Add to collection(s) Add to saved
  1. Business
  2. Finance

Federal Trade Commission Announces Settlement with TRUSTe

Federal Trade Commission Announces
Settlement with TRUSTe
Over Privacy Seal Program
November 20, 2014
On November 17, 2014, the Federal Trade Commission (FTC) announced a settlement with True Ultimate Standards Everywhere (TRUSTe)
resolving allegations that TRUSTe failed to conduct annual recertifications for its privacy seal program and perpetuated a misrepresentation
that it was a non-profit entity.1 The FTC alleged that these practices were deceptive and in violation of Section 5 of the FTC Act. The settlement
is noteworthy not only because TRUSTe is a well-known provider of privacy certifications, but also because the complaint involves a “means
and instrumentalities” claim and the settlement includes a $200,000 disgorgement, which are both rare for a Section 5 privacy case.
Background
TRUSTe provides privacy seals to companies that meet its privacy certification requirements in areas such as mobile apps, websites, cloud
storage, Children’s Online Privacy Protection Act (COPPA), and the U.S.-EU Safe Harbor Framework.2 In order to maintain a certification,
companies must correctly display applicable TRUSTe seals on their websites and mobile applications and undergo annual recertifications by
TRUSTe. An annual recertification includes a review of the company’s privacy policy, validation of seal requirements, changes in the company
ownership or business model, and compliance with third-party program requirements, such as COPPA or Safe Harbor. Companies must also
include a statement provided by TRUSTe in their privacy policy that describes TRUSTe and its mission. TRUSTe was founded as a non-profit
corporation but transitioned to a for-profit company on July 3, 2008.
In its first claim, the FTC alleged that it found over 1,000 instances between 2006 and January 2013 in which TRUSTe did not conduct annual
recertification reviews of companies displaying a TRUSTe privacy seal, even though TRUSTe’s certification programs required such reviews. The
FTC alleged that TRUSTe’s failure to conduct the reviews made its statements regarding the required recertifications false or misleading, and
thus a violation of Section 5 of the FTC Act.3 On the same day that the FTC announced the settlement, TRUSTe CEO Chris Babel published a
blog post noting that the 1,000 instances represent less than 10 percent of the total number of annual reviews that the company was
scheduled to conduct during the time in question.4
In its second claim, the FTC alleged that TRUSTe furnished the “means and instrumentalities” for companies it certified to misrepresent
TRUSTe’s non-profit status. The mission statement TRUSTe provided to its clients prior to July 3, 2008, accurately stated that TRUSTe was a
non-profit company. After TRUSTe became a for-profit company, however, it allegedly recertified some of its clients even though their privacy
policies still described TRUSTe as a non-profit. The FTC alleged that by providing the language describing TRUSTe as a non-profit and
continuing to certify clients using that language, TRUSTe furnished the means and instrumentalities for the commission of deceptive acts or
practices in violation of Section 5.
Settlement
In the FTC Settlement,5 TRUSTe agreed to:
•
•
•
•
•
not misrepresent the steps it takes to certify a company’s privacy practices;
not misrepresent the frequency of its recertifications;
not misrepresent its corporate status;
not misrepresent the extent to which a company participates in one of TRUSTe’s compliance programs;
not provide companies the means and instrumentalities with which to make, directly or by implication, any misrepresentations about
TRUSTe’s certification processes, compliance programs, or its corporate status;
1
Press Release, FTC, “TRUSTe Settles FTC Charges It Deceived Consumers Through Its Privacy Seal Program,” November 17, 2014, http://www.ftc.gov/news-events/pressreleases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its.
2
Privacy Certifications, TRUSTe.com, http://www.truste.com/products-and-services/enterprise-privacy/certifications.
3
Complaint, In the Matter of True Ultimate Standards Everywhere, Inc., FTC No. 1323219 (Nov. 17, 2014), available at
http://www.ftc.gov/system/files/documents/cases/141117trustecmpt.pdf.
4
Chris Babel, “TRUSTe’s Agreement with the FTC,” TRUSTe Blog, November 17, 2014, http://www.truste.com/blog/2014/11/17/truste-ftc/.
5
Agreement Contain Consent Order, In the Matter of True Ultimate Standards Everywhere, Inc., FTC No. 1323219, November 17, 2014, available at
http://www.ftc.gov/system/files/documents/cases/141117trusteagree.pdf.
Continued on page 2...
AUSTIN
BEIJING
BRUSSELS
HONG KONG
LOS ANGELES
NEW YORK
PALO ALTO
SAN DIEGO
SAN FRANCISCO
SEATTLE
SHANGHAI
WASHINGTON, DC
WILMINGTON, DE
Federal Trade Commission Announces Settlement . . .
Continued from page 1...
