Web Seals: A Review of Online Privacy Programs

A Joint Project of The Office of the Information and Privacy Commissioner/Ontario and The Office of the Federal Privacy Commissioner of Australia

Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada
Malcolm Crompton, Federal Privacy Commissioner, Australia

Information and Privacy Commissioner/Ontario

22nd International Conference on Privacy and Personal Data Protection, Venice, September 2000

This publication also is available on the websites of the Offices of the Information and Privacy Commissioner/Ontario and the Federal Privacy Commissioner of Australia.

Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario
Canada M4W 1A8
416-326-3333
1-800-387-0073
Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539
Website: www.ipc.on.ca

Office of the Federal Privacy Commissioner
Level 8 Piccadilly Tower
133 Castlereagh Street
Sydney NSW 2000
Australia
+61 2 9284 9600
Fax: +61 2 9284 9666
TTY (Teletypewriter): 1-800-620-241
Website: www.privacy.gov.au

Executive Summary

Electronic commerce is often viewed as contributing to the development of a global economy – a world without borders. However, the reality is that all economic activity takes place within a given jurisdiction with a unique set of laws and regulations governing commercial transactions. While the buyer and seller may be located in different places, the sale itself takes place in one jurisdiction. This geographic separation often results in disputes over which jurisdiction takes precedence (the buyer’s or the seller’s) and can lead to difficulties in the enforcement of contracts.

In an effort to promote the growth and development of e-commerce, companies have sought ways to promote consumer confidence and trust. It should be noted, however, that building consumer confidence in the world of e-commerce is no small matter.
Virtually every major public interest survey over the last several years has shown that privacy is the No. 1 concern for people using the Internet, and the primary reason why most people continue to shop in traditional bricks-and-mortar stores rather than going online.

Enforcing consumer protections during transactions between parties in different legal jurisdictions is a complicated undertaking. The issue is further exacerbated when it comes to the handling of personal information, especially in countries which have little or no legal protections in the area of privacy. In many jurisdictions, people have the force of law to protect them, both in general consumer affairs and in the protection of their privacy. However, while many nations lack rigorous privacy protection legislation, the issue is most acute in the United States, which is the leading force behind electronic commerce.

To address online privacy concerns, a number of organizations have developed Web seals designed to let their participants publicize that they adhere to certain privacy policies and practices. Yet without objective standards on which to evaluate these seals, their relative merits remain open to debate. The public requires a greater degree of certainty that a company bearing a Web privacy seal, especially one unknown to them, will in fact protect their privacy.

The subject of Web privacy seals was raised in September 1999 at the 21st Conference of International Data Protection Commissioners. The Commissioners also recognized the benefits of acting in unison to address online data protection issues, in light of the global nature of the Web. It was felt that a preliminary assessment of the major Web seal programs would be a useful contribution to the global debate over online privacy.
Two Data Protection Commissioners, one from Ontario, Canada and one from Australia, undertook to do the work on the project while a small group of other Commissioners from Europe and Asia provided informal advice as the project proceeded. The Commissioners believed that by evaluating Web seals, the expertise of the privacy community could assist in the development and possibly the promotion of Web seals, thereby advancing privacy efforts around the world.

The objectives for evaluating Web seal programs were threefold. First, to assess the privacy, dispute resolution and compliance standards of the major Web seals. Second, to engage in open discussions with the seal programs to identify ways in which to enhance their overall privacy framework, as well as their dispute resolution and compliance and enforcement mechanisms. Third, to undertake a practical demonstration of co-operative effort between Privacy Commissioners representing different jurisdictions and legislative frameworks, in an effort to advance online privacy initiatives at a global level.

Methodology

The Web seal project evaluated the three leading online privacy seals: BBBOnLine, TRUSTe and WebTrust. The review is detailed and quite complex. The project identified three key components for an effective online seal program:
• sufficient privacy principles to which participating Web sites must adhere;
• a sound method for resolving disputes between consumers and Web sites; and
• a robust mechanism for ensuring that “sealed” Web sites complied with the seal’s standards.

We believe the three seal organizations are to be commended for their efforts. This project is intended to highlight the strengths and weaknesses of each different approach. The work that each seal has put into its respective program, in the areas noted above, is considerable and we welcome their efforts in attempting to develop an objective standard for fostering trust and consumer confidence.
The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, an internationally-recognized code of fair information practices, were selected as the standard against which to evaluate the seals’ privacy principles. The OECD Guidelines contain overlapping and cumulative principles that outline responsible information handling practices designed to protect the privacy of data subjects. Adherence to all of the practices in their totality is necessary in order to achieve full informational privacy.

To evaluate the dispute resolution mechanisms of each seal program, the Australian Benchmarks for Industry-based Customer Dispute Resolution Schemes were selected as the standard. They reflect well established and internationally recognized standards for dispute resolution. This project also reviewed the seals’ compliance and enforcement mechanisms.

Results

The paper evaluates each seal program and includes highlights of correspondence with the seal organizations regarding our assessment. The evaluations conclude that, at the time of our review, each of the three seals addressed privacy protection, dispute resolution and compliance to varying degrees, although none of them completely satisfactorily.

Regarding privacy standards, out of eight possible marks, the scores awarded were: BBBOnLine 6.25; TRUSTe 6.375; and WebTrust 6.0. In the dispute resolution section, out of a total possible six points, the scores awarded were: BBBOnLine 5.05; TRUSTe 4.65; and WebTrust 4.58. The paper also contains a review of the compliance and enforcement components of the three seal programs.

At the time of our review, each of the seals had its own strengths. BBBOnLine offered the most customer-friendly dispute resolution system, while WebTrust offered the most rigorous compliance regime. In terms of privacy principles, while TRUSTe scored the highest in our assessment, it is clear that none of the seals required their participants to meet all of the OECD principles.
This is a point of concern. Nonetheless, seals are playing a valuable educational role in promoting privacy awareness in the minds of consumers and businesses alike. This educational role is, in our view, both positive and beneficial.

Conclusion

The future role that Web seals might play in e-commerce is unclear. Seals are only in their early stages of development and will likely evolve and improve over time. They could come into their own as a powerful facilitator of the globalization of consumer transactions if they are able to provide acceptable and enforceable privacy protection across multiple jurisdictions. Objective assessments of the extent to which seals provide true privacy protection, dispute resolution and enforcement may be a crucial factor in determining the degree and speed with which they become more accepted by consumers. Such assessment could assist consumers and business in differentiating between the competing claims put forward by various seal providers.

In the end, Data Protection Commissioners have a number of tools at their disposal to protect the privacy of their citizens: legal instruments, technical standards, public education, expert consultation and moral suasion. By working together, Commissioners can extend the reach of their offices and provide benefits to consumers beyond their individual borders. It is up to the global community of Commissioners to work together to advance the uniform goal of privacy protection – this joint project is only one small indication of what can be done.

Table of Contents

1. Background
1.1 Why Online Privacy Seals?
2. Objective of the Web Seals Project
2.1 Seals Selected for Review
3. Methodology
4. Assessment of the Seal Programs
4.1 Privacy Principles
4.1.1 Selection of the OECD Guidelines as the standard
4.1.2 Template for analysis
4.1.3 BBBOnLine
4.1.4 TRUSTe
4.1.5 WebTrust
4.1.6 Conclusions
4.2 Dispute Resolution
4.2.1 Selection of the standard for dispute resolution assessment
4.2.2 Basis for seal assessment
4.2.3 Description of dispute resolution mechanisms
4.2.4 Assessment results
4.2.5 Summary of dispute resolution assessment results
4.3 Compliance/Enforcement
4.3.1 Need for compliance and enforcement
4.3.2 Comparison of the functions
4.3.3 Next steps
5. Results
5.1 Summary of assessment of the seals
5.2 Effectiveness of seals as a tool online users can use to protect their personal data
5.3 The future of this project
5.4 Concluding remarks
Exhibit A – Comparison of BBBOnLine Privacy Seal with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Exhibit B – Comparison of TRUSTe Program with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Exhibit C – Comparison of WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Exhibit D – Australian federal government Benchmarks for Industry-Based Customer Dispute Resolution Schemes
Exhibit E – Australian National Arbitration Forum Principles
Exhibit F – Compliance/Enforcement Activity of Privacy Seals

1. Background

At the 21st International Data Protection Commissioners’ Conference, held in September 1999 in Hong Kong, the Commissioners agreed that there was a need to act in unison to address online data protection issues.
The recognition of the desirability for concerted, co-operative action was sparked by a number of factors. The global nature of the World Wide Web (the Web), in the face of the local jurisdiction of Data Protection Commissioners, highlighted the need for an international consensus regarding issues of online privacy protection. Also, while the efforts of Commissioners have significant impact in their respective jurisdictions, their individual effectiveness at the global level is currently relatively limited. By acting in unison, Commissioners may have greater influence over the online privacy debate and public opinion.

Commissioners focussed their attention on the rapidly developing area of online privacy seals. A working group was established with a mandate to identify and assess options available to Privacy Commissioners:
• to use standards and/or seals to improve the protection of personal information in their jurisdictions, for example, by promoting or endorsing a particular seal; and
• to add value to standards or seals, for example, by participating in or contributing to their development.

The Data Protection Commissioners recognized that the law is unable to keep up with the current pace of technological change. Internet users are looking for means of assurance that their privacy interests are being respected, or that redress is available should their personal information be misused. Standards and/or seals could potentially assist in providing such assurance.

After reviewing potential options for examining standards and seals, the Privacy Commissioners of Ontario (Ann Cavoukian) and Australia (Malcolm Crompton) decided to undertake an evaluation of online privacy seals. A small group of other Commissioners from Europe and Asia provided informal advice as the project proceeded. The assessment and its results, as well as conclusions drawn and potential next steps, are the subject of this paper.

1.1 Why Online Privacy Seals?
The Commissioners identified the assessment of online privacy seals as a valuable project based on a number of online realities:
• the exponential growth of the Internet and in business being conducted over the Internet;
• the global nature of the Internet and e-commerce means that consumers do not limit their online activities to their local jurisdictions;
• the concern of online users about the release of their personal information to companies when they shop online; and
• the increasing efforts of commercial and not-for-profit organizations to respond to the public’s concerns about online privacy through seal programs.

The profile and potential importance of Web seals has been further heightened by the recently announced Safe Harbor Agreement reached between the European Union and the United States. The agreement identifies privacy self-regulatory organizations (such as Web seals) as acceptable mechanisms for determining compliance with its privacy principles.

2. Objective of the Web Seals Project

The Commissioners identified the following objectives for this project:
• assess the privacy, dispute resolution and compliance/enforcement standards of the major Web seal programs;
• engage in open discussions with the seal programs to identify ways to enhance their overall privacy framework, as well as their dispute resolution and compliance/enforcement mechanisms;
• undertake a practical demonstration of co-operative effort between Privacy Commissioners in order to advance online data protection efforts at a global level; and
• establish that Privacy Commissioners, representing a diversity of jurisdictions and legislative frameworks, can work together to protect the privacy of personal information at a global level.

2.1 Seals Selected for Review

The Commissioners chose the three major privacy seal programs for review and assessment – BBBOnLine, TRUSTe, and WebTrust.
Although there is a growing number of seals available, these programs were the most visible and most commonly used seals at the time of the assessment.

BBBOnLine

This program has been developed by the Council of Better Business Bureaus. According to BBBOnLine, its privacy program features verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component. The BBBOnLine privacy program offers the following:
• awards a seal to businesses that post online privacy policies which meet the required “core” principles, such as disclosure, choice and security;
• provides for the settlement of consumer disputes;
• monitors compliance by requiring participating companies to undertake, at least annually, an assessment of their online privacy practices; and
• imposes specific consequences for non-compliance, such as seal withdrawal, negative publicity and referral to government enforcement agencies.

As of August 1, 2000, 324 companies had been awarded the BBBOnLine seal.

TRUSTe

This program regards itself as an independent, non-profit initiative dedicated to building users’ trust and confidence on the Internet. It has developed a third-party oversight seal program designed to alleviate users’ concerns about online privacy, while meeting the business needs of licensed Web sites. TRUSTe was originally founded by the Electronic Frontier Foundation and the CommerceNet Consortium. The sponsors of the program include many of the world’s largest corporations, such as AOL, Intel, Excite and Microsoft. The seal is awarded to sites that adhere to TRUSTe’s established privacy policies of disclosure, choice, access and security. Web sites that display this seal agree to comply with ongoing TRUSTe oversight and alternative dispute resolution processes.
TRUSTe’s goals are to provide:
• online consumers with control over their personal information;
• Web publishers with a standardized, cost-effective solution for both satisfying their business model and addressing consumers’ anxiety over sharing personal information; and
• government regulators with demonstrable evidence that the industry can successfully self-regulate.

TRUSTe has awarded more than 1,000 seals to qualifying companies. It is reportedly displayed on all the Internet’s portal sites, 15 of the top 20 sites, and approximately half of the top 100 sites.

WebTrust

This seal was developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is offered by specially trained and licensed Certified Public Accountants (CPAs) in the United States, Canada, Hong Kong, Australia and a growing number of European countries. WebTrust claims to be part of a global effort by the accounting profession to bring effective e-commerce solutions to the Internet to protect businesses and consumers when shopping online. The WebTrust seal of assurance is placed directly onto the Web site of the qualifying online business, indicating that the business is in compliance with WebTrust principles and criteria. WebTrust requires CPAs to conduct an independent examination of the site and all its business practices and procedures. The licensed CPA awards a seal to an online business only if it passes the examination.

According to WebTrust, the three fundamental areas of its principles and criteria reviewed by the CPA are:
• Business Practices and Information Privacy — to ensure that the site properly discloses its business practices for such matters as order processing, product returns, information collection, payment processing, product delivery and complaint resolution.
• Transaction Integrity — to ensure that the business can deliver on its sales promises by delivering what was ordered at the agreed-upon price in the requested timeframe.
• Security — to ensure that the site maintains effective controls and practices to address privacy and security matters such as: encryption of private customer information; protection of information once it reaches the site; requests for customer permission to use personal information; prevention of virus transmission; and customer approval before the site stores, alters or copies information on the customer’s computer.

As of August 1, 2000, a total of 28 Web sites had been awarded WebTrust seals.

3. Methodology

This joint project was undertaken as a one-year pilot, with the goal of reporting back to the 22nd International Data Protection Commissioners’ Conference in September 2000. The Australian and Ontario Commissioners identified three key components for an effective online seal program, namely:
• sufficient privacy principles to which participating Web sites must adhere;
• an effective method for resolving disputes between consumers and Web sites; and
• a robust mechanism for ensuring that sealed Web sites comply with the standards set.

As discussed below in Section 4 of this paper, each of the seal programs was reviewed in these three areas. It is important to note that our intent was not to come up with a score for the seal programs that definitively claimed that one was better than another. The first purpose of this evaluation was to create a diagnostic tool to help us understand what was and was not covered by the seals. The second, and more important, purpose was to provide a means to initiate a dialogue with the seal programs. By providing them with our initial analysis, and asking for their comments, we began what we hoped would be an ongoing process of mutual education and information exchange.
We wanted to be sure that we understood their programs fully and that they understood our concerns.

Readers of this paper may be surprised by the level of detail and complexity. By necessity, a thorough and fair analysis requires a clause-by-clause examination of the minutiae of the three seals’ policies. We would rather have erred on the side of being overly inclusive in our analysis than have had our work dismissed as superficial. That being said, this level of review is not intended to find fault in the smallest detail, but rather to illustrate the degree of comprehensiveness of the seal policies.

The three seal programs are to be commended for their efforts. Our review is not intended to diminish the value of the work that the seals have put into their programs but rather to highlight the strengths and weaknesses of each different approach. Each organization is to be commended for its efforts in developing an objective standard for fostering trust and consumer confidence.

The next section of this paper details the assessment process that has been undertaken and the dialogue that has occurred with the seal programs as of August 1, 2000. Following that, we offer some conclusions and recommendations as to potential next steps.

4. Assessment of the Seal Programs

4.1 Privacy Principles

4.1.1 Selection of the OECD Guidelines as the standard

The first step in this project was to identify an appropriate standard against which to evaluate the privacy principles of the seals. We believed the obvious choice was the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data <http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM>. Evaluating the online seal programs against the OECD Guidelines appealed to us for several reasons.
Given the borderless nature of the online world and e-commerce, and the popularity of American sites for users in all jurisdictions, an internationally-recognized privacy standard seemed to be the most appropriate measure against which to compare the seals’ privacy principles. In addition, the OECD Guidelines form the basis of data protection schemes around the world. The OECD Guidelines contain overlapping and cumulative principles that outline responsible information handling practices designed to protect the privacy of data subjects. We believe adherence to all of the practices is necessary in order to achieve full informational privacy.

4.1.2 Template for analysis

The June 26, 1998 edition of Privacy Times reported that Robert Gellman, a well known authority on privacy, had developed a scale for evaluating online privacy initiatives against the OECD Guidelines. Using his scale, a point was assigned to each principle, allowing for a perfect score of eight.

We decided to modify Mr. Gellman’s general rating scheme somewhat. Most of the OECD principles contain several components, each of which we believed must be reflected by the seal programs in order to be considered equivalent. The marking scheme outlined below was developed as a way to ensure that we were consistent in our approach and, more importantly, to ensure that all aspects of the OECD principles were considered. Each OECD principle was divided into its component parts, with separate marks allocated to each section. A total of one point was assigned to each principle as follows:

OECD Guidelines — Evaluation Criteria and Weighting
(The weight of each component appears in parentheses; each principle carries one point, for a maximum of eight.)

