Marketing research firms should be vigilant: Safe Harbor enforcement actions are on the rise.
Two U.S. businesses recently agreed to settle U.S. Federal Trade Commission (FTC) charges that they falsely claimed they were abiding by an international privacy framework known as the U.S.-EU Safe Harbor, which enables U.S. companies to transfer consumer data from the European Union to the United States in compliance with EU law.
To participate in the U.S.-EU Safe Harbor Framework, a company must self-certify annually to the Department of Commerce that it complies with the seven privacy principles required to meet the EU’s adequacy standard. A participant may also highlight for consumers its compliance with the Safe Harbor by displaying the Safe Harbor certification mark on its website.
In this most recent enforcement action, the FTC complaint against one of the businesses, TES Franchising LLC, also alleged that TES deceived consumers about the nature of its dispute resolution procedures. On its website, TES stated that Safe Harbor-related disputes would be settled by an arbitration agency, would take place in Connecticut, and costs would be split between the consumer and the company. According to the FTC’s complaint, TES had agreed in its Safe Harbor certification filing that it would resolve disputes through the European data protection authorities, which do not require in-person hearings and resolve disputes at no cost to the consumer. The complaint also alleges that the company deceptively claimed to be a licensee of the TRUSTe Privacy program.
A key take-away of all this? If a company does elect to self-certify with the Department Commerce, it is imperative that the information reported be both accurate and current. Failure to do so can lead to an enforcement action by the FTC and, possibly, private class action lawsuits as well.
One potential aid in Safe Harbor compliance for a research company would be the CASRO program, which provides alternative independent dispute resolution and enforcement measures.