Back to www.cdt.org                    
  IMAGE MAP
CDT's data privacy page
Considering Consumer Privacy

A Safe Harbor Approach To Privacy: TRUSTe Recommendations

Rebecca Richards, Director of Compliance and Policy
TRUSTe

A Safe Harbor Approach To Privacy: TRUSTe Recommendations [pdf]

This white paper articulates TRUSTe's recommendations for a safe harbor mechanism to protect consumer privacy. TRUSTe's mission enabling individuals and organizations to establish trusting relationships based on respect for personal information throughout the network world has been achieved through the enforcement of the fair information practices of notice, choice, access, security and redress. TRUSTe, a privacy seal and certification program founded in 1997, provides these recommendations to policymakers based on its experience with well over 3,000 companies over the last five years.

TRUSTe has long articulated a public policy for privacy protection that incorporates the strength of government oversight, the discipline of industry self-governance and the innovation of privacy-enhancing technology. A smart, focused approach to legislation that provides a framework for safe harbor may be the best way of ensuring this policy balance.

Our recommendations are presented in four sections:

TRUSTe views itself not only as an advocate for consumer protection, but also as a resource for policymakers who wish to understand the complexities of privacy issues.

Overview

As the U.S. Congress and state legislatures consider legislation on privacy, it is vitally important that the focus remain on providing strong protection for consumers. Notwithstanding the implementation difficulties (see below), the primary challenge in legislating privacy practices is ensuring that businesses view the law as a baseline of acceptable practices. The law must provide a floor of protection, not a ceiling.

The concept of a safe harbor within legislation is a self-regulatory regime that, if adhered to, will (1) place a company in compliance with the regulation; and (2) function as a defense in any enforcement action. An effective safe harbor works best when a seal program acts as a first line of defense. From an implementation perspective, safe harbors respond quickly to consumer complaints and send the industry a strong message about appropriate practices.

The second line of defense the government picks up where voluntary self-governing bodies leave off. For companies who refuse to abide by voluntary standards or demonstrate a repeated pattern of privacy violation, government oversight is a strong deterrent. For example, government intervention in combination with self-governance has been particularly effective in protecting privacy during the recent attempts on the part of Internet companies in bankruptcy proceedings to sell consumer data as part of their corporate assets.

Given the global and dynamic nature of the Internet and other data-gathering technologies, neither self-governance nor government oversight can do it alone. Government is ill-equipped to handle the daily complaints in a timely manner it may take the EU Data Protection Authorities 12-24 months to resolve a case and self-governing bodies are voluntary. Drawing on self governance and government oversight together through the framework of a safe harbor can be extremely effective given the global and ever-changing nature of the Internet and other data gathering technology.

TRUSTe has two safe harbor programs: 1) the Children's Online Privacy Protection Act (COPPA) Safe Harbor as developed by the Federal Trade Commission (FTC); and 2) the European Union Safe Harbor negotiated and established by the U.S. Department of Commerce. These two safe harbor programs adopt different approaches to implementing privacy guidelines/legislation. The successes and shortcomings of safe harbor programs experienced by consumers and industry provides valuable information to public policymakers seeking to integrate elements of these programs and to improve upon them.

Recommendations for Safe Harbors

Safe harbors implemented through seal programs provide a means for government to set baseline practices, monitor participant compliance, and resolve consumer disputes. Based on its experience with safe harbors, TRUSTe has found first that these programs must be sufficiently flexible to respond to market and technology changes. Second, the deliberations and the procedures of a seal program must be fully transparent, to ensure that consumers both understand and trust the protections. Finally, a seal program must offer to industry clear incentives that encourage participation.

Recommendations for Implementing an Effective Safe Harbor:

  1. Create a flexible system that allows safe harbor programs to respond to business model changes.
    • Allow appropriate government agencies to recognize safe harbors based upon general principles, dispute resolution and enforcement procedures.
    • Develop principles that regulate the use of technology rather than technology itself. This will have the net effect of addressing the issues without slowing down innovation or possibly outlawing empowering technology (such as cookies).
  2. Create incentives for companies to join seal programs/safe harbor.
    • Include specific language to highlight that by joining a safe harbor, government regulators will assume that companies are compliant with the statute. This provides companies with the incentive of decreased compliance costs and less legal liability.
    • Levy fines on companies that violate the statute, but reduce significantly or eliminate the fines for safe harbor participants.
  3. Provide for strong enforcement action for both the seal programs and the appropriate federal agency when a company is out of compliance with the safe harbor program or the law.
    • Create a mechanism for transferring information between the safe harbor programs and the appropriate federal agency enforcing the law.
    • Create a standard by which the appropriate federal agency may step in if there is imminent danger to a consumer or group of individuals before the safe harbor program has completed its investigation.
    • Create strong legal protections against defamation suits filed by companies that are found not in compliance with a seal program.
  4. Increase consumer awareness of safe harbor programs.
    • Federally fund consumer education initiatives to brand safe harbors.

