Privacy Certification Gets Tougher

Companies that wish to display the Truste seal on their Web site--assuring a level of privacy protection--must demonstrate an increased level of privacy protection for customer data.

Truste is an organization composed of online-privacy advocates and companies, including AOL Time Warner, Intuit, and Microsoft. Its global privacy-certification program allows companies that are in accordance with the group's consumer protection policies to display the Truste seal.

Room for Improvement

Although the new requirements are an improvement on previous certification guidelines, some privacy advocates are still skeptical. Truste and its member companies are really just playing catch-up to recent Federal Trade Commission rulings, says Chris Hoofnagle, legislative counsel at the Electronic Privacy Information Center.

Recently, the FTC has taken action in several cases to emphasize the need for online security and privacy. It accused Microsoft of misrepresenting aspects of its Passport service. It chided Eli Lilly for lax security practices that compromised consumer data, and criticized American Student List for improperly selling information collected from high school students. According to Hoofnagle, all those motions have raised the bar on consumer online-privacy protections.

Those rulings, more than Truste's guidelines or those of other seal organizations, create what Hoofnagle calls a "common law of privacy" on which future enforcement actions can be taken by organizations like the FTC.

Seeking Advice

Less clear is where chief security officers should look for reliable information on best practices to protect customer and employee data collected on their own Web sites.

Hoofnagle recommends that CSOs look to the Organization for Economic Cooperation and Development's privacy guidelines and statements about fair information practices. Canada's online consumer protection laws could also serve as a good guide. Both are strong and comprehensive.

While the FTC says it supports the work of seal programs like Truste, it doesn't endorse any particular program.

"The FTC hasn't taken a position on the specific policies of an organization. We do not comment on the specifics of seal programs," says Toby Levin, an FTC attorney.

However, CSOs who abide by the precepts of a seal program are likely to stay in good stead on the privacy front, as Levin acknowledges that the certification requirements of programs like Truste often exceed what is required by law.