The Federal Trade Commission (FTC) Act gives the FTC the power to prevent and punish unfair business practices in all aspects of business within the United States. The FTC usually involves itself when companies purposefully mislead the public about facts concerning the company’s business. Recently, the FTC published its first case regarding the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.
The FTC issues a complaint when it has reason to believe that some provision of the FTC Act has been violated. In this case, the company in question was Very Incognito, Inc., operating under the name Vipvape. According to the FTC, the complainant, Vipvape claimed to be part of the CBPR system, but APEC had not actually certified the company.
What is the CBPR system?
The CBPR system is operated and supported by APEC. APEC, formed in 1989, is a forum for Pacific Rim economies to help promote and regulate growing economies. One of its initiatives is the CBPR system, a voluntary accreditation system that allows a member state’s businesses to apply for and receive recognition if the business properly meets the CBPR standards. APEC’s CBPR aims to reduce barriers to information flows, enhance consumer privacy, and promote interoperability.
Once reviewed and accepted, the business may advertise and promote that it is part of the CBPR system. Companies often advertise this accreditation to bolster reputation and esteem.
Why did Vipvape get in trouble for advertising its membership?
According to the FTC report, Vipvape was never a full member of the CBPR system, so it had no right to advertise as such on its website. Because of this, it directly fell under the FTC Act, according to the complainant. The FTC has issued rulings and settlements regarding misleading advertisements before, but this is the first time it has done so in connection with the CBPR system. The FTC previously published an advisory page to help avoid this type of false advertisement.
The vote to accept the consent agreement passed 3-0. After the settlement is published, the public has 30 days to comment before the Commission decides whether to make it final. The settlement bars Vipvape from continuing to misrepresent its participation, membership, or certification in any privacy or security program sponsored by a government or self-regulatory organization.
For more information about the FTC Act and how it could impact your company’s advertising, contact Revision Legal’s Corporate attorneys through the form on this page or by calling 888-317-5945.
The Legal Framework Behind FTC Enforcement of Privacy Certifications
The FTC’s authority to bring actions like the Vipvape case flows directly from Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” A company falsely claiming membership in a recognized privacy certification program — whether APEC’s CBPR or any other government-endorsed scheme — commits a per se deceptive act. Consumers and business partners rely on those seals and certifications when making decisions about sharing data. When the certification is fabricated, those decisions are made on false grounds.
What the APEC CBPR System Actually Requires
Getting certified under the APEC Cross-Border Privacy Rules is not a one-time checkbox exercise. An applicant business must work with an APEC-recognized Accountability Agent — a third-party auditor approved by the APEC Data Privacy Subgroup — to assess whether the company’s privacy policies and practices meet the CBPR program requirements. Those requirements cover nine information privacy principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability. Only after the Accountability Agent certifies compliance does a business gain the right to display the CBPR trustmark.
Vipvape never completed that process. It displayed the trustmark anyway, hoping consumers and partners would assume the certification was genuine. That is precisely the type of conduct the FTC was designed to address.
Cross-Border Privacy Enforcement After the Vipvape Decision
The Vipvape action was significant not just because it was the first CBPR enforcement case, but because it signaled the FTC’s intent to treat cross-border privacy frameworks with the same scrutiny it applies to domestic privacy representations. The settlement barred Vipvape from misrepresenting participation in any privacy or security program sponsored by a government or self-regulatory organization — a broad prohibition that extends well beyond APEC.
For businesses operating across the Pacific Rim, this means false Safe Harbor claims, false Privacy Shield representations, and false ISO 27001 certifications all carry similar exposure. The FTC has demonstrated it will pursue these cases even when the business is small and the settlement amount is modest. The reputational and injunctive consequences — not just the financial penalty — are the real deterrent.
Practical Compliance Obligations for US Companies Seeking CBPR Certification
US-based companies that want to legitimately participate in the CBPR system must take several concrete steps:
- Select an approved Accountability Agent. The FTC is one of the recognized Accountability Agents in the United States, but companies can also work with private third-party agents that have been approved by APEC. Each agent has its own intake and assessment process.
- Conduct a gap analysis against the nine CBPR principles. Before applying, a company should audit its existing privacy policies and data handling practices against each of the nine principles. Gaps need to be remediated before certification is sought.
- Maintain certification through annual re-assessment. CBPR certification is not permanent. Certified companies are subject to ongoing compliance monitoring and must recertify periodically. A lapse in certification means the trustmark must come down immediately.
- Display the trustmark only as authorized. The CBPR trustmark may only appear on websites and marketing materials while certification is current and in good standing. Any deviation from the approved usage guidelines creates FTC exposure.
The Broader Landscape: FTC Enforcement of International Privacy Frameworks
The Vipvape case sits within a larger pattern of FTC enforcement actions targeting companies that make false or misleading privacy representations. The FTC has pursued similar cases under the EU-US Safe Harbor framework, the EU-US Privacy Shield, and TRUSTe certifications. In In re TRUSTe, Inc. (2014), the FTC found that TRUSTe, itself a privacy certification organization, had failed to conduct required annual re-certifications for hundreds of certified websites. The action reinforced that the integrity of the entire certification ecosystem depends on consistent, honest compliance.
Companies doing business across borders should treat privacy certification representations as they would any other material claim about their products or services. If the representation would be actionable as false advertising in another context, it is equally actionable as a deceptive trade practice in the privacy context.
What Happens When the FTC Investigates a Privacy Misrepresentation
When the FTC opens an investigation into a company’s privacy practices, the process typically begins with a civil investigative demand — essentially a subpoena — requiring production of documents, data, and written responses. The investigation can move quickly if the misrepresentation is straightforward, as it was in the Vipvape case, where the company was clearly not certified. Once the FTC determines a violation has occurred, it typically seeks a consent order that includes: (1) injunctive provisions prohibiting the specific conduct and related conduct; (2) recordkeeping and reporting requirements that can span twenty years; and (3) in some cases, disgorgement of ill-gotten gains or monetary penalties for future violations.
The consent order in the Vipvape case, while it did not include a significant monetary component, carries long-term compliance obligations. Any future violation of the order would expose the company to civil penalties of up to $51,744 per violation per day under 15 U.S.C. § 45(l) — a figure that has been adjusted upward through inflation-based amendments.
Talk to an Attorney
If your business participates in any privacy certification program — or is considering doing so — you need to ensure your certifications are current, accurate, and properly displayed. False or lapsed certifications create immediate FTC exposure and can undermine consumer trust in ways that are difficult to repair. The attorneys at Revision Legal advise companies on privacy compliance, FTC regulatory requirements, and cross-border data transfer frameworks. Contact us through the form on this page or call 855-473-8474.