The Federal Trade Commission (FTC) has issued warning letters to 28 companies that claim to be certified participants in the Asia-Pacific Economic Cooperative’s (APEC) Cross-Border Privacy Rules (CBPR) system on their websites but, according to the FTC, do not appear to have met the necessary requirements to make that claim.
The APEC privacy system is a self-regulatory program applicable to data that moves among the APEC member economies. It includes a voluntary, but enforceable, code of conduct implemented by participating businesses. Under the system, companies can be certified as compliant with APEC CBPR program requirements based on nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.
According to the FTC’s press release, the companies that received the letters must remove the claims regarding APEC CBPR from their websites immediately and inform FTC staff that they have done so, or provide information proving they are actually certified. If they fail to do so, the letter warns that the companies may face enforcement under the FTC Act.
The FTC recently settled its first case related to a deceptive claim of certification in the APEC CPBR system.
The FTC’s Sample letter issued on July 14, 2016, is available here.