FTC Obtains TRO Against E-Commerce Merchant Falsely Claiming Safe Harbor Certification

By Mehmet Munur

On July 31, the Federal Trade Commission obtained a temporary restraining order against a California website for deceptively claiming to be a member of the EU Safe Harbor administered by the Department of Commerce. This is the first FTC enforcement involving the FTC’s authority to prosecute violations involving EU Safe Harbor and FTC’s authority to prosecute an American company for deception of foreign consumers.

According to the FTC complaint, the defendants posed as UK websites, did not deliver on minimal consumer protections, and lied about being in the Safe Harbor. Balls of Kryptonite, LLC, is based out of Pasadena, California. However, it operates under www.bestpricedbrands.co.uk and www.bitesizedeals.co.uk, states prices in pound sterling, and referred to UK competitors and Royal Mail. The website did not specifically state its location, though such a disclosure is required under the Distance Selling Directive. Therefore, the FTC inferred that the websites advertised and sold consumer electronics products to consumers in the UK “under the pretext of being located within the UK.”

The websites shipped products from the US to the UK. Customers also had to pay substantial customs duties and import taxes. Some of these products were incompatible with the UK power grid. The websites also stated that the products would be covered under warranty. The products were not designed for distribution in the UK and, therefore, were not covered by warranty. Further, consumers were not allowed to cancel their orders, charged 50% restocking fees, and items were not shipped for weeks.

Finally, the defendants advertised that they self-certified with the Department of Commerce for the EU Safe Harbor when they were not. However, this false statement defies all logic. It does not help the defendants establish that they are a website based in the UK. A corporation must have a US establishment that receives personal information from the EU/EEA before it can certify to the Safe Harbor. Maybe this was the company’s way of stating that it was transferring data to the US. Maybe, the website owner believed that the Safe Harbor deception would make their website more attractive to UK customers. Nonetheless, Balls of Kryptonite is likely subject to this enforcement not due to inadequate legal advice, but lack of legal advice.

Nevertheless, the temporary restraining order resulting from the enforcement action makes an interesting example due to its scope. The TRO enjoins the defendants from misrepresenting “[t]he extent to which Defendants are members of, adhere to, comply with, are certified by, are endorsed by, or otherwise participate in any privacy, security, or any other compliance program sponsored by any government or third party.” Thus, the FTC enjoined the defendants from misrepresenting that they are members of any third-party privacy program. In effect, the FTC is recognizing that the health of the Safe Harbor Program is intricately linked to the third-party programs. The Safe Harbor Enforcement Principle requires an independent dispute resolution mechanism that TRUSTe’s EU Safe Harbor Program and BBB EU Safe Harbor offer. However, one could argue that third-party privacy seals programs should enforce their own marks and that the FTC should focus on the Safe Harbor program exclusively.

The enforcement action sets a much-needed precedent for false claims related to the Safe Harbor program. Nevertheless, the majority of the complaint was based on false statements concerning the shipment of goods. The Safe Harbor issue appears to be tacked onto the other issues. The Safe Harbor program has been in existence for nearly a decade and studies by the European Commission in 2004 and others in 2008 have argued that enforcement has been lax. One would hope that, in the future, the FTC would bring section five claims exclusively in the data protection realm in addition to mixed consumer protection claims.