TrustArc

Last updated
TrustArc
FormerlyTRUSTe Inc. (1997-2017)
Company type Private
Industry Internet security
Founded1997;27 years ago (1997)
Founders
Headquarters,
Key people
  • Chris Babel (CEO)
  • Tim Sullivan (CFO)
  • Elizabeth Blass (CCO)
  • Michael Lin (CPO)
ProductsPrivacy management
Website trustarc.com

TrustArc Inc. (formerly TRUSTe) is a privacy compliance technology company based in Walnut Creek, California. The company provides software and services to help corporations update their privacy management processes so they comply with government laws and best practices. [1] Their privacy seal or certification of compliance can be used as a marketing tool. [2]  

Contents

History

TrustArc was founded as a non-profit industry association called TRUSTe in 1997 by Lori Fena, then executive director of the Electronic Frontier Foundation, and Charles Jennings, a software entrepreneur, with the mission of fostering online commerce by helping businesses and other online organizations self-regulate privacy concerns. [3] [4]

In 2000, TRUSTe became the first organization to join the Safe Harbor framework of the U.S. Department of Commerce and the European Union, and subsequently launched its EU Safe Harbor Seal Program. [5] The EU-US Safe Harbor was agreed upon by the Department of Commerce and the EU to provide a framework for American companies to comply with European data and privacy standards. [6]

In 2001, TRUSTe became a Children's Online Privacy Protection Act Safe Harbor organization for the Federal Trade Commission and thereafter launched its Children's Privacy Seal Program. [7] That year, Fran Maier, who had helped build Match.com and had been running the company following the departure of its co-founder, Gary Kremen, joined the organization as executive director. [8] [9] One of her first efforts was to address consumer issues with email spam, which at the time was estimated to comprise 59 percent of all email traffic. [10]

The same year, TRUSTe's founding executive director, Susan Yamada, who was formerly editor of Upside Magazine, resigned, though later went on to serve as board chair. [3]

In 2008, TRUSTe changed its structure from a non-profit industry association to a venture-backed for-profit company, raising its first round of capital from Accel Partners. This raised the question of whether a for-profit company would be less stringent on the companies it certifies than a non-profit. [11]

In November 2009, Chris Babel, former Senior Vice President of VeriSign's worldwide Authentication Services, joined TRUSTe as chief executive officer. [12] Maier remained active in the company until 2014, serving variously as president, CEO and board chair.

In 2013, TRUSTe was approved by the European Interactive Digital Advertising Alliance as an official certification provider for the EU Self-Regulatory Programme for Online Behavioural Advertising. [13] The same year, TRUSTe was named the first approved Accountability Agent for the Asia-Pacific Economic Cooperation's Cross Border Privacy Rules System. [14] [15]

In 2016, in an effort to help companies prepare for the European Union's General Data Protection Regulation, which extends the scope of the EU data protection law established in 1995 to all foreign companies processing data of EU residents, TRUSTe partnered with the International Association of Privacy Professionals to offer free compliance assessments of a company's privacy practices. [16] [17]

On June 6, 2017, the company changed its name from TRUSTe to TrustArc. [18]

Services

TRUSTe logo TRUSTe Logo.png
TRUSTe logo

TrustArc's certification subsidiary, TRUSTe, provides privacy dispute resolution services, designed to help oversee consumer requests and complaints regarding the privacy practices of those companies participating in TRUSTe's program. [19]

Criticism and controversies

A Wired article in 2002 questioned whether TRUSTe certification could be trusted, noting that "TRUSTe officials often seemed to be covering for their clients" rather than revoking privacy seals for violations. [20]

In January 2006, Harvard economics researcher Benjamin Edelman published a study showing that sites with TRUSTe certification were 50 percent more likely to violate privacy policies than uncertified sites. [21] Edelman also reported that TRUSTe did not go far enough to punish seal holders that break their rules and was not prompt enough in revoking the seal on companies that violate privacy standards. [22]

Federal Trade Commission settlement

On November 17, 2014, the Federal Trade Commission announced that TRUSTe had agreed to settle a complaint that it misrepresented to consumers its recertification program, and its status as a non-profit entity, against a $200,000 penalty. [23] The FTC complaint alleged that from 2006 to 2013, TRUSTe failed, in over 1000 instances, to conduct annual privacy checks on the companies it certified. [24] [25] Consumer organizations, including Center for Digital Democracy and the Consumer Federation of America, argued for higher penalties and more FTC oversight, but the FTC declined to increase the penalties. [26] FTC Commissioner Maureen Ohlhausen issued a partial dissent to the FTC ruling, "because TRUSTe never misrepresented its corporate status," and had informed clients of its for-profit status. [27]

See also

Related Research Articles

<span class="mw-page-title-main">Children's Online Privacy Protection Act</span> American federal cyber law in 2000

The Children's Online Privacy Protection Act of 1998 (COPPA) is a United States federal law, located at 15 U.S.C. §§ 65016506.

