FAQ for EU Privacy Shield

Frequently Asked Questions


How long will it take for BBB EU Privacy Shield to accept my application after you receive my Participation Agreement and annual fee?

We can usually accept applications within two days of receiving your signed Participation Agreement, a draft Privacy Shield-compliant privacy policy that meets our requirements, and your annual fee. If the draft privacy policy you provide for our review does not meet our minimum requirements, we will require revisions before accepting your application. To avoid delays, please follow the privacy policy guidelines and ensure that you use our required language, found here.

What will you look for when you review our privacy policy?

We look for the following three elements in reviewing your privacy policy:

  1. The policy must include an affirmative commitment to adhere to each of the Privacy Shield Principles at the core of the Privacy Shield Framework, and should address the 13 requirements of the Privacy Shield Notice principle. 
  2. The policy must identify BBB EU Privacy Shield as your independent recourse mechanism for Privacy Shield privacy complaints and include contact information for the program.
  3. The policy must be clearly posted on your Web site or be publicly available on request. 

Note: Do not make your Privacy Shield-compliant privacy notice live on the Web until the Department of Commerce has reviewed your certification and instructs you to post the policy. Additional details about privacy notices and required BBB language can be found here.

Is your fee schedule based on my business’s worldwide gross revenue or on revenue from EU business alone?

Our fees are based on your business’s total gross revenue, not simply revenue from EU-related business.

My business is already BBB Accredited. Does accreditation include EU Privacy Shield dispute resolution?

No, accreditation does not cover EU Privacy Shield dispute resolution.  BBB EU Privacy Shield is a specialized program recognized by the Department of Commerce as a dispute resolution mechanism under the EU Privacy Shield Framework.  The BBB EU Privacy Shield Participation Agreement binds participating businesses to arbitrate disputes from European consumers concerning alleged violations of the EU Privacy Shield Principles and includes other necessary provisions that are not part of your BBB accreditation agreement.

Can our Participation Agreement be structured to cover our subsidiaries or affiliates? When must a subsidiary create its own separate account?

Named subsidiaries or affiliates may be covered under the parent’s Agreement in some limited circumstances. At a minimum, the parent and the subsidiary must be covered by a common Privacy Shield privacy policy that is posted on all subsidiary websites and that links to the BBB’s complaint handling page; they must share a privacy officer and point of contact for privacy complaints; and the parent must be able to designate a corporate officer to sign the Agreement who is authorized to bind both the parent and the subsidiary. Where several entities are covered under a single Agreement, the annual fee will be based on the aggregated gross annual revenues of the covered entities. Where all of these conditions cannot be met, a separate application and Agreement must be submitted for each subsidiary.

If you would like your subsidiaries to be covered by the Program, please contact us to check on their eligibility.  If we determine that subsidiaries may be covered under your Agreement, you must add the names of all subsidiaries to be covered before signing the Agreement and returning it to us.

Will BBB EU Privacy Shield provide a program seal or mark for our Web site?

We do not currently offer a BBB EU Privacy Shield seal or mark for your site.  Unless your business is BBB Accredited (in which case it may use the Accredited Business Seal in accordance with its BBB accreditation agreement), it may not use the BBB name or any of its trademarks on its web site or marketing materials, except to identify BBB EU Privacy Shield as its dispute resolution provider in its published privacy policy. 

Will BBB EU Privacy Shield assist us with the required annual verification that our privacy practices are consistent with the Principles?

While BBB EU Privacy Shield does provide self-certification guidance and ongoing compliance assistance to our participating businesses, we do not offer verification services.  However, an annual verification to ensure compliance with the Principles is a Privacy Shield certification requirement.  The majority of our participants choose to do an internal self-assessment and verification rather than using a third-party provider. When choosing this option, simply state “in-house” in the verification section of your Department of Commerce certification application.

Does BBB EU Privacy Shield publish information on the complaints it receives?

The Program Rules require that a Procedure Report be published online each year in which there is relevant data to report. The Reports include a statistical summary showing: (1) the number and nature of contacts from the public and the actions taken by the CBBB and Panelist with respect to those contacts; and (2) the number and nature of Complaints deemed ineligible for processing during the period, including the specific reason for a determination of ineligibility.