Rebecca Richards, Director of Compliance and Policy
This white paper articulates TRUSTe's recommendations for a safe harbor mechanism to protect consumer privacy. TRUSTe's mission – enabling individuals and organizations to establish trusting relationships based on respect for personal information throughout the network world – has been achieved through the enforcement of the fair information practices of notice, choice, access, security and redress. TRUSTe, a privacy seal and certification program founded in 1997, provides these recommendations to policymakers based on its experience with well over 3,000 companies over the last five years.
TRUSTe has long articulated a public policy for privacy protection that incorporates the strength of government oversight, the discipline of industry self-governance and the innovation of privacy-enhancing technology. A smart, focused approach to legislation that provides a framework for safe harbor may be the best way of ensuring this policy balance.
Our recommendations are presented in four sections:
TRUSTe views itself not only as an advocate for consumer protection, but also as a resource for policymakers who wish to understand the complexities of privacy issues.
As the U.S. Congress and state legislatures consider legislation on privacy, it is vitally important that the focus remain on providing strong protection for consumers. Notwithstanding the implementation difficulties (see below), the primary challenge in legislating privacy practices is ensuring that businesses view the law as a baseline of acceptable practices. The law must provide a floor of protection, not a ceiling.
The concept of a safe harbor within legislation is a self-regulatory regime that, if adhered to, will (1) place a company in compliance with the regulation; and (2) function as a defense in any enforcement action. An effective safe harbor works best when a seal program acts as a first line of defense. From an implementation perspective, safe harbors respond quickly to consumer complaints and send the industry a strong message about appropriate practices.
The second line of defense – the government – picks up where voluntary self-governing bodies leave off. For companies who refuse to abide by voluntary standards or demonstrate a repeated pattern of privacy violation, government oversight is a strong deterrent. For example, government intervention in combination with self-governance has been particularly effective in protecting privacy during the recent attempts on the part of Internet companies in bankruptcy proceedings to sell consumer data as part of their corporate assets.
Given the global and dynamic nature of the Internet and other data-gathering technologies, neither self-governance nor government oversight can do it alone. Government is ill-equipped to handle the daily complaints in a timely manner – it may take the EU Data Protection Authorities 12-24 months to resolve a case – and self-governing bodies are voluntary. Drawing on self-governance and government oversight together through the framework of a safe harbor can be extremely effective given the global and ever-changing nature of the Internet and other data-gathering technology.
TRUSTe has two safe harbor programs: 1) the Children's Online Privacy Protection Act (COPPA) Safe Harbor as developed by the Federal Trade Commission (FTC); and 2) the European Union Safe Harbor negotiated and established by the U.S. Department of Commerce. These two safe harbor programs adopt different approaches to implementing privacy guidelines/legislation. The successes and shortcomings of safe harbor programs experienced by consumers and industry provide valuable information to public policymakers seeking to integrate elements of these programs and to improve upon them.
Safe harbors implemented through seal programs provide a means for government to set baseline practices, monitor participant compliance, and resolve consumer disputes. Based on its experience with safe harbors, TRUSTe has found first that these programs must be sufficiently flexible to respond to market and technology changes. Second, the deliberations and the procedures of a seal program must be fully transparent, to ensure that consumers both understand and trust the protections. Finally, a seal program must offer to industry clear incentives that encourage participation.
The TRUSTe Safe Harbor programs provide licensees with guidance on how to implement privacy practices that comply with regulations (COPPA) or principles (EU Safe Harbor). Our extensive experience in working with businesses and with government agencies – the Federal Trade Commission, the Department of Commerce and the European Commission – serves as a valuable resource for TRUSTe Safe Harbor participants developing or modifying their data practices and privacy policies.
We find that many of our Safe Harbor program participants, in addition to using the services of lawyers and other counsel, rely upon the program for counsel and practical advice. Small and medium sized companies often rely upon TRUSTe's services in large part because they are less expensive than on-going legal counsel and they provide clear direction for implementing acceptable privacy practices.
In a 2002 Harris Survey, over 90% of consumers stated they would do more business with an organization whose practices were verified by a third party. The TRUSTe seal offers businesses an easy way to demonstrate this to consumers. It also gives companies a means to demonstrate to government that they are in compliance with the law or principles.
TRUSTe's ongoing monitoring efforts uncover minor concerns that require modification of the privacy statement. In each instance, once brought to the company's attention, these matters are quickly resolved.
The TRUSTe seal offers consumers an easily recognized guidepost indicating that a company is complying with a given law or set of principles. It provides additional assurances to the consumer that the company is having its practices verified by a third party.
Consumer dispute resolution is one of the most important services offered by TRUSTe Safe Harbor programs. The dispute resolution process can help identify real consumer concerns and give consumers a means of communicating those concerns to the company in question. The process provides a means for the company and the disaffected customer to rebuild a damaged relationship. Interestingly, however, overall TRUSTe finds that companies in the Safe Harbor programs receive fewer complaints from consumers. One reason may be that these organizations are diligent in ensuring that they remain in compliance with the program principles.
The FTC certifies all COPPA Safe Harbor programs through a lengthy and complicated process. The Safe Harbor and the FTC work closely together on this iterative process to ensure that the program is fully compliant with the COPPA regulations.
Companies are not required to join a Safe Harbor program and, because the FTC requires that seal programs largely echo the requirements of the statute, organizations have little incentive to join the Safe Harbor rather than comply directly with the rule.
An organization's participation in the EU Safe Harbor is premised on its self-certification of compliance with the Department of Commerce. The FTC or other appropriate federal agency has oversight in cases of non-compliance. The organization self-certifying must verify either internally or through a third party that its privacy practices and privacy statement are in compliance with the Safe Harbor principles. The organization is then required to participate in a third party dispute resolution program to ensure complaints are handled appropriately.
TRUSTe offers two services relating to the EU Safe Harbor:
On the basis of its experience developing and implementing Safe Harbor programs, TRUSTe has concluded that it is possible to create a safe harbor that provides the incentives necessary to have industry use it and to protect consumers' rights to take action against companies when their personal information is misused. Granting safe harbor status to approved privacy seal programs will increase the effectiveness and efficiency of any online privacy legislation for the following reasons:
To fulfill the goals of providing effective and efficient privacy protection, a safe harbor provision should include:
Copyright © 2005 by Center for Democracy and Technology.