The Federal Trade Commission announced that it settled charges with privacy certification body True Ultimate Standards Everywhere, Inc., popularly known as TRUSTe, regarding allegations that the organization deceived consumers with false and misleading statements relating to the privacy assessment and certification services it provides online businesses, mobile apps and similar operators. The FTC also alleged TRUSTe was deceptive in allowing itself to be characterized as a non-profit by its certified clients, even after TRUSTe began operating for-profit in 2008. Under a proposed settlement, TRUSTe will pay the FTC $200,000, refrain from future misrepresentations, and take on a decade’s worth of FTC reporting obligations.
TRUSTe provides (among other things) privacy assessment and certification services, which are used in the online and mobile-app ecosystems to assure consumers (and regulators) that certified companies’ practices satisfy various privacy standards, including the Children’s Online Privacy Protection Act (COPPA) and U.S.-E.U. Safe Harbor Framework. Companies that satisfy TRUSTe’s Program Requirements may display TRUSTe Privacy Seals on their website(s) or app(s). TRUSTe tests and verifies its clients’ compliance with the Program Requirements via scanning technology, client interviews, document collection, and manual testing and review of client websites and mobile apps. Under this regime, TRUSTe represents to the marketplace that businesses displaying its click-to-verify Certified Privacy Seals have a “commitment to privacy protection, instilling confidence and trust in users.”
Yet according to the FTC, from 2006 until early 2013, TRUSTe failed in over 1,000 cases to conduct annual recertification reviews that are integral to its Program Requirements. The recertifications are intended to review privacy sealholders annually to identify (for example) any material changes to their privacy policies, including new or expanded collection/uses of personal information; changes in company ownership or business model; and compliance with external third-party program requirements, like COPPA or the Safe Harbor. Further, the FTC claimed, TRUSTe recertified companies even if they continued to erroneously state in privacy policies that TRUSTe was a non-profit after it became for-profit in July 2008. Such recertifications, according to the FTC, furnished “means and instrumentalities” necessary to deceive third parties on TRUSTe’s non-profit/for-profit status.
While the FTC unanimously approved the settlement, Commissioner Maureen Ohlhausen filed a partial dissent taking issue with the “means and instrumentalities” charge. Commissioner Ohlhausen noted that liability for deception via means and instrumentalities requires “that the party itself must make a misrepresentation,” or that it “passes on a false or misleading representation with knowledge or reason to expect that consumers may possibly be deceived as a result.” The dissent noted that TRUSTe stopped requiring clients to list it as a non-profit after July 2008, and instead alerted clients to the change, actively encouraging them to update their privacy policies accordingly. And while TRUSTe did recertify clients that inaccurately listed it as a non-profit, TRUSTe truthfully represented its for-profit nature by “clearly communicat[ing] its for-profit status to clients” and requesting that they update their privacy policies. But the Chairwoman and other Commissioners were not persuaded, finding TRUSTe “could have elected simply not to recertify the companies in question until the misrepresentation was cured.”
In any event, the enforcement action against TRUSTe demonstrates that even those “entrusted” with assuring privacy compliance by others must themselves remain accurate and forthright in their public representations. As part of the proposed settlement, TRUSTe will pay $200,000 to the U.S. Treasury as disgorgement, and is prohibited from misrepresenting both its recertification processes and its for-profit status in the future. For the next 10 years, TRUSTe must also provide records and annual reports to the FTC regarding its COPPA certification program. In the annual reports, TRUSTe must declare the number of Certified Privacy Seals issued to participants in any COPPA safe harbor program, and explain the mechanisms of how TRUSTe assesses new and renewal applicants seeking membership. Each of these provisions represents an increase in reporting requirements laid out under the COPPA rule for safe harbor programs.