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
• Limits to collection by lawful and fair means (.5)
• Knowledge or consent of data subject (.5)

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
• Relevant to purposes of use (.5)
• Accurate, complete and kept up-to-date (.5)

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
• Specify purposes to data subject not later than time of collection (.5)
• Uses limited to purposes or specified consistent purposes (.5)

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.
• Use and disclose in accordance with specified purposes (.5)
• Except with data subject consent or by authority of law (.5)

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
• Reasonable security safeguards (1)

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
• General policy of openness (.5)
• Ready means for data subject to know about personal information, and purposes, including identity and location of data controller (.5)

Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him data relating to him i) within a reasonable time; ii) at a charge, if any, that is not excessive; iii) in a reasonable manner; and iv) in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
• Data subject able to know data controller has personal information (.25)
• Data communicated in reasonable time and manner, and in intelligible form (.25)
• Reasons for denial of access (.25)
• Ability to challenge and correct (.25)

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.
• Data controller accountable for compliance with principles (1)

For each seal program, we followed a basic methodology:
• Our evaluations were based solely on information that was publicly available on the seal programs’ Web sites. In November 1999, we logged onto the three seal programs’ sites and reviewed all the pages and documents we thought provided information on the seals’ privacy requirements for business participants.
• Using the above template, we created a separate chart for each seal that contained the relevant sections of text from the material available from the Web sites. We quoted the seal programs’ text so as not to misrepresent their statements.
We attempted to include any statements we thought relevant to specific OECD principles. Our intent was to include as much information as was available to us at the time.
• To determine if the seals covered all/some/none of the individual provisions of the OECD principles, we compared those fair information practices against the stated requirements of the seal programs. We attempted to be as broad in our interpretations as possible.

It is important to acknowledge, at the outset, that there were a number of limitations to this methodology. First, a quantitative assessment such as this does not necessarily reflect the full merits of a seal program. For example, it does not capture the fact that some seals stress business and consumer education, which we agree is extremely important and beneficial. Also, it would be incorrect to assume that just because a reference to a particular facet of the OECD Guidelines was not included by a seal, the opposite was true. For example, if there was no stated requirement to collect personal information only by lawful and fair means, it would have been misleading to interpret this omission to mean that the use of unlawful and unfair means was acceptable.

4.1.3 BBBOnLine

At the time of our review, one of BBBOnLine’s threshold standards was that an applicant’s site or online service must be directed at United States or Canadian residents. We felt this supported our selection of the OECD Guidelines as the standard for our review. Canada’s new Personal Information Protection and Electronic Documents Act, which was being debated at that time, codifies the Canadian Standards Association’s Model Code for the Protection of Personal Information, which in turn is based on the OECD Guidelines.
To arrive at our assessment of BBBOnLine’s Privacy Seal, we reviewed the following Web pages and documents:
• About Seals <http:www.bbbonline.org/about/about_seals.htm>, 11/4/99;
• BBBOnLine Privacy Program <http://www.bbbonline.org/businesses/privacy.index.html>, 11/15/99;
• Eligibility Criteria for BBBOnLine Privacy Seal <http://www.bbbonline.org/businesses/privacy/eligibility.html>, 11/4/99;
• BBBOnLine Privacy Program documents in Adobe PDF format [11/4/99];
• How the Privacy Program Works <http://www.bbbonline.org/businesses/privacy/selfregulation.html>, 11/4/99;
• BBBOnLine Privacy Program Participation Agreement in Adobe PDF format [11/2/99];
• BBBOnLine Privacy Program Dispute Resolution Process in Adobe PDF format [11/2/99];
• Benefits of Participation <http://www.bbbonline.org/businesses/privacy/benefits.html>, 11/4/99;
• How Much Will it Cost? <http://www.bbbonline.org/businesses/privacy/cost.html>, 11/4/99;
• How to Apply for the Privacy Seal (A Step by Step Guide) <http://www.bbbonline.org/businesses/privacy/guide.html>, 11/4/99;
• Sample Privacy Notice: Introduction <http://www.bbbonline.org/businesses/privacy/sample.html>, 11/4/99;
• BBBOnLine Privacy Seal Application <https:/www/bbbonline.org/database/papp/papp/cfm>, 11/4/99;
• Standards for BBBOnLine Reliability Program Participation <http://www.bbbonline.org/businesses/reliability/standards.html>, 11/4/99; and
• BBBOnLine Privacy Policy Assessment Questionnaire, including Help notes, <http://www.bbbonline.org/businesses/privacy/assess-html.html>, 11/4/99.

Following the methodology outlined above, we initially gave the BBBOnLine Privacy Seal six out of eight possible points (see Exhibit A for our analysis). For reasons outlined below, this has now been revised to 6.25.
In November 1999, we did not find standards or requirements that explicitly addressed:
• limiting the collection of personal data to lawful and fair means;
• requiring personal data to be relevant to the purposes for which they are to be used;
• giving the data subject the right to have data related to him communicated in a reasonable time and manner, without excessive costs, and in an intelligible form;
• giving the data subject the right to be given the reasons for a denial of access.

We also thought that the restrictions on “use” should be stronger. While a requirement for the site to limit its use of data to the purposes for which it was collected or “related uses or transfers” may be inferred from statements under the Choice and Consent section of the Privacy Policy Assessment Questionnaire, it did not appear to be explicitly stated anywhere. We believed this created a potential weakness in the BBBOnLine Privacy Seal relating to both the purpose specification and use limitation principles of the OECD Guidelines. However, we did acknowledge the existence of the requirement to restrict the use of information transferred to third parties, as specified in the eligibility criteria.

Prior to a meeting between Malcolm Crompton and Gary Laden, Director of BBBOnLine Privacy Program, and Russell Bodoff, Senior Vice President and Chief Operating Officer, on April 13, 2000, we sent BBBOnLine a copy of our assessment of its Privacy Seal. We asked BBBOnLine to indicate if, in its view, our evaluation was fair and accurate, or had we missed any critical information. We also asked if BBBOnLine was open to the idea of changing its eligibility criteria and program participation agreement to explicitly cover all aspects of the OECD Guidelines.

At the April 13, 2000 meeting, BBBOnLine indicated that its seal program had to evolve continuously in order to keep pace with developments, and that it welcomed our comments.
At that time, its focus was on ensuring that its Privacy Seal was compliant with the Safe Harbor Agreement and the American Children’s Online Privacy Protection Act. BBBOnLine thought that the changes it was making to its seal program as a result of these initiatives may address some of our concerns. BBBOnLine also said that it supported our “co-operative model” and welcomed our input.

On July 25, 2000, Mr. Laden provided us with some “preliminary feedback” on our review of BBBOnLine’s standards for its Privacy Seal, as follows:

Limiting the collection of data by lawful and fair means

BBBOnLine noted that a Web site collecting data in violation of the law would not hold a BBBOnLine Privacy Seal, as one of its eligibility requirements is that “seal participants must be engaged in activity that is legal.” According to the company, by definition, a Web site collecting data in violation of the law would not be able to hold the BBBOnLine seal. Due to this requirement, BBBOnLine maintained that consumers interacting with an approved site always would be in the position of preventing the use of their data in an unfair or unlawful manner. Mr. Laden asked us for clarification as to why BBBOnLine’s threshold standard did not adequately address this part of the Collection Limitation Principle of the OECD Guidelines.

We recognize that this is a matter of fine tuning; however, we believe that our distinction between a business engaging in a lawful business activity, and a business collecting personal information by lawful and fair means, is more than merely a matter of semantics. A company may be involved in a legitimate business but still may collect personal information (knowingly or unknowingly) in a manner that may violate privacy legislation, or that is misleading or deceptive, thereby not permitting data subjects to exercise their rights in an effective manner.
One of the stated benefits of participating in the BBBOnLine privacy program is that the seal lets consumers know that the business “follows ethical practices in the treatment of personally identifiable information.” Given that the purpose of a privacy seal is to establish a framework of responsibility for the entity collecting, using and disclosing personal information, we strongly encourage BBBOnLine to place an explicit onus on its participants to collect personal information only by lawful and fair means, and to disclose that obligation as part of their privacy policies.

Personal data should be relevant to purposes of use

Mr. Laden noted that BBBOnLine’s assessment process requires organizations to “take reasonable steps to assure that the individually identifiable information and prospect information they collect is accurate, complete, and timely for the purposes for which it is used.” We acknowledged this requirement in our initial assessment, which is why we gave BBBOnLine partial marks for the Data Quality Principle.

However, we believe that accuracy, completeness and timeliness are different from relevancy. It is not enough just to ensure that all the facts pertaining to a transaction are accurate. A central tenet of informational privacy is that the collection, use and disclosure of personal information be limited to only that which is necessary and relevant to a legitimate business function. A determination of relevancy is critical to limiting the collection of information. As Privacy Commissioners, we believe that the collection limitation is the first line of defence against privacy intrusions. Accordingly, we would encourage BBBOnLine to include a requirement for its participants to collect, use and disclose only that personal information which is relevant to the stated purpose(s). This places an obligation on businesses to evaluate the bearing or impact that the collection, use or disclosure of personal data would have on a transaction.
Ideally, if a piece of personal information was not absolutely required to complete a transaction, it should not be used. Alternatively, the purpose(s) of the optional data should be clearly defined and identified to the data subject prior to collection, use or disclosure. It should not be left solely up to consumers to determine relevancy and then opt in or out of the collection, use or disclosure of their personal information. We believe that responsibility should be placed on seal participants to clearly inform data subjects of the necessity and relevancy of each piece of personal information to be collected.

Pursuant to the Purpose Specification and Use Limitation Principles of the OECD Guidelines, we would like to see BBBOnLine more explicitly require its participants to limit the use of personal information to the defined purpose(s) for which it was collected. We acknowledge that this is addressed somewhat by statements under the Choice and Consent provisions. However, we do not think a requirement to provide “individuals the opportunity to opt-out or otherwise prohibit unrelated uses of individually identifiable information about them” is sufficient. Again, we do not believe it is enough just to provide the data subject with a choice regarding unrelated uses. We would prefer to see an explicit obligation placed on the business to limit its use of personal information to the purpose(s) identified.

Data subject’s right to have related data communicated in a reasonable time and manner, without excessive costs, and in an intelligible form

In its response to our evaluation, BBBOnLine indicated that its assessment process requires that data subject access be provided not just to correct, but also to review related data. It also requires that any limits on frequency or cost be “reasonable” (e.g., frequency limits of more than one year or fees of more than $15 U.S. would not be considered reasonable).
We agree that this satisfies the requirements of a reasonable time and no excessive cost and, following Mr. Laden’s letter, we reviewed our analysis to see why we had omitted this provision in our November assessment. We have amended our assessment to correct our initial oversight.

At the time of our review, BBBOnLine’s Eligibility Criteria required a seal participant to “... provide individuals with access to individually identifiable information collected from them online if such information is retrievable in the ordinary course of business and providing access does not impose an unreasonable burden.” We gave BBBOnLine full marks for the parts of the Individual Participation Principle relating to the data subject’s ability to know what information the data controller has on him or her. However, we did not initially give BBBOnLine marks for provisions relating to participants’ obligation to communicate with the data subject in a reasonable time and manner, without excessive charge and in an intelligible manner.

In the Access section of the Privacy Policy Assessment Questionnaire, Question G-4 asks the applicant to describe the mechanism(s) the organization has in place to make available to individuals, upon reasonable request, the individually identifiable information or prospect information it maintains with respect to the individual. The G-4 Help window currently states:

    An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual. The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used.

    If an organization cannot make information that it maintains available because it cannot retrieve the information in the ordinary course of business, it must provide the individual with a reference to the provisions in its privacy notice that discuss the type of data collected, how it is used, and appropriate choices related to that data, or provide the individual with materials on these matters that are at least as complete as the information provided in the privacy notice.

    Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances.

For reasons unknown, at the time of our review in November, we reviewed only the first paragraph of the Help text. As a consequence, we did not consider the remaining information in our November analysis. We appreciate BBBOnLine bringing this omission to our attention (which highlights the benefits of an ongoing exchange of information). The additional information indicates that BBBOnLine does indeed require its participants to communicate in a reasonable time and manner, and to set reasonable terms regarding timing and fees. Marks should have been awarded in this category and now have been.
Ideally, a right to challenge an organization’s determination of what constitutes “the ordinary course of business” or “unreasonable burden” would give the data subject greater input into this process.

Reasons for denial of access

According to BBBOnLine, there is only one possible reason that a BBBOnLine seal holder could deny access, and that would be when data cannot be retrieved in the ordinary course of business; otherwise, access must be granted. BBBOnLine states that in such a case, the requester must be provided with a reference to the provisions of the privacy policy that discuss the types of data collected, how they are used, and appropriate choices related to that data, or with materials on these matters that are at least as complete as the information provided in the privacy notice. “Since there are no other acceptable reasons for denial, this does not become an issue for our seal holders.”

At the time of our review, BBBOnLine’s eligibility criteria required a seal participant to “establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information.” Accordingly, we gave BBBOnLine full marks for the parts of the Individual Participation Principle relating to the data subject’s ability to challenge and correct. However, the fact that we did not review the full text of G-4 Help means that the requirement to provide the requester with the information described above was omitted in our analysis. Again, we have amended our assessment following receipt of Mr. Laden’s letter. However, on a general level, we would still prefer that an organization be required to do more than just refer the data subject to the provisions of the privacy policy.
We would encourage BBBOnLine to require its participants to more fully explain the reasons for denial of access in a timely and understandable manner; to provide data subjects with an opportunity to prepare a “statement of disagreement” and have it, along with the reasons for denial, attached or linked to the data in question, if their challenge is unresolved; and to provide a fair opportunity for the data subject to challenge the decision. An explanation about how data subjects could avail themselves of BBBOnLine’s dispute resolution process also should be linked to this provision.

While acknowledging our oversight, we think it illustrates a general problem we had with BBBOnLine’s Web site. We found it very difficult to access all the relevant information. If we missed some very instructive information, we think others will as well. To help applicants and participants to more easily understand the requirements of the Privacy Seal program, we encourage BBBOnLine to examine the effectiveness of making some critical information only accessible through its Help Windows. We think the addition of an alternate access method would be most useful.

Next steps

In his July 25 letter, Mr. Laden noted that BBBOnLine is “a dynamic, not static, program that will continue to strive to improve the services that it offers.” He indicated that BBBOnLine was in the process of implementing a new self-assessment tool that will incorporate a number of additional requirements, including requirements to be consistent with the new European Union-United States Safe Harbor Agreement. He thought that this new assessment tool would “likely address a number of the issues” we had raised. As of the time of writing, we are awaiting receipt of BBBOnLine’s new assessment tool, which is scheduled for release in late September 2000. BBBOnLine has stated that it welcomes our feedback and that it would like to learn from our assessment.
It recognizes that we all need to “co-operate effectively to get the most out of our respective efforts.” To date, both Commissioners have been very pleased with the responses received from BBBOnLine, and look forward to continuing to work together.

4.1.4 TRUSTe

In April 2000, a TRUSTe press release indicated that Nielsen/NetRatings had rated its trustmark the most visible symbol on the Internet. To arrive at our assessment of TRUSTe’s privacy requirements for its Web seal, we reviewed the following Web pages and documents:
• How the TRUSTe Program Works <http://www.truste.org/webpublishers/pub_how.html>, 11/3/99;
• How to Join the TRUSTe Program <http://www.truste.org/webpublishers/pub_join.html>, 11/3/99;
• TRUSTe Program Principles for Web Publishers <http://www.truste.org/webpublishers/pub_principles.html>, 11/3/99;
• TRUSTe Oversight for Web Publishers <http://www.truste.org/webpublishers/pub_oversight.html>, 11/3/99;
• Frequently Asked Questions <http://www.truste.org/webpublishers/pub_faqs.html>, 11/3/99;
• Privacy Central <http://www.truste.org/webpublishers/pub_privacy.html>, 11/3/99;
• Resolution Process for Web Publishers <http://www.truste.org/webpublishers/pub_recourse.html>, 11/3/99;
• Privacy Statement Wizard <http://www.truste.org/wizard>, 11/3/99; and
• TRUSTe License Agreement Rev 5.0 <http://www.truste.org/webpublishers/pub_agreement.html>, 11/3/99.

After reviewing this information, we compared the privacy standards of the TRUSTe Trustmark against the OECD Guidelines (see Exhibit B). We gave TRUSTe 6.375 out of a possible eight marks.
In the privacy principles, licensing agreement, and other data provided on TRUSTe’s Web site, we did not find standards or requirements explicitly:
• limiting the collection of personal data to lawful and fair means;
• requiring personal data to be relevant to the purposes for which they are to be used;
• giving the data subject the right to have data related to him communicated in a reasonable time and manner, without excessive costs, and in an intelligible form;
• giving the data subject the right to be given the reasons for any denial of access.

We also thought the requirements regarding a data subject’s right to know what information a data controller had about him or her were a little ambiguous. TRUSTe’s program principle required the posting of a privacy statement, and we acknowledged that such a statement would enable a data subject to know, generally, what personal information a Web site had. However, we did not see a provision for the data controller to respond to specific requests for information by the data subject. Also, we thought the program requirement of 3G of Schedule A of the license agreement, relating to information collection and use practices, did not explicitly require access. To us, the wording seemed to give the impression that such access was optional.