<span class="mw-page-title-main">Federal Trade Commission</span> United States government agency

The Federal Trade Commission (FTC) is an independent agency of the United States government whose principal mission is the enforcement of civil (non-criminal) antitrust law and the promotion of consumer protection. The FTC shares jurisdiction over federal civil antitrust law enforcement with the Department of Justice Antitrust Division. The agency is headquartered in the Federal Trade Commission Building in Washington, DC.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

<span class="mw-page-title-main">International Association of Privacy Professionals</span> Nonprofit membership association

The International Association of Privacy Professionals (IAPP) is a nonprofit, non-advocacy membership association founded in 2000. It provides a forum for privacy professionals to share best practices, track trends, advance privacy management issues, standardize the designations for privacy professionals, and to provide education and guidance on career opportunities in the field of information privacy. The IAPP offers a full suite of educational and professional development services, including privacy training, certification programs, publications and annual conferences. It is headquartered in Portsmouth, New Hampshire.

The International Safe Harbor Privacy Principles or Safe Harbour Privacy Principles were principles developed between 1998 and 2000 in order to prevent private organizations within the European Union or United States which store customer data from accidentally disclosing or losing personal information. They were overturned on October 6, 2015, by the European Court of Justice (ECJ), which enabled some US companies to comply with privacy laws protecting European Union and Swiss citizens. US companies storing customer data could self-certify that they adhered to 7 principles, to comply with the EU Data Protection Directive and with Swiss requirements. The US Department of Commerce developed privacy frameworks in conjunction with both the European Union and the Federal Data Protection and Information Commissioner of Switzerland.

BBB National Programs, an independent non-profit organization that oversees more than a dozen national industry self-regulation programs that provide third-party accountability and dispute resolution services to companies, including outside and in-house counsel, consumers, and others in arenas such as privacy, advertising, data collection, child-directed marketing, and more. The Center for Industry Self-Regulation (CISR) is BBB National Programs' 501(c)(3) non-profit foundation. CISR supports responsible business leaders in developing fair, future-proof best practices, and the education of the public on the conditions necessary for industry self-regulation.

The Chief Privacy Officer (CPO) is a senior level executive within a growing number of global corporations, public agencies and other organizations, responsible for managing risks related to information privacy laws and regulations. Variations on the role often carry titles such as "Privacy Officer," "Privacy Leader," and "Privacy Counsel." However, the role of CPO differs significantly from another similarly-titled role, the Data Protection Officer (DPO), a role mandated for some organizations under the GDPR, and the two roles should not be confused or conflated.

<span class="mw-page-title-main">Jon Leibowitz</span> American lawyer

Jonathan David Leibowitz is an American attorney who served under President Barack Obama as Chair of the Federal Trade Commission (FTC) from 2009 to 2013. Leibowitz was appointed to the commission in 2004, and resigned in 2013. During Leibowitz's tenure, the FTC brought privacy cases against Google, Facebook and others for violating consumer privacy, as well as enforcement against "pay-for-delay" deals in which pharmaceutical companies paid competitors to stay out of the market. Prior to joining the FTC, Leibowitz was Vice President for Congressional Affairs from 2000 to 2004 of the MPAA.

<span class="mw-page-title-main">Trust seal</span>

A trust seal is a seal granted by an entity to websites or businesses for display. Often the purpose is to demonstrate to customers that this business is concerned with security and their business identity. The requirements for the displaying merchant vary, but typically involve a dedication to good security practices, or the use of secure methods for transactions, or most importantly verified existence of the company. Trust seals can come in a variety of forms, including data security seals, business verified seals and privacy seals and are available from a variety of companies, for a fee. A trust seal can be either active or passive. Most seals are validated when they are created and remain so for a specific duration of time, post expiry of which the business/process has to be re-validated.