Analysis of Safe Harbors the TRUSTe Experience at One Year

What the TRUSTe Safe Harbors Offer Business

The TRUSTe Safe Harbor programs provide licensees with guidance on how to implement privacy practices that comply with regulations (COPPA) or principles (EU Safe Harbor). Our extensive experience in working with businesses and with government agencies the Federal Trade Commission, the Department of Commerce and the European Commission serves as a valuable resource for TRUSTe Safe Harbor participants developing or modifying their data practices and privacy policies.

We find that many of our Safe Harbor program participants, in addition to using the services of lawyers and other counsel, rely upon the program for counsel and practical advice. Small and medium sized companies often rely upon TRUSTe's services in large part because they are less expensive than on-going legal counsel and they provide clear direction for implementing acceptable privacy practices.

In a 2002 Harris Survey, over 90% of consumers stated they would do more business with an organization whose practices were verified by a third party. The TRUSTe seal offers businesses an easy way to demonstrate this to consumers. It also gives companies a means to demonstrate to government that it is in compliance with the law or principles.

TRUSTe's ongoing monitoring efforts uncover minor concerns that require modification of the privacy statement. In each instance, once brought to the company's attention, these matters are quickly resolved.

What TRUSTe Safe Harbors Offer Consumers

The TRUSTe seal offers consumers an easily recognized guidepost indicating that a company is complying with a given law or set of principles. It provides additional assurances to the consumer that the company is having its practices verified by a third party.

Consumer dispute resolution is one of the most important services offered by TRUSTe Safe Harbor programs. The dispute resolution process can help identify real consumer concerns and give consumers a means of communicating those concerns to the company in question. The process provides a means for the company and the disaffected customer to rebuild a damaged relationship. Interestingly, however, overall TRUSTe finds that companies in the Safe Harbor programs receive fewer complaints from consumers. One reason may be that these organizations are diligent in ensuring that they remain in compliance with the program principles.

Children's Online Privacy Protection Act Safe Harbor

The FTC certifies all COPPA Safe Harbor programs through a lengthy and complicated process. The Safe Harbor and the FTC work closely together on this iterative process to ensure that the program is fully compliant with the COPPA regulations.

Companies are not required to join a Safe Harbor program and, because the FTC requires that seal programs largely echo the requirements of the statute, organizations have little incentive to join the Safe Harbor rather than comply directly with the rule.

Benefits

Drawbacks

EU Safe Harbor

An organization's participation in the EU Safe Harbor is premised on its self-certification of compliance with the Department of Commerce. The FTC or other appropriate federal agency has oversight in cases of non-compliance. The organization self-certifying must verify either internally or through a third party that its privacy practices and privacy statement are in compliance with the Safe Harbor principles. The organization is then required to participate in a third party dispute resolution program to ensure complaints are handled appropriately.

TRUSTe offers two services relating to the EU Safe Harbor:

  1. For Web sites, TRUSTe provides verification and third party dispute resolution; and
  2. For organizations that collect information through sources other than the Web, TRUSTe provides third party dispute resolution.

Benefits

Drawbacks

Conclusion

On the basis of its experience developing and implementing Safe harbor programs, TRUSTe has concluded that it is possible to create a safe harbor that provides the incentives necessary to have industry use them and to protect consumers' rights to take action against companies when their personal information is misused. Granting safe harbor status to approved privacy seal programs will increase the effectiveness and efficiency of any online privacy legislation for the following reasons:

To fulfill the goals of providing effective and efficient privacy protection, a safe harbor provision should include:


Free Speech | Data Privacy | Government Surveillance | Cryptography | Domain Names | International | Bandwidth | Security | Internet Standards, Technology and Policy Project | Terrorism | Authentication | Right to Know | Spam
Navigation bar
Our Mission / Get Involved / Staff / Publications / Links / Search CDT / Jobs / Action!
Previous Headlines | Legislative Tracking | CDT's Privacy Policy
  The Center For Democracy & Technology
1634 Eye Street NW, Suite 1100
Washington, DC 20006
(v) 202.637.9800
(f) 202.637.0968
Contact CDT

Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.

CDT Mission Get Involved Staff Policy Posts Resource Library Search the Site Jobs Take Action