Prior to an April 19, 2000 meeting between Malcolm Crompton and Bob Lewin, Executive Director and CEO of TRUSTe, we sent Paula Bruening, Director of Compliance and Policy, our evaluation and asked for comments. On April 17, Ms Bruening replied, disagreeing with our assessment, and providing specific responses to each of our concerns, as follows:

Limiting the collection of personal data to lawful and fair means

From our review, we did not find any requirements relating to this portion of the Collection Limitation Principle of the OECD Guidelines. Accordingly, we did not give TRUSTe any marks in this area. Ms Bruening wrote:

    We must disagree with this appraisal. While the TRUSTe license agreement does not explicitly state this requirement, the TRUSTe self assessment sheet, integral to the TRUSTe program and required of every TRUSTe licensee, enables TRUSTe to review data collection methods and assure that individuals are not subject to practices that would deceive them into supplying information. The self assessment sheet, a 16 page document that must be attested to and signed by an officer of the company, asks specific questions about a company’s data practices and policies, and its personnel policies as they relate to data collection and privacy. It allows TRUSTe to assure that the privacy statement accurately reflects the company’s actual data practices. As such, the company’s failure to abide by its posted policy by engaging in unlawful or unfair collection practices would place it outside the bounds of its license agreement with TRUSTe and subject it to sanction. For these reasons, we believe that the TRUSTe program does incorporate these criteria for data collection. The TRUSTe program in its implementation does require that data collection is carried out by fair and lawful means, and we therefore disagree with your assignment of a score of 0.

We did not review the self assessment sheet as part of our assessment. At the time of our review, as now, such a document does not appear to be publicly available on TRUSTe’s Web site. We have contacted TRUSTe and asked for a copy of this document so we may more fully understand the privacy requirements of the TRUSTe trustmark.

Requiring personal data to be relevant to the purposes for which they are to be used

Again, we did not give TRUSTe any marks for this provision of the Data Quality Principle. Ms Bruening’s response stated:

    We disagree with this score. At this time, TRUSTe relies upon its requirements for robust notice and meaningful choice to enable individuals to make sound decisions about the reasonableness of a company’s request for information. Clear, concise notice allows individuals to understand what information is being required of them, for what purpose, and how that information may subsequently be used. When notice is well-stated, individuals may draw their own conclusions about the relevance of the data being required to the purposes for which it may be used, and can act accordingly by exercising choice. This approach is not only critical to the goal of empowering individuals to exercise control over their data, it also is fundamental to an effective approach to privacy protection.

    We disagree with your quantitative assessment of TRUSTe’s incorporation of this principle in its program. We believe the program provides an adequate process whereby a company provides consumers with sufficient information to determine the relevancy of the personal data to the purpose for which it is to be used.

As we indicated in our discussion of BBBOnLine’s Privacy Seal, we do not think it is appropriate for the responsibility of determining relevancy to be left to the data subject alone. While individuals obviously have a responsibility to become informed in order to appropriately exercise their choices, we think that an obligation should be placed on privacy seal participants to identify the relevancy of the personal information they collect, use and disclose to the stated purpose(s), and to make their assessment known to consumers. Given that the purpose of a privacy seal is to define and enforce responsible online business practices, we would encourage TRUSTe to include an explicit requirement regarding the relevancy of personal information to be collected, used and disclosed by its licensees. We believe that seal programs should encourage their participants to view the data subjects as the owners of their own personal information. A business acts as a temporary custodian of the individual’s personal information.
As such, businesses have an obligation to ensure its protection and to inform data subjects of their information handling practices.

Access

We gave TRUSTe partial marks for its provision relating to individuals being able to know what the data controller has on them, and no marks for the requirements for the data controller to communicate that data in a reasonable time and manner, without excessive charge and in an intelligible form, and to give reasons for denial of access. Responding to our assessment of .375 out of 1 for the Individual Participation Principle, Ms Bruening wrote:

    TRUSTe’s access requirement is based upon the Federal Trade Commission and Department of Commerce’s requirement for reasonable access as set forth in its Elements of Effective Self Regulation for Protection of Privacy. As you know, the issue of access has been the subject of significant debate, not only within the U.S. but also in the U.S. negotiations with the European Union as it worked toward a mutually acceptable safe harbor program. Because the best manner of implementation of this principle is an issue that continues at this time to be debated, we cannot agree with your quantitative appraisal of the TRUSTe program on these points at .375.

    TRUSTe has taken first steps in providing access by requiring that companies provide individuals with the opportunity to correct or amend information maintained about them by a website. However, TRUSTe is looking forward to guidance from the FTC on the question of access. While we are grateful for the opportunity to participate in the FTC’s Advisory Committee on Online Access and Security and want to make a meaningful contribution to the committee’s deliberations, we remain eager to learn the FTC’s final decision on this issue. We look to the FTC to directly address the issues raised in the OECD Guidelines and in your letter related to the time and manner of access, the cost and form of access and the right of individuals to know the reasons for denial of access. When the FTC has completed its inquiry and made its decision about this issue, TRUSTe will take immediate steps to implement the FTC’s findings. As it has in the past, TRUSTe looks forward to evolving its program to closely track developing policy in this area. Until that time, we believe it is inappropriate to evaluate the implementation of these criteria in a quantitative manner.

We understand TRUSTe’s point about the quantitative manner of our initial assessment. As we noted under Section 4.1.2 of this paper, we did not intend for the numbers to take on such weight. We were hoping to flag areas of concern and possible omissions for our discussions with the seal programs. We also understand that TRUSTe, like the other seal programs operating in the United States, needs to be guided by the Federal Trade Commission and the Safe Harbor Agreement. We fully recognize there are requirements under legislation and international agreements that must be a priority for American seal programs. We look forward to seeing how TRUSTe, and the other seals, respond to these new developments.

Our choice of the OECD Guidelines as the standard was in response to our recognition of the global reality of the Internet, and the international nature of e-commerce. Ontario or Australian residents do not restrict their surfing to Ontario or Australian Web sites. According to a survey from Nielsen NetRatings, MSN and Yahoo! properties are the most popular destinations for Web surfers around the world. MSN is the most popular site in the United Kingdom, New Zealand and Australia, and is the second-most popular after Yahoo! in Singapore and Ireland.[1] Microsoft Corporation operates Canada’s most popular Web sites.
In April 2000, more than 6.2 million Canadians visited a Microsoft Internet property from their home computers, including Hotmail, MSN.ca, Microsoft.com, and MSN Instant Messenger. Sites operated by America Online Inc. were the second most popular among Canadians, while properties owned by Yahoo! Inc. (e.g., Yahoo.com, Yahoo.ca and Geocities) ranked third.[2]

[1] “NielsenNetRatings: MSN, Yahoo Top Global Traffic Ratings,” May 08 2000, <http://www.nua.ie/surveys/?f=VS&art_id=905355764&rel=true>, 06/06/00.
[2] David Akin, “Microsoft has Canada’s pet Web sites: Media Metrix Survey,” Financial Post, May 25, 2000, p. C9.

We believe that improving online privacy in all jurisdictions directly impacts the privacy of residents in our jurisdictions. Our comparison of the requirements of TRUSTe’s Trustmark against the OECD Guidelines – internationally accepted fair information practices – illuminates areas where we, as Privacy Commissioners, would encourage greater privacy protection.

Next steps

In her letter of April 17, Ms Bruening indicated that:

    … the TRUSTe program is an evolutionary one. As the debate about privacy moves forward, TRUSTe acts to respond to the demands of consumers, government and industry, while at the same time maintaining a practical, viable program that works for consumers and business.

We acknowledge the continued evolution of the TRUSTe program. As an example, we think the Resource Guide, with its Model Privacy Statement and a Site Co-ordinator’s Guide, is a useful addition to the TRUSTe Web site. We look forward to being part of the debate that moves privacy forward, and to an ongoing working relationship with TRUSTe, however that may be defined in the future.

4.1.5 WebTrust

Of all the privacy seal programs, WebTrust has the most established international presence. Germany has joined England, France, Scotland, Ireland and Wales in the European Union in offering the WebTrust seal.
WebTrust is also available in Australia, Canada and Puerto Rico, in addition to the United States where it originated.

The Office of the Information and Privacy Commissioner/Ontario (IPC/O) had an established working relationship with WebTrust prior to the beginning of this review. In March 1999, the IPC/O provided WebTrust with its comments on Version 1.1 of the AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce and WebTrust Principles and Criteria with Proposed Privacy Additions (Preliminary Draft #5).

On November 15, 1999, the CICA announced that WebTrust Principles and Criteria, Version 2.0 had just been released. We requested and received a copy of the full AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce, dated October 15, 1999, Version 2.0, from Bryan Walker, Principal, Studies & Standards, The Canadian Institute of Chartered Accountants. In addition to that document, which was also available on the AICPA Web site, we looked at:
• The CPA WebTrust Seal means greater consumer confidence <http://www.cpawebtrust.org/developer/dlvp_content.html>, 11/16/99;
• The CPA WebTrust Program: What it does, how it works <http://www.cpawebtrust.org/developer/program/dlvp_prog_over.html>, 11/16/99;
• The thinking behind the CPA WebTrust Program <http://www.cpawebtrust.org/shared/details/det-over.html>, 11/16/99;
• The CPA WebTrust Seal means greater security <http://www.cpawebtrust.org/shared/eval/eval.html>, 11/16/99; and
• About WebTrust Services <http://www.cica.ca/cica/cicawebsite.nsf/public/SPASWebTrust.html>, 11/16/99.

After reviewing the principles and criteria, and comparing them against the OECD Guidelines, we gave WebTrust six out of eight (see Exhibit C for our assessment).
As with the other two seal programs, we did not find explicit standards or requirements:

• limiting the collection of personal data to lawful and fair means;
• requiring personal data to be relevant to the purposes for which they are to be used;
• giving the data subject the right to have data related to him communicated in a reasonable time and manner, without excessive costs, and in an intelligible form;
• giving the data subject the right to be given the reasons for denial of access.

We also thought that the requirements regarding use and disclosure in accordance with specified purposes under the Use Limitation Principle, and the provision of data controller contact information under the Openness Principle, should have been stronger.

On November 24, 1999, the Australian Privacy Commissioner gave a presentation entitled The New Privacy Legislation and How it Affects Seal Providers, at a roundtable on Electronic Commerce Seals of Assurance. That presentation outlined our assessment of the three privacy seal programs. Attending that talk was Michael Nugent, Director Professional Services, The Institute of Chartered Accountants in Australia. This began an ongoing dialogue between Malcolm Crompton and Mr. Nugent that culminated in a meeting in February 2000. Representing WebTrust at that meeting were Mr. Nugent, Brian Hollingworth, Director, Global Risk Management Solutions, PriceWaterhouse Coopers, and Dean Kingsley, Partner, Enterprise Risk Services, Deloitte Touche Tohmatsu.

At that meeting, Mr. Crompton outlined the objectives of the Privacy Commissioners’ seal project and provided WebTrust with a copy of our full analysis. WebTrust agreed to contact its North American counterpart to ensure a consistent global approach, to review our analysis, and to provide us with an indication of its position regarding revising their privacy criteria.

On March 23, Mr. Nugent advised the Australian Commissioner that the U.S./Canadian WebTrust Task Force had “agreed in principle to make appropriate changes to the Principles and Criteria that address the concerns raised by the comparison to the OECD Guidelines.” The specific wording of the changes was to be worked out between Bryan Walker, CICA, and the IPC/O.

At the beginning of April, Mr. Crompton advised Mr. Nugent that the Privacy Commissioners of Hong Kong, Berlin, Brandenburg, and British Columbia had “all endorsed the work” undertaken by the Australian and Ontario Commissioners, and were expecting contact from WebTrust to pursue this initiative.

On June 20, Mr. Walker and Gregory Shields, Director, Assurance Services Development, CICA, met with representatives of the IPC/O. At that meeting, WebTrust indicated that the WebTrust E-Commerce Task Force was in the process of revising its seal program to create a number of separate modules (e.g., one for security, one for privacy, etc.). WebTrust also was revising its privacy criteria. We reviewed our analysis of Version 2.0 with Mr. Walker. He committed to bringing our concerns forward to his working group and providing the IPC/O with a draft of the revised privacy criteria.

Next steps

WebTrust has indicated its willingness to continue to work with us on its privacy seal. As of the time of writing, the Ontario and Australian Commissioners are reviewing the draft report on WebTrust’s Program for On-Line Privacy, and will provide WebTrust with comments. As with the other seal programs, we have been very pleased by the interest and responsiveness shown by WebTrust.

4.1.6 Conclusions

While the seal programs offered by BBBOnLine, TRUSTe and WebTrust are different in terms of scope and costs, such differences are not reflected in the privacy standards. Our November snapshot revealed that, at that time, they very closely parallelled one another in the privacy requirements they had set for their privacy seals.
The above discussion indicates that there was also great consistency in the deficits we identified in the three programs. Our most significant concern related to the lack of a requirement on seal participants to restrict their use of personal information to that which was relevant and necessary for the purposes for which the data was collected.

On the positive side, the three seals reflected the United States Federal Trade Commission’s 1998 four basic information practices:

• notice/awareness: Web sites should provide consumer notice of their information practices;
• choice/consent: Web sites should offer consumers choices as to how that information is used beyond the use for which the information was provided;
• access/participation: Web sites should offer consumers reasonable access to that information and an opportunity to correct inaccuracies; and
• security/integrity: Web sites should take reasonable steps to protect the security and integrity of that information.

From the time that we first started to follow the seal programs in 1998, until our review in late 1999, we noted a number of improvements:

• BBBOnLine added a provision on accuracy, made some progress on placing limits on use, and improved its requirements about contact information;
• TRUSTe added further provisions on data quality, limitations on use and disclosure, and security; and
• WebTrust addressed the issue of accuracy of data, as well as specifying purposes, and added an ability to challenge and correct information.

We clearly see that the seals’ evolutionary process is continuing. In response to the recent approval of the Safe Harbor Agreement and to various market forces, the three seal programs are currently working to revise and enhance their privacy requirements. Realistically, we recognize that it is these external pressures, rather than our evaluations, that are moving the seal privacy agenda forward.
Nonetheless, the seal programs have expressed interest in our project, and have been receptive to our comments. We believe the three seal programs have every intention of requiring compliance with fair information practices from their participants. The area of ongoing discussion between us focusses on what exactly constitutes appropriate fair information practices. We have been most encouraged by our discussions with BBBOnLine, TRUSTe, and WebTrust, and hope to continue our work together.

As the purpose of the privacy seal programs is to elevate online business practices, we think our review has served a useful purpose in identifying areas where Data Protection Commissioners would like the standards and requirements of online privacy seals to be enhanced.

It is particularly important to note that as seals move beyond the United States, as WebTrust is attempting to do, the review and comments of the Commissioners will take on greater significance. Rather than voluntary compliance with the OECD Guidelines, it will be essential for the seals to be in compliance with the privacy provisions of the legislative schemes in our various jurisdictions. Hopefully, our joint project will have started to build working relationships of value to all of us in the future.

4.2 Dispute Resolution

4.2.1 Selection of the standard for dispute resolution assessment

Around the world, there is a substantial level of agreement about the attributes of a satisfactory customer dispute resolution scheme. So, while there are a large number of different sets of standards for such schemes, they have much in common. The themes of fairness, accessibility, independence and accountability regularly appear. Therefore, we thought there was a measure of latitude in the choice of a particular standard for this exercise. The Australian federal government’s Benchmarks for Industry-Based Customer Dispute Resolution Schemes well covers the common content of international dispute resolution standards.
The federal Minister for Customs and Consumer Affairs first released the Benchmarks in August 1997. The Australian Privacy Amendment (Private Sector) Bill 2000 requires that the Australian Privacy Commissioner approve any entity that wishes to be a code adjudicator for codes approved under the Bill. The Australian Government has announced that the Benchmarks will be prescribed as the standard to be met before such an approval can be given. This makes the Benchmarks particularly relevant in the Australian context. This study assesses the three seals against the Australian benchmarks.

The benchmarks are structured around six main principles – accessibility, independence, fairness, accountability, efficiency and effectiveness. Each of these is accompanied by a number of “key practices” that flesh out the principle itself. The six principles and their accompanying key practices are set out at Exhibit D. The six principles are:

• Benchmark 1 — Accessibility: the scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.
• Benchmark 2 — Independence: the decision-making process and administration of the scheme are independent from scheme members.
• Benchmark 3 — Fairness: the scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.
• Benchmark 4 — Accountability: the scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.
• Benchmark 5 — Efficiency: the scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.
• Benchmark 6 — Effectiveness: the scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.

4.2.2 Basis for seal assessment

This is a preliminary assessment only and has been based primarily on information available from the seals’ Web sites. While the sites provide a good deal of information, it may not cover all aspects of the seals’ operations in sufficient detail to allow a definitive assessment to be made. It would be surprising if the assessment presented in this document were beyond refinement and we would expect to revise this preliminary assessment in the light of more detailed discussions with the seal programs.

Preliminary assessments of the seals’ dispute resolution mechanisms were sent to the seal organizations on July 2, 2000. BBBOnLine responded to its preliminary assessment on July 25 and WebTrust on August 11. The comments of both organizations have been taken into account in this assessment of dispute resolution mechanisms.

As this paper was being finalized, an error in communications was revealed. Apparently TRUSTe did not receive our assessment at the beginning of July. Recent comments by TRUSTe have drawn our attention to a document — Learn About TRUSTe’s Dispute Resolution Process at <http://www.truste.org/users/compliance%20docuement-final.doc> — published on its Web site since our preliminary assessment. Efforts have been made to take this document into account, but short time lines did not permit a complete reworking of our TRUSTe evaluation.

4.2.3 Description of dispute resolution mechanisms

BBBOnLine

The BBBOnLine Privacy Program Participation Agreement requires a licensee to participate in the dispute resolution process. BBBOnLine has an internal dispute resolution scheme in two parts: the Privacy Policy Review Service (PPRS) and the Privacy Review Appeals Board (PRAB).
Before the PPRS will take any action, the complainant must have made a good faith attempt to resolve the matter with the respondent company. If these efforts fail and the complaint meets BBBOnLine’s eligibility criteria, which are spelled out on its Web site, PPRS staff will evaluate, analyse, investigate and adjudicate the complaint. Time limits apply to both sides during the investigation process. If the complaint is substantiated, PPRS may decide that corrective action is required; no monetary compensation is available.

