Firms develop privacy seal of approval

That is the sentiment driving a budding privacy assurance program for Net and e-commerce sites called WebTrust.

The WebTrust "seal" was developed by the Canadian Institute of Chartered Accountants and the American Institute of Certified Public Accountants (AICPA), which has more than 330,000 members, including "Big Five" accounting firms such as PricewaterhouseCoopers.

Broader in scope than the better-known TRUSTe initiative, WebTrust is administered by accountants who do on-site audits of Net companies' e-commerce security systems, customer satisfaction records, transaction integrity, and compliance with privacy policies, such as not selling Net surfers' personal information without permission.

"We make sure that transaction security is up to snuff, and if a site is going to use consumers' private information, they have to get permission to do that and it has to be disclosed," said Anthony Pugliese, director of assurance services for AICPA.

The cost for a WebTrust seal will range from $5,000 to $100,000 per year depending on the site's amount of business. The accounting houses will then check in every 90 days to ensure that Net firms are up to compliance with all terms of the seal program. If not, a company's seal could be revoked.

But like all industry self-regulation plans, that penalty is only effective if consumers are trained to look for the seal and then refuse to do business with companies unless they carry it.

For now, only 18 sites carry the WebTrust seal, including E*Trade and Bell Canada. This week, WebTrust announced that it has signed agreements with the Institutes of Chartered Accountants in England, Wales, Scotland, and Ireland to offer the program.

"The onsite audit gives the customer third-party independent assurance. WebTrust is the only one that is this comprehensive," said Everett Johnson, a partner at Deloitte & Touche who set up E*Trade's seal and who chairs the AICPA WebTrust committee.

International partners will likely help spread the program, which has been slow to catch on. But a bigger boost could come from the heightened concerns this week about Wintel users' privacy, as well as a looming conflict over how U.S. businesses safeguard European citizens' data.

This week also marked the beginning of a sweep to monitor sites' privacy policies, which is being conducted by professor Mary Culnan of Georgetown University's McDonough School of Business, who will submit her report to the Federal Trade Commission.

Many sites, especially online storefronts, gather shoppers' names, addresses, credit card numbers, and a wide range of sensitive data that people want kept under lock and key. To stave off new laws, the Net industry has scrambled to adopt adequate consumer data collection guidelines.

"We think it's good to have a wide range of these seal programs out there that have consumer trust backgrounds," said Ari Schwartz, a policy analyst for the Center for Democracy and Technology. "But we have to worry about the general baseline for Net companies that aren't involved and how they can be brought in line."

In general, major Web sites have privacy programs, but industry programs have hardly been adopted across the Net. And TRUSTe is the only seal that is fully up and running. The Better Business Bureau Online has promised to launch its eagerly awaited program by next week.

WebTrust's program is not 100 percent complete, either. For example, WebTrust is still hammering out its final consumer redress policy. So far, the plan is that companies have a plan for accepting consumer complaints, and WebTrust may step in with an arbitration system for consumers who don't feel they got adequate redress.

Ernst & Young and TRUSTe today released a white paper calling for on-site, third-party verification for sites that collect extremely sensitive personal information.

But WebTrust already does that and is banking on firms' faith in their accountants to expand participation.

"We think information technology is a leading area that CPAs need to get involved in," Pugliese said. "Based on all the skill sets we possess, we are independent and objective. We can provide the best yardstick for privacy."