Your SlideShare is downloading. ×
TRUSTe Transparency Report 2013
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

TRUSTe Transparency Report 2013

130
views

Published on

TRUSTe’s 2013 Transparency Report, describing how our data privacy management platform helped companies power trust, drive engagement and ensure privacy compliance in 2013.

TRUSTe’s 2013 Transparency Report, describing how our data privacy management platform helped companies power trust, drive engagement and ensure privacy compliance in 2013.

Published in: Technology, News & Politics

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
130
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. TRUSTe TRANSPARENCY REPORT: 2013 TRUSTe Inc. 835 Market Street, Suite 800 San Francisco, CA 94103 888.878.7830 www.truste.com Published May 2014
  • 2. TRUSTe Transparency Report 2013 2 Contents Letter from our CEO ������������������������������������������������������������������������������������������������������������������������������� 3 2013: Year in Review ������������������������������������������������������������������������������������������������������������������������������� 5 TRUSTe Data Privacy Management Solutions I) Privacy Assessments ��������������������������������������������������������������������������������������������������������������������������6 II) Privacy Certifications ������������������������������������������������������������������������������������������������������������������������ 7 A. TRUSTed Websites and TRUSTed Websites Basic ����������������������������������������������������������������������������������������� 7 B. TRUSTed Cloud ������������������������������������������������������������������������������������������������������������������������������������������������������������������ 7 C. TRUSTed Apps and Mobile Sites ������������������������������������������������������������������������������������������������������������������������������ 7 D. TRUSTed Data �������������������������������������������������������������������������������������������������������������������������������������������������������������������� 8 E. TRUSTed Smart Grid ������������������������������������������������������������������������������������������������������������������������������������������������������� 8 F. APEC Privacy ����������������������������������������������������������������������������������������������������������������������������������������������������������������������� 8 G. Children’s Privacy �������������������������������������������������������������������������������������������������������������������������������������������������������������9 H. EU Safe Harbor ������������������������������������������������������������������������������������������������������������������������������������������������������������������9 I. EDAA �����������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������9 III) Monitoring Services & Compliance Controls ��������������������������������������������������������������������������9 A. Website Monitoring ���������������������������������������������������������������������������������������������������������������������������������������������������������9 B. TRUSTed Ads �������������������������������������������������������������������������������������������������������������������������������������������������������������������� 10 C. TRUSTed Consent Manager �������������������������������������������������������������������������������������������������������������������������������������� 10 TRUSTe Certification Operations Review A. TRUSTe Certification Program Requirements  �������������������������������������������������������������������������������������������������11 B. TRUSTe Certification Process �����������������������������������������������������������������������������������������������������������������������������������13 C. Consumer Dispute Resolution �����������������������������������������������������������������������������������������������������������������������������������14 TRUSTe Privacy Research and Education Series.............18 Appendices Appendix A — TRUSTe Privacy Program Requirements ������������������������������������������������������ 20 Appendix B — TRUSTe EU Safe Harbor Assessment Program (2009–2013) ��������������� 20 Appendix C — TRUSTe Children's Privacy Program (2009–2013) ������������������������������������ 20 Appendix D — TRUSTe Consumer Dispute Resolution (2009–2013) ��������������������������������21 Appendix E — Consumer Feedback to the TRUSTe Dispute Resolution Process �������24
  • 3. TRUSTe Transparency Report 2013 3 Letter from our CEO We are pleased to provide you with TRUSTe’s 2013 Transparency Report, describing how our data privacy management platform helped companies power trust, drive engagement and ensure privacy compliance in 2013. 2013 was the year when revelations about US government surveillance programs, and the ensuing media coverage, forced privacy into the mainstream consciousness. Along with the public awareness and outrage, came concern from European regulators about data transfers between Europe and the US. Even though privacy was ultimately excluded from trans–atlantic trade talks, concerns over international data transfers persist — as seen with the ongoing negotiations to revise the US–EU Safe Harbor Agreement. And yet, recent TRUSTe research shows that consumers remain more concerned with data collection by business than government surveillance.1 Certainly, this is one of the reasons why privacy has become an even bigger business concern in 2013. For many companies, a significant challenge is that privacy, like technology, is constantly changing — further complicating compliance obligations across multiple jurisdictions. In 2013, regulatory action and industry efforts drove many of the changes in the data privacy landscape. The FTC issued a comprehensive update to its Children’s Online Privacy Protection Act (COPPA) rules resulting in significant changes to TRUSTe’s Children's Privacy Program. The Department of Commerce’s NTIA division conducted a stakeholder proceeding that TRUSTe and others participated in which resulted in a standard for mobile privacy transparency. California passed several updates to its online privacy laws including new requirements around Do Not Track disclosures and advertising to minors. The Digital Advertising Alliance issued guidelines to companies involved in targeting ads to consumers on their mobile devices. TRUSTe continued to monitor all of these developments in 2013 and incorporated the