What’s the News?

TRUSTe, Inc., a major provider of privacy certifications for online businesses, recently settled with the Federal Trade Commission (FTC) over charges that it has been engaging in deceptive business practices. The FTC alleged that TRUSTe was misrepresenting the frequency of its recertification reviews of participating businesses, as well as its own corporate status. News of the settlement serves as a reminder to online businesses of the need to ensure compliance with applicable privacy laws and industry best practices.

How TRUSTe’s Privacy Seals Work

TRUSTe offers certification “seals” to companies that meet designated criteria for the consumer privacy programs that it administers. These seals, which are displayed on company websites and mobile applications, are intended to assuage consumer concerns about how businesses will treat their personal information. When a company applies for a seal, TRUSTe investigates the company’s practices to certify compliance with the specifications of the seal program at issue.

On its website, TRUSTe claims to conduct an annual recertification review of all participating businesses in order to ensure ongoing compliance with the relevant seal program. But according to the FTC complaint, TRUSTe failed to conduct an annual review in more than 1,000 instances between 2006 and 2013. In addition, the FTC claimed that TRUSTe failed to have its clients amend language in their privacy policies that incorrectly identified TRUSTe as a nonprofit entity. TRUSTe had given model language to its clients when it was, in fact, a nonprofit, but failed to provide replacement language upon its transition to for-profit status in 2008.

The settlement agreement enhances federal oversight of TRUSTe’s business practices in a number of ways. In addition to requiring a $200,000 payment, it enjoins the company from making any misrepresentations about its certification process or its corporate status. It also requires the company to maintain detailed records and provide extensive reporting to the FTC on its Children’s Online Privacy Protection Act (COPPA) seal program for the next 10 years.

What Businesses Need to Know Going Forward

In light of the settlement, consumers may (understandably) have concerns about the privacy practices of online businesses. Companies — especially those holding TRUSTe seals — should engage in a thorough review of their privacy policies to ensure compliance with privacy laws and industry best practices. While certification programs can be an effective way of ensuring such compliance, they are generally not required by law and are not the only option for ensuring compliance with state and federal privacy laws.