FTC Settlement Raises Questions About Reliability of Online Privacy Certifications


A proposed Consent Order entered into by one of the leading providers of privacy certifications to online businesses, TRUSTe, Inc., calls into question the effectiveness of the online certification programs many businesses rely on.  In its Complaint against TRUSTe, the Federal Trade Commission (“FTC”) alleges that TRUSTe mislead consumers by, among other things, providing an annual recertification of more than 1,000 companies’ privacy policies without conducting a review of the companies’ compliance with applicable privacy requirements.  While TRUSTe did not admit fault for purposes of settling the allegations brought by the FTC complaint, the complaint raises serious questions about the ability of online businesses to rely upon certification organizations for privacy compliance.

Self-regulation and industry certification programs play a major role in facilitating online privacy.  The requirements of the Children’s Online Privacy Protection Act (“COPPA”), the FTC rules, and numerous other federal statutes (not to mention state and foreign online privacy laws) create a complex set of privacy regulations for online businesses to navigate.  As a result, many online businesses find it easier and more cost effective to use a certification program, like the programs offered by TRUSTe, to ensure online privacy compliance.  However, such programs rely upon the faith of online business owners and consumers alike that the program provider actually provides the privacy oversight it claims to provide.

In addition to the credibility issues that arise from the TRUSTe complaint and settlement, online businesses that rely on TRUSTe for their privacy certification are now potentially more exposed to FTC investigation.  While the Consent Order does not fault the online businesses that relied on TRUSTe’s certifications, the Consent Order does require TRUSTe to, among other things, maintain and make available to the FTC upon request detailed records regarding the assessments TRUSTe conducts to determine the fitness of new applicants and the continuing fitness of existing participants in any COPPA safe harbor program offered by TRUSTe.  The Consent Order also requires TRUSTe to provide documents to the FTC upon request related to consumer complaints against participants in TRUSTe’s COPPA safe harbor program, documents related to disciplinary action taken against participants in any COPPA safe harbor program, and documents related to approvals of COPPA safe harbor program participants’ use of verifiable parental consent mechanisms.

Online privacy and data security is a complicated area of the law that many businesses do not have the expertise to handle in-house, but the TRUSTe Consent Order illustrates the potential for a business to open up gaps in its online privacy and data security protections if it relies solely on a certification program provided by a third party.  Companies need to be aware of their online privacy and data security compliance obligations even if a company primarily outsources its compliance monitoring.  If you or your company has any questions about your online privacy and data security policies, please contact Linda McReynolds at lgm@commlawgroup.com.

ATTORNEY ADVERTISING DISCLAIMER: This information may be considered advertising in some jurisdictions under the applicable law and ethical rules. The determination of the need for legal services and the choice of a lawyer are extremely important decisions and should not be based solely upon advertisements or self-proclaimed expertise. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers

Sign Up To Receive Our
Advisories and Compliance Alerts

Sign up for our email list to receive notifications regarding new advisories and news