necessary requirements into our programs, while working with clients to help them achieve compliance with new standards. We sustained our focus on technology including the development of advanced monitoring services and compliance controls such as our Website Monitoring Service, TRUSTed Ads OBA Preference Management Controls, and TRUSTed Consent Manager. These technologies help provide clients a comprehensive view of first and third party activity on their online properties at any given time and in 2013, we performed over 172,000 website scans on over 18 million web pages. We continued to see growth in our certification business, helping over 7,600 online properties safely collect and use personal information in compliance with TRUSTe’s Program Requirements. Also in 2013, our Consumer Dispute Resolution Service processed over 8,700 consumer complaints. We continued our involvement in the development of global privacy frameworks in 2013, most notably the Asia–Pacific Economic Co–operation (APEC) Cross Border Privacy Rules (“CBPR System,") which has been approved by all 21 APEC Economies including China, Japan, Korea and the United States. TRUSTe was approved as the first–ever APEC Accountability Agent in June 2013 allowing us to certify companies under TRUSTe’s APEC Privacy Program, which is based on the APEC–CBPR System. As speculation continued around proposed data protection rules in Europe, TRUSTe worked with clients to address today’s compliance challenges in the EU. This included helping clients comply with different standards for notice, consent, and control under the laws enacted in response to the EU’s Cookie Directive. We also worked with the European Digital Advertising Alliance (EDAA) to become an approved provider under the EDAA Trust Seal Certification 1 See: TRUSTe Research Reveals More Consumers Concerned about Business Data Collection than Government Surveillance, available at: http://www.truste.com/about-TRUSTe/press-room/news_us_truste_reveals_consumers_more_concerned_ about_data_collection
  • 4. TRUSTe Transparency Report 2013 4 Program. And together with Promontory Financial, we developed a BCR Management Program, designed to help businesses prepare for approval of their Binding Corporate Rules or BCRs. Finally, in 2013, we re–affirmed our commitment to privacy research and education with the launch of a new ‘Powering Trust’ event series in the US and the UK. At these events, we shared findings from our latest independent research into consumer attitudes to privacy and what this means for businesses. Now in its fifth year, this research series offers a valuable barometer of consumer confidence, business impact and recommended business practices. Thanks for taking the time to read our 2013 Transparency Report, and to learn more about TRUSTe and our business. Sincerely, Chris Babel, CEO
  • 5. TRUSTe Transparency Report 2013 5 2013: Year in Review In 2013: • TRUSTe certified 7,610 online properties representing approximately 5,000 clients. • Our Consumer Dispute Resolution Service processed 8,729 consumer complaints. • And, our Website Monitoring Solution completed over 172,000 website scans identifying and scoring privacy risk for over 19,000 third party trackers. A chart illustrating the number of TRUSTe certified properties is provided below: TRUSTe Certified Properties (2009 — 2013) #ofWeb&MobileProperties 0 2000 4000 6000 8000 1000 3000 5000 7000 9000 1. Figures include data for all TRUSTe Certified Properties, including TRUSTed Websites, TRUSTed Websites Basic, TRUSTed Cloud, TRUSTed Mobile Apps, TRUSTed Mobile Websites, TRUSTed Data, Children’s Privacy, APEC Privacy, EDAA and TRUSTed Smart Grid. 2. For details on TRUSTe’s EU Safe Harbor Assessment Program, see Appendix B. 3. For details on TRUSTe’s Children’s Privacy Program, see Appendix C. 4. In 2013, TRUSTe certified approximately 1,200 fewer properties under its TRUSTed Websites Basic offering and approximately 1,000 more properties under its Websites, Cloud, Children’s Privacy and other certifications. 2009 1723 2010 3657 2011 5455 2012 7809 2013 7610
  • 6. TRUSTe Transparency Report 2013 6 TRUSTe Data Privacy Management Solutions TRUSTe offers a comprehensive set of data privacy management solutions helping companies safely collect and use customer information across their web, mobile, cloud, and advertising channels. Our products are delivered via our Data Privacy Management Platform and include privacy assessments, privacy certifications, monitoring services, and compliance controls. WEB ADS CLOUD MOBILE DATA Data Privacy Management Platform CONTROLCERTIFY MONITORASSESS Powering Trust I) Privacy Assessments While TRUSTe is often known for its certification services and the TRUSTe “Certified Privacy” Seal, companies also engage TRUSTe to perform privacy impact and readiness assessments. This is often an example of “privacy by design” in action, as many of these assessments are conducted by companies who want to address privacy questions for a new product or service they plan to launch. The goal of a TRUSTe privacy assessment is identify the “gap” between the client’s business practices and the relevant privacy standards. Clients may opt to pursue TRUSTe certification after the assessment is complete. Examples of the types of assessments TRUSTe performed in 2013 include: • Alignment of privacy program with the requirements of COPPA • EU Safe Harbor readiness assessment • Readiness assessment for transfers of HR data under EU Safe Harbor • Privacy impact assessments for new and existing products • Assessing privacy impact of mobile and location services • Assessing privacy impact of advertising practices