Either the complainant or respondent can appeal to the PRAB. PRAB will reconsider the matter and make a final decision, including if necessary, referring the matter to the relevant government agency, or discontinuing its review if either party has failed to abide by its commitment to keep complaint related information in confidence <http://www.bbbonline.org/download/DR.PDF>.

TRUSTe

This description of TRUSTe’s dispute resolution process is taken from its Web site, as it stood in July 2000:

To resolve privacy concerns or complaints raised by consumers or by TRUSTe during our program oversight process, Web site licensees agree to cooperate with all our reviews and inquiries. We work with licensees, as well as with consumers, to resolve privacy-related issues quickly and fairly.

As a licensee in the TRUSTe program, a Web site agrees to provide consumers with simple, effective means to submit their privacy concerns directly to the Web site. At a minimum, all privacy statements contain TRUSTe contact information so that consumers may direct their questions or concerns to us.

We request users to contact Web sites directly before filing a report with us. If the Web site has not acknowledged the receipt of the consumer’s complaint, or if a satisfactory response is not provided, we step in as the liaison between the consumer and Web site to resolve the issue.
This process entails:

- Notifying the licensee of the consumer’s complaint and working with the site for a speedy, satisfactory resolution.
- Notifying the consumer of the resolution or other relevant findings.
- Pursuing the issue further if we are unable to reach a mutual resolution with the licensee.

In the unlikely event that TRUSTe has reason to believe a licensee has violated its posted privacy practices or other TRUSTe program requirements, we will conduct an escalating investigation. This process may include an on-site compliance review by one of TRUSTe’s official auditors, PriceWaterhouseCoopers LLP or KPMG Peat Marwick LLP. If the on-site review finds that a licensee is non-compliant, TRUSTe will advise and guide the licensee on the steps to remedy the problem. If no action is taken by the licensee – depending on the severity of the breach – our investigation may also result in revocation of the TRUSTe trustmark, termination from the program, or in extreme cases, referral to the appropriate government agency <http://www.truste.org/webpublishers/pub_recourse.html>.

WebTrust

WebTrust itself does not play a role in complaint resolution but its criteria for obtaining the WebTrust seal require signatories or licensees to give customers access to a third party arbitration process. In other words, to gain the WebTrust seal, a business must give its customers access to a dispute arbitration process that meets certain standards. WebTrust’s Criterion A4.1 reads:

The entity [i.e., the signatory] discloses information to enable customers to file claims, ask questions and register complaints, including, but not limited to, the following: … in the event outside dispute resolution is necessary, the process by which these disputes are resolved. These complaints may relate to any part of a customer’s e-commerce transaction, including complaints related to … accuracy, completeness, and distribution of private customer information and the consequences for failure to resolve such complaints. This resolution process should have the following attributes:

- Management’s commitment to use a specified third party dispute resolution service or other process mandated by regulatory bodies in the event the customer is not satisfied with the entity’s proposed resolution of such a complaint together with a commitment from such third party to handle such unresolved complaints
- Procedures to be followed in resolving such complaints, first with the entity and, if necessary, with the designated third party
- What use or other action will be taken with respect to the private information, which is the subject of the complaint, until the complaint is satisfactorily resolved <http://www.aicpa.org/webtrust/princrit.htm>.

WebTrust endorses the 12 principles for arbitration processes developed by the National Arbitration Forum (NAF) (<http://www.aicpa.org/webtrust/wtpcfaqs.htm>, see also Exhibit E). These cover much of the same ground as the six Australian benchmark principles. Any third party arbitrator selected by the signatory must follow these 12 principles. That they do so is part of the assurance process that WebTrust carries out. WebTrust also recommends that the arbitrator selected by the licensee follow the more detailed NAF Code of Procedure.

4.2.4 Assessment results

Benchmark 1 — Accessibility: the scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

Promoting knowledge of its existence. All three seals require display of the seal on participating sites. The seal logo on the participating site links back to the seal’s own Web site, which contains information about the available dispute resolution mechanism.

Easy to use.
All three seals require consumers to make bona fide attempts to resolve their concerns with the participating business before turning to the seal’s dispute resolution mechanism. This is consistent with the benchmark principles. BBBOnLine and TRUSTe then have complaints mechanisms accessible directly from their Web sites. WebTrust does not, but does require its licensees to provide “information to enable customers to file claims, ask questions and register complaints.”

No cost barriers. Neither BBBOnLine nor TRUSTe charges customers for dealing with complaints. In the case of WebTrust, NAF principle 6 is “Reasonable Cost — The cost of an arbitration should be proportionate to the claim.” But the NAF’s services are available free of cost to those who are not able to pay. Since WebTrust participants can choose a dispute resolution mechanism other than the National Arbitration Forum, there is less assurance that a mechanism under the auspices of WebTrust will meet this element of Benchmark 1.

The elements of this principle have been weighted equally. It seems fair to say that all three seals meet the first two elements. The possibility of cost barriers in the case of WebTrust suggests that it falls short of meeting this element entirely: it has been tentatively rated at 0.22 out of a possible 0.33. This yields the following indicative ratings (out of one):

• BBBOnLine: 1.00
• TRUSTe: 1.00
• WebTrust: 0.88

Benchmark 2 — Independence: the decision-making process and administration of the scheme are independent from scheme members.

BBBOnLine’s first line of complaint handling, the Privacy Policy Review Service, is overseen by the Privacy Review Appeals Board. Each PRAB panel has a “public” member, a “data expert” member and a “company” member.
TRUSTe’s comments on the preliminary assessment made in July 2000 indicate that its initial decision in a complaint now may be appealed to the TRUSTe Appeals Board, which “shall consist of (1) a representative from TRUSTe’s Board of Directors designated by its Chairman; (2) a privacy expert from the academic/university community; (3) a representative chosen by a consumer/privacy advocacy group designated by TRUSTe’s CEO/Executive Director.” If there is reason to believe that a site has not complied with its posted privacy commitments, TRUSTe may require an on-site compliance review by PriceWaterhouseCoopers or KPMG Peat Marwick. This process appears independent from the seal bearers. This suggests adequately independent oversight of the TRUSTe complaints mechanism and should meet Benchmark 2.

WebTrust recommends reliance on the National Arbitration Forum. If other bodies are used, they must comply with the NAF principles, which include “3 Competent and Impartial Arbitrators — The arbitrators should be both skilled and neutral” and “4 Independent Administration — An arbitration should be administered by someone other than the arbitrator or the parties themselves.” NAF arbitrators are legal professionals who take an oath of independence.

In summary, BBBOnLine, with its tripartite review board, and WebTrust, with its third party arbitrator, appear to meet this benchmark. TRUSTe lacks either safeguard and appears considerably weaker in terms of independence, although possible recourse to an independent auditor provides some assurance. This yields the following indicative ratings (out of one):

• BBBOnLine: 1.00
• TRUSTe: 1.00
• WebTrust: 1.00

Benchmark 3 — Fairness: the scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.

Decisions are fair. Without scrutinizing a sample of particular complaints and assessing the process gone through, it is not possible to make a judgment about whether decisions in complaints against seal licensees are fair. Accordingly, this element of the benchmark cannot be effectively assessed.

Seen to be fair. Given the sources for these assessments, it is not possible to judge whether the decisions made under the three seal programs are actually perceived by complainants and respondents as fair. Again, this element of the benchmark cannot be effectively assessed.

Procedural fairness. So far as the “principles of procedural fairness” are concerned, the key practices associated with Benchmark 3 specify that a dispute resolution scheme should be structured so that:

3.2 The scheme’s staff advise complainants of their right to access the legal system or other redress mechanisms at any stage if they are dissatisfied with any of the scheme’s decisions or with the decision-maker’s determination.
3.3 Both parties can put their case to the decision-maker.
3.4 Both parties are told the arguments, and sufficient information to know the case, of the other party.
3.5 Both parties have the opportunity to rebut the arguments of, and information provided by, the other party.
3.6 Both parties are told of the reasons for any determination.
3.7 Complainants are advised of the reasons why a complaint is outside jurisdiction or is otherwise excluded.

In relation to BBBOnLine, decisions by the Privacy Policy Review Service may be appealed to the Privacy Review Appeals Board. Either the complainant or the respondent may request that particular information they supply to BBBOnLine remain confidential, but BBBOnLine will provide the other party with a summary of the material they need to put forward their side of the case. PPRS and PRAB present written determinations.
TRUSTe’s document, TRUSTe Web site Privacy Seal Program Watchdog Compliance and Escalation Process, downloaded from its Web site at <http://www.truste.org/users/compliance%20documentfinal.doc>, August 28, 2000, suggests that TRUSTe substantially meets this element of Benchmark 3. It provides for each party to receive information about the arguments of the other, advises complainants of other avenues where any are available, and provides for the parties to be told the reasons for TRUSTe’s decision.

The National Arbitration Forum, which WebTrust recommends its licensees employ as an independent dispute arbitrator, abides by a Code of Procedure that requires the principles of procedural fairness in Benchmark 3 be followed. WebTrust signatories are able to use other mechanisms than the NAF, but they must follow the 12 NAF principles. Following the National Arbitration Forum Code of Procedure is recommended, but not compulsory. WebTrust comments that its auditors would require a participant using a dispute resolution mechanism other than NAF to justify departure from the Code of Procedure.

BBBOnLine’s and TRUSTe’s processes appear substantially to meet the principles of procedural fairness set out in this benchmark. WebTrust’s arrangements would appear to meet the benchmark if the National Arbitration Forum is employed as the arbitrator, though some doubt remains about other dispute resolution mechanisms. This yields the following indicative ratings (out of one):

• BBBOnLine: 1.00
• TRUSTe: 1.00
• WebTrust: 0.75

WebTrust scored slightly lower only because of the doubt surrounding the procedures followed by complaint mechanisms other than the National Arbitration Forum.

Benchmark 4 — Accountability: the scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.

Publishing determinations and information about complaints. BBBOnLine posts dispute resolution decisions and complaint statistics, with brief summaries of the issues raised, on its Web site quarterly. It appears to meet this element of Benchmark 4. No public reporting is mentioned on the TRUSTe Web site. On the available evidence, TRUSTe would not appear to meet this element of Benchmark 4. The National Arbitration Forum does not publish details of its decisions. WebTrust has advised that it is unlikely, for reasons of confidentiality, to require publication of complaint decisions. WebTrust appears relatively weak in this regard.

Highlighting systemic problems. None of the seals are industry-based but it is still realistic to expect them to identify systemic issues that arise in the course of resolving complaints. BBBOnLine’s Web site does not refer to systemic issues although it does provide “consumer tips” on spam, “knockoff sites,” kids in cyberspace, etc. BBBOnLine has advised that as experience builds it intends to publish information on systemic issues. TRUSTe has a quarterly newsletter with stories about high profile online privacy incidents. It does not appear (on the available evidence) to identify systemic issues arising from its complaints. The NAF site does not comment on systemic issues, except for occasional press releases on cybersquatting and the like.

The two elements of this benchmark have been weighted equally, yielding the following tentative ratings (out of one):

• BBBOnLine: 0.80
• TRUSTe: 0.40
• WebTrust: 0.40

Benchmark 5 — Efficiency: the scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.

Keeping track of complaints. BBBOnLine has time frames written into its rules to ensure timely complaint resolution. It advises that internal systems are in place to keep track of complaints.
It is difficult to give TRUSTe a rating against this element of Benchmark 5, since information about its complaint tracking and performance reviews has not been available. The National Arbitration Forum’s Principle 10 provides that “hearings should be convenient, efficient and fair for all.” WebTrust advises that the NAF employs tracking software and case co-ordinators to keep track of all matters being dealt with. A lesser degree of assurance is available in relation to other potential dispute resolution mechanisms.

Appropriate forum. BBBOnLine’s Web site makes no statements about referrals to other forums, although it does contain a clear description of what complaints BBBOnLine will and will not deal with. TRUSTe indicates that it will, if necessary, refer complaints to the appropriate regulatory authority. The NAF Code of Procedure explains what can be brought under it. If a party attempts to inappropriately bring an action, NAF co-ordinators will not allow the case to proceed. Inappropriate disputes include, but are not limited to, cases where there has not been an agreement to arbitrate and where the issues go beyond the scope of the agreement.

Regular performance reviews. This element is dealt with under Benchmark 6 below.

Equally weighting the first two elements of this benchmark yields the following indicative ratings (out of one):

• BBBOnLine: 0.75
• TRUSTe: 0.75
• WebTrust: 0.75

Benchmark 6 — Effectiveness: the scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.

Appropriate and comprehensive terms of reference. All seals have clear terms of reference.

Regular independent performance reviews. Neither BBBOnLine nor TRUSTe refers to regular external reviews of the dispute resolution mechanism. WebTrust advises that it audits the National Arbitration Forum regularly as well as signatories. Non-NAF mechanisms may not be able to be subjected to the same scrutiny.

The indicative ratings (out of one) are:

• BBBOnLine: 0.50
• TRUSTe: 0.50
• WebTrust: 0.80

4.2.5 Summary of dispute resolution assessment results

The following table summarizes tentative ratings against the six benchmarks. Ratings for individual benchmarks are out of one. Overall ratings are out of six.

Benchmark        BBBOnLine   TRUSTe   WebTrust
Accessibility    1.00        1.00     0.88
Independence     1.00        1.00     1.00
Fairness         1.00        1.00     0.75
Accountability   0.80        0.40     0.40
Efficiency       0.75        0.75     0.75
Effectiveness    0.50        0.50     0.80
Overall          5.05        4.65     4.58

4.3 Compliance/Enforcement

4.3.1 Need for compliance and enforcement

There is growing concern among consumers about online security and privacy protection. This has been exacerbated by high profile breaches of public trust at several brand name Web sites, as well as examples of the vulnerability of Web sites to attacks from hackers. Current research also indicates that Internet shoppers are looking beyond benefits such as quality and price, and are requiring a reasonable amount of assurance that the sites are safe and secure, and that their personal information will be kept private. Rigorous compliance and enforcement functions of the seal programs will provide some degree of reassurance to consumers in this regard.

Strong compliance and enforcement regimes augment the privacy principles and dispute resolution mechanisms adopted by the seals by strengthening the consumer’s trust in the seal. Compliance functions refer to those processes designed to ensure that the assertions made by the Web sites are adequate, and that the Web sites are complying with the assertions they have made to their customers relating to information protection, transaction integrity, business and information practices. Enforcement functions come into play when the compliance process has gathered sufficient evidence that a Web site has been unable to adhere, in a significant manner, to the assertions made to its customers.
4.3.2 Comparison of the functions

We compared the primary elements of the compliance and enforcement functions of the three seal programs based on information posted on their Web sites (see Exhibit F). These elements are:

• Obtaining the seal
• Standards
• Objectives
• Processes
• Enforcement.

To ensure that our understanding of the seals’ compliance and enforcement programs was factually correct before we undertook a detailed comparative analysis, we sent each of the seal programs a summary of our review, and asked them to correct any inaccuracies or oversights.

From our preliminary review, there appear to be some similarities but a greater number of differences in the approaches taken by the three seals. Some salient points include:

• All of the three seal programs require some form of self assessment by the Web sites, generally by way of a questionnaire, to be completed by the Web sites as a preparatory step to obtaining and maintaining the seal and for the compliance function.
• WebTrust clearly discloses the required compliance standards, while TRUSTe and BBBOnLine do not.
• Independence is a fundamental basis of compliance and enforcement activity. All of the three seal programs could qualify as a third party compliance activity and, therefore, there is some degree of independence. In our opinion, WebTrust clearly meets the highest level of independence, as this function is conducted in accordance with established and recognized standards of a national accounting body and conducted by a licensed accounting firm.

4.3.3 Next steps

We are awaiting response from the seal programs as to the accuracy of our initial review of their respective programs. From our preliminary analysis, it would appear that WebTrust provides a comprehensive compliance and enforcement mechanism that is suitable and cost effective for larger Web sites. However, the WebTrust standard may not be necessary, or affordable, for smaller Web operations.
A “one size fits all” approach to compliance may therefore not be effective, given the diverse and evolving online world. A compliance regime that is costly and complex will discourage some Web sites from applying for the seal.

Some prudent principles that should be considered in assessing the strength of a seal’s compliance and enforcement function have emerged from our review, including:
• Compliance standards should be set by an independent and recognized body. The proposed Assurance Engagement standard of the International Federation of Accountants may provide an objective basis.
• Compliance and enforcement functions should be conducted by a professional and qualified body.
• There may be a need to provide cost-effective solutions for smaller Web sites and for sites that do not collect a great deal of personal information. This could be done by providing the compliance function on a modular basis, for example by assessing compliance separately for privacy, security and transaction integrity.

As a next step, the project could identify an appropriate internationally accepted standard for assessing the compliance and enforcement function, similar to using the OECD Guidelines to assess the seals’ privacy principles. An assessment could then be undertaken and reported upon. As noted, such a standard will need to reflect the diversity of Web sites and the range of personal information that may be collected.

5. Results

5.1 Summary of assessment of the seals

At this stage of this pilot project, we can offer more conclusive results on our privacy standard assessment than we can on the dispute resolution and enforcement provisions of the seal programs, for the reasons outlined in this paper. However, in general, we can conclude that each of the three assessed seals addressed privacy protection, dispute resolution and compliance/enforcement to some degree, although none of them did so completely satisfactorily.
It must be emphasized that our preliminary assessment was based on information available to us at that time. At the time of our review, each of the seals had its own strengths. For example, although all of the seals performed well in relation to our dispute resolution assessment, BBBOnLine probably offered the most customer-friendly dispute resolution system (scoring five out of six in our assessment). WebTrust probably offered the most rigorous compliance regime. In terms of privacy principles, while TRUSTe scored the highest in our assessment, it was clear that none of the seals required their participants to meet all of the OECD principles.

