TRUSTe TRANSPARENCY REPORT: 2013

TRUSTe Inc.
835 Market Street, Suite 800
San Francisco, CA 94103
888.878.7830
www.truste.com

Published May 2014

Page 1: TRUSTe Transparency Report 2013


TRUSTe Transparency Report 2013 2

Contents

Letter from our CEO ............ 3
2013: Year in Review ............ 5
TRUSTe Data Privacy Management Solutions
  I) Privacy Assessments ............ 6
  II) Privacy Certifications ............ 7
    A. TRUSTed Websites and TRUSTed Websites Basic ............ 7
    B. TRUSTed Cloud ............ 7
    C. TRUSTed Apps and Mobile Sites ............ 7
    D. TRUSTed Data ............ 8
    E. TRUSTed Smart Grid ............ 8
    F. APEC Privacy ............ 8
    G. Children’s Privacy ............ 9
    H. EU Safe Harbor ............ 9
    I. EDAA ............ 9
  III) Monitoring Services & Compliance Controls ............ 9
    A. Website Monitoring ............ 9
    B. TRUSTed Ads ............ 10
    C. TRUSTed Consent Manager ............ 10
TRUSTe Certification Operations Review
  A. TRUSTe Certification Program Requirements ............ 11
  B. TRUSTe Certification Process ............ 13
  C. Consumer Dispute Resolution ............ 14
TRUSTe Privacy Research and Education Series ............ 18
Appendices
  Appendix A — TRUSTe Privacy Program Requirements ............ 20
  Appendix B — TRUSTe EU Safe Harbor Assessment Program (2009–2013) ............ 20
  Appendix C — TRUSTe Children's Privacy Program (2009–2013) ............ 20
  Appendix D — TRUSTe Consumer Dispute Resolution (2009–2013) ............ 21
  Appendix E — Consumer Feedback to the TRUSTe Dispute Resolution Process ............ 24


Letter from our CEO

We are pleased to provide you with TRUSTe’s 2013 Transparency Report, describing how our data privacy management platform helped companies power trust, drive engagement and ensure privacy compliance in 2013.

2013 was the year when revelations about US government surveillance programs, and the ensuing media coverage, forced privacy into the mainstream consciousness. Along with the public awareness and outrage came concern from European regulators about data transfers between Europe and the US. Even though privacy was ultimately excluded from trans-Atlantic trade talks, concerns over international data transfers persist — as seen with the ongoing negotiations to revise the US–EU Safe Harbor Agreement.

And yet, recent TRUSTe research shows that consumers remain more concerned with data collection by business than with government surveillance.[1] Certainly, this is one of the reasons why privacy became an even bigger business concern in 2013.

For many companies, a significant challenge is that privacy, like technology, is constantly changing — further complicating compliance obligations across multiple jurisdictions.

In 2013, regulatory action and industry efforts drove many of the changes in the data privacy landscape. The FTC issued a comprehensive update to its Children’s Online Privacy Protection Act (COPPA) rules, resulting in significant changes to TRUSTe’s Children's Privacy Program. The Department of Commerce’s NTIA division conducted a stakeholder proceeding, in which TRUSTe and others participated, that resulted in a standard for mobile privacy transparency. California passed several updates to its online privacy laws, including new requirements around Do Not Track disclosures and advertising to minors. The Digital Advertising Alliance issued guidelines to companies involved in targeting ads to consumers on their mobile devices.

TRUSTe continued to monitor all of these developments in 2013 and incorporated the necessary requirements into our programs, while working with clients to help them achieve compliance with new standards. We sustained our focus on technology, including the development of advanced monitoring services and compliance controls such as our Website Monitoring Service, TRUSTed Ads OBA Preference Management Controls, and TRUSTed Consent Manager. These technologies give clients a comprehensive view of first and third party activity on their online properties at any given time, and in 2013 we performed over 172,000 website scans on over 18 million web pages.

We continued to see growth in our certification business, helping over 7,600 online properties safely collect and use personal information in compliance with TRUSTe’s Program Requirements. Also in 2013, our Consumer Dispute Resolution Service processed over 8,700 consumer complaints.

We continued our involvement in the development of global privacy frameworks in 2013, most notably the Asia-Pacific Economic Co-operation (APEC) Cross Border Privacy Rules (“CBPR System”), which has been approved by all 21 APEC Economies including China, Japan, Korea and the United States. TRUSTe was approved as the first-ever APEC Accountability Agent in June 2013, allowing us to certify companies under TRUSTe’s APEC Privacy Program, which is based on the APEC-CBPR System.

As speculation continued around proposed data protection rules in Europe, TRUSTe worked with clients to address today’s compliance challenges in the EU. This included helping clients comply with different standards for notice, consent, and control under the laws enacted in response to the EU’s Cookie Directive. We also worked with the European Digital Advertising Alliance (EDAA) to become an approved provider under the EDAA Trust Seal Certification Program. And together with Promontory Financial, we developed a BCR Management Program, designed to help businesses prepare for approval of their Binding Corporate Rules, or BCRs.

[1] See: TRUSTe Research Reveals More Consumers Concerned about Business Data Collection than Government Surveillance, available at: http://www.truste.com/about-TRUSTe/press-room/news_us_truste_reveals_consumers_more_concerned_about_data_collection

Finally, in 2013, we re-affirmed our commitment to privacy research and education with the launch of a new ‘Powering Trust’ event series in the US and the UK. At these events, we shared findings from our latest independent research into consumer attitudes to privacy and what this means for businesses. Now in its fifth year, this research series offers a valuable barometer of consumer confidence, business impact and recommended business practices.

Thanks for taking the time to read our 2013 Transparency Report, and to learn more about TRUSTe and our business.

Sincerely,

Chris Babel, CEO


2013: Year in Review

In 2013:

• TRUSTe certified 7,610 online properties representing approximately 5,000 clients.
• Our Consumer Dispute Resolution Service processed 8,729 consumer complaints.
• And our Website Monitoring Solution completed over 172,000 website scans, identifying and scoring privacy risk for over 19,000 third party trackers.

A chart illustrating the number of TRUSTe certified properties is provided below:

TRUSTe Certified Properties (2009 — 2013)
[Chart: number of web and mobile properties certified, by year; the underlying values are listed below.]

Year   Certified properties
2009   1,723
2010   3,657
2011   5,455
2012   7,809
2013   7,610

1. Figures include data for all TRUSTe Certified Properties, including TRUSTed Websites, TRUSTed Websites Basic, TRUSTed Cloud, TRUSTed Mobile Apps, TRUSTed Mobile Websites, TRUSTed Data, Children’s Privacy, APEC Privacy, EDAA and TRUSTed Smart Grid.
2. For details on TRUSTe’s EU Safe Harbor Assessment Program, see Appendix B.
3. For details on TRUSTe’s Children’s Privacy Program, see Appendix C.
4. In 2013, TRUSTe certified approximately 1,200 fewer properties under its TRUSTed Websites Basic offering and approximately 1,000 more properties under its Websites, Cloud, Children’s Privacy and other certifications.


TRUSTe Data Privacy Management Solutions

TRUSTe offers a comprehensive set of data privacy management solutions that help companies safely collect and use customer information across their web, mobile, cloud, and advertising channels.

Our products are delivered via our Data Privacy Management Platform and include privacy assessments, privacy certifications, monitoring services, and compliance controls.

[Diagram: the Data Privacy Management Platform (“Powering Trust”) spans the Web, Ads, Cloud, Mobile and Data channels and provides the Assess, Certify, Monitor and Control functions.]

I) Privacy Assessments

While TRUSTe is often known for its certification services and the TRUSTe “Certified Privacy” Seal, companies also engage TRUSTe to perform privacy impact and readiness assessments. This is often an example of “privacy by design” in action, as many of these assessments are requested by companies that want to address privacy questions for a new product or service they plan to launch.

The goal of a TRUSTe privacy assessment is to identify the “gap” between the client’s business practices and the relevant privacy standards. Clients may opt to pursue TRUSTe certification after the assessment is complete.

Examples of the types of assessments TRUSTe performed in 2013 include:

• Alignment of privacy program with the requirements of COPPA
• EU Safe Harbor readiness assessment
• Readiness assessment for transfers of HR data under EU Safe Harbor
• Privacy impact assessments for new and existing products
• Assessing privacy impact of mobile and location services
• Assessing privacy impact of advertising practices


II) Privacy Certifications

TRUSTe offers a range of privacy certifications addressing platform-specific privacy considerations (e.g., web, mobile, app, cloud), consumer-specific privacy considerations (e.g., children), and geographic-specific privacy considerations (e.g., EU, Asia Pacific). Descriptions of our certification offerings are provided below:

A. TRUSTed Websites[2] and TRUSTed Websites Basic

Both TRUSTed Websites and TRUSTed Websites Basic are based on the same set of TRUSTe Privacy Program Requirements, and are represented by the same TRUSTe seal. The main difference between the two programs is that TRUSTed Websites is a more customizable privacy solution, while TRUSTed Websites Basic is a more automated solution.[3]

In TRUSTe’s experience, privacy risk does not always correlate to company size; a very small business can have incredibly complex data collection and management practices, while very large companies can sometimes have very simple data collection and use practices. However, for small and medium sized clients with low-risk business practices, TRUSTed Websites Basic might be the right solution.

B. TRUSTed Cloud[4]

TRUSTe launched its TRUSTed Cloud certification in March 2011. This program certifies the privacy practices of “Service Providers”, companies that process data on behalf of another entity. TRUSTe reviews and assesses the privacy practices applied to data collected through the Service Provider’s platform or service portal, focusing on how the Service Provider manages and processes the data collected on behalf of its clients. Areas of assessment include collection limitation and use, and data management processes such as sub-processor vetting, security, and data retention policies.

C. TRUSTed Apps and Mobile Sites[5]

TRUSTed Apps, a mobile certification program, was launched in November 2010 and provides certification for both mobile applications and mobile-optimized web sites.

This program recognizes that the mobile context presents additional privacy and transparency challenges not faced in the traditional web environment.

A particular focus for our mobile certification program is the collection of geo-location data. TRUSTe classifies this information as sensitive data that requires the user’s express consent prior to collection, and that must be encrypted during transmission. Understanding how a mobile application uses such sensitive data requires enhanced certification procedures.

We also provide clients certified under this program with a customized short notice privacy statement, optimized for viewing on a mobile device. This short notice includes the disclosures consumers care about most in the mobile context: whether geo-location data is collected, what types of tracking take place, and what kind of data is shared with third parties.

[2] More details on TRUSTed Websites are at: http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-websites

[3] TRUSTed Websites Basic features our automated Privacy Policy Generator, an innovative TRUSTe technology that evaluates businesses against TRUSTe’s Privacy Program Requirements while providing a cost-effective privacy solution. TRUSTe’s Privacy Policy Generator scans a prospective client’s website and, based on this information and other client input, generates a privacy policy that is hosted by TRUSTe. The same features that strengthen TRUSTe’s custom privacy certification back TRUSTed Websites Basic: clients must contractually agree to abide by the TRUSTe-generated privacy policy and submit to our consumer dispute resolution process.

[4] More details on TRUSTe’s Cloud Privacy Certification are at: http://www.truste.com/privacy_seals_and_services/enterprise_privacy/cloud-certification

[5] More details on TRUSTe’s Mobile Privacy Solutions are at: http://www.truste.com/privacy_seals_and_services/enterprise_privacy/mobile_certification


D. TRUSTed Data[6]

The TRUSTed Data certification program was launched in May 2011 to address the data collection and use practices of companies that collect data across multiple unaffiliated web sites over time. These companies are known as third party data collectors — they collect data through websites or applications they do not own. By way of example, these types of companies would include ad networks, data aggregators, and demand side platforms (DSPs).

The key components of TRUSTed Data certification are: understanding the types of data collection (including the types of technologies used), what type of data is collected both directly and from third party sources and the obligations associated with that data, how that data is used, and how consumers are able to exercise choice over the use of that data. For example, third party data collectors must obtain the consumer’s express consent prior to collecting sensitive data such as health information for targeted marketing.

E. TRUSTed Smart Grid[7]

The TRUSTed Smart Grid Privacy Program was launched in 2012 and is based on the Smart Grid Guidelines, a framework for smart grid privacy that was jointly developed by the Future of Privacy Forum[8] and TRUSTe. Under this program, we assess and certify the privacy practices of third-party companies that access consumer energy usage data, or “CEUD”, to power “smart” services and products.

F. APEC Privacy[9]

TRUSTe has been working with APEC Member Economies[10] since 2004, when this group formally approved the APEC Cross Border Privacy Rules (“CBPR”) System. The CBPR System represents the most widely accepted data protection standard, which has been endorsed by regulators in all 21 APEC Member Economies, including the United States. TRUSTe’s APEC Privacy Program is a comprehensive certification based on the specific requirements of the CBPR System.

TRUSTe was approved as the first accountability agent under the CBPR System in June 2013. In August 2013, IBM was certified under the TRUSTe APEC Privacy Program, followed by Merck (November 2013) and Yodlee (December 2013).

TRUSTe advances the APEC-CBPR System by helping organizations be accountable and transparent in their data management practices. We work with companies to adopt uniform best practices, furthering “privacy interoperability” while also promoting the free flow of data among APEC Member countries. We also work directly with privacy enforcers and help them fulfill their APEC-CBPR mandate by providing consumer dispute resolution services, and by working with companies to bring their data protection policies in line with the APEC-CBPR System.

[6] More details on TRUSTed Data Collection are at: http://www.truste.com/privacy_seals_and_services/enterprise_privacy/data-collection-certification

[7] More details on TRUSTed Smart Grid are at: http://www.truste.com/products-and-services/enterprise-privacy/TRUSTed-smart-grid

[8] TRUSTe is a member of the Future of Privacy Forum, a Washington, DC based think tank that seeks to advance responsible data practices. For more details visit: www.futureofprivacy.org

[9] More details on TRUSTe’s APEC Privacy Program are at: http://www.truste.com/products-and-services/enterprise-privacy/apec-accountability

[10] APEC has 21 members, referred to as “member economies”, which account for approximately 40 percent of the world’s population, approximately 55 percent of world GDP and about 44 percent of world trade. APEC’s 21 Member Economies are Australia; Brunei Darussalam; Canada; Chile; People’s Republic of China; Hong Kong, China; Indonesia; Japan; Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; The Republic of the Philippines; The Russian Federation; Singapore; Chinese Taipei; Thailand; United States of America; Viet Nam.


G. Children’s Privacy[11]

TRUSTe’s Children’s Privacy Certification applies specifically to websites and apps that are fully or partially targeted towards children under the age of 13, and to general audience websites that knowingly collect personal information from children under 13.

TRUSTe’s Children’s Privacy program requirements are consistent with the requirements of the Children’s Online Privacy Protection Act, or COPPA. In 2013, we made several significant updates to our Children’s Privacy Program based on amendments to the COPPA Rule which came into effect in July 2013.

H. EU Safe Harbor[12]

The TRUSTe EU Privacy Program helps companies prepare for self-certification under the US–EU and US–Swiss Safe Harbor Frameworks through an assessment, and by providing independent resolution of consumer disputes.

The TRUSTe EU Privacy Program is not a TRUSTe certification offering. Rather, TRUSTe’s Privacy Program Requirements are consistent with the requirements of the EU–US Safe Harbor Framework, which requires companies to attest that their practices satisfy the Safe Harbor Principles of notice, choice, access, data integrity, onward transfer, security and enforcement. TRUSTe requires that all our EU Safe Harbor clients add a statement to their privacy policies regarding their compliance with the US–EU or US–Swiss Safe Harbor Frameworks, as appropriate.

I. EDAA[13]

In 2013, TRUSTe became an approved provider under the EDAA Trust Seal Certification Program. This program reduces privacy risks for EU companies that act as third party data collectors across desktop environments. TRUSTe is responsible for independently assessing company compliance with the European Principles on OBA and issuing the EDAA Trust Seal to companies that can demonstrate they meet the required standards. Companies that successfully complete certification receive a detailed report outlining TRUSTe’s findings and are awarded the EDAA Trust Seal, which lets them easily demonstrate to regulators, potential partners, or consumers their compliance with privacy best practices in the EU for online data collection.

III) Monitoring Services & Compliance Controls

A. Website Monitoring

In 2012, TRUSTe launched its Website Monitoring service to help companies gain a clear understanding of the tracking technologies used both by themselves (first party) and by others (third parties). The capabilities of TRUSTe’s Website Monitoring technologies can also be used in certifications — in conjunction with cookie consent management, for monitoring DAA/EDAA OBA compliance, and as a standalone tool.

When left unmanaged, tracking code on websites can lead to a risk of privacy violations, with unauthorized third parties tracking the website’s customers. This in turn can result in the degradation of website performance (slow loading time, lower search engine rankings) or even data leakage, with potential revenue loss through unauthorized targeting and retargeting of valuable site users.

[11] More details on TRUSTe’s Children’s Privacy Certification are at: http://www.truste.com/products-and-services/enterprise-privacy/coppa

[12] More details on how TRUSTe can help you comply with the EU-US Safe Harbor framework are at: http://www.truste.com/privacy_seals_and_services/enterprise_privacy/eu_safe_harbor_seal

[13] More details on the EDAA Trust Seal are available at: http://www.truste.com/products-and-services/enterprise-privacy/edaa-cert


The Website Monitoring service helps address these concerns by bringing transparency to the process. The cloud-based service scans a website to identify a variety of trackers, and clients can manage the depth and frequency of these website scans to provide optimal coverage. The results of these scans, as well as detailed reports of first and third party tracking activity, are available to clients through a self-service portal. Through this portal, clients can authorize known and approved third party data collectors and vendors, and receive alerts about new trackers that appear on a website in subsequent scans. Finally, the results of a monitoring scan feed directly into compliance controls such as TRUSTe’s Consent Manager.

The TRUSTe Website Monitoring service first scans a website to identify trackers — such as cookies, flash cookies or locally stored objects (“LSOs”), web beacons/pixels, JavaScript, local storage and ETags. Each tracker is then cross-referenced against TRUSTe’s extensive database of more than 19,000 tracking URLs corresponding to over 5,000 different business entities involved in third-party tracking activities. TRUSTe maintains information about all trackers we detect, and assigns each a Privacy Sensitivity Index (PSI) score. The PSI is based on the potential privacy risks associated with the tracker or the third party deploying it. Third parties are assigned a PSI score on a number of factors including: likelihood to engage in online behavioral advertising (OBA), adherence to industry standards (DAA, NAI), privacy policies, consent mechanisms, and how/whether the client honors consumer opt-out preferences.

TRUSTe’s Website Monitoring service can also be configured to detect personal information (PII) collection on a website or online service. This can be useful when taking an inventory of an organization’s online data collection practices.
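As an added illustration of the inventory-and-alert workflow described above, the following example (written for this edit, not TRUSTe's Website Monitoring code) scans a page's HTML for script, pixel and iframe loads, separates first from third party hosts, looks each host up in a constructed tracker database, builds a simple PSI-style score from the factors the report lists, and flags hosts that are unauthorized or new since the previous scan. The tracker database, the weights, the sample page and the authorized-vendor list are all constructed for the example.

```python
"""Illustrative tracker inventory scan (constructed example, not TRUSTe code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed tracker database: host -> attributes. The PSI factors named in the
# report (OBA, DAA/NAI adherence, honoring opt-outs) are modelled as booleans.
TRACKER_DB = {
    "ads.example-adnet.test": {"entity": "Example AdNet", "oba": True,
                               "daa_nai": True, "honors_optout": True},
    "px.example-dmp.test": {"entity": "Example DMP", "oba": True,
                            "daa_nai": False, "honors_optout": False},
    "cdn.example-analytics.test": {"entity": "Example Analytics", "oba": False,
                                   "daa_nai": True, "honors_optout": True},
}

# Assumed weights for this example: more points means more privacy-sensitive.
PSI_WEIGHTS = {"oba": 40, "no_daa_nai": 30, "no_optout": 30}

# Tags whose src attribute causes a resource load. A regex is enough for this
# illustration; a production scanner would drive a real browser.
_LOAD_RE = re.compile(
    r"<(?:script|img|iframe)\b[^>]*?\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. This is a simplification;
    a real tool would consult the Public Suffix List (e.g. for co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def third_party_hosts(html: str, site_domain: str) -> set[str]:
    """Hosts of script/img/iframe loads outside the site's registrable domain."""
    hosts: set[str] = set()
    for src in _LOAD_RE.findall(html):
        if src.startswith("//"):          # protocol-relative URL
            src = "https:" + src
        host = urlparse(src).hostname     # None for relative (first party) paths
        if host and registrable_domain(host) != registrable_domain(site_domain):
            hosts.add(host.lower())
    return hosts


def psi_score(host: str) -> int | None:
    """PSI-style score for a known tracker, or None if the host is not in the DB."""
    rec = TRACKER_DB.get(host)
    if rec is None:
        return None
    score = 0
    if rec["oba"]:
        score += PSI_WEIGHTS["oba"]
    if not rec["daa_nai"]:
        score += PSI_WEIGHTS["no_daa_nai"]
    if not rec["honors_optout"]:
        score += PSI_WEIGHTS["no_optout"]
    return score


@dataclass(frozen=True)
class Finding:
    host: str
    entity: str            # "unknown" when the host is not in the tracker database
    psi: int | None
    authorized: bool       # on the client's approved-vendor list
    new_since_last_scan: bool


def scan(html: str, site_domain: str, authorized: set[str],
         previous_hosts: set[str]) -> list[Finding]:
    """Inventory third-party loads and annotate each with score and status."""
    findings = []
    for host in sorted(third_party_hosts(html, site_domain)):
        rec = TRACKER_DB.get(host)
        findings.append(Finding(host=host,
                                entity=rec["entity"] if rec else "unknown",
                                psi=psi_score(host),
                                authorized=host in authorized,
                                new_since_last_scan=host not in previous_hosts))
    return findings


def alerts(findings: list[Finding]) -> list[str]:
    """Hosts that warrant an alert: new since the last scan, or not authorized."""
    return [f.host for f in findings if f.new_since_last_scan or not f.authorized]


# Constructed sample page: one first-party script, one on a first-party subdomain,
# and three third-party loads.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-site.test/lib.js"></script>
<script src="//ads.example-adnet.test/tag.js"></script>
<img src="https://px.example-dmp.test/pixel.gif?uid=123" width=1 height=1>
<iframe src="https://cdn.example-analytics.test/frame.html"></iframe>
</head><body></body></html>"""


def demo() -> tuple[list[Finding], list[str]]:
    """Run the sample scan; AdNet was seen last time and is authorized."""
    findings = scan(SAMPLE_HTML, "www.example-site.test",
                    authorized={"ads.example-adnet.test", "cdn.example-analytics.test"},
                    previous_hosts={"ads.example-adnet.test"})
    return findings, alerts(findings)


if __name__ == "__main__":
    found, flagged = demo()
    for f in found:
        print(f"{f.host:30} {f.entity:18} PSI={f.psi} authorized={f.authorized} "
              f"new={f.new_since_last_scan}")
    print("alerts:", flagged)
```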

B. TRUSTed Ads

In 2011, TRUSTe became a DAA-approved Online Behavioral Advertising (OBA) compliance provider with its TRUSTed Ads product. TRUSTed Ads allows companies across the online advertising ecosystem — advertisers, agencies, networks, platforms, and publishers — to achieve reliable, scalable, and cost-effective compliance with the DAA’s Self-Regulatory Program. In 2013, TRUSTe was also approved under the EDAA, a program set up to meet self-regulatory requirements for OBA in the European Union.

In 2013 alone, TRUSTe served the DAA icon on almost half a trillion online ads.

C. TRUSTed Consent Manager

The TRUSTed Consent Manager was developed to help companies comply with certain amendments to the 2002 e-Privacy Directive (known informally as the “cookie directive”) that require “informed consent” before accessing or storing data on a consumer’s computer or other device. TRUSTed Consent Manager allows companies to collect informed consent from consumers regarding accessing or storing data on the user’s computer or other device in the form of cookies or other trackers, through a customizable, consumer-friendly interface that informs users about the use of cookies and their options for controlling if and how cookies are used.


TRUSTe Certification Operations Review

A. TRUSTe Certification Program Requirements

TRUSTe offers different certification programs depending on the organization’s privacy practices. Our Certification Program Requirements are built upon TRUSTe’s core privacy principles of Transparency, Choice, and Accountability, on global privacy rules and regulations (such as the APEC-CBPR System), and on industry best practices.

The table below lists TRUSTe’s certification programs and identifies the specific regulatory or industry guidelines upon which each is based.[14]

TRUSTe Program Requirements
(Each entry gives the program requirements foundation, the TRUSTe certification programs built on it, the business practices certified, and the program requirements on which they are based.)

Privacy Program Requirements
  Certification programs: TRUSTed Websites; TRUSTed Email; TRUSTed Mobile Sites and Apps
  Business practices certified: Companies that have a direct relationship with the consumer and are considered “first party” or “data controllers”
  Program requirements: Fair Information Practice Principles (FIPPs); US–EU and US–Swiss Safe Harbor Frameworks [14]; Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules; OECD Guidelines; CalOPPA; CTIA Guidelines; CAN-SPAM; FTC Self-Regulatory Principles for Online Behavioral Advertising (OBA)

APEC Privacy Requirements
  Certification programs: APEC Privacy Program
  Business practices certified: Companies transferring data within APEC Member Economies that want to be certified under the APEC-CBPR standard
  Program requirements: APEC-CBPR System

Children’s Privacy Program Requirements
  Certification programs: Children’s Privacy
  Business practices certified: Companies that collect personal information from children under age 13 or offer online services targeting children under age 13
  Program requirements: Children’s Online Privacy Protection Act (COPPA)

[14] TRUSTe’s Privacy Program Requirements align with the US-EU and US-Swiss Safe Harbor Framework. Clients assessed under this program will need to take the additional step of self-registration with the Department of Commerce to achieve Safe Harbor status.


TRUSTe Program Requirements (continued)

Cloud Privacy Program Requirements
  Certification programs: TRUSTed Cloud
  Business practices certified: Companies or Service Providers that process data in the cloud on behalf of another entity
  Program requirements: Fair Information Practice Principles; US–EU and US–Swiss Safe Harbor Frameworks; APEC-CBPR System; OECD Guidelines; Cloud Security Alliance (CSA) Guidelines

EDAA
  Certification programs: EDAA Trust Seal Certification
  Business practices certified: Companies operating in the EU and engaged in data collection as third parties
  Program requirements: EDAA Self-certification Criteria

TRUSTed Data Program Requirements
  Certification programs: TRUSTed Data
  Business practices certified: Companies, often referred to as “third parties”, that collect data over multiple unaffiliated sites over time for the purpose of creating a profile that is typically used for targeted marketing purposes
  Program requirements: FTC Self-Regulatory Principles for Online Behavioral Advertising; Network Advertising Initiative (NAI) Principles; Digital Advertising Alliance (DAA) Self-Regulatory and Multi-site Principles; European Digital Advertising Alliance (EDAA) Self-certification Criteria

TRUSTed Download Program Requirements
  Certification programs: TRUSTed Downloads
  Business practices certified: Companies offering downloadable executable software
  Program requirements: Fair Information Practice Principles; OECD Guidelines; Industry best practices

TRUSTed Smart Grid Privacy Program Requirements
  Certification programs: TRUSTed Smart Grid
  Business practices certified: Companies seeking to access customer energy usage data (CEUD) that is collected by utilities via the utility’s direct relationship with the customer, or companies collecting energy data directly from customers through smart devices such as smart thermostats, smart appliances or home control systems
  Program requirements: Future of Privacy Forum (FPF) Smart Grid Privacy Guidelines for Consumer Energy Data; Regulatory Guidance from the California State Public Utilities Commission


B. TRUSTe Certification Process

TRUSTe Certifications, with the exception of TRUSTed Websites Basic, follow a 5-step process as outlined below:

ASSESS
  • Data Collection & Usage Audit
  • Policy Review
  • Solution = Privacy Analysts + Technology Tools

ADVISE
  • Gap Analysis of Client Practices with TRUSTe Certification Program Requirements and Policies
  • Issue Findings Report + Change Roadmap

REMEDY
  • Client Implements Process & Policy Changes
  • Validate Changes

AWARD
  • Activate Hosted Seal & Validation Page

MONITOR & CONTROL
  • Activate Dispute Resolution Service
  • Ongoing Guidance on New Regulations & Business Changes: Consultation + Education Seminars
  • Implement Optional Compliance Controls

Step 1 — Assess

TRUSTe privacy assessments are performed by a team of privacy analysts and consultants.

All TRUSTe privacy certifications begin with a risk assessment of the client’s business and privacy practices, which differs depending on the client’s business model and on the features/functions and data privacy practices of the website, app, or online service the client wants to certify. This includes a range of process information, including what data is collected, how it is used, who it is shared with, etc., along with a review of the company’s stated privacy practices and policies. TRUSTe uses a combination of different methodologies to examine how the client collects, uses and shares personal data: a manual evaluation of the client’s practices, the client’s own attestations and interviews, and monitoring through TRUSTe’s proprietary technology. The extent to which we use one methodology over another depends on the client’s risk profile and the nature of the property being assessed.

Step 2 — Advise

During the Advise step, TRUSTe issues a Findings Report to the client with recommendations on changes they need to make to their data privacy management practices and privacy policies. Nearly all clients must make changes to their existing data collection and usage practices or privacy policy to qualify for TRUSTe certification. In 2013, approximately 8% of applicants for the TRUSTed Website certification did not complete the certification process for reasons such as a shift in priorities, changes in business model, or inability or unwillingness to make the changes required under TRUSTe’s Privacy Program Requirements.


Step 3 — Remedy

During the Remedy step, the client implements TRUSTe’s recommendations into their product or service. TRUSTe also confirms that the certified property has a privacy policy that accurately represents how the client is collecting and using personal information. We also confirm that mechanisms for access, redress, security and enforcement are provided in a way that consistently meets consumers’ and businesses’ expectations.

Step 4 — Award

The Award phase commences once the client has implemented TRUSTe’s recommendations and is awarded the TRUSTe seal.

Step 5 — Monitor and Control

Once the seal is awarded, TRUSTe monitors ongoing compliance through proprietary technology — such as our Website Monitoring service — as well as our consumer dispute resolution process. In some cases, we may initiate an investigation based on the results of our technological monitoring; we may also initiate an investigation based on a regulator inquiry, media report or information contained in a consumer complaint. For more details please see the Consumer Dispute Resolution and Enforcement sections, below.

TRUSTe evaluates whether our clients continue to meet our Program Requirements through an annual review process. In addition, if the client notifies TRUSTe of a change, or TRUSTe detects a change (e.g. through technological monitoring) outside the annual re-certification cycle, TRUSTe will evaluate the change regardless of whether it is time for the client’s annual review.

TRUSTe’s approach to privacy certification can differ based on the complexity of the client’s business and privacy practices. TRUSTe works with clients of all sizes to provide cost-effective, scalable privacy solutions that work across different types of business models. In this way, we aim to promote strong privacy practices across all aspects of the online ecosystem.

While certification represents an assessment from a specific point in time, our monitoring solutions help provide clients a holistic view of first and third party activity on their online properties. This is crucial because, when left unmanaged, tracking code on websites can lead to the degradation of website performance (slow loading time, lower search engine rankings), or to data leakage with the potential loss of revenue from the unauthorized targeting and retargeting of a website’s valuable site users, in addition to privacy compliance challenges.

The TRUSTe Website Monitoring Service provides stand-alone reporting to customers and is also used in TRUSTe certifications and privacy assessments. In 2013, TRUSTe’s Monitoring Service performed over 172,000 website scans on over 18 million web pages.

TRUSTe uses and provides access to a variety of technology-based monitoring services and compliance controls to help clients ensure compliance with the broad range of existing and emerging global privacy requirements. These include our Website Monitoring Service, TRUSTed Ads OBA Preference Management Controls, and TRUSTed Consent Manager Controls for addressing the EU Cookie Directive.

C. Consumer Dispute Resolution

Consumer Dispute Resolution is a key component of TRUSTe’s privacy management solutions that helps us monitor compliance, while keeping clients accountable for their privacy practices.

We have provided excerpts from our 2013 consumer dispute resolution survey in Appendix C to this report.


The TRUSTe Consumer Dispute Resolution process begins with a consumer complaint filed with TRUSTe against a TRUSTe client. After TRUSTe receives a consumer complaint, we initiate an investigation. A TRUSTe investigation may also be initiated after a TRUSTe scan, a media report, regulator inquiry or information obtained through other credible sources.

Once TRUSTe has reviewed the complaint, we respond to the consumer within our published timeframe of 10 business days. The nature and duration of the investigation needed can vary widely depending on the nature of the issue. TRUSTe quickly checks those issues that can be immediately verified. If our findings do not verify what the consumer alleged, we inform the consumer and/or request more information if needed.

The client ordinarily has 10 business days to provide a written response for the consumer. For more urgent issues, such as security vulnerabilities, we may also escalate to the client via phone, and generally expect responses more quickly, especially if we are able to verify the problem.

The diagram below illustrates the TRUSTe consumer dispute resolution and enforcement process:

[Diagram: TRUSTe consumer dispute resolution and enforcement process]

Triggers: Consumer Complaint, Media Report, Regulator Inquiry, TRUSTe Scan
→ TRUSTe Investigation
→ Notification
→ Compliance, or Lack of Compliance → TRUSTe Requests to Cure Issue
→ Formal Enforcement: Suspend Certification / Request to Cure; Termination / Referral to Appropriate Agency

Safeguards throughout the process: Appropriate Confidentiality; Opportunity to Cure


Consumer disputes in 2013

In 2013, TRUSTe handled 8,729 Dispute Resolution complaints, most of which were from consumers. The diagram below illustrates how these complaints were classified and ultimately resolved by TRUSTe:

[Diagram: Evaluate Disputes — 8,729 DR Complaints]

Closed on Procedural Grounds: 3,453

Eligible for Further Analysis: 5,276, of which:
• 72.7% — Resolved by consumer education, or courtesy forwards by TRUSTe
• 5.8% — Required issue-specific research and/or data changes by the site
• 0.9% — Required changes by the client to their disclosures, Privacy Statement and/or privacy practices
• 20.4% — Other (e.g. open or reopened, trademark report, action taken independently by company, out of scope with no courtesy forward)
• 0.2% — Related to companies deactivated from TRUSTe’s program (e.g. suspended or terminated)

The majority of complaints were resolved without requiring formal enforcement measures by TRUSTe.

About 40% of total consumer complaints were closed by TRUSTe on “procedural grounds.” Such procedural grounds may include complaints that fail to state a comprehensible issue or even a complete word (e.g. random typing such as “xyxyxy”). In other examples, the consumer complaint did not give TRUSTe permission to pass identifying information to the site in question, or provided an invalid e-mail address, impeding investigation of that complaint.

Of the remaining 2013 complaints not closed on procedural grounds:

• 72.7% — were resolved by consumer education, or courtesy forwards by TRUSTe (non-privacy issues).

• 5.8% — required issue-specific research and/or data changes by the site (e.g. unsubscribe the user, close the account, remove unauthorized profile).

• 0.9% — required changes by the client to their disclosures, privacy statement and/or privacy practices (including complaints by different consumers about the same underlying issues).


• 20.4% — fell into other categories, such as issues that fall outside the scope of TRUSTe’s authority under our privacy program (e.g. billing/transactional issues, requests for feature enhancements). TRUSTe typically suggests that the consumer contact the site directly in these instances.

• 0.2% — were against companies that had been deactivated from TRUSTe’s program.

D. Enforcement

TRUSTe certification is supplemented by enforcement of our Privacy Program Requirements and our Consumer Dispute Resolution Process. Because TRUSTe privacy certification is completely voluntary, our challenge is to preserve the incentives for companies to certify and self-regulate their privacy practices within a voluntary framework, while also remaining true to our mission. To address this challenge, TRUSTe must ensure that appropriate confidentiality and adequate procedural safeguards, including the opportunity to cure, are part of the Enforcement process.

The term “enforcement” has a specific meaning within the context of TRUSTe certification. Enforcement is when TRUSTe provides formal notice to a client that they have violated one or more program requirements, resulting in either Suspension or Termination of the client’s relationship with TRUSTe if the violation is not “cured” within the time allotted, usually 20 business days.

The TRUSTe enforcement process usually begins with an internal compliance investigation. TRUSTe may initiate this investigation based on results of our technological monitoring, on information contained in a consumer complaint, news or press reports, regulator inquiry, or reports from other credible sources.

If a violation is found, our investigations have one of three possible outcomes:

• An agreement between TRUSTe and the client over the privacy complaint — resulting in client resolution that addresses the consumer concern or request.

• A disagreement — triggers a notice of formal enforcement, resulting in the client’s suspension or notice of intent to terminate for cause if the matter is not cured.

• A failure to implement the required cure — resulting in the client’s termination from TRUSTe’s program and, in extreme cases, publication and/or referral to an appropriate authority. [15]

The table below details TRUSTe’s enforcement actions from 2009 — 2013:

Year | Formal Enforcement Actions | Outcome
2009 | 7 enforcement actions | 4 resulted in termination for cause, and 3 additional suspensions were cured.
2010 | 3 enforcement actions | 2 resulted in terminations for cause; the third involved a suspension that turned into termination for cause in 2011.
2011 | 11 enforcement actions | 10 resulted in terminations for cause; one involved a suspension that was cured.
2012 | 9 enforcement actions | 3 resulted in termination for cause, 5 suspensions were cured, and 1 company previously suspended is working on curing the issue.
2013 | 23 enforcement actions | 11 resulted in termination for cause, 11 enforcement actions (e.g. suspensions) were cured, and 1 suspended company is working on curing the issue.

[15] One of our prior FTC referrals was ClassicCloseouts in 2008; TRUSTe assisted the FTC with the investigation, and the agency brought action for permanent injunction and relief against the site, ultimately obtaining a $2.08 million settlement to provide redress for consumers. See Merchandiser Who Illegally Charged Consumers' Accounts Settles with FTC, available at: http://www.ftc.gov/opa/2011/01/classicclose.shtm.


TRUSTe Privacy Research and Education Series

Privacy Research

In addition to our privacy management solutions, TRUSTe provides consumers and businesses with information and research about important regulatory developments and key privacy trends.

In 2013 we also significantly increased our research investment, publishing 6 separate research reports into consumer attitudes regarding data privacy and company practices for managing consumer privacy. We partnered with Harris Interactive and IPSOS Mori to conduct most of the projects. The research is used to help educate businesses on the importance of addressing privacy to build consumer trust and drive engagement across all of their products and marketing / advertising programs.

A list of our research is provided below and copies can be found at www.truste.com/resources.

Topic | Date | Scope
Consumer Confidence Index — (Report and Infographic) | Jan 2013 | US
Consumer Confidence Index — (Report and Infographic) | Jan 2013 | UK
Website Monitoring — Travel Edition (Infographic) | July 2013 | US, EU
Consumer Privacy — Advertising Edition (Report and Infographic) | Sept 2013 | US
Consumer Privacy — Advertising Edition (Report and Infographic) | Sept 2013 | UK
Consumer Privacy — Mobile Edition (Report and Infographic) | Sept 2013 | US
Consumer Privacy — Mobile Edition (Report and Infographic) | Sept 2013 | UK


Privacy Education

TRUSTe authors a wide range of educational resources that help both clients and other members of the broader privacy community stay abreast of new and changing developments in the world of privacy. In 2013 we had over 1,500 professionals attend 15 live webcasts and 3 workshops on a range of privacy topics including APEC, BCRs, COPPA, DAA, and the EU Cookie Directive. Hundreds of additional individuals downloaded recordings of these broadcasts. All of these resources are made available at no charge. The table below summarizes our 2013 educational webinar series.

Topic | Date
Mobile App Privacy Legal Enforcement Begins — Are Your Apps Compliant? | Feb
Overview of the EDAA Program | Mar
COPPA Rule Update — Implications and Next Steps for Your Business (Clients Only) | Mar
COPPA Rule Update — Implications and Next Steps for Your Business | Apr
EU Cookie Directive — Is Your Business Compliant? | Apr
Overview of BCRs | May
Understanding FTC Rules on the Children’s Online Privacy Protection Act (COPPA) | Jun
Overview of the APEC Privacy Framework | Jul
Understanding the State of the EU Cookie Directive | Jul
Powering Trust in the Advertising Ecosystem — NYC | Sep
Powering Trust in the Advertising Ecosystem — San Francisco | Sep
How to Be Proactive in Monitoring Your Compliance with the DAA Principles | Sep
Overview of the DAA Mobile Privacy Principles | Sep
How to Ensure your Websites and Apps Address Emerging Data Privacy Challenges | Oct
Powering Trust in the Advertising Ecosystem — London | Oct
Impacts to the Advertising Ecosystem through Privacy & Device Recognition | Nov
The California Data Privacy Landscape — The New Regulatory Updates that Impact Your Online Business | Nov
What is the Future of the EU-US Safe Harbor Agreement? | Nov


TRUSTe Privacy Program Requirements

A link to TRUSTe’s privacy program requirements is available at:

http://www.truste.com/privacy-program-requirements/home

Appendix A

TRUSTe EU Safe Harbor Assessment Program (2009 — 2013)

[Chart: EU Safe Harbor Assessment Program — Number of Properties Certified]
2009: 213 | 2010: 344 | 2011: 445 | 2012: 611 | 2013: 674

Appendix B

TRUSTe Children’s Privacy Program (2009 — 2013)

[Chart: Children’s Privacy Program — Number of Properties Certified]
2009: 21 | 2010: 37 | 2011: 55 | 2012: 68 | 2013: 77

Appendix C


Appendix D

TRUSTe Consumer Dispute Resolution Data

1. Consumer Dispute Resolution Volume (2007–2013)

[Chart: Overall Complaints]
2009: 9031 | 2010: 7719 | 2011: 8646 | 2012: 9699 | 2013: 8729

[Chart: EU Complaints]
2009: 1231 | 2010: 881 | 2011: 879 | 2012: 656 | 2013: 437

2. Consumer Complaints Organized by Type (2013)

TRUSTe categorizes Consumer Dispute Resolution complaints by the type of complaint alleged. When filing a complaint, consumers self-select the category for their complaint based on options provided via a pull-down menu. In situations where TRUSTe does not receive additional information that clearly indicates that a different category is more appropriate, we generally leave the category as the consumer identified it.

Many complaints turn out to be consumer requests for service assistance from the client, incomprehensible complaints with random typing, or complaints that do not involve privacy practices. The vast majority of complaints do not indicate a violation of TRUSTe’s Privacy Program Requirements.


2013 Complaints by Type (Overall):

[Chart: Overall Complaints by type, 8,729 total]
Monetary / Billing / Transactional: 1842
Undefined (incl. random typing): 1912
Help with Features / Functionality: 1321
Account Access / Creation (incl. forgotten passwd): 731
Can't Change / Remove Personal Info: 651
Account Hacked / Disabled: 509
Unable to Unsubscribe: 509
Unable to Contact Participating Site: 310
Abuse by Another User: 296
Shared Personal Info with Unauthorized Third Party: 161
Received Unauthorized E-Mail: 154
Other: 123
Unauthorized Profile With My Information: 116
Website Security Vulnerability: 40
Inaccurate Privacy Disclosure: 35
Targeted Advertising: 13
Privacy Settings Not Working: 5
Children's Information (Under 13): 1

2013 Complaints by Type (EU):

[Chart: EU Complaints by type, 437 total]
Monetary / Billing / Transactional: 70
Undefined (incl. random typing): 66
Help with Features / Functionality: 52
Account Access / Creation (incl. forgotten passwd): 48
Can't Change / Remove Personal Info: 44
Account Hacked / Disabled: 36
Unable to Unsubscribe: 30
Unable to Contact Participating Site: 24
Abuse by Another User: 20
Shared Personal Info with Unauthorized Third Party: 18
Received Unauthorized E-Mail: 14
Other: 6
Unauthorized Profile With My Information: 5
Inaccurate Privacy Disclosure: 2
Privacy Settings Not Working: 2


2013 Complaints by Resolution (Overall):

[Chart: Overall Resolution, 8,729 total]
Consumer Education by TRUSTe: 3496
No Action Required (e.g. for random typing): 1361
Out of Scope, no Forward: 1065
No Consumer Response: 1007
Duplicate Complaint: 518
Permission Not Granted by Consumer: 459
Out of Scope, with Forward: 340
Response Obtained but No Changes Required: 135
PII Removed, Account Closed or Credentials Validated: 117
Consumer Withdrawal of Complaint: 90
Unsubscribed: 52
Changes Required to PS, Site, or Practices: 49
Invalid Complainant E-Mail Address: 18
Action Taken Without TRUSTe Involvement: 13
Licensee Deactivated: 8
Irreproducible: 1

2013 Complaints by Resolution (EU):

[Chart: EU Resolution, 437 total]
Consumer Education by TRUSTe: 202
No Action Required (e.g. for random typing): 64
Out of Scope, no Forward: 51
No Consumer Response: 49
Duplicate Complaint: 17
Permission Not Granted by Consumer: 11
Out of Scope, with Forward: 10
Response Obtained but No Changes Required: 10
PII Removed, Account Closed or Credentials Validated: 9
Consumer Withdrawal of Complaint: 5
Unsubscribed: 5
Changes Required to PS, Site, or Practices: 3
Invalid Complainant E-Mail Address: 1


Appendix E

Consumer Feedback to the TRUSTe Dispute Resolution Process

You got it fixed when nobody else would

I am more than satisfied with TRUSTe’s handling of this matter. I have spent many hours worried and lost much sleep sickened in the matter. They handled it quickly and professionally, unlike Facebook. I thank God that they advocated on my behalf and were fair in doing so.

Smooth and easy process.

My experience with TRUSTe’s process was great! The process was quick and clear, and helped me in resolving my complaint.

Amazing. Successful. Appreciated.

Overall it was positive. My issue was resolved so I am happy.

I was very pleased TRUSTe was able to resolve my complaint and get the company to fix their website so it was in compliance with their privacy policy.

Truste rocks

excellent

Overall, great job!

very positive

Perfect! I was VERY impressed!

Generally, when possible, the process has been helpful in getting an issue escalated and the problem resolved. I appreciate that the program exists and allows users to control their information, which seems to be harder than it should be online.

Thank you very much for your efforts!

Maybe a faster response time from the TRUSTe licensed company, though it was already fast.

It’s perfect.

you did a great job

Overall, the process is very good.

Thank you for your fast reply!

It is a great process. Only thing I can think of for improvement would be a direct contact via phone.

Many thanks for caring about my complaint [...].

Thank you for your assistance and attention to detail.

THANK YOU SO VERY MUCH. I FEEL SO MUCH BETTER NOW THAT THEY’VE BEEN REMOVED

Thank you for getting back to me so quickly. ... I thank you so much for giving me the proper address, that’s more than they could do.

Thank you for your prompt follow-up.

Thanks for the response. I was able to access the [...] website from your information and resolved the matter.

Thanks guys, keep doing the good work.

My issue has been resolved, thank you for your help. Someone got back to me at last and helped me log in to my account.

Many thanks indeed for your support on this issue.

I appreciate your care and concern.

Thank you, this issue has been resolved.

Thank you Truste for your help!

This problem has now been resolved by Facebook. Thank you very much for your support.

Thank you for responding so promptly.

I thank you for your assistance, you are truly reliable, so my sincere gratitude to you.


I’m sure it was through your contact with them that they “finally” decided to do something about it. Again, thank you for the help.

Thanks again for your prompt response.

Many thanks for your help.

Hello, anyway, thanks so much for attending to my complaint, [...]

I appreciate your feedback and availability.

They canceled everything. Thank you for responding to my complaint.

Thank you for resolving this situation for me.

thanks for stepping in.

Thank you for your efforts on my behalf.

I appreciate your time and understanding of my concern.

Thank you so much. I appreciate the information you’ve provided.

thank you very much for your help.

Thank you for your diligence

Thank you very much for your quick answer.

wow, thank you for your persistence

I appreciate your response. The fact that I was able to state that I had contacted you seemed to result in my first effective response from [...].

I appreciate and am impressed with the effort you have put into this matter.

Thank you and so much appreciated.

Thank you for all your help, I truly appreciate it so much

Thank you for your help and understanding,

My issue was resolved I received a full refund and my membership was terminated. TRUSTe’s service was excellent.

My issue has been resolved thanks for your help

Thank you so much for your help. Glad to find you!

I appreciate the continued follow up

Thank you for the update. I am greatly in your debt.

Dear TRUSTe, From the bottom of my heart thank you so very much...looking forward to my peace and quiet life...God bless!!!

Thank you for your kind reply and for your suggestions where to turn. Most valuable when you wonder whom to turn to in any situation as this. Much obliged.

Thank you sincerely for your excellent feedback & response

THANK U SOOOOO MUCH FOR ALL UR HELP :)

Thank you for your good work, I will definitely look for the TRUSTe certification in the future as you seem to stand behind your word. Much respect.

I am happy with your intervention.

I really appreciate your help.

Thank you so much, TrustE for providing this service.

Thank you very much for your prompt answer. In it is everything I was curious about, and the information seems logical in hindsight.

Thank you for your patience and persistence in this matter.

Thank you for responding so quickly and with some detailed knowledge.

Thank you for your assistance! [...] Thank you for your intervention!

Thank you for your assistance and making sure this was done. I appreciate it.

I deeply appreciate TRUSTe’s mediation, it has been so helpful.

Thank you so much. It is appreciated. [...] You are GREAT.

Thank you for your response. You led me to believe there may still yet be hope for the little guy in society.