In 2014, the FTC stepped up enforcement against companies that either falsely represented that they were Safe Harbor certified or displayed the Safe Harbor Framework (Safe Harbor Program) Certification Mark on their websites at a time when they were not in fact certified. Companies looking to self-certify in the future, and those that self-certified more than one year ago and have failed to re-certify, should take note of this important trend.
Critically, certification does not last forever. Instead, companies must annually re-certify to retain their status as a “current participant” in the Safe Harbor Program.
What are some best practices to avoid unwanted attention from the FTC?
- If your company self-certified more than one year ago and has not re-certified, delete any and all references to being a “current” Safe Harbor participant from your website and marketing materials;
- If your company is currently certified, perform audits according to a written protocol to verify continued compliance with the seven Privacy Principles;
- If your company has agreements with vendors, obtain quarterly reports verifying vendor compliance and negotiate the contractual right to independently verify compliance;
- Educate marketing people about the danger of falsely representing that the company is a “current” participant in the Safe Harbor Program if in fact certification has lapsed; and
- Docket the one-year anniversary of self-certification and implement periodic reminders one and three months beforehand so that re-certification is performed in a timely manner.
Companies would be well-advised to consult with outside counsel to ensure that they have not made public misstatements about their Safe Harbor certification status and to evaluate whether they are at risk of an FTC enforcement action.