FTC Settles Alleged Privacy Shield Act Violations with Background Check Company

The FTC recently announced a settlement with a NY-based company over allegations it misrepresented its participation in and compliance with the EU-U.S. Privacy Shield framework in violation of Section 5 of the FTC Act.  The FTC alleged in its Complaint that the company, which provides security and background check services, continued to claim participation in the EU-U.S. Privacy Shield after its certification lapsed.

Specifically, after obtaining Privacy Shield certification in 2017 to support its background check services, the company did not properly renew its certification of participation in the EU-U.S. Privacy Shield after it expired 2018, nor did it withdraw from the program and affirm its commitment to protect any personal information it had acquired while in the program.  Even after receiving a warning to take down its claims that it participated in Privacy Shield unless it met its obligations to renew its certification, the company did not do so, and continued to claim it was participating in the Privacy Shield framework.

The terms of settlement include a prohibition upon misrepresenting company participation in the EU-U.S. Privacy Shield framework, or in any other government-sponsored, self-regulatory, or standard setting organization’s privacy or data security programs.  Additionally, the company is required to either continue applying Privacy Shield protections to personal information it collected while participating in the program or to return or delete the information.