
TRUSTe to Pay $200,000 Under Agreement With FTC on Privacy Seal Program Charges

TRUSTe Reaches Agreement With FTC on Privacy Seal Program Charges

Data privacy management solutions provider TRUSTe has agreed to pay $200,000 as part of a settlement with the United States Federal Trade Commission (FTC), which accused the company of failing to conduct annual re-certifications for some customers and of facilitating its misrepresentation as a non-profit entity.

Many organizations rely on TRUSTe's seals to show their customers that they meet consumer privacy requirements such as the ones detailed in the US-EU Safe Harbor Framework and the Children’s Online Privacy Protection Act (COPPA).

However, according to a complaint filed by the FTC, TRUSTe failed to conduct annual re-certifications between 2006 and January 2013 for customers who signed up for multi-year agreements (over 1,000 cases). A second charge refers to the fact that TRUSTe changed its corporate status from "non-profit" to "for-profit" in 2008, but failed to ensure that the organizations using its seals updated their privacy policies to reflect this change.

"TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge. Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action," FTC Chairwoman Edith Ramirez said in a statement on Monday. 

As part of its settlement with the FTC, TRUSTe must pay $200,000, and avoid making misrepresentations about its certification process and its corporate status. In its annual filing to the FTC, the company, which is a COPPA Safe Harbor certification provider, must supply detailed information regarding its COPPA-related activities, and maintain comprehensive records on these activities for a period of ten years.

In a blog post published on Monday, TRUSTe CEO Chris Babel admitted that two of the company's processes were flawed. Babel explained that the annual reviews not conducted in the case of multi-year customers represented only 10% of the total number of reviews in the period between 2006 and January 2013.

"Multi-year clients that did not undergo the annual review step of their certification were reviewed when their agreements were up for renewal. Because over 90% of multi-year clients signed two-year contracts, the vast majority were reviewed every other year," Babel explained.

The annual re-certification issue was addressed by TRUSTe in January 2013 when the company implemented new controls for the process. The corporate status issue was addressed late last year when the company started requiring customers to remove the non-profit reference from their privacy policy before being re-certified, Babel said.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.