
Certifying privacy compliance: Is TRUSTe sufficiently trusty?

Mark Sableman November 26, 2014

People concerned about privacy often ask, “Who can you trust?” And thus it’s worrisome when even a trusted intermediary — indeed, a privacy certification provider named for trust, TRUSTe — turns out to have a trustworthiness problem.

TRUSTe’s recent settlement with the Federal Trade Commission, and its admission that it didn’t always carry out annual recertifications of its clients, illustrates, to some extent, how tough it is to find hard-and-fast assurances in the privacy world.

Business executives want to definitively resolve their privacy issues, just as, for example, they resolve their tax-payment issues or their stores’ compliance with building and zoning laws. But privacy compliance is inherently ephemeral, and even more problematic if one cannot rely on privacy seal programs like those of TRUSTe.

Unfortunately, no one has yet created reliable one-stop shopping for assured privacy compliance.

Concerned about your Internet privacy policies? Financial and healthcare institutions have some specific requirements to follow from their regulatory agencies, but there’s no overall national template for a web privacy policy. Those who think that cut-and-paste jobs from major Internet companies will do the trick often dig themselves into deeper problems. In fact, every business has to specially consider the requirements of the California Online Privacy Protection Act, that state’s “Shine the Light” law, the federal Children’s Online Privacy Protection Act, and other industry- or situation-specific requirements.

Concerned about your internal employment privacy rules? You can look to National Labor Relations Board regulations and advice, but state-specific precedents, rules, and expectations also need to be considered.

Concerned about your overall privacy practices? Expectations for best practices are often changed and refined. In the wake of Ubergate, if you haven’t already covered this, you ought to be updating your standards for company privacy and ethics with a rule that prohibits your executives from digging up dirt on the private lives of journalists who report on your industry.

Amid this privacy fog, however, there did seem to be an island of safety for those companies that tethered themselves to trusted privacy seal organizations, like those of TRUSTe and the Better Business Bureau.

If you signed up with TRUSTe (full name: True Ultimate Standards Everywhere, Inc.), you were telling the world that you had self-certified as complying with your own Internet privacy policy and with TRUSTe’s program requirements. TRUSTe offered its “Certified Privacy Seals” for display on the websites and mobile applications of customers who complied with its standards. Companies sought such seals in connection with their compliance with the U.S.-EU Safe Harbor Program, the Children’s Online Privacy Protection Act, and other programs.

If you used TRUSTe, your customers had the assurance (“expressly or by implication” in the FTC’s words) that TRUSTe was checking on you and verifying various aspects of your privacy promises and disclosures. Except, it turned out that it wasn’t always doing that. The FTC found that TRUSTe failed, in more than 1,000 instances, to conduct its required annual review of its customers’ practices. (TRUSTe noted that it conducted annual reviews for more than 90 percent of its customers and fixed its process in 2013.)

For this violation, in an agreed settlement, the FTC fined TRUSTe $200,000. Additionally, the company, while not admitting fault, agreed to a consent judgment that barred it from making misrepresentations about its certification process and required annual reports to the FTC for the next ten years.

Privacy issues are hard to get on top of, and in both the private and public sectors, enough mistakes and overreaching have occurred that many users are deservedly concerned about how their personal information will be used. Thus, there’s an eager market for programs that certify that corporate privacy programs meet basic expectations.

The TRUSTe case puts certification providers on notice that to compete in that important space, they must first assure the public that they themselves are certifiably trustworthy.

Mark Sableman is a partner in Thompson Coburn’s Intellectual Property group. He is the editorial director of Internet Law Twists & Turns. You can find Mark on Twitter, and reach him at (314) 552-6103 or msableman@thompsoncoburn.com.