  • 7. TRUSTe Transparency Report 2013 7 II) Privacy Certifications TRUSTe offers a range of privacy certifications addressing platform specific privacy considerations (e.g., web, mobile, app, cloud), consumer specific privacy considerations (e.g., children), and geographic specific privacy considerations (e.g., EU, Asia Pacific). Descriptions of our certification offerings are provided below: A. TRUSTed Websites2 and TRUSTed Websites Basic Both TRUSTed Websites and TRUSTed Websites Basic are based on the same set of TRUSTe Privacy Program Requirements, and are represented by the same TRUSTe seal. The main difference between the two programs is that TRUSTed Websites is a more customizable privacy solution, while TRUSTed Websites Basic is a more automated solution.3 In TRUSTe’s experience, privacy risk does not always correlate to company size; a very small business can have incredibly complex data collection and management practices, while very large companies can sometimes have very simple data collection and use practices. However, for small and medium sized clients with low–risk business practices, TRUSTed Websites Basic might be the right solution. B. TRUSTed Cloud4 TRUSTe launched its TRUSTed Cloud certification in March 2011. This program certifies the privacy practices of “Service Providers” which are companies that process data on behalf of another entity. TRUSTe reviews and assesses the privacy practices of data collected through the Service Provider’s platform or service portal, focusing on how the Service Provider manages and processes the data collected on behalf of its clients. Areas of assessment include: collection limitation and use, and data management processes such as sub–processor vetting, security, and data retention policies. C. TRUSTed Apps and Mobile Sites5 TRUSTed Apps, a mobile certification program, was launched in November 2010 and provides certification for both mobile applications and mobile–optimized web sites. This program recognizes that the mobile context provides additional privacy and transparency challenges not faced in the traditional web environment. A particular focus for our mobile certification program is the collection of geo–location data. TRUSTe classifies this information as sensitive data that requires the user’s express consent prior to collection, and must be encrypted during transmission. Understanding how a mobile application uses such sensitive data requires enhanced certification procedures. We also provide clients certified under this program with a customized short notice privacy statement, optimized for viewing on a mobile device. This short notice includes the disclosures consumers care about most in the mobile context: whether geo–location data is collected, what types of tracking take place, and what kind of data is shared with third parties. 2 More details on TRUSTed Websites are at: http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed- websites 3 TRUSTed Websites Basic features our automated Privacy Policy Generator - an innovative TRUSTe technology that evaluates businesses against TRUSTe’s Privacy Program Requirements while providing a cost-effective, privacy solution. TRUSTe’s Privacy Policy Generator scans a prospective client’s website and based on this information and other client input, generates a privacy policy that is hosted by TRUSTe. The same features that strengthen TRUSTe’s custom privacy certification back TRUSTed Websites Basic – clients must contractually agree to abide by the TRUSTe-generated privacy policy and submit to our consumer dispute resolution process. 4 More details on TRUSTe’s Cloud Privacy Certification are at: http://www.truste.com/privacy_seals_and_services/ enterprise_privacy/cloud-certification 5 More details on TRUSTe’s Mobile Privacy Solutions is at: http://www.truste.com/privacy_seals_and_services/enterprise_ privacy/mobile_certification
  • 8. TRUSTe Transparency Report 2013 8 D. TRUSTed Data6 The TRUSTed Data certification program was launched in May 2011 to address the data collection and use practices of companies that collect data across multiple unaffiliated web sites over time. These companies are known as third party data collectors — they collect data through websites or applications they do not own. By way of example, these types of companies would include ad networks, data aggregators, and demand side platforms (DSPs). The key components of TRUSTed Data certification are: understanding the types of data collection (including the types of technologies used), what type of data is collected both directly and from third party sources and the obligations associated with that data, how that data is used, and how consumers are able to exercise choice over the use of that data. For example, third party data collectors must obtain the consumer’s express consent prior to collecting sensitive data such as health information for targeted marketing. E. TRUSTed Smart Grid7 The TRUSTed Smart Grid Privacy Program was launched in 2012 and is based on the Smart Grid Guidelines, a framework for smart grid privacy that was jointly developed by the Future of Privacy Forum8 and TRUSTe. Under this program, we assess and certify the privacy practices of third–party companies that access consumer energy usage data or “CEUD” to power “smart” services and products. F. APEC Privacy9 TRUSTe has been working with APEC Member Economies10 since 2004, when this group formally approved the APEC Cross Border Privacy Rules (“CBPR”) System. The CBPR System represents the most widely accepted data protection standard, which has been endorsed by regulators in all 21 APEC Member Economies, including the United States. TRUSTe’s APEC Privacy Program is a comprehensive certification based on the specific requirements of the CBPR System. TRUSTe was approved as the first accountability agent under the CBPR System in June 2013 In August 2013, IBM was certified under the TRUSTe APEC Privacy Program, followed by Merck (November 2013) and Yodlee (December 2013). TRUSTe advances the APEC–CBPR System by helping organizations be accountable and transparent in their data management practices. We work with companies to adopt uniform best practices, furthering “privacy interoperability” while also promoting the free flow of data among APEC Member countries. We also work directly with privacy enforcers and help them fulfill their APEC–CBPR mandate by providing consumer dispute resolution services, and working with companies to bring their data protection policies in line with the APEC– CBPR System. 6 More details on TRUSTed Data Collection is at: http://www.truste.com/privacy_seals_and_services/enterprise_privacy/ data-collection-certification 7 More details on TRUSTed Smart Grid is at: http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-smart- grid 8 TRUSTe is a member of the Future of Privacy forum, a Washington, DC based think tank that seeks to advance responsible data practices. For more details visit: www.future of privacy.org 9 More details on TRUSTe’s APEC Privacy Program are at: http://www.truste.com/products-and-services/enterprise-privacy/ apec-accountability 10 APEC has 21 members - referred to as “member economies” - which account for approximately 40 percent of the world’s population, approximately 55 percent of world GDP and about 44 percent of world trade. APEC’s 21 Member Economies are Australia; Brunei Darussalam; Canada; Chile; People’s Republic of China; Hong Kong, China; Indonesia; Japan; Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; The Republic of the Philippines; The Russian Federation; Singapore; Chinese Taipei; Thailand; United States of America; Viet Nam.
