FTC to Enforce Voluntary GDPR Compliance Statements

U.S.-based companies that have updated their privacy policies to reflect increased consumer privacy protections intended to match the European Union’s GDPR protections may have unknowingly opened themselves up to added scrutiny from the Federal Trade Commission, according to FTC spokesperson Juliana Gruenwald Henderson.

Several organizations that collect consumer data on a large scale, including Facebook and Microsoft, have taken it upon themselves to increase personal data use transparency for their consumers through clearer privacy policies. This increase in transparency is designed, in part, to increase trust among their users, as well as potentially to stay one step ahead of future U.S. regulation. That domestic regulation, however, might be coming sooner than anticipated.

The FTC’s Statement

Gruenwald Henderson explained, “If a company chooses to implement some or all of GDPR across their entire operations, and as a result makes promises to U.S. consumers about their specific practices they must live up to those commitments.” She added that this enforcement, although broad in nature, would only be applied in specific and appropriate situations and “the FTC could initiate an enforcement action if the company does not comply with the EU data protection promises for U.S. customers.”

The FTC’s statement shows the government takes seriously companies’ privacy promises to their consumers. “If the company claims that it is compliant with EU law, it better be right, because the FTC will be looking for companies that are non-compliant but say otherwise,” said David Vladeck, former director of the FTC’s Bureau of Competition.

A History of Enforcement

The FTC does have a history of bringing actions against organizations that failed to live up to EU privacy promises. For example, the FTC has brought actions against companies that claimed they complied with previous privacy frameworks such as the U.S.-EU Safe Harbor and Privacy Shield.

Takeaways for your Organization

Although making GDPR-style privacy representations may build customer trust, there is risk in rushing to make those representations without properly ensuring those representations are true.

  • Inventory Your Information – Perform a data inventory so you know what personal information your organization collects, stores, processes and shares. Document and maintain records of your processing of personal information.
  • Communication is Key – Review your privacy notices and make them concise, easy to understand with clear language.
  • Do What You Say – Make sure your privacy statement is 100% accurate. If you say you do it in your privacy statement, then make sure it’s true!