TRUSTe's EU Safe Harbor Seal Program
  Compliance and Enforcement Update
  Conference on Cross-Border Data Flows & Privacy
  October 15-16, 2007
  Martha K. Landesberg
  Director of Policy and Counsel, TRUSTe
About TRUSTe
  Independent non-profit headquartered in San Francisco
  Mission: Advancing Privacy and Trust for the Networked World
    – Build on widely-accepted privacy best practices
    – Elevate responsible players
    – Help consumers identify who they can trust
    – Supplement legislation and regulation
    – Address emerging privacy vulnerabilities and threats
  Celebrating 10th Anniversary
TRUSTe: 10 Years of Impact
  Web Privacy Seal
    – 2,400 Websites
    – 1,500 companies
    – 22 of Top 50 most visited websites
    – 1 Million click-to-verify pageviews monthly
    – Thousands of consumer complaints resolved annually
  EU Safe Harbor Seal by authority of the US Department of Commerce
  Children's Online Privacy Protection Act Safe Harbor by authority of the US Federal Trade Association
  Privacy Seal beyond legal requirements for legitimate mail
  Trusted Download Program (beta)
    – Certifying consumer downloadable software (not Spyware)
TRUSTe E.U. Safe Harbor Seal Program
  Launched in licensees with 317 websites
  14 new Sealholders in 2007
  Millions of consumers
  Notable EU Sealholders:
    – Adobe Systems
    – Audible
    – Apple Computer
    – Best Buy
    – Carlson Companies
    – Facebook
    – Harris Interactive
    – Logitech
    – McAfee, Inc.
    – Microsoft
    – Monster
    – Oracle
    – Sybase
    – Verisign
TRUSTe International Services
  Foreign language privacy statement translation is certified by TRUSTe
  Click to Verify seal on certified privacy statement links to validation page in foreign language
  Watchdog Dispute Resolution services provided in languages other than English
TRUSTe EU Safe Harbor Program Certification Process Improves Licensee Practices
  1. Online Application
  2. Enforceable Contract
  3. Payment
  4. Strong Commitment
  Over 90% required to make changes to business practices
    – Notice at Point of Collection
    – Privacy Policy disclosures esp. cookies and third-party sharing
    – HTTPS for sensitive data (e.g. credit card)
TRUSTe EU Safe Harbor Program Certification Process
  1. Strict Standards
    – Incorporate all Safe Harbor Privacy Principles
  2. Self-Assessment + Rigorous TRUSTe Review
    – Web Site Audit
    – Access Reputation and other data
    – Revision of policy and practice
  3. Transparent Privacy Statement
    – Sealholder states adherence to Principles
    – Clear notice of complaint mechanism
  4. Seals Awarded and Displayed
  5. Ongoing Monitoring & Dispute Resolution
  6. Annual Recertification Required
TRUSTe Privacy Seal Certification
  Prospective sealholder submits completed 67-question self-assessment to TRUSTe
  TRUSTe reviews the prospective member's website, privacy practices and privacy statement against our program requirements
  TRUSTe team delivers a Site Findings Report (SFR) to the prospective member with required changes for improvement and compliance with program requirements
  Prospective member makes necessary corrections to comply with TRUSTe program requirements
  TRUSTe Compliance team does quality check of prospective member's Web site and practices against TRUSTe program requirements
  TRUSTe issues license to display seal
  New member implements TRUSTe seals per TRUSTe seal implementation requirements
  TRUSTe monitors member's website for proper implementation throughout the year
  TRUSTe checks compliance with new requirements and regulations during recertification
TRUSTe Validation Page
  Foreign language privacy statement translation is certified by TRUSTe
  Click to Verify seal on certified privacy statement links to validation page in foreign language
Evaluate websites from many angles: proactive and reactive approach
  Ongoing Monitoring
  Technological scans seeding
  Reputation monitoring
  Ongoing reviews
  Watchdog monitoring
  Other reviews of blogs, press, consumer postings
  Approximately 50% of scans discover problems
TRUSTe E.U. Safe Harbor Seal Program Watchdog Dispute Resolution
  Online independent recourse mechanism
  Free of charge to consumers
  Easy-to-use online form
  Transparent, fair and equitable
  Complaints for offline data can be submitted by mail or fax
TRUSTe Watchdog Complaints
  We receive complaints of all sorts per year
    – Resolve privacy complaints
    – Forward non-privacy issues to sealholder as a courtesy
