Negative option conundrum: whose rules to follow?

Online marketers who use negative option continuity billing models are subject to strict disclosure requirements under both federal and state consumer protection laws, and are favorite targets of the Federal Trade Commission and state attorneys general. Payment processors that fail to properly police their merchants’ compliance with these laws are equally subject to potential liability under federal law for facilitating consumer fraud by granting deceptive marketers access to the payments system.

Further complicating this landscape, Visa and Mastercard have recently introduced their own new rules for negative option merchants and their acquirers. Word is that nutraceutical/dietary supplement marketers are likely to face particular scrutiny under these rules.

While there are many similarities among federal law, state law and these new card brand rules, there are also many key differences and competing requirements, which means that a merchant may need to structure its negative option billing practices differently depending upon which card the consumer elects to use.

Let’s start with the new Visa rules.

The New Visa Rules for Free-Trial Subscription Merchants

Visa’s updated rules for free-trial subscription merchants will take effect on April 18, 2020. These updates supplement the existing negative option rules, and apply equally to merchants selling either physical or digital goods and services if they offer free trials or introductory offers that roll into an ongoing subscription / recurring agreement. As announced by Visa in June of last year, the new rules will impose the following requirements on these merchants:

Express Consent

Under the existing rules, a merchant must require the cardholder to expressly consent to an ongoing subscription service for recurring payments at the time of enrollment.

Enhanced Notification

The new rules impose additional notification obligations, which also require the merchant to send an electronic copy (i.e., email or SMS / text, if agreed with the cardholder) of the terms and conditions of the subscription service to the cardholder at the time of enrollment—even if no payment is due at the time of enrollment. This must include:

  • Confirmation that the cardholder has agreed to a subscription, unless the cardholder cancels.
  • The start date of the subscription.
  • Details of the goods/services.
  • Ongoing transaction amount and billing frequency/date.
  • Link or other simple mechanism to enable the cardholder to easily cancel any subsequent transactions online.

Merchants must also send an electronic reminder notification (i.e., email or SMS/text) including an online cancellation link at least seven (7) days before initiating a recurring transaction if:

  • A trial period, introductory offer or promotional period has expired.
  • The nature of the recurring agreement has changed (for example, the price or billing period).

Explicit Transaction Receipts

Merchants must disclose the following on transaction receipts:

  • Length of any trial period, introductory offer or promotional period, including clear disclosure that the cardholder will be charged unless the cardholder takes steps to cancel any subsequent transactions.
  • Transaction amount and date for the initial transaction (even if no amount is due) and for subsequent recurring transactions.
  • A link or other simple mechanism to enable the cardholder to easily cancel any subsequent transactions online.

Easier Cancellation / Modification

Merchants must provide an easy way to cancel the subscription or payment method online, regardless of how the cardholder initially interacted with the merchant. For example, the ease of cancellation should be similar to “unsubscribing” from an email distribution list.

Statement Descriptor

An additional descriptor indicating a trial period-related transaction will be required in the Merchant Name field of the Clearing Record for the first financial transaction at the end of the trial period. This descriptor (e.g., “trial,” “trial period,” “free trial”) will then appear on cardholder statements, online banking, mobile apps and SMS/text alerts in the same way discretionary, additional invoice/order numbers appear for ecommerce transactions. Additionally, the Recurring Payment Indicator will be required to be populated for the first transaction, even if the amount is not equal to the usual/ongoing obligation.

Expanded Dispute Rights

The new rules will expand the existing “Misrepresentation” dispute condition for transactions where merchandise or digital goods have been purchased (i) through a trial period or (ii) as a one-off purchase, and the cardholder was not clearly advised of further billing after the purchase date. Merchants may respond by showing they have acted appropriately, provided they can prove: (i) the cardholder expressly agreed to future transactions at the time of the initial interaction; and (ii) the merchant electronically notified the cardholder (based on the details the cardholder provided) before processing new transactions following the trial/promotional period.

Expanded Policy for Negative Option and Up-Selling Merchants

The Global Brand Protection Program includes specific references to two existing business models: “Negative Option” and “Up-Selling” merchants. The Visa Rules will be updated with additional cardholder disclosure and consent requirements that will apply to these business models in all regions. In addition to the requirements outlined in the Visa Rules and Visa’s Global Acquirer Risk Standards, these merchants must comply with all other requirements applicable to the transaction type(s). For example, if a Negative Option merchant operates a recurring / subscription model, they must also comply with all relevant Stored Credential requirements.

Again, these rules will take effect on April 18, 2020.

The new Mastercard rules took effect back on April 12, 2019.

The Mastercard High Risk Negative Option Billing Merchant Rules

Mastercard’s High Risk Negative Option Billing Merchant Rules (the “Negative Option Rules”) are embodied in Sections 5.1.1, 5.4.1 and 6.2.2.1.1 of the Transaction Processing Rules (December 19, 2019) and Section 9.4.10 of the Mastercard Security Rules and Procedures — Merchant Edition (September 10, 2019).

The Mastercard Negative Option Rules apply to Card-Not-Present (CNP) merchants selling physical goods (such as cosmetics, health-care products, or vitamins) on a recurring basis via a subscription service that involves a trial period. They impose several obligations on the merchant:

The merchant must provide a direct link to an online cancellation procedure on the website where the cardholder purchased the product.

For a physical product/sample provided to a cardholder for a trial period, the trial date begins on the date that the cardholder receives the product—not before.

After the trial period has expired, but before charging the cardholder, the merchant must obtain the cardholder’s explicit consent to the initial recurring transaction based on the merchant’s disclosure of the following information: (1) the transaction amount, (2) the payment date of the transaction, (3) the merchant’s name as it will appear on the cardholder’s statement, and (4) easy to follow instructions for canceling the subscription and terminating recurring payments.

Any time a charge is approved, the merchant must provide the cardholder with an electronic receipt that both states the cancellation policy and includes instructions on how to cancel the subscription. Likewise, any time a charge is declined, the merchant must provide the cardholder with an electronic receipt that states the reason why the authorization was declined (e.g. insufficient funds).

Finally, the merchant must provide the cardholder with written confirmation in either hard copy or electronic format when either or both of the following events occur: (1) the cardholder’s trial period expires; and/or (2) the recurring payment transaction cycle has been terminated by either the cardholder or the merchant.

The Negative Option Rules also impose several obligations on the acquirer.

Before an acquirer may process non-face-to-face high-risk negative option billing transactions, the acquirer must register the merchant in the Mastercard Registration Program. The acquirer must also register any third-party service providers with access to account data (e.g. shopping carts, CRMs).

The acquirer must use MCC 5968 (Direct Marketing—Continuity/Subscription Merchants).

The acquirer must monitor authorization transaction messages to identify when the same account number appears among different high-risk negative option billing MIDs in the acquirer’s portfolio within 60 calendar days. In such cases, the acquirer must reach out to the merchant to verify that the sales were bona fide.
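The 60-day cross-MID check above is a detection rule that an acquirer's risk team has to run over its own authorization logs. The Python script below is an added example of one way to implement it; it is not code from the article or from Mastercard. It assumes each authorization message has been reduced to (account token, MID, authorization date), that the account is referenced by a keyed hash of the PAN rather than the PAN itself, and that the acquirer keeps a list of the MIDs it has registered as high-risk negative option merchants. The tokenization key, MIDs, card numbers and dates are constructed sample values.

```python
"""Cross-MID account reuse monitor for an acquirer's high-risk negative option portfolio.

Rule implemented: flag any card account that is authorized at two or more distinct
high-risk negative option MIDs within 60 calendar days, so the acquirer can ask the
merchants involved to show that the sales were bona fide.

Example code only. Key, MIDs and card numbers below are constructed sample values.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple

WINDOW_DAYS = 60

# Constructed tokenization key. In production it lives in an HSM/KMS so that the
# monitoring store correlates tokens and never holds raw PANs.
TOKEN_KEY = b"example-tokenization-key-do-not-use"


def account_token(pan: str) -> str:
    """Keyed surrogate for a card number (HMAC-SHA256 of the PAN).

    Equal PANs give equal tokens, which is all cross-MID correlation needs,
    and a token cannot be turned back into a PAN without the key.
    """
    return hmac.new(TOKEN_KEY, pan.encode("ascii"), hashlib.sha256).hexdigest()


# One authorization message reduced to what the rule needs:
# (account token, merchant ID, authorization date).
Auth = Tuple[str, str, date]


def find_cross_mid_accounts(
    auths: Iterable[Auth],
    high_risk_mids: Set[str],
    window_days: int = WINDOW_DAYS,
) -> Dict[str, List[str]]:
    """Return {account_token: sorted MIDs} for accounts authorized at two or more
    distinct high-risk MIDs within window_days of each other (the boundary day counts)."""
    by_account: Dict[str, List[Tuple[date, str]]] = defaultdict(list)
    for token, mid, when in auths:
        if mid in high_risk_mids:  # only registered high-risk negative option MIDs count
            by_account[token].append((when, mid))

    flagged: Dict[str, Set[str]] = {}
    for token, events in by_account.items():
        events.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (d_i, mid_i) in enumerate(events):
            for d_k, mid_k in events[i + 1:]:
                if (d_k - d_i).days > window_days:
                    break  # every later event is further from d_i than the window
                if mid_k != mid_i:
                    flagged.setdefault(token, set()).update((mid_i, mid_k))
    return {token: sorted(mids) for token, mids in flagged.items()}


def window_boundary_flagged(days_apart: int) -> bool:
    """True if two authorizations days_apart days apart at two different high-risk
    MIDs are flagged; documents that the 60-day window is inclusive."""
    start = date(2020, 1, 1)
    pair = [("tok", "MID-A", start), ("tok", "MID-B", start + timedelta(days=days_apart))]
    return bool(find_cross_mid_accounts(pair, {"MID-A", "MID-B"}))


# Constructed portfolio: three MIDs registered under MCC 5968; MID-2000 is an ordinary merchant.
HIGH_RISK_MIDS: Set[str] = {"MID-1001", "MID-1002", "MID-1003"}

# Constructed authorization log (card numbers are published test numbers, not real accounts).
SAMPLE_AUTHS: List[Auth] = [
    (account_token("5555555555554444"), "MID-1001", date(2020, 1, 5)),
    (account_token("5555555555554444"), "MID-1002", date(2020, 2, 10)),  # 36 days, 2 MIDs: flag
    (account_token("5105105105105100"), "MID-1001", date(2020, 1, 1)),
    (account_token("5105105105105100"), "MID-1003", date(2020, 4, 15)),  # 105 days: outside window
    (account_token("2223000048400011"), "MID-1002", date(2020, 3, 1)),
    (account_token("2223000048400011"), "MID-2000", date(2020, 3, 2)),   # MID-2000 not high-risk
    (account_token("5200828282828210"), "MID-1001", date(2020, 3, 1)),
    (account_token("5200828282828210"), "MID-1001", date(2020, 3, 20)),  # same MID: normal rebill
]


if __name__ == "__main__":
    for token, mids in find_cross_mid_accounts(SAMPLE_AUTHS, HIGH_RISK_MIDS).items():
        print(f"verify sales with merchants {mids}: account {token[:12]}... seen at both within {WINDOW_DAYS} days")
```

Only the first account is reported: the second pair is 105 days apart, the third touches a MID that is not registered as high-risk, and the fourth is the same MID rebilling the same card, which is ordinary subscription behaviour rather than the pattern the rule targets. The inclusive boundary (day 60 flagged, day 61 not) is an assumption about how "within 60 calendar days" is read; an acquirer should confirm it against its own rule interpretation.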

Finally, at the time of registering the merchant, the acquirer must have verified that the merchant’s activity complies fully with all laws applicable to Mastercard, the merchant, the acquirer and any prospective customer. This means verifying the merchant’s compliance with the Negative Option Rules, as well as applicable federal and state laws, such as the Restore Online Shoppers Confidence Act (“ROSCA”) and the California Automatic Renewal Law (discussed below).

So what does this last provision mean for merchants and acquirers?

ROSCA and the California Automatic Renewal Law

ROSCA embodies the federal law in this area. ROSCA prohibits charging consumers for goods or services sold in transactions effected on the Internet through a negative option feature unless the seller (1) clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information, (2) obtains the consumer’s express informed consent before making the charge, and (3) provides a simple mechanism to stop recurring charges.

California’s Automatic Renewal Law (Business and Professions Code Section 17600 et seq.) is even more exacting, and has been the go-to standard for evaluating merchant compliance. The California statute applies to any Internet-based offer made to a California resident. It requires the advertiser to clearly and conspicuously disclose the complete terms of the negative option offer, either in “larger type than the surrounding text,” or, if the same size as surrounding text, then in “contrasting type, font, or color” or “set off” by markings, “in a manner that clearly calls attention to the language.” This minimum mandate of “equal or greater size” is more precise and inflexible than the FTC’s “clear and conspicuous” standard, and generally ensures compliance with the FTC standard.

In addition to the clear and conspicuous disclosure requirements, California’s Automatic Renewal Law requires businesses to (1) obtain the consumer’s affirmative consent to the agreement (e.g. scrolling through the text of the agreement, and selecting the “I Agree” button) prior to completing the subscription purchase transaction, and (2) provide the consumer with an acknowledgement that includes the automatic renewal or continuous service offer terms, and cancellation policy and instructions for canceling, in a manner that is capable of being retained by the consumer. If the offer contains a free trial, the acknowledgment must also disclose how to cancel to avoid paying for the goods or services. Finally, if there is a material change to the terms of the automatic renewal offer (such as pricing), a business must provide the consumer with prior notice of the change and how to cancel before the change takes effect in a manner that is clear and conspicuous.

As of July 1, 2018, the California Automatic Renewal Law also requires that the business provide consumers with a mechanism for canceling the recurring billing plan online. Allowing consumers to cancel via email is acceptable so long as the business also provides a template for the cancellation email.

So Which Do I Follow?

Navigating these conflicting rules and laws is not a simple task. Indeed, a merchant may need to structure its negative option billing practices differently depending upon whether the consumer uses Visa or Mastercard to pay.

For example, the Visa and Mastercard rules alike apply to merchants that offer free trials that convert into an ongoing subscription. However, unlike the Mastercard rules, the Visa rules also apply to merchants that offer upsells and use negative option billing without a free trial. Both sets of rules apply to physical goods, but the Visa Rules also apply to digital goods and services. Both sets of rules require express consent. However, Visa requires the merchant to obtain the cardholder’s consent before the initial transaction/trial begins, whereas Mastercard requires the merchant to obtain the cardholder’s consent after the trial has ended but before the card is charged.

Adding in federal and state law requirements may mean additional disclosures. For example, while Mastercard requires the merchant to obtain the cardholder’s consent after the trial has ended, but before the card is charged, ROSCA requires the merchant to clearly and conspicuously disclose all material terms of the transaction before obtaining the consumer’s billing information.

The problem is even more complex for acquirers. Absent rigorous underwriting procedures that go well beyond a mere review of the websites disclosed in connection with the merchant application, they may not even know the merchant is engaged in negative option marketing. Why? Because experienced fraudsters—who also like to use negative option billing—are likely to use “shell companies” and “bank pages” to conceal the true nature of their activities.

I routinely review negative option billing practices for compliance with card brand rules and applicable law, and can help you navigate these issues. Feel free to email me at bcebeci@romeandassociates.com to schedule a consultation.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law, Digital Marketing and FTC Issues.


Cat chases dog, cheese eats mouse, ISO sues FTC: strange times in payments

Notwithstanding the DOJ’s abandonment of Operation Chokepoint in 2017, the Federal Trade Commission (“FTC”) has continued to treat ISOs as gatekeepers to the payments system, threatening them with liability where they fail to adequately police their merchants, while publicly denying that it has any such policy. Yet earlier this month, one ISO took the offensive and, in a groundbreaking move, initiated a preemptive strike against the FTC rather than simply allowing itself to fall victim to these tactics.

On December 5, 2019, Complete Merchant Solutions LLC (“CMS”) filed suit against FTC in the federal district court of Utah—Case No. 2:19-cv-00963-CMR. The Complaint seeks a declaration and injunction to stop the FTC from engaging in conduct that CMS alleges “is not only unfair and harassing but also far beyond the express limitations of its jurisdiction and enforcement powers.”

One Of The Good Guys

CMS is an ISO for acquirers Commercial Bank of California, Chesapeake Bank, Deutsche Bank, Merrick Bank, and Wells Fargo. From soon after its founding in 2008, CMS focused on serving e-commerce businesses and other start-up technology companies. Over the past decade, CMS has grown from a tiny start-up to a highly successful company. CMS has won several awards, been recognized nationally and regionally, has attracted investment from blue-chip equity funds, and provides work for nearly 300 employees and independent contractors, while serving more than 5,500 merchant accounts that together produce over $3 billion in payments annually.

According to its Complaint, since 2013, CMS has maintained a chargeback rate well below the 1% mark. In 2018, CMS’ chargeback rates were just .58% by dollar and .23% by count. CMS employs rigorous underwriting practices, which have led it to decline approximately 16% of merchant applications since 2013. CMS also subscribes to costly merchant-monitoring tools, including G2 and TSYS Fraud, to identify suspicious payment activity, fraud, and other red flags; and also monitors the Mastercard Merchant Online Status Tracking (MOST) system.

A “Barrage” Of CIDs

Nonetheless, CMS alleges that, for the past two years, FTC has directed numerous Civil Investigative Demands (CIDs) to CMS “seeking vast amounts of information relating almost entirely to a handful of businesses with which CMS and its sponsoring banks ceased working years ago.” In response, CMS has produced over 45,000 documents—totaling over 475,000 pages—responded to numerous interrogatories, and produced multiple employees for depositions.

CMS contends that the evidence produced to FTC shows that: CMS declined applications for 21 merchants responsive to the CID (“responsive merchants”); responsive merchants were 3% of CMS’ total merchants in 2011, declining to only 0.5% in 2016 and 0.08% in 2017; by 2016 and 2017, less than 0.1% of CMS’ processing volume was for responsive merchants; the overwhelming majority of responsive merchants were terminated by CMS before any regulator filed a complaint or subpoenaed CMS; and, of the 37 responsive merchants later involved in FTC enforcement actions, CMS had terminated 34 prior to the time of suit.

Nonetheless, FTC was not satisfied.

FTC Threatens Suit

CMS alleges that, on February 4, 2019, FTC staff informed CMS that they planned to recommend enforcement action and sent CMS’ lawyers a proposed complaint and consent order. The proposed complaint’s theory is that CMS “failed to adequately screen and monitor its merchant-clients,” and thereby misled its sponsoring banks.

According to CMS, the FTC’s proposed consent order directed CMS to:

  • Terminate all businesses that use telephones to induce the purchase of goods or services;
  • Terminate all businesses that represented that their goods or services would help consumers earn income from home, obtain training or education on how to establish a business or make money from a business, obtain employment for an upfront fee, or obtain government grants or government income, benefits, or scholarships;
  • Terminate all businesses that involve a subscription model where consumers have to tell the business to cancel their subscription (that is, every subscription product); and
  • Engage in heightened screening of “High Risk Client[s],” a category defined as covering any merchant with more than 15% card-not-present transactions, more than $200,000 in card-not-present transactions a year, or any merchant that sells:
    • Discount buying clubs;
    • Foreclosure protection or guarantees;
    • Lottery sales or sweepstakes;
    • Medical discount benefits packages;
    • Multi-level marketing distribution;
    • Nutraceuticals (a category that includes vitamins);
    • Payment aggregators;
    • Cryptocurrency;
    • Third party payment processors;
    • Penny auctions;
    • Real estate seminars and training programs; and
    • Computer technical support services.

Unacceptable Consequences

Thus, CMS argues that, under the FTC’s first proposal, CMS would not be able to solicit Amazon as a merchant, because it sells books by Princeton Review about how to get scholarships for college. CMS would not be able to solicit Brigham Young University as a merchant because it has a business school that represents that its services can assist students in starting or running a business. CMS would have to subject CVS or Walmart to heightened scrutiny, because they sell multivitamins. And, CMS would have to subject Best Buy or Apple to heightened scrutiny, because the Geek Squad and the Genius Bar provide computer technical support services.

CMS further alleges that, while the FTC narrowed some of the categories in response to comments from CMS’ attorneys, the FTC indicated that it would insist on a ban on serving businesses that fall into certain categories, including any company (like Amazon) that sells nutraceuticals with an option to purchase via subscription (like Amazon’s “Subscribe and Save” program). The FTC also kept the list of suspect categories requiring heightened scrutiny and monitoring virtually identical, apart from moving subscriptions (for all products other than nutraceuticals, which would still be subject to the outright ban), the business-related education and grants categories, and businesses that use telephones to induce sales from the categories subject to an outright ban to the one requiring heightened scrutiny. The FTC rejected any further proposal to narrow these categories.

And the FTC sought to set the threshold for chargebacks (which would trigger a duty to “immediately” investigate) at just 55 chargebacks per month, a level well below even the “early warning” thresholds set by the card brand guidelines. What’s more, the FTC’s various draft orders all sought to impose a “strict liability” standard, meaning that CMS could be in violation of the terms of the order without any knowledge of the facts giving rise to that liability.

FTC Overstepping Its Authority

CMS argues that this is not what the law intends and is far beyond any reasonable bounds of the FTC’s authority.

The FTC Act empowers the FTC to police unfair business practices. According to CMS, however, the vague term “unfair” does not confer upon the FTC the power to make banks’ ISOs vicariously liable for failing to prevent merchants from committing fraud. And, the FTC has no authority to eject thousands of law-abiding merchants—which themselves are not the subject of any legal action—from the payment systems on which they depend based on nothing more than the FTC staff’s biases against particular industries.

CMS also points out that the FTC is expressly prohibited from regulating banks, whose relationships with ISOs are regulated by the FDIC and other banking regulators. Thus, CMS argues that FTC is seeking an end-run around this limitation of its authority by going after the ISOs—who act as a sales arm for the acquiring banks, and are there simply to facilitate the connections between merchants and banks, the entities responsible for the processing of merchant transactions.

Accordingly, the Complaint asks the Court to put an end to the FTC’s overreach and threatened legal claims by granting CMS’ request for declaratory relief, and issuing an injunction prohibiting the FTC from bringing (or threatening to bring) any action against CMS in connection with the provision of its ISO services as described herein, premised on a violation of 15 U.S.C. § 45(a) or § 53(b), as such statutes give the FTC no authority to bring such actions.

Why It Matters

This is a bold move by CMS. By filing suit against the FTC rather than waiting for FTC to commence an enforcement action, CMS has taken the initiative and framed the argument on its own terms as a champion of ISOs throughout the payments industry. This challenge is also set against the backdrop of a split among the federal circuit courts as to whether 15 U.S.C. § 53(b)—which codifies section 13(b) of the FTC Act—empowers the FTC to seek monetary relief, including restitution—an issue that has recently put the FTC on its heels in enforcement actions. This lawsuit may represent a blow to FTC’s ability to police ISOs and hold them liable for their merchants’ actions absent strong evidence of complicity.

The industry should also take note that—as evidenced by FTC’s proposed consent order to CMS—all nutraceutical, tech support, and negative option continuity merchants, along with the ISOs that extend services to them, remain very much within the FTC’s crosshairs.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law, Digital Marketing and FTC Issues.


COPPA compliance for advertisers, websites, mobile apps and other online services

Whether you are an advertiser or online service provider, you must adapt to survive in an increasingly regulated and rapidly changing digital media environment. With an estimated 175,000 kids going online globally for the first time every day, one of the key challenges your business may face is complying with a host of differing laws designed to protect the privacy of these young users—including the Children’s Online Privacy Protection Act (COPPA), which is specifically designed to protect children, and the California Consumer Privacy Act (CCPA) and European General Data Protection Regulation (GDPR), which contain provisions affording special protection to kids.

COPPA extends broadly to online services (advertisers, websites and mobile apps) whose audience includes children under 13, and prohibits them from collecting personal information (including persistent identifiers) from those users without first obtaining verifiable parental consent. While COPPA has been around for nearly 20 years, the Federal Trade Commission (FTC) has recently made COPPA compliance a key priority and stepped up the pace of COPPA enforcement actions.

Among those impacted by the trend are YouTube creators, who face a new dilemma to start the New Year. If their content is “made for kids,” they must immediately label it as such. By doing so, they may lose the ability to monetize their content. By failing to do so, they may expose themselves to crippling fines.

The Backstory

In September 2019, Google LLC and its subsidiary YouTube LLC agreed to pay $170 million to settle a civil action by the FTC and the New York Attorney General for alleged COPPA violations. YouTube allegedly violated COPPA by collecting cookies from viewers of child-directed channels, without first notifying parents and getting their consent, and then using those cookies to deliver targeted ads.

In addition to paying a $136 million penalty to the FTC and $34 million to New York, YouTube has developed a new system for identifying child-directed content on its platform as part of the settlement.

A New Year, A New Policy

Effective January 1, 2020, YouTube creators are responsible for determining whether their content is directed to children and then designating such content as “made for kids” as appropriate. That label may apply to individual videos (new and previously uploaded), or an entire channel.

In turn, YouTube will no longer collect cookies to deliver targeted ads to viewers of “for kids” videos and channels. Instead, YouTube will deliver “contextualized ads” based strictly on the video’s content. YouTube will also disable comments, info screens, the “donate” button, channel branding watermarks, “save to playlist” or “watch later” features, and cards and end screens for “for kids” videos, and eliminate community tabs, notification bells and stories from “for kids” channels.

Again, if a video’s intended audience is children under 13, the creator is subject to COPPA.

Is It Child-Directed?

But, as YouTube and the FTC both acknowledge, the determination of whether content is “child-directed” may not be clear in many cases. In such cases, the FTC identifies a number of additional factors one must consider to make that determination, including:

  • The subject matter,
  • Visual content,
  • The use of animated characters or child-oriented activities and incentives,
  • The kind of music or other audio content,
  • The age of the models,
  • The presence of child celebrities or celebrities who appeal to children,
  • Language or other characteristics of the site,
  • Whether advertising that promotes or appears on the site is directed to children, and
  • Competent and reliable empirical evidence about the age of the audience.

Other Considerations

The FTC also suggests that, unless a video is affirmatively targeting kids, there are many subject matter categories that do not implicate COPPA. For example, videos about traditionally adult activities like employment, finances, politics, home ownership, home improvement, or travel are probably not covered by COPPA unless the content is geared toward kids. The same would be true for videos aimed at high school or college students. On the other hand, if content includes traditional children’s pastimes or activities, it may be child-directed. For example, the FTC recently determined that an online dress-up game was child-directed.

Second, a video is not automatically covered by COPPA just because it has bright colors or animated characters. While many animated shows are directed to kids, the FTC recognizes that some animated programming appeals to everyone.

Where questions still remain, the FTC suggests considering how others view your content and content similar to yours. Has your channel been reviewed on sites that evaluate content for kids? Is your channel – or channels like yours – mentioned in blogs for parents of young children or in media articles about child-directed content? Have you surveyed your users or is there other empirical evidence about the age of your audience?

Conclusion

Okay. But what about channels built around gaming content like Minecraft and Fortnite? In such cases, application of the foregoing factors may still fail to offer a clear answer, and may provide little comfort to creators, particularly when the Rule authorizes civil penalties of up to $42,530 per violation.

Website operators, mobile app services, and advertisers (both upstream and downstream) should be equally concerned about these questions. Indeed, digital services that classify themselves as general audience services are subject to increasing challenge by regulators to prove their audience composition.

If you are unsure about whether your content or your website is subject to COPPA, you should consult with an attorney experienced in FTC matters and COPPA compliance. We regularly review media, data collection practices, and privacy policies for compliance with COPPA, the CCPA, the GDPR and the FTC Act.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law, Digital Marketing and FTC Issues.


Privacy Shield Compliance: Necessary Reading For US Companies Doing Business In The EU

On December 3, 2019, the Federal Trade Commission (FTC) announced settlements with four companies related to allegations that they deceived consumers over participation in the EU-US Privacy Shield Framework. The companies include Click Labs, Inc., a website and mobile app services provider; Incentive Services, Inc., a developer of service award and incentive programs for employers; Global Data Vault, LLC, a provider of data storage and recovery services; and TDARX, Inc., an IT services provider. According to FTC’s allegations, at least two of these companies continued to claim participation in Privacy Shield after allowing their annual certifications to lapse, and failed to comply with the framework.

That brings the total to 21 enforcement actions related to Privacy Shield since its establishment in 2016. Thus, there can be little doubt that Privacy Shield compliance represents an enforcement priority for the FTC.

But what is Privacy Shield?

If you are a US company doing business in the EU, you should know.

By now, any US company doing business in the EU is certainly aware of the General Data Protection Regulation (GDPR) and the risk it presents to companies that fail to comply. Indeed, most such companies spent a lot of time and money in the early part of 2018 reworking their published Privacy Policies to comply with the GDPR. But many companies failed to fully understand the GDPR or actually bring their data practices into compliance.

Are you one of them? Let’s put it this way:

If you are a US company doing business in the EU and have not self-certified in Privacy Shield, there is a good chance that you may be transferring data from the European Economic Area (EEA) to the US in violation of the GDPR. Note that if a US company transfers EEA data to the US through a partner/processor—such as an analytics service that has its servers in the US—then the partner rather than the company is responsible for compliance; provided, however, that the company must enter a Data Processing Agreement with the partner whereby the partner confirms its compliance with GDPR requirements. In such cases, the company should confirm that its partner is Privacy Shield certified.

The GDPR prohibits the transfer of personal data outside of the EEA to a third-party country unless the recipient country provides an “adequate level of data protection,” the data exporter puts appropriate safeguards in place, or an exemption or derogation exists to justify the transfer.

From the EU’s perspective, the US does not have an adequate level of data protection. Moreover, while an exemption or derogation may justify some transfers of personal data, it does not offer the broad protection of self-certification under Privacy Shield.

Consent is the strongest category of exemption. But it requires a clear disclosure to the data subject of what you plan to do with the data, including all associated risks, and his/her explicit consent to the transfer of the data outside the EEA. Most of the other exemptions and derogations apply to government entities and public authorities, or require particular approval by the relevant Data Protection Authority.

Privacy Shield provides US companies with broader protection.

In order to self-certify, a US company must confirm its eligibility to participate in Privacy Shield. That means that the company must be subject to the jurisdiction of the FTC or the Department of Transportation. That generally means that banks, federal credit unions, and savings and loan institutions are not eligible to participate in Privacy Shield.

Next, the company must develop a Privacy Policy Statement that complies with Privacy Shield requirements. That means notifying data subjects of your participation in Privacy Shield, the type of data being collected, the purposes for which the data is being used, any third parties with whom you will share the data, the data subject’s right to access the data and his/her choices and means to limit the use and disclosure of such data, and available recourse mechanisms.

As part of this Privacy Policy, the company must also confirm its commitment to Privacy Shield Principles, including Choice (“clear, conspicuous, and readily available mechanisms” to opt out), Accountability (transferred data “may only be processed for limited and specified purposes consistent with” data subject’s consent), Security (adhering to best industry practices to secure data), Data Integrity (limit data collection to “relevant” data, and ensure it is “reliable for its intended use, accurate, complete and current”), Access (data subject must have access, including ability to correct, amend or delete, personal data), and Recourse, Enforcement and Liability (official complaint handling process and detailed mechanism for dispute resolution through a third-party such as the Better Business Bureau, American Arbitration Association or JAMS).

Once this Privacy Policy is published, you may submit your company’s self-certification to the Department of Commerce. The associated fee is $1,500 or less for companies with annual revenue up to $500 million. You must re-certify your Privacy Shield compliance with the Department of Commerce on an annual basis. And, of course, you face the risk of a potential enforcement action by the FTC, along with civil penalties, in the event you fail to comply with your obligations under Privacy Shield.

For US companies doing business in the EU, then, GDPR compliance and Privacy Shield certification go hand in hand.

Bradley O. Cebeci is a Senior Attorney with Rome & Associates, APC. Brad focuses on Payments Law, Digital Marketing and FTC Issues.