5.2 Effectiveness of seals as a tool online users can use to protect their personal data

The precise role that seals can fill in providing acceptable and enforceable privacy protection for a consumer’s transaction on a Web site is still unclear. The role will depend, in part, on:
• whether or not the three parties involved in an online transaction (the consumer, the seal and the licensed Web site) are in the same jurisdiction; and
• whether an acceptable and enforceable privacy law applies to the transaction between the consumer and the seal participant.

In circumstances where the transaction is protected by an enforceable privacy law, that law would provide the primary protection. In such circumstances, the role of a seal may be more limited. However, the seal could provide additional protection if its standards exceed those required by law.

In circumstances where the transaction is not protected by an enforceable privacy law, but where all three parties are located in the same jurisdiction, the seal may be an effective privacy protection mechanism available to the consumer, especially if there are laws regulating commerce and providing protection against misleading and deceptive conduct.
A particular challenge arises when the consumer and the seal licensee are in different jurisdictions, and there is no single privacy law covering their transaction. By some estimates, about half of the online purchases made by Australians for Christmas 1999 were made from offshore Web sites,[3] and many other jurisdictions would report similar statistics. The OECD has undertaken research into effective means of protecting consumers under these circumstances, particularly looking at whether contracts could provide efficient and effective protection.[4] However, the utility of contracts as a means to protect online business-to-consumer transactions across multiple jurisdictions is largely untested in practice, including in the case of Web seals.

Seals could come into their own as a powerful facilitator of the globalization of consumer transactions if they are indeed able to provide acceptable and enforceable privacy protection across jurisdictions. However, e-commerce on the Web is still in its infancy. A recent Statistics Canada report indicated that Internet sales of goods and services in 1999 amounted to only 0.2% of the companies’ total economic activity. Estimates published by the Australian National Office for the Information Economy indicated that only 0.4% of total Australian retail sales were transacted through the Internet, while the comparable figure for the United States was 0.64%.[5]

One current limitation with some seals is that, at this stage at least, they formally cover only the Web-based component of business-to-consumer transactions. They do not cover other elements of that relationship. This has been the source of some criticism in the past. For example, complaints were raised when TRUSTe did not revoke Microsoft’s seal after it was found that Microsoft’s registration process generated a secret hardware identification number.[6] TRUSTe concluded that the identification number had nothing to do with Microsoft’s Web site under its license.
On the other hand, even though a similar conclusion was reached about RealNetworks’ collection of customer user data, TRUSTe proved that it could work with RealNetworks to improve its privacy practices.[7]

The proliferation of seals may weaken their impact, both in terms of their individual “brand” impact, and in terms of whether it becomes too easy to pick up another seal if the original one delists a Web site.

[3] “Shoppers flock to Cyberspace”, The Australian Financial Review, December 29, 1999, at <www.afr.com.au/content/991229/news/news3.html>.
[4] Report On Transborder Data Flow Contracts In The Wider Framework Of Mechanisms For Privacy Protection In Global Networks, OECD DSTI/ICCP/REG(99)15.
[5] “Current State of Play – July 2000,” A Quarterly NOIE Information Economy Statistical Report, <www.noie.gov.au/projects/information_economy/ecommerce_analysis/ie_stats/StateOfPlay/index.htm>.
[6] Watchdog #1723 -- Microsoft Statement of Finding, TRUSTe finding, at <www.truste.org/users/users_w1723.html>.
[7] Privacy Times, Volume 19, Number 21, November 23, 1999.

To be effective, seals need to gain acceptance among consumers on the Web. There is conflicting evidence as to the current level of awareness and impact of seals.[8] Again, though, this situation is likely to evolve very rapidly. TRUSTe, for example, recently announced a consumer awareness campaign called Privacy Partnership 2000 that is intended to raise consumer awareness of seals.[9] Objective assessment of the extent to which seals provide acceptable and enforceable privacy protection may be a crucial factor in determining the degree and speed with which they become more accepted by consumers.
Such assessment could help consumers differentiate between seals that offer effective privacy protection and those that offer only a compromise – in effect, a “seal of seals.” It is probably too early to say whether the proliferation of seals is a short-term development that will be followed by a period of consolidation as consumers learn which ones offer true privacy protection and which ones do not. Once again, it is essential to remember just how recently online business-to-consumer transactions have developed. With some notable exceptions, almost all such transactions have been established in only the last few years. In that time, some of the seals have already been subject to a number of improvements, with informal discussions indicating that more are to be expected.

5.3 The future of this project

It is against this background that this project should be assessed. Focussing on privacy, we have found that the three seals do provide some protection, but they have some way to go. We believe that Data Protection Commissioners have considerable potential to influence the privacy protection standards of the seal programs, as well as consumers’ perception of seals. Overall, as a result of our efforts, we conclude that Data Protection Commissioners should continue to monitor the development of seals and, where possible, assist in the development of acceptable and enforceable privacy protection standards. In particular, seals may offer a way of providing a degree of privacy protection for consumers in their transactions with Web sites in other jurisdictions.

Extent to which we expect to reach agreement with the seals

All three seals indicated early in this project that they were interested in working with Data Protection Commissioners in these assessments and in seeing if common ground could be reached on meeting any concerns we may raise.
[8] Beyond Concern: Understanding Net Users’ Attitudes about Online Privacy, AT&T Labs-Research Technical Report TR 99.4.3, April 14, 1999, at <www.research.att.com/resources/trs/TRs/99/99.4/99.4.3/report.htm>.
[9] TRUSTe Kicks Off Privacy Partnership 2000, TRUSTe Press Release, July 25, 2000, at <www.truste.com/about/about_campaign.html>.

However, the demands on each of the seals have meant that, so far in practice, they have not all been able to give much time to this project. Some have been heavily involved in other work, including contributing to the development of the Safe Harbor Agreement and the Children’s Online Privacy Protection Act, during a year of particularly rapid developments in the privacy debate in the United States. Nevertheless, we would like to think that the seals would continue to work with Data Protection Commissioners in the future should this project be continued beyond the pilot stage completed in this first year.

Extent to which other jurisdictions might become involved

Two Data Protection Commissioners, one from Ontario, Canada and one from Australia, undertook the principal work on this project. A small group of other Commissioners from Europe and Asia (Berlin, Brandenburg, the Netherlands and Hong Kong), as well as British Columbia, provided informal advice. A limited number of other interested Commissioners were kept informed of our progress. As it was a pilot project, the arrangements were deliberately kept informal in order to keep it as streamlined as possible. Nevertheless, it became clear that the number of Data Protection Commissioners supporting the project is critical to the impact it will have in ensuring co-operation with the seal programs. One question that consistently arose in our discussions with the seals was: “How many Commissioners do you represent?” Additionally, the number of Commissioners supporting seals is likely to be equally critical to the perception of seals by consumers.
Assessment of the co-operative arrangements

To date, the informal co-operative arrangements have worked very well. The two offices that have carried out the work have been able to reach common ground on most of the issues very easily. The key issue was the selection of the set of criteria to assess the acceptable standards. For privacy, the international use and acceptance of the OECD principles made this choice easy for our two offices, but it was the cause of some concern in dealing with the seals. The American-based programs were primarily focussed on the four fair information practices, as they are understood in the United States: notice, choice, access and security.[10] The current loose arrangement, however, is probably insufficient if the pilot project is scaled up, for example, to cover more seals or to provide a more continuous monitoring and development program.

[10] FTC Recommends Congressional Action to Protect Consumer Privacy Online, US Federal Trade Commission Press Release, May 22, 2000, at <www.ftc.gov/opa/2000/05/privacy2k.htm>.

Data Protection Commissioners appear to be in a strong position to influence the development of seals. Seals also may be one of the means of delivering acceptable and enforceable privacy protection for consumer transactions with Web sites in other jurisdictions. Consequently, we believe Data Protection Commissioners should give consideration to continuing the current project.

A possible modus operandi for future co-operation among Data Protection Commissioners

A project such as this is likely to be more successful if a small group conducts the basic work. A wider advisory group is necessary to undertake the advice and consultation role, with the aim of gaining endorsement of the findings by the larger community of Data Protection Commissioners.
The Advisory Group would need to be constructed carefully:
• first, it would have maximum credibility among the seal programs and consumers if it comprises only Data Protection Commissioners or equivalent regulators; and
• second, it should reflect the views of the different approaches to regulation around the world – European, North American, Asian and others.

Should the Data Protection Commissioners decide to continue this project, terms of reference will need to be defined specifically. For the pilot project, it was acceptable to have a general understanding of intent and to define specifics as we went along. Issues such as whether Data Protection Commissioners could legitimately endorse seals that do not meet the letter of the law in their own jurisdictions have not yet been addressed. The terms of reference may have to formalize the process for the Commissioners to review and endorse the conclusions reached from the basic work undertaken.

The work of Commissioners also may be more effective if they worked with other groups that have similar interests. The Global Business Dialogue on Electronic Commerce, for example, has worked with the OECD and has established a Global Confidence/GBDe Trustmark working group.[11] The Transatlantic Business Dialogue <www.tabd.org>, the Trans Atlantic Consumer Dialogue <www.tacd.org>, and Consumers International <www.consumersinternational.org> are other possibilities.

[11] See the GBDe Web site at <http://gbde.org/structure/working/trustmark.html>.

5.4 Concluding remarks

The Commissioners from Ontario and Australia believe that our pilot project to review the three major Web seals has been effective in making a preliminary assessment of the programs, which we acknowledge are in their early stages of development.
If the work that has been commenced is continued, we believe that involvement by additional Data Protection Commissioners will likely contribute to improved privacy protection for consumers in our respective jurisdictions, as well as in others. Regulators with a primary focus on privacy have much work to do to improve privacy in global transactions, as opposed to those that simply fall within our own jurisdictions. Finally, this joint project may be taken as further evidence that it is possible for Commissioners from different jurisdictions to work together and deliver effective results. We hope to have identified some of the characteristics of the arrangement that might advance such work in the future. The pilot project undertaken by Ontario and Australia will need to be taken up by other Data Protection Commissioners if we want to increase the impact we can have on seals in terms of effective and appropriate privacy protection, dispute resolution, and compliance/enforcement.

Exhibit A
Comparison of BBBOnLine Privacy Seal with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

(The original table has two columns: OECD Evaluation Criteria with the points available for each criterion, and the BBBOnLine provisions that address the criterion with the points awarded to BBBOnLine. Each criterion is shown below as “criterion (points available; BBBOnLine points awarded)”, followed by the BBBOnLine provisions quoted in the table.)

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Limits to collection by lawful and fair means (0.5 available)

Knowledge or consent of data subject (0.5 available; BBBOnLine 0.5)
Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content. The privacy policy must be easy to read and disclose in clear and simple language:
1. the collector(s) of the information
2. the type(s) and intended use(s) of the individually identifiable information being collected
7. any corporate subsidiaries, operating divisions or related product lines which are excluded from seal coverage
12. if access to any or all of the website is conditioned on the disclosure of individually identifiable information, individuals must be informed of the consequences of refusing to disclose such data
14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site
16. any information collection that is not covered by the privacy policy, including, but not limited to, information collection where the individual submitting the information is clearly acting only in his/her business capacity
Choice & Consent. … Where the site conditions the granting of access to some or all of its website or online services based on the disclosure of individually identifiable information, the participant must inform individuals in its privacy notice or at the point of collection of the consequences of refusing to provide such information.
BBBOnLine Privacy Policy Assessment Questionnaire, Information Collection, C12 HELP. An important function of a privacy notice is to inform individuals about what information is being collected about them with sufficient specificity for them to know and understand what that information is so that they can make informed choices about the use of the website(s) or online service(s).

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Relevant to purposes of use (0.5 available)

Accurate, complete and kept up-to-date (0.5 available; BBBOnLine 0.5)
Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content:
10. the steps the seal participant takes to assure the accuracy of individually identifiable information that it maintains in identifiable form
Additionally, the correction process (#10) must employ an authentication mechanism, which is to be disclosed in the Compliance Assessment.
Access. A seal participant must assure that information collected online is accurate, complete and timely for the purpose(s) for which it is to be used … A seal participant must establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information. A seal participant must take steps to help assure the accuracy of the individually identifiable information it is maintaining.
BBBOnLine Privacy Policy Assessment Questionnaire, Access, G2 HELP. Organizations must take reasonable steps to assure that the individually identifiable information and prospect information they collect is accurate, complete, and timely for the purposes for which it is used. They must also establish appropriate processes or mechanisms so that factual inaccuracies in individually identifiable information may be corrected.

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Specify purposes to data subject not later than time of collection (0.5 available; BBBOnLine 0.5)
Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content:
2. the type(s) and intended use(s) of the individually identifiable information being collected
8. any individually identifiable information collected at the site which is shared with contractors, corporate affiliates or other third party agents not covered by a common privacy policy
13. if the organization merges and/or enhances individually identifiable information with data from third parties for the purposes of marketing products or services to the individual
14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site
BBBOnLine Privacy Policy Assessment Questionnaire, Information Use and Transfer, D5 HELP. A website or online service must disclose in its privacy notice all of the types of uses and transfers of individually identifiable information then applicable to the individually identifiable information being collected (actively or passively) at the site or service. It is not necessary for each use to be spelled out in detail but there must be sufficient information for the individual to be reasonably informed as to what uses will be made of the information … In addition, if the site(s) or service(s) transfers any of this information to unaffiliated third parties or corporate affiliates not governed by a common privacy policy for the marketing purposes of those parties, that fact must be specifically stated in its privacy notice.

Uses limited to purposes or specified consistent purposes (0.5 available; BBBOnLine 0.25)
BBBOnLine Privacy Policy Assessment Questionnaire, Choice/Consent, E1 HELP. … Uses or transfers of individually identifiable information that are specified in the notice at the time the information is collected are related uses. Uses necessarily incident to carrying out a use disclosed in the privacy notice also constitute related uses or transfers …
E2 HELP. Any use of information that was not permitted in the privacy notice in effect at the time the information was collected, and is not a use necessarily incident to carrying out a use that was disclosed in the privacy notice at that time, is unrelated to the purpose for which the information was collected …

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

Use and disclose in accordance with specified purposes (0.5 available; BBBOnLine 0.25)
Eligibility Criteria for BBBOnLine Privacy Seal, Transfer of Third Party Information. Seal participants must have a process in place to make unaffiliated third parties or corporate affiliates not covered by a common policy practice aware of the site's privacy policies when transferring individually identifiable information to such parties, and must describe that process in their Compliance Assessment.
Seal participants must require agents or contractors who have access to individually identifiable information and prospect information to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for the organization.
Seal participants may not rent, sell, exchange, or in any manner transfer information about a prospect submitted by another party to any third party, unless the third party is an agent or contractor involved in carrying out the transaction for which the prospect's information was submitted. This prohibition on such transfers applies without regard to any choices about third party transfers made by the individual submitting the information.

Except with data subject consent or by authority of law (0.5 available; BBBOnLine 0.5)
Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content. The privacy policy must be easy to read and disclose in clear and simple language:
3. the choices individuals have about the way such information is used and to whom it is disclosed
9. the choices available to users with regard to information shared with affiliates or third party agents not covered by a common privacy policy
Choice & Consent. A seal participant must allow individuals the opportunity to opt-out or otherwise prohibit unrelated uses of individually identifiable information about them, that is, uses not disclosed in the privacy policy at the time the information is collected. A seal participant must provide individuals with a choice regarding the transfer of information to third parties for marketing purposes. This may be accomplished through one or more of the following:
1. an opt-out opportunity
2. an opt-in opportunity
3. through a technological tool for individuals to make choices about such transfers
(The method(s) used must be disclosed in the Compliance Assessment.) …
BBBOnLine Privacy Policy Assessment Questionnaire, Choice/Consent, E1 HELP. … there are three uses that are permitted whether or not they are specified in the notice. The first is where the organization is required by law to divulge the information, for example, in response to a court order or a subpoena or the requirements of agency rules. The second exception is where the information is used for research activities, including the production of statistical reports, where the individually identifiable information is not published, divulged, or used to contact the individuals. The third is in situations where the information is shared in the context of a business transaction such as a divestiture pursuant to a pledge of confidentiality under which the recipient agrees to use the information for no purpose other than carrying out the transaction …
E2 HELP. Any use of information that was not permitted in the privacy notice in effect at the time the information was collected, and is not a use necessarily incident to carrying out a use that was disclosed in the privacy notice at that time, is unrelated to the purpose for which the information was collected. Organizations intending to use individually identifiable information for an unrelated use, other than a use that falls within one of the three exceptions noted in the help screen for E1 above, must provide the affected individuals with the opportunity to opt out or otherwise prohibit these new uses of the information about them.
E8 HELP. Regardless of the disclosure an organization makes in the privacy notice about its practice of renting, selling, or exchanging or in any way providing individually identifiable information for marketing purposes, an organization that makes such transfers to outside parties must provide individuals with the ability to prevent these transfers in connection with individually identifiable information about them. Providing individuals with an opt out will satisfy this requirement. It can also be satisfied by an opt in or, when technological tools that enable individuals to make choices about transfers become available, by the use of such tools as are determined by BBBOnLine to satisfy its requirements.

