Truste tightens requirements for its seal of approval

Computerworld - WASHINGTON -- A leading privacy seal group, Truste, has toughened its privacy seal licensing requirements as well as its ability to monitor the privacy practices of Web sites that display its seal.
One key change requires businesses to adhere to user preferences for no less than 12 months before changing them. The intent is to give customers certainty that their privacy practices won't change soon after they choose them.
Another licensing change closes a loophole that allowed a small number of companies to share personal data to third-party marketing firms without giving customers the ability to opt-out of that data sharing.
Truste is also using technology developed by Watchfire Corp. in Waltham, Mass., that uses automated agents, Web crawlers, to examine Web sites' privacy practices for compliance to their privacy policies. Truste officials believe they will learn of possible problems earlier than they would through annual reviews.
Fran Maier, executive director of San Francisco-based Truste, said the licensing changes, as well as the monitoring effort, "are really sending the message that we take enforcement compliance seriously, that we have teeth."
Truste "has been steadily raising its standards," said Ari Schwartz, associate director for the Center for Democracy and Technology in Washington. All Truste initially required of companies was that they follow their privacy policies. But that left companies free to treat customer information as they saw fit, he said.
"I think companies that commit to this are raising the bar for the industry," said Schwartz, adding that the changes aren't a substitute for privacy legislation. "We still need a baseline law."
Esther Dyson, the chairwoman of EDventure Holdings, who served as chairwoman of the Electronic Frontier Foundation at the time it co-founded Truste, said in an e-mail interview the changes are "a good step in the right direction. I think they mean Truste is putting everyone on notice -- members included -- that it realizes it needs to use its teeth in order for people to believe they are there. In the long run, its members want it to have credibility too."
Truste's license requires that people be able to opt out on third-party information-sharing, but the licensing change sets some limits on how that works. Companies are required to provide consumers with a choice to opt out before sharing their personal information, unless the entity is part of third-party service relationship, such as the shipper for a retailer.
But some companies defined their primary service relationships as marketing and used that as a vehicle to share customer data with anyone. "It wasn't something that we were necessarily allowing before, but we found a loophole that we had to close," said Maier.
Mike Weider, founder and chairman of Watchfire, said the company's systems will check a Web site and look for potential compliance problems. For instance, a company's privacy policy may say it doesn't have third-party cookies. But sometimes when new forms and programs are added to a Web site, a third-party cookie may be unintentionally added, too.
One corporate user said seal programs can help companies in two significant ways.
Mel Peterson, chief privacy officer at consumer giant Procter & Gamble Co. in Cincinnati, uses the Better Business Bureau privacy seal program. Going through the process of applying for a seal is "a good way for a company to get up to speed quickly on what needs to be done" in privacy compliance.
But Peterson said there is a "significant subset" of consumers who do put some weight behind seeing an independent seal.