Tag: Privacy Shield

FTC Issues Opinion and Order Against Cambridge Analytica For Deceiving Consumers About the Collection of Facebook Data, Compliance with EU-U.S. Privacy Shield

The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The Opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework.

In an administrative complaint filed in July, FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint filed by FTC staff, or a motion submitted for summary judgment of the allegations.

The FTC staff’s administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.

The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

In its Opinion, the Commission found that Cambridge Analytica violated the FTC Act through the deceptive conduct alleged in the complaint. The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.

The Commission voted 5-0 to issue the Opinion and Final Order.

Rafael Moscatel, CRM, IGP, is the Managing Director of Compliance and Privacy Partners, LLC. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.

FTC Announces Settlements with Four Companies Related to Allegations they Deceived Consumers over Participation in the EU-U.S. Privacy Shield

The Federal Trade Commission has reached settlements with four companies that allegedly misrepresented their participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States. The FTC also alleged that two of the companies failed to comply with Privacy Shield requirements.

In separate actions, the FTC settled Privacy Shield cases against:

In addition to allegations that each company falsely claimed to participate in the EU-U.S. Privacy Shield framework, the FTC also alleged that Click Labs and Incentive Services falsely claimed to participate in the Swiss-U.S. Privacy Shield framework, which establishes a process for companies to transfer consumer data in compliance with Swiss law.

In its cases against Global Data and TDARX, the FTC further alleged that the companies continued to claim participation in EU-U.S. Privacy Shield after allowing their certifications to lapse, and that those companies failed to comply with the framework. The companies allegedly failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program.

“The Privacy Shield Framework is critical to facilitating transatlantic commerce and assuring our European partners of our commitment to data protection,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Enforcement of the Privacy Shield framework is a priority of the FTC, and we will hold companies accountable where, as here, they fail to keep their Privacy Shield promises.”

The Department of Commerce administers both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, while the FTC enforces the promises companies make when joining the programs. With today’s announcement, the FTC has now brought a total of 21 enforcement actions related to the EU-U.S. Privacy Shield framework since it was established in 2016.

Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, as well as any other privacy or data security program sponsored by any government, or any self-regulatory or standard-setting organization. As part of their settlements, Global Data Vault and TDARX also are required to continue to apply the Privacy Shield protections to personal information they collected while participating in the program, or return or delete the information.

The Commission voted 5-0 to issue the proposed administrative complaints and to accept the consent agreements with the four companies. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.

California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield

California Company Settles FTC Allegations that it Falsely Claimed Participation in EU-U.S. Privacy Shield

A California company has agreed to settle Federal Trade Commission allegations that it falsely claimed participation in the EU-U.S. Privacy Shield framework, which enables companies to transfer consumer data legally from European Union countries to the United States.

In its complaint, the FTC alleged that Medable, Inc.—which provides technology solutions to business customers operating in pharmaceutical, biotechnology, and research industries—falsely claimed in its privacy policy that it was a certified participant in the EU-U.S. Privacy Shield framework and adhered to the program’s principles. While the company initiated an application with the Department of Commerce in December 2017, it did not complete the steps necessary to participate in the framework.

The Department of Commerce administers the framework, while the FTC enforces the promises companies make when joining the program. With today’s announcement, the FTC has now brought a total of 17 enforcement actions related to the Privacy Shield framework since it was established in 2016.

As part of the settlement with the FTC, Medable is prohibited from misrepresenting its participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.

The Commission vote to issue the proposed administrative complaint and to accept the consent agreement with Medable was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.

Call us today at 323-413-7432, schedule a free consultation or visit us at www.capp-llc.com to learn more about our tailored privacy compliance solutions.