A proposed Consent Order entered into by one of the leading providers of privacy certifications to online businesses, TRUSTe, Inc., calls into question the effectiveness of the online certification programs many businesses rely on. In its Complaint against TRUSTe, the Federal Trade Commission (“FTC”) alleges that TRUSTe mislead consumers by, among other things, providing an annual recertification of more than 1,000 companies’ privacy policies without conducting a review of the companies’ compliance with applicable privacy requirements. While TRUSTe did not admit fault for purposes of settling the allegations brought by the FTC complaint, the complaint raises serious questions about the ability of online businesses to rely upon certification organizations for privacy compliance.
Self-regulation and industry certification programs play a major role in facilitating online privacy. The requirements of the Children’s Online Privacy Protection Act (“COPPA”), the FTC rules, and numerous other federal statutes (not to mention state and foreign online privacy laws) create a complex set of privacy regulations for online businesses to navigate. As a result, many online businesses find it easier and more cost effective to use a certification program, like the programs offered by TRUSTe, to ensure online privacy compliance. However, such programs rely upon the faith of online business owners and consumers alike that the program provider actually provides the privacy oversight it claims to provide.
In addition to the credibility issues that arise from the TRUSTe complaint and settlement, online businesses that rely on TRUSTe for their privacy certification are now potentially more exposed to FTC investigation. While the Consent Order does not fault the online businesses that relied on TRUSTe’s certifications, the Consent Order does require TRUSTe to, among other things, maintain and make available to the FTC upon request detailed records regarding the assessments TRUSTe conducts to determine the fitness of new applicants and the continuing fitness of existing participants in any COPPA safe harbor program offered by TRUSTe. The Consent Order also requires TRUSTe to provide documents to the FTC upon request related to consumer complaints against participants in TRUSTe’s COPPA safe harbor program, documents related to disciplinary action taken against participants in any COPPA safe harbor program, and documents related to approvals of COPPA safe harbor program participants’ use of verifiable parental consent mechanisms.
Online privacy and data security is a complicated area of the law that many businesses do not have the expertise to handle in-house, but the TRUSTe Consent Order illustrates the potential for a business to open up gaps in its online privacy and data security protections if it relies solely on a certification program provided by a third party. Companies need to be aware of their online privacy and data security compliance obligations even if a company primarily outsources its compliance monitoring. If you or your company has any questions about your online privacy and data security policies, please contact Linda McReynolds at firstname.lastname@example.org.