
Communications of the ACM


TRUSTe: An Online Privacy Seal Program



According to a recent Business Week/Harris survey [1], privacy is the number one consumer issue facing the Internet—ahead of ease-of-use, spam, security, and cost. By disclosing a site's privacy practices, content providers will significantly ease consumer privacy concerns and build a more trusting environment for online transactions. According to the same survey, 78% of online users would increase their use of the Internet if privacy practices were disclosed; and even more compelling, 61% of non-users would be more likely to begin using the Internet if privacy practices were disclosed.

Internet privacy concern has also prompted the U.S. government to threaten regulation if the Internet industry is unsuccessful in regulating itself. In several well-publicized events last summer, the U.S. Federal Trade Commission (FTC) made it clear that its patience is running out with industry efforts to self-regulate privacy practices.

In June, the FTC issued its long-awaited report entitled "Privacy Online: A Report to Congress." The report criticized online sites for not doing enough to protect consumer privacy, stating, "...it is evident that substantially greater incentives are needed to spur self-regulation and ensure widespread implementation of basic privacy principles." [3]

In July, the FTC announced its intention to recommend online privacy regulation unless the online industry takes demonstrable action to protect consumer privacy by January 1999. FTC Chairman Robert Pitofsky presented a congressional subcommittee with a model for protecting consumers who visit U.S. commercial Web sites. The statute would guarantee consumers four basic practices regarding personal information. Sites would need to provide notice of their information practices including what they collect and how they use it; offer choices for the way the information is used beyond what it was provided for; offer consumers reasonable access to that information and opportunities to correct inaccuracies; and take reasonable steps to protect the security and integrity of the information.

In August 1998, the FTC announced that GeoCities had agreed to settle FTC charges of deceptively collecting personal information in the Commission's first online privacy case. The Commission clearly contends it has the authority to protect against unfair and deceptive practices in the online medium.

The FTC also recommended privacy regulation for Web sites whose content is targeted toward children. These recommendations have been addressed in the Children's Online Privacy Protection Act of 1998 (S.2326), which was approved by Congress in October 1998.

The bottom line is that if Web sites don't support fair information practices and enforcement mechanisms when addressing users' privacy concerns, the government will regulate.

To help the Internet industry establish self-regulatory privacy guidelines and codes of conduct, the U.S. Department of Commerce (DOC) has provided industry with fair information practices and enforcement guidelines for what they deemed to be effective elements of self-regulation [2]. Industry has also stepped up. The Online Privacy Alliance (OPA), a diverse group of more than 60 global corporations and associations, was formed to introduce and promote businesswide actions that create an environment of trust and foster the protection of individuals' privacy online [4]. The OPA has developed guidelines to further define the DOC's fair information practices and enforcement requirements, including principles for effective privacy policies, elements of effective self-regulation, and guidelines for addressing children's privacy issues. These guidelines are recognized as the industry standard for addressing online privacy.


TRUSTe Online Privacy Program

TRUSTe is a non-profit, privacy seal program for Web sites dedicated to building consumers' trust and confidence on the Internet, and in so doing, accelerating the growth of the Internet. In displaying the TRUSTe trustmark, Web sites send a clear signal to users that they've openly agreed to disclose their information gathering and dissemination practices, and that their disclosure is backed by credible third-party assurance. Specifically, TRUSTe licensees agree to the following requirements:

Notice. The Web site must post a privacy statement linked from the home page, which includes disclosure of the site's information gathering and dissemination practices. TRUSTe works with the Web site to develop comprehensive privacy statements that are easy to read and understand.

Choice. The Web site must provide, at a minimum, the ability for users to opt out of having their personal information used by third parties for secondary purposes.

Security. The Web site must implement reasonable procedures to protect personal information from loss, misuse, or unauthorized alteration.

Data quality and access. The Web site must provide a mechanism for consumers to correct inaccuracies in their information.

Verification and oversight. TRUSTe provides assurance to users that the site is following its stated privacy practices through initial and periodic reviews, seeding, and compliance reviews. The Web site agrees to cooperate with TRUSTe's oversight process.




TRUSTe conducts an initial review of each Web site and privacy statement to check for consistency and adherence to program principles, and to confirm that the privacy statement discloses what type of personally identifiable information is being gathered, who is collecting it, how it will be used, and with whom it will be shared. After the privacy program is in place, TRUSTe continues to review the site and privacy statement periodically to ensure that all the required criteria continue to be met. All initial and periodic reviews are conducted at TRUSTe's facility by accessing the licensee's Web site.

TRUSTe seeds Web sites with unique identifiers to track the uses of personal information. For example, TRUSTe visits a site under an assumed identity and inputs unique information specific for that Web site to see if it complies with its stated practices.
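The seeding check described above can be sketched as follows. This is an added example, not TRUSTe's own tooling or code from the article: it assumes the seed is an e-mail address carrying a keyed tag, and the key, domains, function names and sample messages are all constructed for illustration.

```python
import hashlib
import hmac

# All values below are constructed for illustration; none come from the article.
SEED_KEY = b"constructed-demo-key"
SEED_DOMAIN = "seeds.example.org"

def _tag(site):
    # Keyed tag binds a seed to one site, so seeds cannot be guessed or forged.
    return hmac.new(SEED_KEY, site.lower().encode(), hashlib.sha256).hexdigest()[:12]

def make_seed(site):
    """Unique e-mail address to submit to `site` and nowhere else."""
    return f"{site.lower().replace('.', '-')}.{_tag(site)}@{SEED_DOMAIN}"

def attribute(recipient, known_sites):
    """Map a seed address seen on inbound mail back to the site it was given to."""
    local, _, domain = recipient.lower().partition("@")
    if domain != SEED_DOMAIN or "." not in local:
        return None
    tag = local.rsplit(".", 1)[1]
    for site in known_sites:
        if hmac.compare_digest(tag, _tag(site)):
            return site
    return None  # unknown or forged seed

def review(messages, known_sites, shares_with_third_parties):
    """Return (site, sender_domain) where a seed reached a party the site's
    stated practice says it would not share with."""
    findings = []
    for sender, recipient in messages:
        site = attribute(recipient, known_sites)
        if site is None:
            continue
        sender_domain = sender.rsplit("@", 1)[-1].lower()
        first_party = sender_domain == site or sender_domain.endswith("." + site)
        if not first_party and not shares_with_third_parties[site]:
            findings.append((site, sender_domain))
    return findings

SITES = ["shop.example.com", "news.example.net"]
STATED_SHARING = {"shop.example.com": False, "news.example.net": True}
MESSAGES = [  # (sender, recipient) pairs, constructed
    ("orders@shop.example.com", make_seed("shop.example.com")),
    ("promo@listbroker.example", make_seed("shop.example.com")),
    ("ads@partner.example", make_seed("news.example.net")),
    ("x@junk.example", "shop-example-com.000000000000@seeds.example.org"),
]

if __name__ == "__main__":
    print(review(MESSAGES, SITES, STATED_SHARING))
```

Only the second message is reported: it reaches a seed given solely to a site whose stated practice is not to share, from a sender outside that site. The forged address in the last message is ignored because its tag does not verify.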

If TRUSTe has reason to believe a licensee is not following its stated privacy practices, a third-party CPA firm such as PriceWaterhouseCoopers or KPMG Peat Marwick may conduct a compliance review. Compliance reviews compare the Web site's actual privacy practices with stated practices and are performed on-site at the licensee's physical location.

Complaint Resolution. TRUSTe provides users a structure to resolve complaints that cannot be adequately resolved by the TRUSTe licensee. TRUSTe maintains an audit trail of licensee's privacy statements, so on any given day, TRUSTe knows the licensee's stated practices. TRUSTe's escalation process assures that complaints will be answered in a fair and timely fashion.

Consequences. Depending on the severity of the privacy breach, such as failing an on-site compliance review or failing to agree with the outcome of TRUSTe's dispute resolution, TRUSTe's course of action may include revocation of the licensee's trustmark. TRUSTe may refer the issue to the appropriate law authority, which in the U.S. may include the appropriate attorney general's office, the FTC, or the Consumer Protection Agency.

Education. TRUSTe has an ongoing privacy education program targeted to consumers and businesses. Through print and banner advertisements, consumers and Web publishers are directed to content-appropriate areas of the TRUSTe Web site. This October, TRUSTe kicked off the Privacy Partnership campaign to educate consumers about their online privacy options and to encourage business owners to post privacy statements. This grassroots Internet campaign, organized by TRUSTe and supported by America Online, Excite, Infoseek, Lycos, Microsoft, Netscape, Snap, and Yahoo!, will feature over 200 million banner advertisements linked to TRUSTe's Web site, which provides resources and privacy protection tips and tools.

TRUSTe Privacy Seal. TRUSTe provides an easily recognized, branded TRUSTe privacy seal, or trustmark, to all sites that are found to be in compliance with TRUSTe requirements (see Figure 1).

To prevent unauthorized use of the trustmark, TRUSTe has implemented a "Click to Verify" seal. TRUSTe-approved privacy statements must display the Click to Verify seal, which links to a page on TRUSTe's secure server to confirm participation (see Figure 2).

The TRUSTe program has always been dedicated to evolving as consumers and the marketplace demand enhancements to online privacy protection. In recognizing the special privacy protections that need to be afforded to children using the Internet, TRUSTe has implemented a Children's Program. This program is based on the FTC's recommendations to Congress and the OPA's guidelines, and calls for sites to obtain parental consent or provide parental notice in order for sites to gather and use information from children under the age of 13.

Web sites directed at children under the age of 13, or Web sites where the age of the user is known to be under 13, must follow the requirements of TRUSTe's Children's Seal Program in addition to TRUSTe's program requirement. Web sites that follow TRUSTe children's requirements will be denoted with a kid's trustmark to clearly inform parents and children of the site's compliance (see Figure 3).

In summary, TRUSTe's goal is to have a program that addresses both user and government privacy concerns by providing a cost-effective privacy solution to Web publishers. Annual licensing fees depend on the annual revenue of the company.


References

1. Business Week. A little net privacy, please. (Mar. 16, 1998); www.businessweek.com/@@4WZJy4cASJ*2SwAA/1998/11/b3569104.htm.

2. Department of Commerce. Discussion Draft; Elements of Effective Self-Regulation for Protection of Privacy. (Jan. 23, 1998); www.ecommerce.gov/staff.htm.

3. Federal Trade Commission. Privacy Online: A Report to Congress. (June 4, 1998); www.ftc.gov/reports/privacy3/index.htm.

4. Online Privacy Alliance. Guidelines for Online Privacy Policies—Effective Enforcement of Self-Regulation. Principles for Children's Online Activities; www.privacyalliance.org.


Author

Paola Benassi ([email protected]) is Product Operations Manager at TRUSTe, Palo Alto, Calif.


Footnotes

For additional information, visit www.truste.org.


Figures

Figure 1. TRUSTe privacy seal

Figure 2. TRUSTe's "Click to Verify" seal

Figure 3. Children's trustmark



©1999 ACM  0002-0782/99/0200  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 1999 ACM, Inc.


 
