The Wayback Machine - https://web.archive.org/all/20060209030713/http://www.truste.org:80/requirements.php

TRUSTe Program Requirements

General Web Privacy Program Requirements

Children's Privacy Seal Program Requirements

eHealth Privacy Seal Program Requirements

EU Safe Harbor Privacy Seal Program Requirements

(New!) Email Privacy Seal Program Requirements


ALL TRUSTe®-licensed sites must provide:

User controls, including:

  • An email unsubscribe function
  • An opt-out function limiting the sharing of personally identifiable information (PII) with outside parties
  • Access management permitting users to update stored PII or have it changed by the Licensee

Security measures, ensuring:

  • Secure Sockets Layer (SSL), or other comparable technology, that encrypts pages collecting sensitive information such as credit card numbers

A complaint resolution process, providing:

  • Comprehensive contact information for appropriate Web site employees
  • A link to the TRUSTe Watchdog site for third-party dispute resolution

A privacy statement, including the following disclosures:

  • What PII is collected and how it will be used
  • Identity of the party collecting PII
  • Whether PII is shared with third parties
  • The use of any tracking technology
  • Whether PII is supplemented with information from other sources
  • Choice options available to consumers
  • How consumers can access PII they have provided
  • That there are security measures in place
  • Procedures for filing and addressing consumer complaints

In addition, the privacy statement must:

  • Be linked from the home page and from every page where PII is collected
  • Bear the TRUSTe "Click to Verify" link so consumers know whether the company is a TRUSTe licensee or not

Specific Seal Program Requirements
TRUSTe's Children's Privacy Seal, eHealth Privacy Seal, and EU Safe Harbor Seal have requirements in addition to those of the general Web Privacy Seal:


Children's Privacy Seal Program Requirements

User controls for parents, including:

  • Verifiable parental consent for collection, use or sharing of children's personal information
  • Parental access to personal information collected from their child online
  • Ability to require that the site stop collecting personal information from the child

Prohibited practices include:

  • Using games, prizes, or other enticements to encourage children to divulge more personal information than is reasonably necessary for an online activity
  • Allowing children to publicly distribute personal information on the Web site through avenues such as message boards or chat rooms
  • Conditioning access to the site on a child's providing more personal information than is reasonably necessary

A privacy statement, including the following:

  • A procedure for exercising parental consent, choice and access to children's personal information
  • Disclosure of the names, addresses, telephone numbers and email addresses of all parties collecting or maintaining children's personal information on the site
  • Disclosure of any sharing of children's personal information with third parties, including with whom and why

eHealth Privacy Seal Program Requirements

User controls, including:

  • Explicit consent or opt-in for use of personal health information, for purposes other than the purpose for which it was collected
  • A process by which individuals can opt out of online directories

Accountability practices, including:

  • Agreements that hold partners to the same or higher standards of privacy for personal health information

A privacy statement, including the following disclosures:

  • Any passive tracking mechanisms, like cookies, that link personal health information
  • Whether personal health information is shared with third parties, and if so, descriptions of those parties and how they will use the information
  • Whether the site supplements personal health information with data from other sources

EU Safe Harbor Privacy Seal Program Requirements

User controls, including:

  • Ability to limit sharing of personal information with third parties
  • Ability to correct, amend or delete personal information collected within 30 days, or notification of a timeline in which to do so

Email Privacy Seal Program Requirements

The email privacy seal certifies the email practices of website owners and ensures that you will only get the email you ask for from our sealholders, and that your email address will not be shared with anyone without your consent.

TRUSTe Email Privacy Sealholders are all required to provide:

User controls, including:

  • Consent for receiving any commercial or promotional email
  • An affirmative opt-in function for sharing of personally identifiable information (PII) with outside parties
  • Access management permitting users to update stored PII or have it changed by the Licensee

Disclosures on any page collecting email (and in the privacy statement) regarding:

  • The nature of email messages to be sent
  • Whether receiving commercial or promotional email is a condition of receiving a service
  • Any sharing of email addresses with third parties other than service providers

An unsubscribe function must be included in all commercial or promotional email messages. It must be:

  • Clear, conspicuous, and easily understood
  • Easy to use: as close to a "one-click" process, such as selecting a URL, as possible
  • Effective within 10 days
  • Functional for 30 days following the sending of the message
  • Unsubscribe requests must never expire
  • Flexible in processing requests via alternate media (telephone, email or mail)

A complaint resolution process, providing:

  • Comprehensive contact information for appropriate Web site employees
  • A link to the TRUSTe Watchdog site for third-party dispute resolution

Mail infrastructure and technology accountability:

  • Bounces and other replies must be reliably processed; bounces may not exceed 10% of all messages sent
  • Outbound email servers must have valid reverse DNS entries
  • Creation and maintenance of standard role email accounts, including abuse and postmaster
  • Registration with abuse.net and maintenance of accurate Whois database information
  • Due diligence to ensure that clear and conspicuous notice was provided, and relevant consent obtained, if email addresses were obtained from a third party



 

© 1997 - 2006 TRUSTe. All Rights Reserved.