  • 9. TRUSTe Transparency Report 2013 9 G. Children’s Privacy11 TRUSTe’s Children’s Privacy Certification applies specifically to websites and apps that are fully or partially targeted towards children under the age of 13, and to general audience websites that knowingly collect personal information from children under 13. TRUSTe’s Children’s Privacy program requirements are consistent with the requirements of the Children’s Privacy Protection Act or COPPA. In 2013, we made several significant updates to our Children’s Privacy Program based on amendments to the COPPA Rule which came into effect in July 2013. H. EU Safe Harbor12 The TRUSTe EU Privacy Program helps companies prepare for self–certification under the US–EU and US–Swiss Safe Harbor Frameworks through an assessment, and by providing independent resolution of consumer disputes. The TRUSTe EU Privacy Program is not a TRUSTe certification offering. Rather, TRUSTe’s Privacy Program Requirements are consistent with the requirements of the EU–US Safe Harbor Framework which requires companies to attest that their practices satisfy the Safe Harbor Principles of notice, choice, access, data integrity, onward transfer, security and enforcement. TRUSTe requires that all our EU Safe Harbor clients add a statement to their privacy policies regarding their compliance with the US–EU or US–Swiss Safe Harbor Frameworks as appropriate. I. EDAA13 In 2013, TRUSTe became an approved provider under the EDAA Trust Seal Certification Program. This program reduces privacy risks for EU companies that act as a third party data collector across desktop environments. TRUSTe is responsible for independently assessing company compliance with the European Principles on OBA and issuing the EDAA Trust Seal to companies that can demonstrate they meet the standards required. Companies that successfully complete certification receive a detailed report outlining TRUSTe’s findings and are awarded the EDAA Trust Seal to easily demonstrate to regulators, potential partners, or consumers their compliance with privacy best practices in the EU for online data collection. III) Monitoring Services & Compliance Controls A. Website Monitoring In 2012, TRUSTe launched its Website Monitoring service to help companies have a clear understanding of the tracking technologies used by both themselves (first party) and by others (third parties). The capabilities of TRUSTe’s Website Monitoring technologies can also be used in certifications — in conjunction with cookie consent management, for monitoring DAA/EDAA OBA compliance, and as a standalone tool. When left unmanaged, tracking code on websites can lead to risk of privacy violations with unauthorized third parties tracking the website’s customers. This in turn can result in the degradation of website performance (slow loading time, lower search engine rankings) or even data leakage with potential revenue loss through unauthorized targeting and retargeting of valuable site users. 11 More details on TRUSTe’s Childrens Privacy Certification are at: http://www.truste.com/products-and-services/enterprise- privacy/coppa 12 More details on how TRUSTe can help you comply with the EU-US Safe Harbor framework are at: http://www.truste.com/ privacy_seals_and_services/enterprise_privacy/eu_safe_harbor_seal 13 More details on the EDAA Trust Seal are available at: http://www.truste.com/products-and-services/enterprise-privacy/ edaa-cert
  • 10. TRUSTe Transparency Report 2013 10 The Website Monitoring service helps address these concerns by bringing transparency to the process. The cloud–based service scans a website to identify a variety of trackers and clients can manage the depth and frequency of these website scans to provide optimal coverage. The results of these scans, as well as detailed reports of first and third party tracking activity, are available to clients through a self–service portal. Through this portal, clients have the ability to authorize known and approved third party data collectors and vendors, as well as get alerts to new trackers that appear on a website in subsequent scans. Finally, the results of a monitoring scan feed directly into compliance controls such as TRUSTe’s Consent Manager. The TRUSTe Website Monitoring service first scans a website to identify trackers — such as cookies, flash cookies or locally stored objects (“LSOs”), web beacons/pixels, java scripts, local storage and E–tags. The tracker is then cross–referenced against TRUSTe’s extensive database of more than 19,000 tracking URLs corresponding to over 5,000 different business entities involved in third–party tracking activities. TRUSTe maintains information about all trackers we detect, and assigns each a Privacy Sensitivity Index (PSI) score. The PSI is based on the potential privacy risks associated with the tracker or third party deploying the tracker. Third parties are assigned a PSI score on a number factors including: likelihood to engage in online behavioral advertising (OBA), adherence to industry standards (DAA, NAI), privacy policies, consent mechanisms, and how/whether the client honors consumer opt–out preferences. TRUSTe’s Website Monitoring service can also be configured to detect personal information (PII) collection on a website or online service. This can be useful when taking an inventory of an organization’s online data collection practices. B. TRUSTed Ads In 2011, TRUSTe became a DAA–approved Online Behavioral Advertising (OBA) compliance provider with its TRUSTed Ads product. TRUSTed Ads allows companies across the online advertising ecosystem — advertisers, agencies, networks, platforms, and publishers — to achieve reliable, scalable, and cost–effective compliance with the DAA’s Self–Regulatory Program. In 2013, TRUSTe was also approved under the EDAA, a program set up to meet self– regulatory requirements for OBA in the European Union. In 2013 alone, TRUSTe served the DAA icon on almost a half trillion online ads. C. TRUSTed Consent Manager The TRUSTed Consent Manager was developed to help companies comply with certain amendments to the 2002 e–privacy directive (known informally as the “cookie directive”) that require “informed consent” before accessing or storing data on a consumer’s computer or other device. TRUSTed Consent Manager allows companies to collect informed consent from consumers regarding accessing or storing data on the user’s computer or other device in the form of cookies or other trackers, through a customizable, consumer–friendly interface that informs users about the use of cookies and options for controlling if and how cookies are used.
  • 11. TRUSTe Transparency Report 2013 11 TRUSTe Certification Operations Review A. TRUSTe Certification Program Requirements TRUSTe offers different certification programs depending on the organization’s privacy practices. Our Certification Program Requirements are built upon TRUSTe’s core privacy principle of Transparency, Choice, and Accountability, global privacy rules and regulations (such as the APEC–CBPR System) and industry best practices. The table below lists TRUSTe’s certification programs and identifies them by the specific regulatory or industry guidelines upon which they are based.14 TRUSTe Program Requirements TRUSTe Certification Programs Business Practices Certified Program Requirements Foundation Privacy Program Requirements TRUSTed Websites TRUSTed Email TRUSTed Mobile Sites and Apps Companies that have a direct relationship with the consumer and are considered “first party” or “data controllers” Fair Information Practice Principles (FIPPs) US–EU and US– Swiss Safe Harbor Frameworks.14 Asia Pacific Economic Council (APEC) Cross Border Privacy Rules OECD Guidelines CalOPPA CTIA Guidelines CAN–SPAM FTC Self–Regulatory Principles for Online Behavioral Advertising (OBA) APEC Privacy Requirements APEC Privacy Program Companies transferring data within APEC Member Economies and want to be certified under the APEC–CBPR standard APEC–CBPR System Children’s Privacy Program Requirements Children’s Privacy Companies that collect personal information from children under age 13 or offer online services targeting children under age 13. Children’s Online Privacy Protection Act (COPPA) 14 TRUSTe’s Privacy Program Requirements align with the US-EU and US-Swiss Safe Harbor Framework. Clients assessed under this program will need to take the additional step of self-registration with the Department of Commerce to achieve Safe Harbor status.
