The FTC recently settled a charge with True Ultimate Standards Everywhere, Inc. (“TRUSTe”) alleging that the internet privacy certification company deceived consumers about its recertification program, as well as misrepresented itself as a non-profit entity when, in fact, it had converted to a for-profit company. TRUSTe is a well-known internet privacy watchdog. Its seal is recognized as connoting a safe place for a consumer to conduct an on-line transaction. As set forth on TRUSTe’s website “[i]f you see a TRUSTe seal on that policy, you can be confident that website is transparent about its privacy practices and respects your online privacy. And if you have a privacy concern with any site that displays our privacy seal, TRUSTe will help you resolve them promptly.”
According to the FTC complaint, TRUSTe misrepresented the frequency of TRUSTe seal recertification. Specifically, the complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertification over 1,000 times, despite making statements that companies holding TRUSTe Certified Privacy Seals were recertified annually. FTC also alleged that in the time since TRUSTe converted from a not-for-profit to a for-profit company, it did not require its customers to update references to TRUSTe’s nonprofit status on their websites.
The terms of the TRUSTe consent decree are not modest. In avoiding a court battle, TRUSTe has accepted a laundry list of terms from the FTC. It agrees not to misrepresent its certification procedures or the time periods for recertification. It also agrees to be transparent about its for-profit status.
In keeping with a trend in FTC consent decrees, much of the meat in the order is in the future regulatory oversight TRUSTe can expect from FTC. TRUSTe agreed, in its role as a COPPA safe harbor, to provide detailed information about its COPPA-related activities in its annual filing to the FTC, as well as maintaining comprehensive records about its COPPA safe harbor activities for ten years. These requirements will likely bring with them significant cost and administrative burden. On top of the reporting and other requirements, TRUSTe will also pay a $200,000.00 penalty.
This consent decree is another in a line of FTC settlements that (1) target alleged misrepresentations to consumers about their privacy; (2) come with heavy reporting and follow up administrative burdens entangling the company with the FTC for years to come; and (3) also carry a significant financial penalty.
The lesson? Check your privacy policies, notices and other representations to consumers and employees. Are they 100% accurate? That is, are you doing what the policies say you are doing? If not, it’s time to amend your policies (or your practices) before the FTC knocks on your door.