Privacy Seal Company TRUSTe Settles FTC Charges of Lax Recertification Practices


By Katie W. Johnson

Nov. 21 — Longtime online privacy certification provider TRUSTe Inc. has agreed to settle Federal Trade Commission allegations that it deceived consumers by saying that it conducted annual recertifications when it failed to do so and misrepresented its status as a nonprofit entity, the FTC said Nov. 17.

The San Francisco-based company, which is formally known as True Ultimate Standards Everywhere Inc., has agreed to pay $200,000 as part of the proposed no-fault settlement with the FTC. The pact would also prohibit the company from making misrepresentations about its certification process or its corporate status.

“TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” FTC Chairwoman Edith Ramirez said in the FTC's statement. “Self-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.”

“At TRUSTe we take very seriously the role we play in the privacy ecosystem and our commitment to supporting our customers,” Chris Babel, chief executive officer of TRUSTe, said in a Nov. 17 blog post. “And if we fall short, we admit it, we address the issue, and we move forward.”

“The FTC did not find any issues with TRUSTe’s privacy practices, but there were two processes that needed to be fixed—and we have addressed both,” Babel said.

“Given the FTC settlement, TRUSTe is likely to ensure it is especially rigorous going forward,” Alan Charles Raul, a partner at Sidley Austin LLP in Washington and lead global coordinator of the firm's Privacy, Data Security and Information Law practice, told Bloomberg BNA Nov. 20.

Certified Privacy Seals

According to the FTC's administrative complaint, TRUSTe offers “Certified Privacy Seals” for display on clients' websites and mobile applications.

In order to display these seals, clients must meet certain requirements of TRUSTe's consumer privacy programs, such as transparent company practices and consumer choice concerning the collection and use of consumers' personal information. One program certifies compliance with the Children's Online Privacy Protection Act, 5 U.S.C. §§ 6501–6505. Another certifies compliance with the U.S.-EU Safe Harbor Program, which allows U.S. companies to transfer the personal information of EU citizens outside of the European Economic Area.

The FTC alleged that, despite TRUSTe's representations that it annually recertifies all companies displaying a Certified Privacy Seal, TRUSTe failed to conduct annual recertifications for all companies holding its privacy seals between 2006 and January 2013. “In over 1,000 instances, TRUSTe conducted no annual review of the company's compliance with applicable Program Requirements,” the complaint said.

In addition, TRUSTe has recertified some clients who still have privacy policies that describe TRUSTe as a nonprofit entity, even though it has been a for-profit entity since July 2008, the commission alleged.

The FTC alleged that these actions constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

The failure of the company to complete the annual reviews of certifications from 2006 until January 2013 for those who had signed up for multi-year agreements “represents less than 10% of the total number of annual reviews we were scheduled to conduct during that time,” Babel said in his blog post.

APEC Implications?

TRUSTe is the only “accountability agent” who is able to certify compliance with the Asia-Pacific Economic Cooperation's Cross Border Privacy Rules System. The system is based on approval of a company's privacy practices by an independent auditor with government regulators in participating economies acting as an enforcement backstop.

In July 2012, the U.S. became the first formal participant in the CBPR system and named the FTC as its backstop regulator.

But “TRUSTe’s APEC Privacy certification program was not the subject of the allegations in the complaint,” Ramirez, along with FTC Commissioners Julie Brill and Terrell McSweeny, said in a footnote in a statement expressing their “strong support” for both the administrative complaint and the consent order.

“While the FTC investigation appears not to have focused on TRUSTe's actions as U.S. accountability agent for the APEC framework, presumably TRUSTe will be vetting their APEC-certifying clients particularly carefully from now on,” Raul told Bloomberg BNA. “If nothing else, the FTC's action against TRUSTe suggests the enforcer is awake at the switch.”

“We are proud to serve as an Accountability Agent for the APEC CBPR System and we don't expect this will impact the program or our role,” TRUSTe CEO Babel told Bloomberg BNA Nov. 21.

Settlement Terms

The proposed consent order would prohibit TRUSTe from misrepresenting:

• steps taken to certify or recertify a company's privacy practices;

• the frequency with which it conducts such evaluations of a company's privacy practices;

• its corporate status; and

• the extent to which any person or entity participates in its privacy programs.

Under the proposed consent order, TRUSTe couldn't provide other organizations the means to make such representations, such as through incorrect model privacy policy language.

The pact would also impose additional requirements on TRUSTe in its position as a safe harbor program under the FTC's COPPA Rule, 16 C.F.R. pt. 312. For 10 years, the organization would be required to provide detailed information about its COPPA-related activities in its annual report to the FTC and would also have to maintain comprehensive records about its COPPA safe harbor program activities.

“Each of these provisions represents an increase in the reporting requirements laid out under the COPPA rule for safe harbor programs,” the FTC said in its statement.

Comments on the proposed settlement are due by Dec. 20.

Partial Dissent From Ohlhausen

FTC Commissioner Maureen K. Ohlhausen issued a statement partially dissenting from the FTC's action against TRUSTe.

Ohlhausen supported the first count of the administrative complaint dealing with TRUSTe's annual certifications “because of TRUSTe’s unique position of consumer trust as a third party certifier.” However, she dissented from the second count, which addresses TRUSTe's corporate status, because she didn't support the theory that TRUSTe's recertification of inaccurate privacy policies gave its clients the “means and instrumentalities” to deceive.

“Because TRUSTe accurately represented its non-profit status to its clients, TRUSTe cannot be primarily liable for deceiving consumers under a means and instrumentalities theory,” Ohlhausen said. At most, TRUSTe's actions concerning its corporate status constituted aiding and abetting, she said.

But Ramirez, Brill and McSweeny said in their statement that “TRUSTe’s recertification of these inaccurate privacy policies is the conduct we take aim at—it provided a stamp of approval of a false representation which TRUSTe’s clients then passed along to consumers via their websites. As such, TRUSTe provided its clients with the means and instrumentalities to deceive others.”

Attorneys from the FTC represented the commission. Morrison & Foerster LLP represented TRUSTe.

With assistance from Joyce E. Cutler in San Francisco

To contact the reporter on this story: Katie W. Johnson in Washington at

To contact the editor responsible for this story: Barbara Yuill at

The proposed agreement containing consent order is available at

The proposed administrative complaint is available at

TRUSTe's blog post is available at

Ohlhausen's partial dissent is available at

The supporting statement of Ramirez, Brill and McSweeny is available at

