CNET también está disponible en español.

Ir a español

Don't show this again

Internet

TRUSTe marks down privacy labels

The online privacy and e-commerce advocacy group is overhauling its "trustmarks" program designed to let surfers know how Web sites will use their personal information.

    The online privacy and e-commerce advocacy group, TRUSTe, is overhauling its "trustmarks" program, which is designed to let surfers know how Web sites will use their personal information.

    When TRUSTe (formerly eTRUST) unveiled its program in June, there were three trustmarks sites could use to inform visitors of their privacy policy and data collection practices. A mark labeled "No Exchange" indicated that no personally identifiable information would be collected by the site; "One-to-One" meant the site itself would collect and use personal data but not share it with others; and "3rd Party" notified users that the Web site may give personal data to others.

    However, TRUSTe now has abandoned the three marks in exchange for one simple label, similar to the "Good Housekeeping seal of approval."

    The change comes after the group faced tough questions regarding the effectiveness of the self-regulatory program during the Federal Trade Commission's summer workshop about Net privacy concerns.

    TRUSTe also is hoping that the shift to a less complex system will lead to the widespread use of its mark. Like many self-regulatory efforts in this area, the overall goal is to build consumer confidence in the online marketplace--and avert regulation--by increasing disclosure of personal data collection practices.

    "It's hard enough to brand one mark, not to mention two or three," Susan Scott, executive director for TRUSTe, told CNET's NEWS.COM. "The vast majority of Web sites don't even have a privacy policy, so this may be how we get them to take this baby step forward."

    Another aim of the alteration is to make it easier for consumers to recognize the mark. That way, surfers will be more inclined to access a site's privacy policy via its trustmark. "It would take too long to teach them what the three marks mean," Scott added. "We were getting caught up in our own world and not thinking about what this meant to 'Joe America.'"

    But TRUSTe says it's not abandoning the principles behind the original trustmarks. When a surfer goes to a "TRUSTed" site, the mark should be on the home page. It may also appear every place a site requests a user's name, sex, income, address, or a slew of other personal details.

    Upon clicking on the mark, the user is taken to the company's privacy policy page, which is hosted by TRUSTe. The policy will still indicate which of the three categories a site falls under in its data collection practices. Licensed TRUSTe members also must disclose whether they have an opt-out policy, meaning a visitor doesn't have to forfeit certain information in order to receive the site's services or content.

    During the FTC workshop, former commissioner Christine Varney criticized parts of the TRUSTe requirements for being too weak. She pushed the group to require that licensed sites offer an opt-out feature, for example.

    TRUSTe argued that if its prerequisites are too stringent, companies might be reluctant to sign on. For now, surfers' market choices should raise the bar, Scott contended. But TRUSTe's strategy is to add new requirements in time, and companies will have to adhere to them when renewing their TRUSTe license.

    "Privacy is not just black and white; it is a value that has different meaning to different people. We want people to be able to make an informed decision about who they do business with," Scott said. "The trustmark is helping to build a relationship between the customer and the Web site."

    Companies that sign a contract agreeing to TRUSTe's policies must pay an annual fee to renew their mark. The fee ranges from $500 per year for companies with under $10 million in annual revenue to $5,000 per year for those with more than $100 million in annual revenue. TRUSTe also audits the sites once a year and responds to consumer complaints of noncompliance.

    In some cases, the group visits sites and submits "unique identifiers" as personal information. Then the data is tracked to see if it is used for purposes outside of the sites' privacy policy. A discovered violation is considered a broken contract, so TRUSTe could sue or simply drop the site from the program.

    Those who have signed up to use the trustmarks and/or promote them to customers include Excite, Netcom, Lands' End, Wired, and high-tech firms AT&T, CyberCash, IBM, Tandem, Oracle, and Netscape Communications.

    TRUSTe isn't the only group trying to ward off new laws regarding the online collection of personal data. Other programs or technologies are also pushing their proposals.

    Netscape, Firefly Network, VeriSign, and other leading Net technology providers have proposed the Open Profiling Standard (OPS), which would let users store personal data on their PC hard drives and then decide whether to disclose that data to individual Web sites they visit.

    Not everyone considers OPS a privacy protection system. At the FTC workshop, some privacy advocates slammed the OPS as a "privacy extractor" that actually entices consumers to give up more information.

    Other organizations use Web site seals to ensure surfers that a company is legitimate, besides pledging certain privacy protections. For example, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants yesterday launched the CPA WebTrust. Sites that use the seal must describe their e-commerce transaction security measures and guarantee that customers' personal data will not be passed on to third parties.

    "Unlike other services, CPA WebTrust is the only offering that combines privacy, security, and sound business practices--the only one that provides independent third-party verification by a CPA with the report available to anyone who clicks on the CPA WebTrust seal," said Everett Johnson, chairman of the AICPA's Electronic Commerce Task Force.