  • 12. TRUSTe Transparency Report 2013 12 TRUSTe Program Requirements TRUSTe Certification Programs Business Practices Certified Program Requirements Foundation Cloud Privacy Program Requirements TRUSTed Cloud Companies or Service Providers that process data in the cloud on behalf of another entity. Fair Information Practice Principles US—EU and US— Swiss Safe Harbor Frameworks APEC—CBPR System OCED Guidelines Cloud Security Alliance Guidelines (CSA) EDAA EDAA Trust Seal Certification Companies operating in the EU and engaged in data collection as third parties EDAA Self– certification Criteria TRUSTed Data Program Requirements TRUSTed Data Companies, often referred to as “third parties” that collect data over multiple unaffiliated sites over time for the purpose of creating a profile that is typically used for targeted marketing purposes. FTC Self–Regulatory Principles for Online Behavioral Advertising Network Advertising Initiative (NAI) Principles Digital Advertising Alliance (DAA) Self– Regulatory and Multi– site Principles European Digital Advertising Alliance (EDAA) Self– certification Criteria TRUSTed Download Program Requirements TRUSTed Downloads Companies offering downloadable executable software. Fair Information Practice Principles OECD Guidelines Industry best practices` TRUSTed Smart Grid Privacy Program Requirements TRUSTed Smart Grid Companies seeking to access customer energy usage data [CEUD] that is collected by utilities via the utilities direct relationship with the customer or companies collecting energy data directly from customers through smart devices such as smart thermostats, smart appliances or home control systems. Future of Privacy Forum (FPF) Smart Grid Privacy Guidelines for Consumer Energy Data Regulatory Guidance from California State Public Utilities Commission
  • 13. TRUSTe Transparency Report 2013 13 B. TRUSTe Certification Process TRUSTe Certifications, with the exception of TRUSTed Websites Basic, follow a 5–step process as outlined below: ASSESS ADVISE • Gap Analysis of Client Practices with TRUSTe Certification Program Requirements and Policies • Issue Findings Report + Change Roadmap AWARD • Activate Hosted Seal & Validation Page MONITOR & CONTROL • Activate Dispute Resolution Service • Ongoing Guidance on New Regulations & Business Changes: Consultation + Education Seminars • Implement Optional Compliance Controls REMEDY • Client Implements Process & Policy Changes • Validate Changes • Data Collection & Usage Audit • Policy Review • Solution = Privacy Analysts + Technology Tools Step 1 — Assess TRUSTe privacy assessments are performed by a team of privacy analysts and consultants. All TRUSTe privacy certifications begin with a risk assessment of the client’s business and privacy practices, which differs, depending on the client’s business model, and the features/ functions and data privacy practices of the client’s website, app, or online service they want to certify. This includes a range of process information including what data is collected, how it is used, who it is shared with, etc. — along with a review of the companies stated privacy practices and policies. TRUSTe uses a combination of different methodologies to examine how the client collects, uses and shares personal data: a manual evaluation of the client’s practices, the client’s own attestations and interviews, and monitoring through TRUSTe’s proprietary technology. The extent to which we use one methodology over another is dependent on a client’s risk profile and nature of the property being assessed. Step 2 — Advise During the Advise step, TRUSTe issues a Findings Report to the client with recommendations on changes they need to make to their data privacy management practices and privacy policies. Nearly all clients must make changes to their existing data collection and usage practices or privacy policy to qualify for TRUSTe certification. In 2013, approximately 8% of applicants for the TRUSTed Website certification did not complete the certification process for reasons such as a shift in priorities, changes in business model, or inability or unwillingness to make the changes required under TRUSTe’s Privacy Program Requirements.
  • 14. TRUSTe Transparency Report 2013 14 Step 3 — Remedy During the Remedy step, the client implements TRUSTe’s recommendations into their product or service. TRUSTe also confirms that the certified property has a privacy policy that accurately represents how the client is collecting and using personal information. We also confirm that mechanisms for access, redress, security and enforcement are provided in a way that consistently meet consumers’ and business’ expectations. Step 4 — Award The Award phase commences once the client has implemented TRUSTe’s recommendations and is awarded the TRUSTe seal. Step 5 — Monitor and Control Once the seal is awarded, TRUSTe monitors ongoing compliance through proprietary technology — such as our Website Monitoring service — as well as our consumer dispute resolution process. In some cases, we may initiate an investigation based on the results of our technological monitoring; we may also initiate an investigation based on a regulator inquiry, media report or information contained in a consumer complaint. For more details please see the Consumer Dispute Resolution and Enforcement sections, below. TRUSTe evaluates whether our clients continue to meet our Program Requirements through an annual review process. In addition, if the client notifies TRUSTe of a change or TRUSTe detects a change e.g. through technological monitoring, outside the ‘annual’ re–certification cycle, the change will be evaluated by TRUSTe, regardless of whether it is time for the client’s annual review or not. TRUSTe’s approach to privacy certification can differ based on the complexity of the client’s business and privacy practices. TRUSTe works with clients of all sizes to provide cost–effective, scalable, privacy solutions that work across different types of business models. In this way, we aim to promote strong privacy practices across all aspects of the online ecosystem. While certification represents an assessment from a specific point in time, our monitoring solutions help provide clients a holistic view of first and third party activity on their online properties. This is crucial, because when left unmanaged, tracking code on websites can lead to the degradation of website performance (slow loading time, lower search engine rankings), or data leakage with the potential loss or revenue from the unauthorized targeting and retargeting of a website’s valuable site users — in addition to privacy compliance challenges. The TRUSTe Website Monitoring Service provides stand–alone reporting to customers and is also used in TRUSTe certifications and privacy assessments. In 2013, TRUSTe’s Monitoring Service performed over 172,000 website scans on over 18 million web pages. TRUSTe uses and provides access to a variety of technology based monitoring services and compliance controls to help clients ensure compliance with the broad range of existing and emerging global privacy requirements. These include our Website Monitoring Service, TRUSTed Ads OBA Preference Management Controls, and TRUSTed Consent Manager Controls for addressing the EU Cookie Directive. C. Consumer Dispute Resolution Consumer Dispute Resolution is a key component of TRUSTe’s privacy management solutions that helps us monitor compliance, while keeping clients accountable for their privacy practices. We have provided excerpts from our 2013 consumer dispute resolution survey in Appendix C to this report.
