In its first wave of Safe Harbor enforcement actions, the Federal Trade Commission announced settlements on October 6th with 6 companies over misrepresentations that they are current with their Safe Harbor certifications. In each case, the company had self-certified its compliance with the Safe Harbor Program through the Department of Commerce, but did not keep its annual certification current, while still representing that it was a valid member of the Safe Harbor Program.
The FTC brought the enforcement actions under its Section 5 authority, alleging that the companies’ misrepresentations are deceptive. The scope of the FTC’s actions is limited to the companies’ lapsed certification and did not address whether the companies were compliant with the substantive requirements of the Safe Harbor Program.
The proposed settlement agreements, open for public comment until November 5th, prohibits each company from making representations about its membership in any privacy, security, or any other compliance program sponsored by the government or any other third party. In addition the proposed terms require each company to comply with reporting and compliance obligations, including the retention of documents relating to its compliance with the order for 5 years and initial compliance reports to the FTC.
The key take-away from these actions is that the FTC is going to be more pro-active in its scrutiny of members of the Safe Harbor Program. We anticipate more enforcement actions under Section 5 based on misrepresentations about compliance with Safe Harbor obligations, and likely further actions against companies with lapsed certifications.
The FTC complaints, proposed settlements and related documents are available at http://ftc.gov/opa/2009/10/safeharbor.shtm.