Warning Letters Issued to Companies Claiming APEC Cross-Border Privacy Certification

Warning Letters Issued to Companies Claiming APEC Cross-Border Privacy Certification

Warning letters were issued to 28 companies, by the FTC, that claim certified participation in the Asia-Pacific Economic Cooperative’s Cross-Border Privacy Rules system on their websites but do not appear to have met the requirements to make that claim.

The APEC privacy system is a self-regulatory initiative to enhance the protection of consumer data that moves among the APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. Under the system, companies can be certified as compliant with APEC CBPR program requirements based on the following nine data privacy principles: preventing harm, notice, collection limitation, use choice, integrity, security safeguards, access and correction, and accountability.

The companies that received the letters must remove the claims regarding APEC CBPR from their websites immediately and inform FTC staff that they have done so, or provide information proving they are actually certified. The letter notes that companies falsely claiming certification in the system may be in violation of the FTC Act.