The concept of the informed consumer is fundamental in the law of the European Union. Since the European Council Resolution of 14 April 1975, one of the primary objectives of the European Community, and then the European Union, has been the provision of information to consumers. The rationale is that market actors are enabled to make better choices when they are informed and have a greater capacity to understand the importance of their market actions and choices.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

In re Gateway Learning Corp, 138 F.T.C. 443 File No. 042-3047, was an investigatory action by the Federal Trade Commission (FTC) of the Gateway Learning Corporation, distributor of Hooked on Phonics. In its complaint, the FTC alleged that Gateway had committed both unfair and deceptive trade practices by violating the terms of its own privacy policy and making retroactive changes to its privacy policy without notifying its customers. Gateway reached a settlement with the FTC, entering into a consent decree in July 2004, before formal charges were filed.

<span class="mw-page-title-main">Julie Brill</span> American lawyer

Julie Simone Brill is an American lawyer who serves as Chief Privacy Officer and Corporate Vice President for Global Privacy, Safety and Regulatory Affairs at Microsoft. Prior to her role at Microsoft, Brill was nominated by President Barack Obama on November 16, 2009, and confirmed unanimously by the US Senate to serve as Commissioner of the US Federal Trade Commission on March 3, 2010. Brill served as a Commissioner of the Federal Trade Commission (FTC) from 2010 to 2016.

Lori Fena is an American internet activist, entrepreneur, and author, best known as the former director of the Electronic Frontier Foundation from 1995 to 1998 and author of "The Hundredth Window". Fena is currently the co-founder and VP of Business Development for Personal Digital Spaces and Founder and executive director of the Sustainable Information Economy.

Do Not Track legislation protects Internet users' right to choose whether or not they want to be tracked by third-party websites. It has been called the online version of "Do Not Call". This type of legislation is supported by privacy advocates and opposed by advertisers and services that use tracking information to personalize web content. Do Not Track (DNT) is a formerly official HTTP header field, designed to allow internet users to opt-out of tracking by websites—which includes the collection of data regarding a user's activity across multiple distinct contexts, and the retention, use, or sharing of that data outside its context. Efforts to standardize Do Not Track by the World Wide Web Consortium did not reach their goal and ended in September 2018 due to insufficient deployment and support.

<span class="mw-page-title-main">Maureen Ohlhausen</span> American lawyer (born 1962)

Maureen Kraemer Ohlhausen is an American lawyer who is a former Commissioner of the Federal Trade Commission, a position she held from April 4, 2012, to September 25, 2018. On January 26, 2017, President Donald Trump designated Ohlhausen to serve as Acting Chairwoman of the FTC. In January 2018, she was nominated by President Trump to a seat on the United States Court of Federal Claims. Ohlhausen withdrew her nomination for the federal judiciary in December 2018, opting instead to join Baker Botts as partner and co-chair of the firm's antitrust practice.

<i>United States v. Google Inc.</i>

United States v. Google Inc., No. 3:12-cv-04177, is a case in which the United States District Court for the Northern District of California approved a stipulated order for a permanent injunction and a $22.5 million civil penalty judgment, the largest civil penalty the Federal Trade Commission (FTC) has ever won in history. The FTC and Google Inc. consented to the entry of the stipulated order to resolve the dispute which arose from Google's violation of its privacy policy. In this case, the FTC found Google liable for misrepresenting "privacy assurances to users of Apple's Safari Internet browser". It was reached after the FTC considered that through the placement of advertising tracking cookies in the Safari web browser, and while serving targeted advertisements, Google violated the 2011 FTC's administrative order issued in FTC v. Google Inc.

FTC v. Balls of Kryptonite is an enforcement action brought in 2009 by the U.S. Federal Trade Commission (FTC) in United States District Court for the Central District of California. The defendant was Jaivin Karnani, a Southern California man, his company Balls of Kryptonite LLC, and several other corporate names they did business as. In 2011 the FTC secured a court order barring Karnani and Balls of Kryptonite from engaging in many of the deceptive business practices that had brought him to the agency's attention.

A privacy seal is a type of trust seal or trustmark granted by third party providers for display on a company's website. Companies pay an annual fee to have an image of the third party provider's seal pasted onto their homepage or privacy policy page. Users can oftentimes click on the seal and be redirected to the web assurance seal service's website which verifies the validity of the privacy seal. They are meant to act as a visual assurance for consumers that the website in question meets a certain standard of privacy. The idea of a privacy seal originates with its physical manifestation – companies have long sought seals of approval like Good Housekeeping to be placed on their tangible products in order to draw in customers who value "quality". While all web assurance seal services follow the guidelines set by the Federal Trade Commission, some providers may have additional requirements. Checks are then conducted on a regular or random basis to ensure compliance. Privacy seals can be applied to various types of e-commerce websites. Some seal providers even create a special privacy seal that is geared toward a certain product like mobile apps or accounting. There are many privacy compliance technology companies, most notably TRUSTArc, CPA Canada WebTrust, PwC Privacy and BBBOnline.