  • 15. TRUSTe Transparency Report 2013 15 The TRUSTe Consumer Dispute Resolution process begins with a consumer complaint filed with TRUSTe, against a TRUSTe client. After TRUSTe receives a consumer complaint, we initiate an investigation. A TRUSTe investigation may also be initiated after a TRUSTe scan, a media report, regulator inquiry or information obtained through other credible sources. Once TRUSTe has reviewed the complaint, we respond to the consumer within our published timeframe of 10 business days. The nature and duration of the investigation needed can vary widely depending on the nature of the issue. TRUSTe quickly checks those issues that can be immediately verified. If our findings do not verify what the consumer alleged, we inform the consumer and/or request more information if needed. The client ordinarily has 10 business days to provide a written response for the consumer. For more urgent issues, such as security vulnerabilities, we may also escalate to the client via phone, and generally expect responses more quickly, especially if we are able to verify the problem. The diagram below illustrates the TRUSTe consumer dispute resolution and enforcement process: Consumer Complaint Media Report Regulator Inquiry TRUSTe Scan TRUSTe Investigation Notification Lack of ComplianceCompliance TRUSTe Requests to Cure Issue Formal Enforcement Suspend Certification Request to Cure Termination Referral to Appropriate Agency Appropriate Confidentiality Opportunity to Cure
  • 16. TRUSTe Transparency Report 2013 16 Consumer disputes in 2013 In 2013, TRUSTe handled 8,729 Dispute Resolution complaints, most of which were from consumers. The diagram below illustrates how these complaints were classified and ultimately resolved by TRUSTe: Evaluate Disputes Closed on Procedural Grounds 3,453 Eligible for Further Analysis 5,276 72.7% Resolved by consumer education, or courtesy forwards by TRUSTe 5.8% Required issue– specific research and/or data changes by the site Required changes by the client to their disclosures, Privacy Statement and/or privacy practices 0.9% 20.4% Other (e.g. open or reopened9, trademark report, action taken independently by company, out of scope with no courtesy forward) Related to companies deactivated from TRUSTe’s program (e.g. suspended or terminated) 0.2% 8,729 DR Complaints The majority of complaints were resolved without requiring formal enforcement measures by TRUSTe. About 40% of total consumer complaints were closed by TRUSTe on “procedural grounds.” Such procedural grounds may include complaints that fail to state a comprehensible issue or even a complete word (e.g. random typing such as “xyxyxy”). In other examples, the consumer complaint did not give TRUSTe permission to pass identifying information to the site in question, or provided an invalid e–mail address, impeding investigation of that complaint. Of the remaining 2013 complaints not closed on procedural grounds: • 72.7% — were resolved by consumer education, or courtesy forwards by TRUSTe (non– privacy issues). • 5.8%– required issue–specific research and/or data changes by the site (e.g. unsubscribe the user, close the account, remove unauthorized profile). • 0.9% — required changes by the client to their disclosures, privacy statement and/ or privacy practices (including complaints by different consumers about the same underlying issues).
  • 17. TRUSTe Transparency Report 2013 17 • 20.4% — fell into other categories such as that fall outside the scope of TRUSTe’s authority under our privacy program, (e.g. billing/transactional issues, requests for feature enhancements). TRUSTe typically suggests that the consumer contact the site directly in these instances. • 0.2% — were against companies that had been deactivated from TRUSTe’s program. D. Enforcement TRUSTe certification is supplemented by enforcement of our Privacy Program Requirements and our Consumer Dispute Resolution Process. Because TRUSTe privacy certification is completely voluntary, our challenge is to preserve the incentives for companies to certify and self–regulate their privacy practices within a voluntary framework, while also remaining true to our mission. To address this challenge, TRUSTe must ensure that appropriate confidentiality and adequate procedural safeguards, including the opportunity to cure, are part of the Enforcement process. The term “enforcement” has a specific meaning within the context of TRUSTe certification. Enforcement is when TRUSTe provides formal notice to a client that they have violated one or more program requirements, resulting in either Suspension or Termination of the client’s relationship with TRUSTe if the violation is not “cured” within the time allotted, usually 20 business days. The TRUSTe enforcement process usually begins with an internal compliance investigation. TRUSTe may initiate this investigation based on results of our technological monitoring, on information contained in a consumer complaint, news or press reports, regulator inquiry, or reports from other credible sources. If a violation is found, our investigations have one of three possible outcomes:15 • An agreement between TRUSTe and the client over the privacy complaint — resulting in client resolution that addresses the consumer concern or request. • A disagreement — triggers a notice of formal enforcement, resulting in the client’s suspension or notice of intent to terminate for cause if the matter is not cured. • A failure to implement the required cure — resulting in the client’s termination from TRUSTe’s program and, in extreme cases, publication and/or referral to an appropriate authority.15 The table below details TRUSTe’s enforcement actions from 2009 — 2013: Year Formal Enforcement Actions Outcome 2009 7 enforcement actions 4 resulted in termination for cause, and 3 additional suspensions were cured. 2010 3 enforcement actions 2 resulted in terminations for cause; the third involved a suspension that turned into termination for cause in 2011. 2011 11 enforcement actions 10 resulted in terminations for cause, one involved a suspension that was cured. 2012 9 enforcement actions 3 resulted in termination for cause, 5 suspensions were cured, and 1 company previously suspended is working on curing the issue. 2013 23 enforcement actions 11 resulted in termination for cause, 11 enforcement actions (e.g. suspensions) were cured, and 1 suspended company is working on curing the issue. 15 One of our prior FTC referrals was ClassicCloseouts in 2008; TRUSTe assisted the FTC with the investigation, and the agency brought action for permanent injunction and relief against the site, ultimately obtaining a $2.08 million settlement to provide redress for consumers. See Merchandiser Who Illegally Charged Consumers' Accounts Settles with FTC, available at: http://www.ftc.gov/opa/2011/01/classicclose.shtm.