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Reasonable security safeguards (1 available; BBBOnLine 1)
Eligibility Criteria for BBBOnLine Privacy Seal, Adoption of Policy. A seal participant must demonstrate that it has adopted and implemented (including an effective date) a privacy policy and data security measures. The policy must be clearly displayed on a website's homepage and linked to any page on which the site collects individually identifiable information.
Server Security. A seal participant must take reasonable steps to ensure that individually identifiable information it collects online is secure from unauthorized access. This includes but is not limited to the use of a secure environment for the server (such as doors, locks, and electronic security), as well as the use of encryption for sensitive personal, medical or financial data. Seal participants must have security policies protecting against unauthorized access to individually identifiable information. Logs or other appropriate documentation must be maintained pertaining to security procedures, and organizations must undertake periodic reviews of their security policies, certifying them at least once prior to each annual seal renewal. Employees should receive adequate training on the privacy policies and information practices of the company.
Policy Content. The privacy policy must be easy to read and disclose in clear and simple language:
4. the collector's commitment to data security
BBBOnLine Privacy Policy Assessment Questionnaire, Data Security, HELP F1. … Although an organization is not required to provide a description in its privacy notice(s) of the data security measures it undertakes to protect individually identifiable information, it is required to take appropriate data security measures and to inform the public that such measures are in place by a statement in its privacy notice. The security measures must include physical security measures such as doors, locks, etc., electronic security and managerial controls that limit the potential for misuse of information by employees and contractors. The security measures necessary to protect information sufficiently will vary based on the risks presented to the individual by the organization’s collection and use of the data.
HELP F5. For information being transferred between the individual and the organization, the use of encryption satisfies that appropriate security measures have been taken. While not required in all instances, encryption must be used for the most sensitive of information including the transfer of health care information, social security numbers, and financial transactional information (e.g. credit card number).
HELP F7. In order to demonstrate managerial controls, the organization must maintain written security policies to protect individually identifiable information and prospect information from unauthorized individuals. Employees who routinely have access to such information must receive adequate training and must be familiar with the organization’s information practices.

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

General policy of openness (0.5 available; BBBOnLine 0.5)
Eligibility Criteria for BBBOnLine Privacy Seal, Adoption of Policy. A seal participant must demonstrate that it has adopted and implemented (including an effective date) a privacy policy and data security measures. The policy must be clearly displayed on a website's homepage and linked to any page on which the site collects individually identifiable information.
Policy Content. The privacy policy must be easy to read and disclose in clear and simple language:
1. the collector(s) of the information
6. the seal participant's participation in the BBBOnLine Privacy Program and information on how individuals may learn more about that program
7. any corporate subsidiaries, operating divisions or related product lines which are excluded from seal coverage
14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site
BBBOnLine Privacy Policy Assessment Questionnaire, Privacy Notice: General, B4 HELP. An organization’s privacy notice must be easy to find. At the very least, the privacy notice must be accessible by a link from (i) the organization’s homepage or entry point and (ii) at every subsequent point where the organization elicits individually identifiable information online through means other than passive data collection. The terms of the privacy notice are very important because they substantially determine an individual’s understanding of how information will be used and what steps the individual may choose to take to protect his or her privacy.

Ready means for data subject to know about personal information, and purposes, including identity and location of data controller (0.5 available; BBBOnLine 0.5)
Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content:
1. the collector(s) of the information
2. the type(s) and intended use(s) of the individually identifiable information being collected
3. the choices individuals have about the way such information is used and to whom it is disclosed
5. an appropriate contact method regarding the website's privacy policy
14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site
15. that individuals must contact third party collectors of individually identifiable information directly for information on the use of their data
BBBOnLine Privacy Policy Assessment Questionnaire, Privacy Notice: General, B2. Please provide the name(s) and position(s), or the position title(s), of the individual(s) charged with the responsibility for implementation and oversight of the privacy policy for the covered website(s) or online service(s) …
B2 HELP. Since a privacy policy is not self-implementing, assurance that the information practices prescribed in the policy are being followed depends on there being some assignment of responsibility for implementation and oversight of the policy.
B6. Does the privacy notice(s) explain how an individual can contact the organization to express questions or concerns about the organization's privacy policies and practices? …
B6 HELP. The explanation should include contact information, e.g., a phone number or email address, that will lead a person with a complaint about the treatment of his/her information to a person responsible for the receipt of such complaints without undue delay. In most cases, this means that a person calling during normal business hours should be able to speak to such a person during that first call or by the end of the next business day. This does not require that the complaint be resolved in that timeframe but simply that the individual have an opportunity to make an initial contact with a person authorized to take information about the complaint and begin the process of resolving it …

Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him data relating to him i) within a reasonable time; ii) at a charge, if any, that is not excessive; iii) in a reasonable manner; and iv) in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Data subject able to know data controller has personal information (0.25 available)
Eligibility Criteria for BBBOnLine Privacy Seal, Policy Content:
11. the process available to individuals to obtain access to individually identifiable information collected from them online and the process available to correct factual inaccuracies in that information
Access. A seal participant … must provide individuals with access to individually identifiable information collected from them online if such information is retrievable in the ordinary course of business and providing access does not impose an unreasonable burden.
BBBOnLine Privacy Policy Assessment Questionnaire, Access, G4 HELP. An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual.
The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used… 53 0.25 OECD Evaluation Criteria Pts Data subject able to know data controller has personal information (cont’d) Data communicated in reasonable time and manner, without excessive charge and in intelligible form BBBOnLine Pts Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances. [updated August 17, 2000] 0.25 BBBOnLine Privacy Policy Assessment Questionnaire Access G4 HELP. … Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. 
Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances. [updated August 17, 2000] 54 0.125 OECD Evaluation Criteria Reasons for denial of access Pts 0.25 BBBOnLine BBBOnLine Privacy Policy Assessment Questionnaire Pts 0.125 Access G4 HELP. … If an organization can not make information that it maintains available because it can not retrieve the information in the ordinary course of business, it must provide the individual with a reference to the provisions in its privacy notice that discuss the type of data collected, how it is used, and appropriate choices related to that data, or provide the individual with materials on these matters that are at least as complete as the information provided in the privacy notice. [updated August 17, 2000] Ability to challenge and correct 0.25 Eligibility Criteria for BBBOnLine Privacy Seal Policy Content The privacy policy must be easy to read and disclose in clear and simple language: 11. the process available to individuals to obtain access to individually identifiable information collected from them online and the process available to correct factual inaccuracies in that information Access A seal participant must establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information. A seal participant must take steps to help assure the accuracy of the individually identifiable information it is maintaining. 
BBBOnLine Privacy Program Dispute Resolution Process Part 1 Overview 1.2 Parties to Privacy Policy Review Service and Privacy Review Appeal Board The parties to a proceeding are: the complainant, the individual complaining about misuse of information, and the respondent, the company, organization or individual about whom the complainant is complaining. 55 0.25 OECD Evaluation Criteria Ability to challenge and correct (cont’d) Pts BBBOnLine Part 2 Eligible Complaints 2.2 Personal Eligibility … The complainant must be (i) the person who provided the personal information to the organization or individual that collected it and allegedly misused it, … (iii) the subject of the information in the case of information related to an individual that was collected online from another individual. The complainant must have made a good faith attempt to resolve her/his complaint directly with the organization or individual about which he or she is complaining, following the procedures set out in that organization’s or individual’s statement of its privacy policies. 2.5 Available Remedies A complainant may seek to have the information that she or he submitted online which is the subject of the complaint used in a manner consistent with the company’s published privacy policies and, if applicable, the BBBOnLine Privacy Program guidelines. A complainant also may seek to have that information corrected. BBBOnLine Privacy Policy Assessment Questionnaire Privacy Notice: General B7. Does the privacy notice(s) note the availability of the BBBOnLine dispute resolution mechanism? … B7 HELP. This provision does not require a detailed discussion of the dispute resolution process … Access G2 HELP. Organizations must … establish appropriate processes or mechanisms so that factual inaccuracies in individually identifiable information may be corrected. 56 Pts OECD Evaluation Criteria Ability to challenge and correct (cont’d) Pts BBBOnLine G4 HELP. 
An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual. The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used. G6 HELP. The organization must take reasonable steps to assure itself that the individual to whom it makes individually identifiable information available is the same person from whom the organization collected the information and that the individual to whom it makes prospect information available is the person who is the subject of the information. G7 HELP. Upon the request of an affected individual, an organization must correct factual inaccuracies in the individually identifiable information it maintains about him or her, if the information will be communicated to others or used for substantive decision making. There is no obligation to ascertain the accuracy of such factual information, unless the individual’s request includes information that suggests the likelihood of a factual inaccuracy. The organization chooses the form of the showing that an individual must make to suggest the likelihood of a factual inaccuracy in the individually identifiable information that it maintains. G8. Does the privacy notice(s) inform individuals of this opportunity to correct factual inaccuracies to the individually identifiable information or prospect information? G8 HELP. Sites or services must inform individuals that this opportunity exists. G9 HELP. 
The organization must take reasonable steps to assure itself that the individual who is requesting correction of individually identifiable information is the same person from whom the organization collected the information and that the individual requesting correction of prospect information is the person who is the subject of the information. 57 Pts OECD Evaluation Criteria Pts BBBOnLine Pts Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above. Data controller accountable for compliance with principles 1 Eligibility Criteria for BBBOnLine Privacy Seal General Requirements A seal participant must take appropriate steps to assure that its information management practices comply with its privacy policies and any applicable BBBOnLine Privacy Program requirements. A seal participant must successfully complete the BBBOnLine Privacy Compliance Assessment to demonstrate that its information practices conform to program requirements. A seal participant must agree to cooperate in applicable program verification requirements in addition to the Compliance Assessment. Verification requirements include but are not limited to information pertaining to: choice, individual access to data, transfer of information to third parties, data integrity, security, and parental notice and consent. A seal participant must agree to participate in the BBBOnLine Privacy Policy Dispute Resolution Program and to abide by decisions entered in the program. A seal participant must inform BBBOnLine of all material changes to their privacy policies or practices, or of any other modification which could impact the participant's seal standing, prior to implementation. 
A seal participant must disclose in its Compliance Assessment all site URL's where individually identified information is collected or provide alternative evidence that there is a link to the privacy policy on any page where individually identifiable information is collected. This disclosure must also include a description of the “specific types” of information being collected and all uses of that information. 58 1 OECD Evaluation Criteria Data controller accountable for compliance with principles (cont’d) Pts BBBOnLine Pts How the Privacy Program Works The BBBOnLine privacy program: • Monitors compliance through rigorous requirements for participating companies to undertake, at least annually, an assessment of their online privacy practices, and, • Offers specific consequences for non-compliance such as seal withdrawal, publicity and referral to government enforcement agencies. Participation Agreement 2. Eligibility Requirements A. For the Seal. ... Licensee acknowledges compliance with these Eligibility Requirements and agrees to continue to abide by them, including participation in the dispute resolution process ... D. Verification. Licensee agrees to cooperate with BBBOnLine in verification of Licensee’s compliance with Eligibility Requirements and this Agreement. BBBOnLine may itself, or through an independent third party designated by BBBOnLine, conduct random compliance reviews (online, on-site, or otherwise) of one or more Eligibility Requirement on BBBOnLine’s own initiative or in response to complaints from individuals or third parties (Random Reviews). 
TOTAL 6.25
Initial Assessment: November 17, 1999
Revised Assessment: August 17, 2000

Exhibit B
Comparison of TRUSTe Program with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

OECD Criteria: Limits to collection by lawful and fair means (0.5 pts); Knowledge or consent of data subject (0.5 pts)

TRUSTe (0.5 pts):

Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
3. Information Collection and Use Practices. Licensee's Privacy Statement shall be made available to users of the Site (“Users”) prior to or at the time Personally Identifiable Information or Third Party Personally Identifiable Information is collected. The Privacy Statement shall disclose to Users the Site's information use and collection practices, including each of the following:
A. What Personally Identifiable Information pertaining to Users and/or Third Party Personally Identifiable Information is collected through the Site;
B. The identity of the organization (including name, address, phone, fax number, and e-mail address) collecting the Personally Identifiable Information and/or Third Party Personally Identifiable Information through the Site; …
E. What choices are available to the User of the Site regarding collection, use, disclosure and distribution of Personally Identifiable Information;

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

OECD Criteria: Relevant to purposes of use (0.5 pts); Accurate, complete and kept up-to-date (0.5 pts)

TRUSTe (0.5 pts):

Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
4. Minimum Requirements of the TRUSTe Program. C. Data Quality and Access. Licensee shall take reasonable steps when collecting, creating, maintaining, using, disclosing or distributing Personally Identifiable Information and/or Third Party Personally Identifiable Information, to assure that the data are accurate, complete and timely for the purposes for which they are to be used …

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

OECD Criteria: Specify purposes to data subject not later than time of collection (0.5 pts)

TRUSTe (0.5 pts):

Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.
Privacy Statement:
• What personal information is being gathered by your site
• Who is collecting the information
• How the information will be used
• With whom the information will be shared

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
3. Information Collection and Use Practices. Licensee's Privacy Statement shall be made available to users of the Site (“Users”) prior to or at the time Personally Identifiable Information or Third Party Personally Identifiable Information is collected. The Privacy Statement shall disclose to Users the Site's information use and collection practices, including each of the following: …
C. How Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site may be used;
D. With whom Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site may be shared, if at all; …

Appendix A: Self Assessment Sheet
1. Collection and Use of Information. After reading your privacy statement users should have no questions regarding how and why they are giving their name, email address, company name, and other information to your Web site…

OECD Criteria: Uses limited to purposes or specified consistent purposes (0.5 pts)

TRUSTe (0.5 pts):

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
4. Minimum Requirements of the TRUSTe Program.
F. Use of Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall treat all Personally Identifiable Information and/or Third Party Personally Identifiable Information gathered on the Site in accordance with Licensee's Privacy Statement(s) in effect at the time of collection …
G. Limit on Use of Third Party Personally Identifiable Information. Third Party Personally Identifiable Information collected through the Site may be used solely by Licensee or by other parties when necessary to facilitate the completion of the transaction that is the primary purpose for which the information was collected …

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

OECD Criteria: Use and disclose in accordance with specified purposes (0.5 pts)

TRUSTe (0.5 pts):

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
4. Minimum Requirements of the TRUSTe Program.
E. Displaying Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall not make Personally Identifiable Information and/or Third Party Personally Identifiable Information available to the general public in any form (including but not limited to on-line directories and customer lists) without the prior written or electronic consent of the individual identified …
F. Use of Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall treat all Personally Identifiable Information and/or Third Party Personally Identifiable Information gathered on the Site in accordance with Licensee's Privacy Statement(s) in effect at the time of collection …
G. Limit on Use of Third Party Personally Identifiable Information. Third Party Personally Identifiable Information collected through the Site may be used solely by Licensee or by other parties when necessary to facilitate the completion of the transaction that is the primary purpose for which the information was collected. Third Party Personally Identifiable Information collected through the Site may not be otherwise used or disclosed or distributed to other parties unless Licensee first provides the person identified by the Third Party Personally Identifiable Information a reasonable means for the third party to notify the Site Operator that they do not wish to have their Third Party Personally Identifiable Information used, disclosed or distributed (e.g. Opt Out), whereupon the Site operator shall ensure that the identified person's choice is complied with.

OECD Criteria: Except with data subject consent or by authority of law (0.5 pts)

TRUSTe (0.5 pts):

Program Principle: Giving users choice and consent over how their personal information is used and shared.
Privacy Statement: The choices available to users regarding collection, use, and distribution of their information: You must offer users an opportunity to opt-out of internal secondary uses as well as third-party distribution for secondary uses.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
4. Minimum Requirements of the TRUSTe Program.
A. Choice. Licensee shall offer the user the opportunity to exercise affirmative choice (e.g. to “Opt Out” as defined below) before Personally Identifiable Information collected through the Site may be (1) used when such use is unrelated to the primary purpose for which the information was collected; or (2) disclosed or distributed to third parties when such disclosure or distribution is unrelated to the primary purpose for which the information was collected. The scope of uses deemed “related” shall be defined in the Privacy Statement. At a minimum, if Licensee states in its Privacy Statement that it provides Personally Identifiable Information to third parties and such use, disclosure or distribution is unrelated to the purpose for which the information was collected, users must always be given the opportunity to opt out of such use, disclosure or distribution. “Opt Out” means to notify the Site operator that they do not wish to have their Personally Identifiable Information used, disclosed or distributed in a manner that is unrelated to the primary purpose for which the information was collected, whereupon the Site operator shall ensure that the user's choice is complied with. Such Opt-Out opportunity shall not in any way limit the use, disclosure or distribution of Personally Identifiable Information to the extent such use, disclosure or distribution is required by law, court order, or other valid legal process.
E. Displaying Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall not make Personally Identifiable Information and/or Third Party Personally Identifiable Information available to the general public in any form (including but not limited to on-line directories and customer lists) without the prior written or electronic consent of the individual identified, except that this paragraph shall not prevent or restrict Licensee from (i) distributing information that is already publicly available, including but not limited to information available in public telephone directories, classified ads, newspaper reports, publications, and the like; (ii) providing information as required by law, court order, or other valid legal process; or (iii) displaying information in an online bulletin board, chat room, news group, or other public forum, where the information being displayed was placed there by a user or other third party ...
F. Use of Personally Identifiable Information and/or Third Party Personally Identifiable Information. ... If Licensee wishes to materially change its Privacy Statement(s), Licensee shall notify TRUSTe of the changes and shall take commercially reasonable measures to obtain the consent from the user to whom it pertains, such as obtaining written or electronic consent of the user. Alternatively, with prior written approval by TRUSTe, which approval should not be unreasonably withheld or delayed, Licensee may post prominent notices on the Site about the change of such policy and leave such notices posted for at least thirty (30) business days prior to implementation of the new use and description of how to notify Licensee to prevent such use. Licensee shall specify in their Privacy Statement how users will be notified of changes in the use of Personally Identifiable Information and/or Third Party Personally Identifiable Information.
G. Limit on Use of Third Party Personally Identifiable Information. … Third Party Personally Identifiable Information collected through the Site may not be otherwise used or disclosed or distributed to other parties unless Licensee first provides the person identified by the Third Party Personally Identifiable Information a reasonable means for the third party to notify the Site Operator that they do not wish to have their Third Party Personally Identifiable Information used, disclosed or distributed (e.g. Opt Out), whereupon the Site operator shall ensure that the identified person's choice is complied with.

