The three companies told consumers that they adhered to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system, which facilitates privacy-respecting data transfers between countries. This agreement is similar to the EU-U.S. and Swiss-U.S. Privacy Shield, which are overseen by the FTC.
Sentinel Labs provides endpoint protection software to enterprise customers, SpyChatter markets a private messaging app, and Vir2us distributes cybersecurity software. The companies falsely told consumers that they abide by the Asia-Pacific privacy rules.
Under the terms of the settlements with the FTC, the companies are prohibited from misrepresenting their participation in any privacy program sponsored by a government organization.
The FTC does not have the authority to obtain civil penalties for these initial violations, but once the order is finalized, the companies could be subject to fines per violation for each day that they continue to violate the order. For example, SpyChatter will be subject to civil penalties of up to $40,654 per violation per day, according to a letter from the FTC.
“The prospect of paying civil penalties will provide SpyChatter with an incentive to comply with the order,” the letter stated. “Accordingly, we believe the order provisions, along with the risk of substantial civil penalties for violating the order, appropriately address the conduct at issue. We also believe that the Commission bringing this action against SpyChatter will deter other companies from engaging in similar conduct.”