The Federal Trade Commission reached a deal with privacy certification company TRUSTe to settle charges that the company misled consumers about its recertification program and that it falsely perpetuated its reputation as a nonprofit entity.
Consumers believe that a business with a TRUSTe seal has complied with standards such as the Children’s Online Privacy Protection Act or the U.S.-EU Safe Harbor Framework, the agency said, but over a seven-year period TRUSTe failed to conduct more than 1,000 recertifications for all companies holding TRUSTe Certified Privacy Seals. Even though the company’s Web site states that recertifications are conducted on an annual basis, between 2006 and 2013 TRUSTe just didn’t get around to doing it, the agency claimed.
In addition, after the company became a for-profit corporation in 2008, TRUSTe neglected to provide updated references about its status to clients. Companies bearing the TRUSTe seal continued to use the model language previously provided by TRUSTe stating that it was a nonprofit entity, the FTC said, perpetuating a misperception.
Pursuant to a proposed consent order, TRUSTe will be prohibited from future misrepresentations about its certification process, the certification timeline, and its corporate status. As a COPPA safe harbor entity, TRUSTe will be required to provide information about its activities in annual reports to the FTC for the next decade. The company also promised to pay $200,000.
While the Commission vote to accept the proposed consent agreement was unanimous, Commissioner Maureen Ohlhausen partially dissented with regard to the nonprofit misrepresentation charges. She argued that to be liable for deception under a “means and instrumentalities” theory requires that the party itself make a representation. TRUSTe’s recertification of an entity without requiring (albeit requesting) that the company update the relevant language that it was now a for-profit entity should not trigger liability, Ohlhausen said.
She expressed her concern that the FTC was “stepping beyond the limits.” “TRUSTe did not pass to clients any false or misleading representations regarding its for-profit status.”
In a joint statement, FTC Chairwoman Edith Ramirez and Commissioners Julie Brill and Terrell McSweeny characterized the means and instrumentalities charge as “particularly appropriate” given TRUSTe’s “unique position in the privacy self-regulatory ecosystem. Companies that purport to hold their clients accountable to protect consumer privacy should themselves be held to an equally high standard.”
The agreement is open for public comment until Dec. 17.
To read the complaint, proposed consent agreement, and statements from the Chairwoman and Commissioners in In the Matter of True Ultimate Standards Everywhere, Inc., click here.
Why it matters: In a press release, FTC Chairwoman Edith Ramirez characterized the action as a failure of self-regulation. “TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” she said. “Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” The case also provided the Commissioners an opportunity to debate the scope of “means and instrumentalities” liability – an important consideration for advertisers.