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

OECD Criteria: Reasonable security safeguards (1 pt)

TRUSTe (1 pt):

Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.
Privacy Statement: The security procedures in place to protect users' collected information from loss, misuse, or alteration: If your site collects, uses, or distributes personally identifiable information such as credit card or social security numbers, accepted transmission protocols (e.g. encryption) must be in place.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
3. Information Collection and Use Practices. … The Privacy Statement shall disclose to Users the Site's information use and collection practices, including …
F. What kinds of security procedures have been put in place by Licensee, its collecting organization, and any others with whom the Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site may be shared to protect against the loss, misuse or alteration of Personally Identifiable Information and/or Third Party Personally Identifiable Information in the possession or control of Licensee or the collecting organization;
4. Minimum Requirements of the TRUSTe Program. B. Security. Licensee must implement reasonable procedures to protect Personally Identifiable Information and/or Third Party Personally Identifiable Information within its control from loss, misuse or unauthorized alteration. If Licensee collects, uses, discloses or distributes sensitive information, such as credit card numbers or social security numbers, it shall utilize commercially accepted protocols, such as encryption, to protect information sent over the Internet.

TRUSTe License Agreement Rev 5.0, Appendix A: Self Assessment Sheet
VI. Security. Security is a major concern for consumers, especially when a Web site is collecting sensitive forms of information (i.e. financial and medical information). You need to inform users what types of security procedures you have in place to protect the loss, misuse, or alteration of the information collected.
A. Identification. Access to the data should be assigned to specific individuals in order to maintain control over access…
B. Authentication. The identity of the individuals accessing the data must be verified. Requiring the user to enter a password before accessing data is the most common form of verification. However, passwords can be guessed or stolen. Special care must be taken to ensure authentication integrity is maintained…
C. Authorization/Access Control. Only the appropriate level of access to the data should be granted. Appropriate levels of access should be granted to specific individuals with the degree of access determined by job function or necessity…
D. Data Confidentiality. Data shall be protected from unauthorized disclosure. Protection from unauthorized disclosure may be accomplished through employee awareness or an employee requirement to sign an agreement to adhere to the company's privacy policy. The duty to watch over data includes protecting data from interception while data is sent through cyberspace. Examples of acceptable means include encryption and Virtual Private Networks…
E. Data Integrity. Data should be reliable. Appropriate measures should be in place to prevent unauthorized modifications of data from various sources and actions such as viruses and merging of databases. When data has been purposely modified, inadvertently corrupted, or is incorrect, the loss of information integrity compromises privacy…
F. Data Retention. Data should be stored on alternative media to ensure access in case of disaster. However, access to the alternative media should be limited and controlled with appropriate security measures in place to protect privacy...
G. Overall Management, Policies, and Procedures. Lack of awareness regarding the value of customer information and the necessity of security measures is one of the greatest privacy threats. Appropriate measures to both inform and remind employees of the importance of data security policies and procedures should be in place...
H. Monitoring/Oversight. Accurate assessment of the level of threat against customer information is critical to the success of security initiatives. A threat to customer information is a person, organization, event or condition that could gain unauthorized access to the information. Countermeasures are the steps, procedures, devices, etc. that the company has (or should have) in place to detect and address specific vulnerabilities...

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

OECD Criteria: General policy of openness (0.5 pts)

TRUSTe (0.5 pts):

Program Principle: Adopting and implementing a privacy policy that factors in the goals of your individual Web site as well as consumer anxiety over sharing personal information online.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
2. Licensee agrees to the following requirements. F. Privacy Statement(s). Licensee shall maintain and abide by a privacy statement, approved by TRUSTe, that reflects Licensee's information use policies, and is easily accessible at Licensee's Site

OECD Criteria: Ready means for data subject to know about personal information, and purposes, including identity and location of data controller (0.5 pts)

TRUSTe (0.5 pts):

Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.
Privacy Statement Wizard: Contact Information About the Web site. This section asks you to enter some basic questions about your site. This information will be disclosed in the privacy statement so that users can contact you if there is a problem. Any and all information entered into the wizard is optional and is not captured by the site.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
2. Licensee agrees to the following requirements. F. Privacy Statement(s). Licensee shall maintain and abide by a privacy statement approved by TRUSTe that reflects Licensee’s information use policies, and is easily accessible at Licensee’s Site … I. The Privacy Statement must include a statement explaining that the Site is a participant in the TRUSTe Program, and is using the TRUSTe Mark(s) under license from TRUSTe pursuant to the requirements of the TRUSTe program, and that all rights in the TRUSTe Mark(s) belong to TRUSTe. This statement shall include a full description of how users of the Site can contact Licensee as well as a description of how to contact TRUSTe to express concerns regarding Licensee's Privacy Statement.

Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him data relating to him i) within a reasonable time; ii) at a charge, if any, that is not excessive; iii) in a reasonable manner; and iv) in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

OECD Criteria: Data subject able to know data controller has personal information (0.25 pts)

TRUSTe:

Program Principle: Adopting and implementing a privacy policy that factors in the goals of your individual Web site as well as consumer anxiety over sharing personal information online.
Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.
Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
3. Information Collection and Use Practices. … The Privacy Statement shall disclose to Users the Site's information use and collection practices, including each of the following: … G. Whether Users of the Site are offered access to their Personally Identifiable Information and how they may have inaccuracies corrected.

OECD Criteria: Data communicated in reasonable time and manner, without excessive charge and in intelligible form (0.25 pts)

OECD Criteria: Reasons for denial of access (0.25 pts)

TRUSTe (0.125 pts)

OECD Criteria: Ability to challenge and correct (0.25 pts)

TRUSTe (0.25 pts):

Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.
Privacy Statement: How users can update or correct inaccuracies in their pertinent information: Appropriate measures shall be taken to ensure that personal information collected online is accurate, complete, and timely, and that easy-to-use mechanisms are in place for users to verify that inaccuracies have been corrected.
Resolution Process: As a licensee in the TRUSTe program, a Web site agrees to provide consumers with simple, effective means to submit their privacy concerns directly to the Web site. At a minimum, all privacy statements contain TRUSTe contact information so that consumers may direct their questions or concerns to us. We request users to contact Web sites directly before filing a report with us.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements
4. Minimum Requirements of the TRUSTe Program. C. Data Quality and Access. … Licensee must implement reasonable and appropriate processes or mechanisms to allow users to correct inaccuracies in material Personally Identifiable Information, such as account or contact information. These processes or mechanisms must be simple and easy to use, and shall confirm to users that inaccuracies have been corrected.
6. User Complaints.
Licensee shall provide users with reasonable, appropriate, simple and effective means to submit complaints and express concerns regarding Licensee's privacy practices. Licensee shall respond to all reasonable user submissions in a timely fashion, not to exceed ten (10) business days. Licensee shall also reasonably cooperate with TRUSTe's efforts to resolve user complaints, questions and concerns.

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

OECD criterion: Data controller accountable for compliance with principles [OECD pts 1; TRUSTe pts 1]
TRUSTe provisions:
TRUSTe Oversight: We monitor our licensees for compliance with their posted privacy practices and TRUSTe program requirements through a variety of measures. Our oversight process includes initial and periodic Web site reviews, “seeding,” and online community monitoring.
Resolution Process: In the unlikely event that TRUSTe has reason to believe a licensee has violated its posted privacy practices or other TRUSTe program requirements, we will conduct an escalating investigation. This process may include an on-site compliance review by one of TRUSTe's official auditors, PricewaterhouseCoopers LLP or KPMG Peat Marwick LLP. If the on-site review finds that a licensee is non-compliant, TRUSTe will advise and guide the licensee on the steps to remedy the problem. If no action is taken by the licensee--depending on the severity of the breach--our investigation may also result in revocation of the TRUSTe trustmark, termination from the program, or in extreme cases, referral to the appropriate government agency.
TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements, 5. Reviews. Licensee shall reasonably cooperate with TRUSTe to ensure compliance with the Program, Program Requirements and Privacy Statement(s). TRUSTe may, itself or through an independent, qualified, neutral third party designated by TRUSTe, review the Privacy Statement(s) and the Site periodically, to assess the level of consistency and quality of use of the TRUSTe Mark(s) on the Site and the consistency and quality of Licensee's Privacy Statement(s) and related privacy practices, and Licensee's conformance with the Program Requirements throughout the term of the Agreement…
8. Notice of Violation. Licensee agrees to notify TRUSTe within five (5) business days of any violation of its Privacy Statement(s) or of the Program Requirements relating to the misuse of Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site so that TRUSTe can help Licensee resolve the problem.
9. Cooperation To Resolve Complaints. If Licensee is the subject of a complaint submitted to TRUSTe either concerning alleged misuse of the TRUSTe Mark(s) or raising specific privacy concerns pertaining to a Licensee, in addition to any other obligations hereunder, Licensee shall cooperate with TRUSTe in an effort to resolve the complaint in a manner that will prevent any disparagement of the TRUSTe Mark(s) or any injury to TRUSTe's good will.

TOTAL (TRUSTe): 6.375
November 15, 1999

Exhibit C
Comparison of WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Each OECD criterion is followed by its available OECD points and the points awarded to the WebTrust Principles & Criteria, Version 2.0, in brackets, then by the WebTrust provisions against which it was assessed.

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
OECD criteria: Limits to collection by lawful and fair means [OECD pts 0.5]; Knowledge or consent of data subject [OECD pts 0.5]. [WebTrust pts 0.5 in total for both criteria]
WebTrust provisions:
Business and Information Privacy Practices
A1 Description of goods and/or services. The entity discloses descriptive information about … A1.3 Source of information (meaning, where it was obtained and how it was compiled).
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.1 The specific kinds and sources of information being collected …
A5.2 Choices regarding how individually identifiable information collected from an individual online may be used and/or distributed. Individuals should be given the opportunity to opt out of such use, by either not providing such information or denying its distribution to parties not involved with the transaction.
A5.3 The consequences, if any, of an individual's refusal to provide information …
A5.5 If the Web site uses cookies, how they are used and the consequences, if any, of an individual's refusal to accept a cookie.

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

OECD criteria: Relevant to purposes of use [OECD pts 0.5]; Accurate, complete and kept up-to-date [OECD pts 0.5]. [WebTrust pts 0.5 in total for both criteria]
WebTrust provisions:
Transaction Integrity Principle. The entity maintains effective controls to provide reasonable assurance that customers' transactions using e-commerce are completed and billed as agreed.
B1 Requesting goods and/or services. The entity maintains controls to provide reasonable assurance that:
B1.1 Each request or transaction is checked for accuracy and completeness.
B1.2 Positive acknowledgment is received from the customer before the transaction is processed.
B5 Entity monitoring of its transaction integrity. The entity maintains monitoring procedures that provide reasonable assurance of the following:
• Its transaction integrity controls remain effective.
• Reports of noncompliance are promptly addressed and corrective measures taken.
Information Protection Principle
C4 Accuracy and completeness of information. The entity maintains controls so that individually identifiable information collected, created or maintained by it is accurate and complete for its intended use.

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

OECD criterion: Specify purposes to data subject not later than time of collection [OECD pts 0.5; WebTrust pts 0.5]
WebTrust provisions:
Business and Information Privacy Practices. The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.

OECD criterion: Uses limited to purposes or specified consistent purposes [OECD pts 0.5; WebTrust pts 0.5]
WebTrust provisions:
Business and Information Privacy Practices. The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.
Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

OECD criterion: Use and disclose in accordance with specified purposes [OECD pts 0.5; WebTrust pts 0.25]
WebTrust provisions:
Business and Information Privacy Practices. The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.
Information Protection Principle. The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity's business. These controls address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet, protection of such information once it reaches the entity and requesting permission of customers to use their information for purposes other than those related to the entity's business, and for obtaining customer permission before storing, altering, or copying information on the customer's computer.
C5 Entity responsibility for third party information. The entity maintains controls and carries out procedures to determine the adequacy of information protection and privacy policies of third parties to whom information is transferred.

OECD criterion: Except with data subject consent or by authority of law [OECD pts 0.5; WebTrust pts 0.5]
WebTrust provisions:
Business and Information Privacy Practices
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.2 Choices regarding how individually identifiable information collected from an individual online may be used and/or distributed. Individuals should be given the opportunity to opt out of such use, by either not providing such information or denying its distribution to parties not involved with the transaction.
Information Protection Principle. The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity's business. These controls address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet, protection of such information once it reaches the entity and requesting permission of customers to use their information for purposes other than those related to the entity's business, and for obtaining customer permission before storing, altering, or copying information on the customer's computer.
C2 Collecting customer information. The entity maintains controls over the collection of data and has policies which provide customers with the following:
• A choice as to whether individually identifiable information collected from them online may be used for purposes other than completing the transaction in progress (an internal secondary use or external third-party use)
• The opportunity to opt out of any particular internal secondary or external third-party usage of that information except those required by law or other regulatory agency.

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
OECD criterion: Reasonable security safeguards [OECD pts 1; WebTrust pts 1]
WebTrust provisions:
Information Protection Principle. The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity's business. These controls address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet …
C1 Transmission of private customer information. The entity maintains controls to protect transmissions of private customer information over the Internet from unintended recipients.
C3 Protection and use of private customer information. The entity maintains controls to protect private customer information obtained as a result of e-commerce and retained in its system from outsiders.
C3.1 Systems that retain private customer information obtained as a result of e-commerce are protected from unauthorized outside access.
C3.2 Customers entering through the Web page cannot access other customers' private information.
C3.3 Private customer information obtained as a result of e-commerce is not intentionally disclosed to parties not related to the entity's business unless (1) customers are clearly notified prior to their providing such information or (2) customer permission is obtained after the customer has provided such information.
C3.4 Private customer information obtained as a result of e-commerce is used by employees only in ways associated with the entity's business.
C6 Protection of customers' computers and files. The entity maintains controls to protect against its unauthorized access to customers' computers and its unauthorized modification of customers' computer files:
C6.1 Customer permission is obtained before storing, altering or copying information in the customer's computer or the customer is notified with an option to prevent such activities.
C6.2 Transmission of malicious computer code to customers is prevented.

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

OECD criterion: General policy of openness [OECD pts 0.5; WebTrust pts 0.5]
WebTrust provisions:
Business and Information Privacy Practices Principle. The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices. To enhance customer confidence in e-commerce, it is important that the customer is informed about the entity's business practices for e-commerce transactions. … The entity should also follow its disclosed practices. This includes management's agreeing to third-party arbitration to settle customer complaints. The entity also needs to disclose its practices relating to the manner in which it uses, protects and maintains private customer information along with the site's consumer recourse provisions.
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.
A5.2 Choices regarding how individually identifiable information collected from an individual online may be used and/or distributed. Individuals should be given the opportunity to opt out of such use, by either not providing such information or denying its distribution to parties not involved with the transaction.
A5.3 The consequences, if any, of an individual's refusal to provide information or of an individual's decision to opt out of a particular use of such information.
A5.4 How individually identifiable information collected can be reviewed and, if necessary, corrected or removed.
A5.5 If the Web site uses cookies, how they are used and the consequences, if any, of an individual's refusal to accept a cookie.

OECD criterion: Ready means for data subject to know about personal information, and purposes, including identity and location of data controller [OECD pts 0.5; WebTrust pts 0.25]
WebTrust provisions:
Business and Information Privacy Practices. The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.
A4 Customer communications. The entity discloses information to enable customers to file claims, ask questions and register complaints, including, but not limited to, the following:
• Street address (not a post office box or email address)
• Telephone number (a number to reach an employee on a reasonably timely basis and not only a voice mail system or message machine)
• Days and hours of operation
• If there are several offices or branches, the same information for the principal office.
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.

Individual Participation Principle: An individual should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have communicated to him data relating to him i) within a reasonable time; ii) at a charge, if any, that is not excessive; iii) in a reasonable manner; and iv) in a form that is readily intelligible to him; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

OECD criteria: Data subject able to know data controller has personal information [OECD pts 0.25]; Data communicated in reasonable time and manner, without excessive charge and in intelligible form [OECD pts 0.25]; Reasons for denial of access [OECD pts 0.25]. [WebTrust pts 0.25 in total for these three criteria]
WebTrust provisions:
Business and Information Privacy Practices
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.
A5.4 How individually identifiable information collected can be reviewed and, if necessary, corrected or removed.

OECD criterion: Ability to challenge and correct [OECD pts 0.25; WebTrust pts 0.25]
WebTrust provisions:
Business and Information Privacy Practices
A4 Customer communications
A4.1 In the event outside dispute resolution is necessary, the process by which these disputes are resolved.
These complaints may relate to any part of a customer's e-commerce transaction, including complaints related to the quality of services and products, accuracy, completeness, and distribution of private customer information and the consequences for failure to resolve such complaints. This resolution process should have the following attributes:
• Management's commitment to use a specified third party dispute resolution service or other process mandated by regulatory bodies in the event the customer is not satisfied with the entity's proposed resolution of such a complaint together with a commitment from such third party to handle such unresolved complaints.
• Procedures to be followed in resolving such complaints, first with the entity and, if necessary, with the designated third party.
• What use or other action will be taken with respect to the private information, which is the subject of the complaint, until the complaint is satisfactorily resolved.
A5 Information Privacy. The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.
A5.4 How individually identifiable information collected can be reviewed and, if necessary, corrected or removed.
Information Protection Principle. The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity's business. … In connection with safeguarding this information, consumers are concerned about being able to correct or update information provided to a site. The process by which a site allows this to occur can greatly enhance its e-commerce activity. Consumer concern about the safeguarding of private information traditionally has been one of the most significant deterrents to undertaking e-commerce transactions.