  • 18. TRUSTe Transparency Report 2013 18 TRUSTe Privacy Research and Education Series Privacy Research In addition to our privacy management solutions, TRUSTe provides consumers and businesses with important information and research about important regulatory developments and key privacy trends. In 2013 we also significantly increased our research investment, publishing 6 separate research reports into consumer attitudes regarding data privacy and company practices for managing consumer privacy. We partnered with Harris Interactive and IPSOS Mori to conduct most of the projects. The research is used to help educate businesses on the importance of addressing privacy to build consumer trust and drive engagement across all of their products and marketing / advertising programs. A list of our research is provided below and copies can be found at www.truste.com/resources. Topic Date Scope Consumer Confidence Index — (Report and Infographic) Jan 2013 US Consumer Confidence Index — (Report and Infographic) Jan 2013 UK Website Monitoring — Travel Edition (Infographic) July 2013 US, EU Consumer Privacy — Advertising Edition (Report and Infographic) Sept 2013 US Consumer Privacy — Advertising Edition (Report and Infographic) Sept 2013 UK Consumer Privacy — Mobile Edition (Report and Infographic) Sept 2013 US Consumer Privacy — Mobile Edition (Report and Infographic) Sept 2013 UK
  • 19. TRUSTe Transparency Report 2013 19 Privacy Education TRUSTe authors a wide range of educational resources for both clients and other members of the broader privacy community to stay abreast of new and changing developments in the world of privacy. In 2013 we had over 1,500 professionals attend 15 live webcasts and 3 workshops on a range of privacy topics including APEC, BCRs, COPPA, DAA, and the EU Cookie Directive. Hundreds of additional individuals downloaded recordings of these broadcasts. All of these resources are made available at no charge. The table below summarizes our 2013 educational webinar series. Topic Date Mobile App Privacy Legal Enforcement Begins — Are Your Apps Compliant? Feb Overview of the EDAA Program Mar COPPA Rule Update — Implications and Next Steps for Your Business (Clients Only) Mar COPPA Rule Update — Implications and Next Steps for Your Business Apr EU Cookie Directive — Is Your Business Compliant? Apr Overview of BCRs May Understanding FTC Rules on Children Online Privacy Protection Act (COPPA) Jun Overview of the APEC Privacy Framework Jul Understanding the State of EU Cookie Directive Jul Powering Trust in the Advertising Ecosystem — NYC Sep Powering Trust in the Advertising Ecosystem — San Francisco Sep How to Be Proactive in Monitoring Your Compliance with the DAA Principles Sep Overview of the DAA Mobile Privacy Principles Sep How to Ensure your Websites and Apps Address Emerging Data Privacy Challenges Oct Powering Trust in the Advertising Ecosystem — London Oct Impacts to the Advertising Ecosystem through Privacy & Device Recognition Nov The California Data Privacy Landscape — The New Regulatory Updates that Impact Your Online Business Nov What is the Future of the EU–US Safe Harbor Agreement? Nov
  • 20. TRUSTe Transparency Report 2013 20 TRUSTe Privacy Program Requirements A link to TRUSTe’s privacy program requirements is available at: http://www.truste.com/privacy–program–requirements/home Appendix A TRUSTe EU Safe Harbor Assessment Program (2009 — 2013) Appendix B TRUSTe Children’s Privacy Program (2009 — 2013) Appendix C EU Safe Harbor Assessment Program — Number of Properties Certified 2009 213 2010 344 2011 445 2012 611 2013 674 100 200 300 400 500 600 700 0 Children’s Privacy Program — Number of Properties Certified 2009 2010 2011 2012 2013 100 50 0 21 37 55 68 77
  • 21. TRUSTe Transparency Report 2013 21 Appendix D TRUSTe Consumer Dispute Resolution Data 1. Consumer Dispute Resolution Volume (2007–2013)Overall Complaints 2009 2010 2011 2012 2013 2000 4000 6000 8000 10000 9031 7719 8646 9699 8729 EU Complaints 2009 2010 2011 2012 2013 2000 4000 6000 8000 10000 1231 881 879 656 437 2. Consumer Complaints Organized by Type (2013) TRUSTe categorizes Consumer Dispute Resolution complaints by the type of complaint alleged. When filing a complaint, consumers self–select the category for their complaint based on options provided via a pull–down menu. In situations where TRUSTe does not receive additional information that clearly indicates that a different category is more appropriate, we generally leave the category as the consumer identified it. Many complaints turn out to be consumer requests for service assistance from the client or incomprehensible complaints with random typing, or complaints that do not involve privacy practices. The vast majority of complaints do not indicate a violation of TRUSTe’s Privacy Program Requirements.
