U.S. Federal Trade Commission building
U.S. Federal Trade Commission building (Photo: Diego M. Radzinschi / NLJ)

The Federal Trade Commission continued its recent crackdown on companies that misrepresent their privacy compliance credentials, settling charges today with children’s online game company Fantage.com Inc.

Fantage was the 13th company hit with FTC charges this year for claiming to be currently certified by an international privacy framework known as the U.S.-E.U. safe harbor. In January, the FTC settled charges with 12 entities, including three professional football teams—the Atlanta Falcons, the Denver Broncos and the Tennessee Titans—for claiming they held current safe harbor certifications.

More than 3,000 companies participate in the safe harbor program, which is administered by the U.S. Department of Commerce in consultation with the European Commission. Companies must self-certify every year to the Department of Commerce that they comply with the European Union’s seven privacy principles: notice, choice, onward transfer, security, data integrity, access and enforcement. The companies can then display the blue-and-red U.S.-E.U. safe harbor certification mark on their websites.

Fantage’s problem, according to the FTC, was that the company self-certified in 2011, but didn’t renew its credentials until last month. In the meantime, the company continued to state, “When we collect personal information from residents of the European Union, we follow the privacy principles of the U.S.-E.U. Safe Harbor Framework.”

“From June 2012 until January 2014 respondent was not a ‘current’ participant in the U.S.-EU Safe Harbor Framework. Therefore, the representation … was false and misleading” and in violation of Section 5 of the FTC Act, the commission’s administrative complaint said.

Under the terms of the settlement, Fantage is prohibited from misrepresenting the extent to which it participates in any privacy or data-security program.

“The FTC has made it clear it is serious about making safe harbor work as a viable program,” said privacy and data protection specialist Ann Killilea, a counsel to McDermott Will & Emery who is not involved in the case. The agency is “ready and able to take enforcement action.”

On the FTC’s Business Center blog, senior attorney Lesley Fair today offered some advice to companies: “Be an in-house hero and check what your company says expressly or by implication about participation in the Safe Harbor Framework. (Your privacy policy is a good place to start.),” she wrote. “If you’re in compliance, mark your scheduler for your company’s next annual self-certification. If not, you have two choices: Re-certify or remove the false claim.”

In November, the European Commission released a report on safe harbor and made 13 recommendations to U.S. authorities for improvement. The commission said it would review safe harbor in summer 2014 and decide whether to maintain, suspend or adapt the program.

“This is in particular foreseen in case of a systemic failure on the U.S. side to ensure compliance, for example if a body responsible for ensuring compliance with the Safe Harbour Privacy Principles in the United States is not effectively fulfilling its role,” European officials warned in a press release.

The recommendations include a suggestion that “a certain percentage” of companies “should be subject to ex officio investigations of effective compliance of their privacy policies (going beyond control of compliance with formal requirements),” and that “False claims of Safe Harbour adherence should continue to be investigated.”

Contact Jenna Greene at jgreene@alm.com.