5 Companies Settle FTC Allegations of Falsely Claiming Participation in EU-U.S. Privacy Shield

In separate actions, the FTC alleges that management software provider DCR Workforce, Inc.; cloud-based file transfer software provider Thru, Inc.; LotaData, Inc., which provides analysis of mobile users’ data; and facial recognition software provider 214 Technologies, Inc. all falsely claimed in statements on their websites that they were certified under the EU-U.S. Privacy Shield framework. The FTC alleges that LotaData, Inc. also falsely claimed that it was a certified participant in the Swiss-U.S. Privacy Shield framework, which establishes a data transfer process similar to the EU-U.S. Privacy Shield framework.

The FTC alleges that while 214 Technologies, Thru, LotaData, and DCR Workforce each submitted applications under the Privacy Shield, all four companies failed to complete the necessary steps to obtain certification from the Department of Commerce, which administers the Privacy Shield frameworks. The FTC enforces the promises companies make when joining the frameworks.

“These companies made false claims about complying with Privacy Shield, and today’s settlements show that the FTC is protecting Privacy Shield’s integrity and supporting the thousands of U.S businesses who do it right,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection.

The FTC also alleges that statistical analysis and support services provider EmpiriStat, Inc., falsely claimed it was a current participant in the Privacy Shield after allowing its certification to lapse in 2018. In addition, the FTC alleges that EmpiriStat falsely claimed it complied with the Privacy Shield principles when in fact it failed to verify that its published policy was accurate and completely implemented, an annual requirement under the framework. The company also failed to abide by the Privacy Shield requirement that companies that stop participation in the framework affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program, according to the FTC’s complaint.

As part of the proposed settlements with the FTC, all five companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, EmpiriStat must also continue to apply the Privacy Shield protections to personal information it collected while participating in the program, or return or delete the information.

The Commission voted 5-0 to issue the proposed administrative complaints and to accept the consent agreements with the five companies. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs, and subscribe to press releases for the latest FTC news and resources.