    – Refer out-of-scope complaints to appropriate resources
  We work with consumer and sealholder to resolve issues
  Complaints provide critical input to monitoring process
  We also offer self help through web site and newsletters
  Note: for all TRUSTe Watchdog Complaints
TRUSTe EU Safe Harbor Program Complaints from EU Citizens
  200 Privacy Complaints in past 12 months
    – All resolved
    – Typical issues: Spam; Can't unsubscribe; Can't close account; Unauthorized sharing with third parties
    – New issue trends: Phishing; Spyware; Unauthorized profile posted; Access: unable to correct personal information
Steps to Resolve a Watchdog Complaint
  Working with Consumer and Sealholder to reach satisfactory resolution
  Consumer files complaint with the TRUSTe Watchdog Dispute Resolution Program watchdog_complaint.php
  TRUSTe reviews all complaints for jurisdiction and responds to consumer within five (5) business days
  TRUSTe forwards complaint to TRUSTe licensee who is required to respond within five (5) business days
  Licensee provides restitution to consumer directly or via TRUSTe at consumer request
  Consumer is given 10 business days to accept or reject proposed restitution
  When consumer responds, TRUSTe mediates resolution satisfying both consumer and licensee and then TRUSTe closes the complaint record
  When consumer does not respond, TRUSTe considers the resolution accepted and closes the complaint record
Types of Investigations
  Process (65%):
    – Unsubscribe me
    – Close account
    – Can't reach licensee
  Technical (20%):
    – Interface disclosures
    – TRUSTe seeding of client lists to check unsub link, unauthorized third-party mail
  Privacy Statement Analysis (14%):
    – Notice about data sharing, cookies etc.
  Legal/Policy Analysis:
    – Legal status of unusual business models or practices
    – Potentially deceptive notice
  May be triggered by Watchdog complaints or on TRUSTe initiative
Severity Scorecard: Early Warning System
  Used to analyze Watchdog complaints by company and provide early warning
  Weighting helps assess:
    – severity of complaint(s)
    – trends in complaint type
    – trends in complaint volume
  Color/letter process map reflects type of follow-up and sealholder changes required:
    – type of investigation
    – privacy policy change
    – notice at opt-in
    – type of information collected
    – data spill assistance to Licensee
    – level of escalation within TRUSTe
  TRUSTe Watchdog Diagnosis (Complaints per Month)
  Increasing Offenses, weighted score
    Offenses | 1 | 2 | 3+
    Unable to unsubscribe | D | E | G
    Unauthorized profile with my information | D | E | G
    Unwanted | D | E | G
    Excessive | D | E | G
    sent without permission | D | E | G
    Unable to close account | D | E | G
    Unable to change/delete personal information | D | E | G
    Shared personal information | A | B | C
    Violated privacy policy | A | B | C
    Unable to contact licensee | A | B | C
    Children's information (under 13) | A | B | C
    Inconsistent Unsubscribe Instructions | A | B | C
    Inaccurate Disclosure: POC | A | B | C
    Inaccurate Disclosure: PS | A | B | C
Enforcement Options
  Suspend Certification
    – Notified on Verification Page
    – Seal still on Website
    – Timeframe for Resolution
  Terminate
    – Termination for Convenience (non-public) - other issues not directly related to contract and/or reputation issues
    – Terminate and Rehabilitate
    – Termination for Cause (publish on website)
    – Terminate and refer case to law enforcement/regulators
  Process must be transparent, consistent, fair, and lead to positive consumer outcomes
    – Usually result in company coming back into compliance
  Independent Non-Profit Status Important
Compliance and Enforcement Toolbox
  Certification:
    – 90% improve practices
  Watchdog Dispute Resolution
    – 100% resolution
    – Small # of terminations
  Proactively monitor
    – Scanning
    – Seeding
  Enforcement Options
    – Decline to Recertify
    – Suspend
    – Terminate
Safe Harbor is Working
  Licensees demonstrate their ongoing commitment to Safe Harbor Privacy Principles
  Keeping companies compliant is a win-win for consumers and marketplace
  Measure of success: number of companies that have made commitment and are staying compliant
  Referral to FTC has not been necessary – a testament to our sealholders' commitment
Contact Information
  Martha Landesberg
  Director of Policy and Counsel
  TRUSTe
  1750 K Street, Suite 1229
  Washington, DC