References

  1. "Operating Geos". Yahoo Finance. 25 June 2013.
  2. Reidenberg, Joel R.; Russell, N. Cameron; Herta, Vlad; Sierra-Rocafort, William; Norton, Thomas B. (2018). "Trustworthy Privacy Indicators: Grades, Labels, Certifications, and Dashboards" (PDF). Washington UL Rev. (6.
  3. 1 2 Fena, Lori; Jennings, Charles (2003). The Hundredth Window. Archive.org: Simon & Schuster. p. xix. Retrieved 27 August 2017. Lori still serves on its board of directors as chair ...
  4. The Hundredth Window:Protecting Your Privacy and Security in the Age of the Internet. Simon and Schuster Free Press. 2000. ISBN   068483944X.
  5. "Thank you for inviting me today to talk about TRUSTe and our experience with the WHOIS sys". judiciary.house.gov. Archived from the original on 2005-02-26.
  6. The EU-U.S. Privacy Collision: A Turn to Institutions and Procedures, 126 Harv. L. Rev. 1966 (2013)
  7. "Children's Privacy Seal".
  8. Angwin, Julia (February 12, 1998). "LOVE'S LABOR LOST Online matchmaker still seeks love, money". San Francisco Chronicle. pp. B3. Retrieved 28 September 2017.
  9. "Interagency Public Workshop: Get Noticed: Effective Financial Privacy Notices". 24 July 2013.
  10. "Privacy group to put seal on spam". CNET.
  11. Hansell, Saul (July 15, 2008). "Will the Profit Motive Undermine Trust in Truste?". New York Times.
  12. "People". TrustArc. Retrieved 2017-06-07.
  13. "EDAA approves TRUSTe, BPA Worldwide and ePrivacyconsult as Certification Providers". July 15, 2013.
  14. "The Cross Border Privacy Rules System: Promoting consumer privacy and economic growth across the APEC region". APEC.
  15. "APEC CROSS-BORDER PRIVACY RULES SYSTEM" (PDF). Apec.org. Asia Pacific Economic Cooperation Secretariat. p. 4. Retrieved 26 September 2017.
  16. European Union. "DIRECTIVE 2002/58/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 12 July 2002" (PDF). EC.Europa.EU. European Union. Retrieved 14 November 2017. concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
  17. International Association of Privacy Protection. "IAPP & TRUSTe GDPR Readiness Assessment". IAPP.org. Retrieved 14 November 2017.{{cite web}}: |last1= has generic name (help)
  18. "TRUSTe Transforms to TrustArc". TrustArc. Jun 6, 2017. Retrieved 2017-06-07.
  19. "Privacy Dispute Resolution". TrustArc.com. Retrieved 27 September 2017. helps efficiently manage privacy inquiries ...
  20. Boutin, Paul (April 9, 2002). "Just how Trusty is TrustE?". Wired.
  21. Edelman, Benjamin (September 25, 2006). "Certifications and Site Trustworthiness" . Retrieved 2008-07-03.
  22. Edelman, Benjamin (March 18, 2008). "Coupons.com and TRUSTe: Lots of Talk, Too Little Action" . Retrieved 2008-07-03.
  23. "TRUSTe Settles FTC Charges it Deceived Consumers Through Its Privacy Seal Program". Federal Trade Commission. November 17, 2014.
  24. Clark, Daniel S. "UNITED STATES OF AMERICA FEDERAL TRADE COMMISSION Complaint 1323219" (PDF). FTC.gov. para 1: Federal Trade Commission. Retrieved 27 September 2017.{{cite web}}: CS1 maint: location (link)
  25. Wyattnov, Edward (Nov 17, 2014). "F.T.C. Penalizes TRUSTe, a Web Privacy Certification Company". New York Times.
  26. Davis, Wendy (March 18, 2015). "TRUSTe Finalizes Settlement With FTC". Media Post.
  27. Ohlhausen, Maureen K. (November 17, 2014). "Partial Dissent of Commissioner Maureen K. Ohlhausen - In the Matter of True Ultimate Standards Everywhere, Inc. ("TRUSTe")". Federal Trade Commission. Federal Trade Commission of the United States. Retrieved 27 September 2017.