  • 22. TRUSTe Transparency Report 2013 22 2013 Complaints by Type (Overall): 1842 1912 1321 731 651 509 509 310 296 161 154 123 116 40 35 13 5 1 Monetary / Billing / Transactional Undefined (incl. random typing) Help with Features / Functionality Account Access / Creation (incl. forgotten passwd) Can't Change / Remove Personal Info Account Hacked / Disabled Unable to Unsubscribe Unable to Contact Participating Site Abuse by Another User Shared Personal Info with Unauthorized Third Party Received Unauthorized E-Mail Other Unauthorized Profile With My Information Website Security Vulnerability Inaccurate Privacy Disclosure Targeted Advertising Privacy Settings Not Working Children's Information (Under 13) Overall Complaints 2013 Complaints by Type (EU): 70 66 52 48 44 36 30 24 20 18 14 6 5 2 2 Monetary / Billing / Transactional Undefined (incl. random typing) Help with Features / Functionality Account Access / Creation (incl. forgotten passwd) Can't Change / Remove Personal Info Account Hacked / Disabled Unable to Unsubscribe Unable to Contact Participating Site Abuse by Another User Shared Personal Info with Unauthorized Third Party Received Unauthorized E-Mail Other Unauthorized Profile With My Information Inaccurate Privacy Disclosure Privacy Settings Not Working EU Complaints
  • 23. TRUSTe Transparency Report 2013 23 2013 Complaints by Resolution (Overall): 3496 1361 1065 1007 518 459 340 135 117 90 52 49 18 13 8 1 Consumer Education by TRUSTe No Action Required (e.g. for random typing) Out of Scope, no Forward No Consumer Response Duplicate Complaint Permission Not Granted by Consumer Out of Scope, with Forward Response Obtained but No Changes Required PII Removed, Account Closed or Credentials Validated Consumer Withdrawal of Complaint Unsubscribed Changes Required to PS, Site, or Practices Invalid Complainant E-Mail Address Action Taken Without TRUSTe Involvement Licensee Deactivated Irreproducible Overall Resolution 2013 Complaints by Resolution (EU): 202 64 51 49 17 11 10 10 9 5 5 3 1 Consumer Education by TRUSTe No Action Required (e.g. for random typing) Out of Scope, no Forward No Consumer Response Duplicate Complaint Permission Not Granted by Consumer Out of Scope, with Forward Response Obtained but No Changes Required PII Removed, Account Closed or Credentials Validated Consumer Withdrawal of Complaint Unsubscribed Changes Required to PS, Site, or Practices Invalid Complainant E-Mail Address EU Resolution
  • 24. TRUSTe Transparency Report 2013 24 You got it fixed when nobody else would I am more than satisfied with TRUSTe’s handling of this matter.I have spent many hours worried and lost much sleep sickened in the matter. They handled it quickly and professionally, unlike Facebook.I thank God that they advocated on my behalf and was fair in doing so. Smooth and easy process. My experience with TRUSTe’s process was great! The process was quick and clear, and helped me in resolving my complaint. Amazing. Successful. Appreciated. Overall it was positive. My issue was resolved so I am happy. I was very pleased TRUSTe was able to resolve my compliant and get the company to fix their website so it was in compliance with their privacy policy. Truste rocks exellent Overall, great job! very positive Perfect! I was VERY impressed! Generally, when possible, the process has been helpful in getting an issue escalated and the problem resolved. I appreciate that the program exists and allows users to control their information, which seems to be harder than it should be online. Thank you very much for your efforts! Maybe a faster response time from TRUSTe licensed company, thought it was already fast. It’s perfect. you did a great job Overall, the process is very good. Thank you for you fast reply! It is a great process. Only thing I can think of for improvement would be a direct contact via phone. Many thanks for caring about my complaint [...]. Thank you for your assistance and attention to detail. THANK YOU SO VERY MUCH. I FEEL SO MUCH BETTER NOW THAT THEY’VE BEEN REMOVED Thank you for getting back to me so quickly. ... I thank you so much for giving me the proper address, that’s more than they could do. Thank you for your prompt follow–up. Thanks for the response. I was able to access the [...] website from your information and resolved the matter. Thanks guys, keep doing the good work. My issue has been resoulved thank you for your help someone got back to me at last and, help me log in to my account Many thanks indeed for your support on this issue. I appreciate your care and concern. Thank you this issue has been resolved. Thank you Truste for your help! This problem has now been resolved by facebook. Thank you very much for your support. Thank you for responding so promptly. I thank you for your assistance you are truly reliable so my sincere gratitude to you Appendix E Consumer Feedback to the TRUSTe Dispute Resolution Process
  • 25. TRUSTe Transparency Report 2013 25 I’m sure it was through your contact with them that they “finally” decided to do something about it. Again, thank you for the help. Thanks again for your prompt response. Many thanks for your help. Hello, anyway, thanksso muchyourattending my complain, [...] I appreciate your feedback and availability. They canceled everthing. Thank you for responding for my complaint. Thank you for resolving this situation for me. thanks for stepping in. Thank you for your efforts on my behalf. I appreciate your time and understanding of my concern. Thank you so much. I appreciate the information you’ve provided. thank you very much for your help. Thank you for your diligence Thank you very much for your quick answer. wow, thank you for your persistance I appreciate your response. The fact that I was able to state that I had contacted you seemed to result in my first effective response from [...]. I appreciate and am impressed with the effort you have put into this matter. Thank you and so much appreciated. Thank you for all your help i truly appreiate it so much Thank you for your help and understanding, My issue was resolved I received a full refund and my membership was terminated. TRUSTe’s service was excellent. My issue has been resolved thanks for your help Thank you so much for your help. Glad to find you! I appreciate the continued follow up Thank you for the update. I am greatly in your debt. Dear TRUSTe, From the bottom of my heart thank you so very much...looking forward for my peace and quite life...godbless!!! Thank you for your kind reply and for your suggestions where to turn. Most valuable when you wonder whom to turn to in any situation as this. Much obliged. Thank you sincerely for your excellent feedback & response THANK U SOOOOO MUCH FOR ALL UR HELP :) Thank you for your good work, I will definately look for the TRUSTe certification in the future as you seem to stand behind your word. Much respect. I am happy with your intervention. I really appreciate your help. Thank you so much, TrustE for providing this service. Thank you very much for your prompt answer. In it is everything I was curious about, and the information seems logical in hindsight. Thanks you for your patience and persistence in this matter. Thank you for responding so quickly and with some detailed knowledge. Thank you for your assistance! [...] Thank you for your intervention! Thank you for your assistance and making sure this was done. I appreciate it. I deeply appreciate TRUSTe mediation, has been so helpful. Thank you so much. It is appreciated. [...] You are GREAT. Thank you for your response. You lead me to believe there may still yet be hope for the little guy in society.