How to Join BBB EU Privacy Shield

Where do I start?

 

STEP 1 

Determine whether your business is eligible to use the EU-US or Swiss-US Privacy Shield Frameworks.  To be eligible to participate in Privacy Shield, you must answer “yes” to both of the following questions:

  • Does your organization fall under the investigatory and enforcement jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DoT)?  If you are uncertain as to whether your organization is under the jurisdiction of either the FTC or the DoT, we recommend that you contact the Commerce Department Privacy Shield team for further guidance.
  • Are you a US organization that receives or processes personal data either directly or indirectly from the EEA (including all European Union member states plus Iceland, Norway, Liechtenstein) or from Switzerland?  NOTE:  This may include subsidiaries, affiliates, business partners or vendors that process such information on behalf of another organization.

IMPORTANT NOTE:  BBB EU Privacy Shield, like other US-based alternative dispute resolution providers, is unable to offer dispute resolution services for issues relating to an organization’s transfer or processing in the United States of its own employees’ human resources data, collected and processed in the context of the employment relationship. However, the transfer and processing of such data does fall under the Privacy Shield Framework. For additional information, please refer to the Commerce Department’s Privacy Shield website.

STEP 2 

Complete the BBB EU Privacy Shield online application. When completing the application, be sure to have the following contact information available:  telephone and e-mail addresses for the company’s primary contact for legal notices and communications, as well as a complaint contact and a billing contact.  You will also need to provide your company’s gross annual sales revenue.  Please read the Rules document and Participation Agreement before submitting the application online.

On completing the application, you will receive a reference number and an annual fee amount based on our fee schedule for your business’s participation in the program. You will also receive a cover letter containing this information and a completed Participation Agreement to be signed by a corporate officer with signatory authority. 

IMPORTANT: When completing the online application, identify your company by its legal name and state of incorporation. Add any D/B/A names and any "covered entities" (US subsidiaries or affiliates to be covered) in the appropriate fields. You MUST use the same name to register with BBB EU Privacy Shield that you will use to self-certify with the Commerce Department, so that businesses and consumers in Europe can easily find and verify your company status with both entities.

STEP 3

Create or modify a draft of your privacy notice and internal privacy policy to conform to the Privacy Shield Principles.  Please note that you should not post this draft privacy notice on your live website until you receive approval from both BBB EU Privacy Shield and the U.S. Department of Commerce.  Your draft privacy notice must specifically reference your organization’s compliance with the Privacy Shield Principles and must be made accessible to all visitors to your public website.  You must state which of the Privacy Shield Frameworks you will be using (EU-US, Swiss-US, or both), reference your participation in BBB EU Privacy Shield, and provide our program contact information for complaints. Information about Privacy Shield privacy policy requirements and BBB required language for each of the Privacy Shield Frameworks can be found here.  Visit the Commerce Department’s Privacy Shield website for additional information about Privacy Shield and the self-certification process.

STEP 4 

Submit your application materials via mail or email to BBB EU Privacy Shield: your application fee (check or electronic payment), your signed Participation Agreement, and a copy of your draft privacy notice.  Your application will be reviewed. If any additional information is required, we will contact you. Please note that your privacy notice must meet the minimum requirements set out in Step 3 before we can accept your application.  Once the review process is complete, you will receive an email notification indicating that your company has been accepted into the program.  This email will also include your countersigned Participation Agreement and provide further instructions on how to complete your Privacy Shield self-certification.

STEP 5

Self-certify with the Department of Commerce. To be assured of Privacy Shield benefits, please self-certify to the appropriate Privacy Shield Framework(s) with the Department of Commerce within 30 days of our approval of your application. Maintaining current self-certification(s) with the Department of Commerce is a requirement for ongoing participation in the BBB EU Privacy Shield program. Please review the Commerce Department’s self-certification guidance here for the information you will need for self-certification.  Once the Department has determined that your privacy policy is fully compliant and your certification submission is complete, the Privacy Shield team will notify your organization that it should publish its Privacy Shield-compliant privacy policy to its live, public-facing website.  The organization should promptly notify the Privacy Shield team as soon as the relevant privacy policy is published, at which time the Department will place the organization’s self-certification on the Privacy Shield List.  Privacy Shield benefits are assured from the date the Department places the organization on the Privacy Shield List.

Important: In the Department of Commerce’s “recourse mechanism” field, please select BBB EU PRIVACY SHIELD.