• undertake additional reporting obligations for ten years as part of its existing annual reporting requirements for its COPPA safe harbor
program; and
• maintain detailed reports for ten years on assessments conducted on new and existing applicants for its COPPA safe harbor program,
including the frequency of the assessments, documents related to consumer complaints alleging violations of the COPPA program by
TRUSTe or a participant, documents related to records of disciplinary actions taken against participants in the COPPA program, and
documents related to approvals of COPPA program participants’ use of verifiable parental consent mechanisms.
Among other administrative requirements in the settlement, TRUSTe also agreed to pay $200,000 to the U.S. Treasury as disgorgement.
Implications
Companies certified by TRUSTe should ensure that they have removed all references to TRUSTe’s prior non-profit status from their privacy
policies. The settlement also serves as a general reminder that statements made in a company’s privacy policy must be accurate.
The settlement is also significant because it includes two issues not typically found in FTC Section 5 privacy cases. First, the settlement
requires TRUSTe to pay $200,000 in disgorgement, which is an unusual form of relief in a pure Section 5 privacy case. The FTC does have the
authority to obtain civil penalties in certain privacy cases—those involving violations of the Fair Credit Reporting Act, the COPPA Rule, or an
existing FTC order. Disgorgement and redress, however, are more common in the FTC’s traditional fraud cases. The inclusion of disgorgement in
this settlement may signal that the FTC will begin seeking monetary relief in addition to injunctive relief in future privacy settlements.
Second, not all of the FTC commissioners agreed upon the inclusion of a “means and instrumentalities” claim against TRUSTe. Commissioner
Maureen Ohlhausen dissented from the FTC’s second claim, stating that for a company to “be liable of deception under means and
instrumentalities [the company] itself must make a misrepresentation.”6 Commissioner Ohlhausen argued that TRUSTe did not make the
statements regarding its non-profit status, and at most aided and abetted its clients’ actions by not requiring clients to update the inaccurate
statements. Chairwoman Ramirez and Commissioners Brill and McSweeny disagreed with Commissioner Ohlhausen’s argument, stating that
TRUSTe’s recertification of the inaccurate privacy policies is consistent with previous FTC cases, In the Matter of Shell Oil Co.7 and FTC v.
Magui Publishers,8 because TRUSTe “place[d] the means of deception in the hands” of its clients. The distinction between making a claim
under “means and instrumentalities” versus “aiding and abetting” is significant because, as noted by Commissioner Ohlhausen, the FTC “may
well be precluded from bringing Section 5 cases under an aiding and abetting theory.”9 In any event, the FTC’s inclusion of a “means and
instrumentalities” claim in its complaint may reflect an increased willingness by the FTC to consider a broader range of legal theories when
bringing future privacy cases. As a result, companies should ensure the accuracy of not only their own privacy representations, but also
representations that others may be making with their assistance.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks relating to consumer protection and privacy compliance. For more
information, please contact Lydia Parnes, Michael Rubin, Tracy Shapiro, Maggie Lassack, Eddie Holman, or another member of the firm’s
privacy and data protection practice.
6
Partial Dissent of Commissioner Maureen K. Ohlhausen, In the Matter of True Ultimate Standards Everywhere, Inc., November 17, 2014,
http://www.ftc.gov/system/files/documents/public_statements/599081/141117trustedisstmtmko.pdf (hereinafter Ohlhausen Dissent).
7
128 F.T.C. 749 (1999).
8
No. 89-3818RSWL(GX), 1991 WL 90895 (C.D. Cal. Mar. 28, 1991), aff’d 9 F.3d 1551 (9th Cir. 1993).
9
Ohlhausen Dissent, supra note 6 (quoting In the Matter of Shell Oil Co., 128 F.T.C. 749, *19 (1999)(Swindle Dissent)).
This WSGR Alert was sent to our clients and interested parties via email on November 20, 2014.
To receive future WSGR Alerts and newsletters via email, please contact Marketing at wsgr_resource@wsgr.com and ask to be added to our mailing list.
This communication is provided as a service to our clients and friends and is for informational purposes only. It is not intended to create an attorney-client relationship or
constitute an advertisement, a solicitation, or professional advice as to any particular situation.
650 Page Mill Road | Palo Alto, CA 94304-1050 | Tel: (650) 493-9300 | Fax: (650) 493-6811 | email: wsgr_resource@wsgr.com | www.wsgr.com
© 2014 Wilson Sonsini Goodrich & Rosati, Professional Corporation
All rights reserved.
AUSTIN
BEIJING
BRUSSELS
HONG KONG
LOS ANGELES
NEW YORK
PALO ALTO
SAN DIEGO
SAN FRANCISCO
SEATTLE
SHANGHAI
WASHINGTON, DC
WILMINGTON, DE
Related documents
What is “personal information”
What is “personal information”
Chapter 8 Operational Data Tools
Chapter 8 Operational Data Tools
Scavenger Hunt
Scavenger Hunt
Download