Data Privacy Framework (DPF) Services
Compliance Made Simple
Privacy is both a legal obligation and a critical element of customer service. BBB National Programs delivers cross-border privacy compliance services to U.S. businesses of all sizes. As your Independent Recourse Mechanism (IRM), we provide you with the one-on-one customized support you need.
Our Services
Monitoring
Dispute Resolution
Handling personal data involves a lot of moving parts. It’s our mission to help you.
The Process
Work with BBB National Programs to prepare for DPF Program self-certification in three easy steps.
Step 1: Sign Up with BBB National Programs
When completing BBB National Programs’ application, please answer each question to the best of your ability and be sure to have the following available:
- Contact information (telephone and email addresses) for the company’s primary contact for legal notices and communications, as well as a designated contact for complaints and a billing contact.
- Your company’s gross annual sales revenue.
- Your company’s legal name and state of incorporation (this same name must be used when you self-certify with the U.S. Department of Commerce). Add any D/B/A names and any "covered entities"—U.S.-based subsidiaries or affiliates to be covered—in the appropriate fields.
When you complete the application, we will provide you with a letter containing a reference number, fee information, and a completed Participation Agreement for signature. Please read our Rules and Participation Agreement before submitting the application online.
Step 2: Prepare Your Certification Package
We will:
- Review your privacy policy and other applicable notices
- Provide recommendations based on the DPF Principles
- Confirm that your privacy policy and notices are accessible to all visitors to your public website
For example, you must state whether you will participate in the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, the Swiss-U.S. DPF, or all of the above. We have outlined some of those options on our Privacy Policy Requirements page and will work with you to ensure the new language is applied correctly.
Once your application with BBB National Programs is complete, it is time to self-certify with the U.S. Department of Commerce DPF Program.
Step 3: Self-Certify with the DPF Program
- When completing your self-certification application, you will select BBB National Programs in the “Recourse Mechanism” field drop-down.
- You will also need to complete all steps listed on the Department of Commerce’s website.
Once your certification submission is complete, the U.S. Department of Commerce will instruct you to post your approved privacy policy to your website. Once you notify the Department of Commerce that your notice is published, they will list your organization on the Data Privacy Framework List.
Annual Reporting
BBB National Programs publishes annual Procedure Reports that provide summaries of our program operations throughout the year. In accordance with our obligations as a U.S. Department of Commerce-recognized Independent Recourse Mechanism, our annual procedure reports provide aggregate statistics about our dispute resolution services.
Frequently Asked Questions (FAQs)
What is the Data Privacy Framework Program?
The Data Privacy Framework Program, which officially replaced Privacy Shield in July 2023, is a mechanism for legally transferring personal data from the European Union, the United Kingdom (and Gibraltar), Switzerland, or other participating countries to the United States. Designed by the U.S. Department of Commerce to support transatlantic commerce in coordination with the European Commission, the program promotes greater transparency around international data processing and enables U.S. businesses to demonstrate that their privacy practices meet data protection requirements such as GDPR, including enhanced protections for consumers.
What are my rights under the Data Privacy Framework Program?
Among other requirements, a participating organization must provide you:
- Information on the types of personal data collected;
- Information on the purposes of collection and use;
- Information on the type or identity of third parties to which your personal data is disclosed;
- Choices for limiting use and disclosure of your personal data;
- Access to your personal data;
- Notification of the organization’s liability if it transfers your personal data;
- Notification of the requirement to disclose your personal data in response to lawful requests by public authorities;
- Reasonable and appropriate security for your personal data;
- A response to your complaint within 45 days;
- Cost-free independent dispute resolution to address your data protection concerns; and
- The ability to invoke binding arbitration to address any complaint that the organization has violated its obligations under the Principles to you and that has not been resolved by other means.
What is the role of BBB National Programs?
For more than 20 years, BBB National Programs, a non-profit organization based in the United States, has operated an approved independent dispute resolution mechanism. We help EU, UK, and Swiss individuals resolve privacy complaints under the Data Privacy Framework Program, and previously under Privacy Shield.
How do I file a complaint against a company?
You can learn more about the steps to file a complaint by visiting this page: For Consumers.