or certifications had not been applied for at all.