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

OECD criterion: Data controller accountable for compliance with principles [OECD pts 1; WebTrust pts 1]
WebTrust provisions:
The WebTrust Seal of Assurance. The WebTrust Seal of assurance symbolizes to potential customers that a CPA or CA has evaluated the Web site's business practices and controls to determine whether they are in conformity with the WebTrust Principles and Criteria for Business-to-Consumer E-commerce, and has issued a report with an unqualified opinion indicating that such principles are being followed in conformity with the WebTrust Criteria.
Obtaining the Seal. To obtain the WebTrust Seal of assurance, the entity must meet all the WebTrust Principles as measured by the WebTrust Criteria associated with each of these principles. In addition, the entity must (1) engage a CPA or CA practitioner, who has a WebTrust business license from the AICPA, CICA, or other authorized national accounting institute to provide the WebTrust service and (2) obtain an unqualified report from such practitioner.
The Seal Management Process. The WebTrust Seal of assurance will be managed using a trusted third-party service organization (the seal manager) …
The WebTrust Criteria. In order to provide more specific guidance, a number of WebTrust Criteria have been developed for each WebTrust Principle. The entity must be in conformity with these criteria to obtain and maintain its WebTrust Seal… The entity must be able to demonstrate over a period of time (at least two months or more) that (1) it executed transactions in accordance with the business practices it discloses for e-commerce transactions, (2) its controls operated effectively, (3) it maintains a control environment that is conducive to reliable business practice disclosures and effective controls, and (4) it maintains monitoring procedures to ensure that such business practices remain current and such controls remain effective in conformity with the WebTrust Criteria. These concepts are an integral part of the WebTrust Criteria.
Business and Information Privacy Practices
A6 Monitoring. The entity maintains monitoring procedures that provide reasonable assurance of the following:
• Its business practice disclosures on its Web site remain current.
• Reports of noncompliance are promptly addressed and corrective measures taken.
Information Protection Principle
C7 Monitoring. The entity maintains monitoring procedures that provide reasonable assurance of the following:
C7.1 Its business practice disclosures on its Web site remain current.
C7.2 Reports of non-compliance are promptly addressed and corrective measures taken.

TOTAL (WebTrust): 6
November 17, 1999

Exhibit D
Australian federal government Benchmarks for Industry-Based Customer Dispute Resolution Schemes

Principle 1 — Accessibility
The scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

Key Practices
1.1 The scheme seeks to ensure that all customers of the relevant industry are aware of its existence.
1.2 The scheme promotes its existence in the media or by other means.
1.3 The scheme produces readily available material in simple terms explaining: how to access the scheme; how the scheme works; the major areas with which the scheme deals; and any restrictions on the scheme's powers.
1.4 The scheme requires scheme members to inform their customers about the scheme.
1.5 The scheme ensures that information about its existence, procedures and scope is available to customers through scheme members: when a scheme member responds to a customer's complaint; and when customers are not satisfied in whole or in part with the outcome of the internal complaints mechanism of a scheme member, when the scheme member refuses to deal with a complaint, or when the time period within which the internal complaints mechanism is expected to produce an outcome has expired, whichever first occurs.
1.6 The scheme promotes its existence in such a way as to be sensitive to disadvantaged customers or customers with special needs.
1.7 The scheme seeks to ensure nation-wide access to it by customers.
1.8 The scheme provides appropriate facilities and assistance for disadvantaged complainants or those with special needs.
1.9 Complainants can make initial contact with the scheme orally or in writing but the complaint must ultimately be reduced to writing.
1.10 The terms of reference of the scheme are expressed clearly.
1.11 Customers do not pay any application or other fee or charge before a complaint is dealt with by the scheme, or at any stage in the process.
1.12 The scheme's staff have the ability to handle customer complaints and are provided with adequate training in complaints handling.
1.13 The scheme's staff explain to complainants in simple terms: how the scheme works; the major areas it deals with; any restrictions on its powers; and the timelines applicable to each of the processes in the scheme.
1.14 The scheme's staff assist complainants to subsequently reduce a complaint to writing, where complainants need assistance to do so.
1.15 The scheme's processes are simple for complainants to understand and easy to use.
1.16 The scheme provides for a complainant's case to be presented orally or in writing at the determination stage, at the discretion of the decision-maker.
1.17 The scheme provides for complainants to be supported by another person at any stage in the scheme's processes.
1.18 The scheme uses appropriate techniques including conciliation, mediation and negotiation in attempting to settle complaints.
1.19 The scheme provides for informal proceedings which discourage a legalistic, adversarial approach at all stages in the scheme's processes.
1.20 The scheme discourages the use of legal representatives before the decision-maker except in special circumstances.
1.21 The scheme provides the opportunity for both parties to be legally represented where one party is so allowed.
1.22 The scheme provides for the scheme member to pay the legal costs of complainants where the scheme member is the first party to request to be legally represented and the decision-maker agrees to that request.

Principle 2 — Independence
The decision-making process and administration of the scheme are independent from scheme members.

Key Practices
2.1 The scheme has a decision-maker who is responsible for the determination of complaints.
2.2 The decision-maker is appointed to the scheme for a fixed term.
2.3 The decision-maker is not selected directly by scheme members, and is not answerable to scheme members for determinations.
2.4 The decision-maker has no relationship with the scheme members that fund or administer the scheme which would give rise to a perceived or actual conflict of interest.
2.5 The scheme's staff are not selected directly by scheme members, and are not answerable to scheme members for the operation of the scheme.
2.6 There is a separate entity set up formally to oversee the independence of the scheme's operation.
The entity has a balance of customer, industry and, where relevant, other key stakeholder interests.
2.7 Representatives of customer interests on the overseeing entity are: capable of reflecting the viewpoints and concerns of customers; and persons in whom customers and customer organizations have confidence.
2.8 As a minimum the functions of the overseeing entity comprise: appointing or dismissing the decision-maker; recommending or approving the scheme's budget; receiving complaints about the operation of the scheme; recommending and being consulted about any changes to the scheme's terms of reference; receiving regular reports about the operation of the scheme; and receiving information about, and taking appropriate action in relation to, systemic industry problems referred to it by the scheme.
2.9 The scheme has sufficient funding to enable its caseload and other relevant functions necessary to fulfil its terms of reference to be handled in accordance with these benchmarks.
2.10 Changes to the terms of reference are made in consultation with relevant stakeholders, including scheme members, industry and customer organizations and government.

Principle 3 — Fairness
The scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.

Key Practices
3.1 The decision-maker bases determinations on what is fair and reasonable, having regard to good industry practice, relevant industry codes of practice and the law.
3.2 The scheme's staff advise complainants of their right to access the legal system or other redress mechanisms at any stage if they are dissatisfied with any of the scheme's decisions or with the decision-maker's determination.
3.3 Both parties can put their case to the decision-maker.
3.4 Both parties are told the arguments, and sufficient information to know the case, of the other party.
3.5 Both parties have the opportunity to rebut the arguments of, and information provided by, the other party.
3.6 Both parties are told of the reasons for any determination.
3.7 Complainants are advised of the reasons why a complaint is outside jurisdiction or is otherwise excluded.
3.8 The decision-maker encourages but cannot compel complainants to provide information relevant to a complaint.
3.9 The decision-maker can demand that scheme members provide all information which, in the decision-maker's view, is relevant to a complaint, unless that information identifies a third party to whom a duty of confidentiality or privacy is owed, or unless it contains information which the scheme member is prohibited by law from disclosing.
3.10 Where a scheme member provides information which identifies a third party, the information may be provided to the other party with deletions, where appropriate, at the discretion of the decision-maker.
3.11 The scheme ensures that information provided to it for the purposes of resolving complaints is kept confidential, unless disclosure is required by law or for any other purpose specified in these benchmarks.
3.12 Parties to a complaint agree not to disclose information gained during the course of any mediation, conciliation or negotiation to any third party, unless required by law to disclose such information.

Principle 4 — Accountability
The scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.

Key Practices
4.1 The scheme regularly provides written reports of determinations to scheme members and any interested bodies for the purposes of: educating scheme members and customers; and demonstrating consistency and fairness in decision-making.
4.2 Written reports of determinations do not name the parties involved.
4.3 The scheme publishes a detailed and informative annual report containing specific statistical and other data about the performance of the scheme, including: information about how the scheme works; the number and types of complaints it receives and their outcome; the time taken to resolve complaints; any systemic problems arising from complaints; examples of representative case studies; information about how the scheme ensures equitable access; a list of scheme members supporting the scheme, together with any changes to the list during the year; where the scheme's terms of reference permit, the names of those scheme members which do not meet their obligations as members of the scheme; and information about new developments or key areas in which policy or education initiatives are required.
4.4 The annual report is distributed to relevant stakeholders and otherwise made available upon request.

Principle 5 — Efficiency
The scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.

Key Practices
5.1 The scheme deals only with complaints which are within its terms of reference and have not been dealt with, or are not being dealt with, by another dispute resolution forum and: which have been considered, and not resolved to the customer's satisfaction, by a scheme member's internal complaints resolution mechanism; or where a scheme member has refused, or failed within a reasonable time, to deal with a complaint under its internal complaints resolution mechanism.
5.2 The scheme has mechanisms and procedures for referring relevant complaints to other, more appropriate, fora.
5.3 The scheme has mechanisms and procedures for referring systemic industry problems, that become apparent from complaints, to relevant scheme members.
5.4 The scheme excludes vexatious and frivolous complaints, at the discretion of the decision-maker.
5.5 The scheme has reasonable time limits set for each of its processes which facilitate speedy resolution without compromising quality decision-making. 5.6 The scheme has mechanisms to ensure that the time limits are complied with as far as possible. 5.7 The scheme has a system for tracking the progress of complaints. 5.8 The scheme’s staff keep the parties informed about the progress of their complaint. 90 5.9 The scheme sets objective targets against which it can assess its performance. 5.10 The scheme keeps systematic records of all complaints and enquiries, their progress and their outcome. 5.11 The scheme conducts regular reviews of its performance. 5.12 The scheme’s staff seek periodic feedback from the parties about the parties’ perceptions of the performance of the scheme. 5.13 The scheme reports regularly to the overseeing entity on the results of its monitoring and review. Principle 6 — Effectiveness The scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance. Key Practices 6.1 The scope of the scheme and the powers of the decision-maker are clear. 6.2 The scope of the scheme (including the decision-maker’s powers) is sufficient to deal with: the vast majority of customer complaints in the relevant industry and the whole of each such complaint; and customer complaints involving monetary amounts up to a specified maximum that is consistent with the nature, extent and value of customer transactions in the relevant industry. 6.3 The decision-maker has the power to make monetary awards of sufficient size and other awards (but not punitive damages) as appropriate. 6.4 The scheme has mechanisms for referring systemic industry problems to the overseeing entity (where referral to the scheme member or members under key practice 5.3 does not result in the systemic problem being adequately addressed) for appropriate action. 
6.5 The scheme has procedures in place for: receiving complaints about the scheme; and referring complaints about the scheme to the overseeing entity for appropriate action. 91 6.6 The scheme responds to any recommendations of the overseeing entity in a timely and appropriate manner. 6.7 The scheme requires scheme members to set up internal complaints mechanisms. 6.8 The scheme has the capacity to advise scheme members about their internal complaints mechanisms. 6.9 The scheme has mechanisms to encourage scheme members to abide by the rules of the scheme. 6.10 The determinations of the decision-maker are binding on the scheme member if complainants accept the determination. 6.11 The operation of the scheme is reviewed within three years of its establishment, and regularly thereafter, by an independent party commissioned by the overseeing entity. 6.12 The review, undertaken in consultation with relevant stakeholders, includes: the scheme’s progress towards meeting these benchmarks; whether the scope of the scheme is appropriate; scheme member and complainant satisfaction with the scheme; assessing whether the dispute resolution processes used by the scheme are just and reasonable; the degree of equitable access to the scheme; and the effectiveness of the terms of reference. 6.13 The results of the review are made available to relevant stakeholders. <http://www.treasury.gov.au/publications/ConsumerAffairs/IndustrySelf-RegulationPublications/ BenchmarksForIndustry-BasedCustomerDisputeResolutionSchemes/index.asp> 92 Exhibit E Australian National Arbitration Forum Principles The National Arbitration Forum believes arbitration must be based on the rules of law, applied consistently, under The Forum Code of Procedure and applicable law. The Code must also be applied fairly. To that end, we commit to these twelve principles, which conform to The Forum’s Due Process Standard: PRINCIPLE 1. 
FUNDAMENTALLY FAIR PROCESS - All parties in an arbitration are entitled to fundamental fairness. PRINCIPLE 2. ACCESS TO INFORMATION - Information about arbitration should be reasonably accessible before the parties commit to an arbitration contract. PRINCIPLE 3. COMPETENT AND IMPARTIAL ARBITRATORS - The arbitrators should be both skilled and neutral. PRINCIPLE 4. INDEPENDENT ADMINISTRATION - An arbitration should be administered by someone other than the arbitrator or the parties themselves. PRINCIPLE 5. CONTRACTS FOR DISPUTE RESOLUTION - An agreement to resolve disputes through arbitration is a contract and should conform to legal principles of contract. PRINCIPLE 6. REASONABLE COST - The cost of an arbitration should be proportionate to the claim. PRINCIPLE 7. REASONABLE TIME LIMITS - A dispute should be resolved with reasonable promptness. PRINCIPLE 8. RIGHT TO REPRESENTATION - All parties have the right to be represented in an arbitration, if they wish, for example, by an attorney or other representative. PRINCIPLE 9. SETTLEMENT & MEDIATION - The preferable process is for the parties themselves to resolve the dispute. PRINCIPLE 10. HEARINGS - Hearings should be convenient, efficient, and fair for all. PRINCIPLE 11. REASONABLE DISCOVERY - The parties should have access to the information they need to make a reasonable presentation of their case to the arbitrator. PRINCIPLE 12. AWARDS AND REMEDIES - The remedies resulting from an arbitration must conform to the law. 
<http://www.arb-forum.com/other/index.html>, 08/29/00
For the Code of Practice see <http://www.arb-forum.com/library/code.html>, 08/29/00

Exhibit F

Compliance/Enforcement Activity of Privacy Seals

BBBOnLine <www.bbbonline.org>

Documents reviewed: How to apply for a privacy seal; Privacy Policy; Eligibility requirement; Privacy Program Participation Agreement; Privacy Policy Assessment Questionnaire; How BBBOnLine protects your privacy; Privacy Program; How the privacy program works; FAQ.

Obtaining the seal: Prior to applying for the Privacy Seal, the Web site should have adopted and posted an online privacy policy and must meet the eligibility requirements. A Business Application and Compliance Assessment Questionnaire must be completed. The questionnaire is the basis for determining an organization’s eligibility for the Privacy Seal. It is reviewed and approved by a Compliance Analyst.

Standards and objective: To provide consumers the highest level of confidence in how their personal data is being used and in how protective the privacy policies posted on the Web are; and to ensure that the processes in place are adequate to live up to the privacy policies posted.

Process: Comprehensive Compliance Assessment Review, at least annually and on a random basis. A review may be conducted on BBBOnLine’s own initiative or in response to public complaints, and may be conducted by BBBOnLine staff or by an independent third party. It covers the privacy policies posted on the site and the processes that the Web site has in place to live up to those policies.

Enforcement: Non-compliance results in seal withdrawal, publicity, and referral to government enforcement agencies. The Web site/licensee may appeal and/or request an audit.

TRUSTe <www.truste.org>

Documents reviewed: How TRUSTe program works; TRUSTe Oversight; FAQ.

Obtaining the seal: A TRUSTe representative initially reviews the Web site for adherence to TRUSTe program principles, privacy statement requirements, and the TRUSTe seal.

Standards: Not specifically stated.

Objective: To ease consumers' privacy concerns and to establish Web site credibility by ensuring that Web sites are complying with their posted privacy practices.

Process: A TRUSTe representative periodically reviews the Web site to ensure compliance with posted privacy practices and program requirements and to check for changes to the privacy statement. TRUSTe regularly “seeds” Web sites, that is, it submits unique user information to a site, tracks those unique identifiers in the site's database, and monitors the results to ensure that the Web site's information collection and use practices are consistent with its stated policies. Online community monitoring: TRUSTe relies on online users to report violations of posted privacy policies, misuse of the TRUSTe seal, or specific privacy concerns pertaining to a Web site.

Enforcement: Where TRUSTe has reason to believe that a site is not complying with its stated privacy practices, an escalating investigation is conducted. Depending on the severity of the breach, the investigation could result in an on-site compliance review by a CPA firm or revocation of the site's seal/license. After TRUSTe has exhausted all escalation efforts, extreme violations are referred to the appropriate law authority, which in the U.S. may include the appropriate attorney general's office, the Federal Trade Commission, or the Consumer Protection Agency. TRUSTe may pursue breach of contract or trademark infringement litigation against the site.

WebTrust <www.cica.ca>

Documents reviewed: WebTrust principles & criteria for business-to-consumer electronic commerce, October 15, 1999.

Obtaining the seal: To obtain the WebTrust Seal of assurance, the Web site must meet all the WebTrust Principles as measured by the WebTrust Criteria associated with each of these principles. The management of the Web site makes such assertions by filling out a self-assessment questionnaire. In addition, the entity must: (1) engage a Certified Public Accountant (CPA, U.S.) or Chartered Accountant (CA, Canada) practitioner who has a WebTrust business license from the American Institute of Certified Public Accountants (AICPA, U.S.), the Canadian Institute of Chartered Accountants (CICA, Canada), or another authorized national accounting institute to provide the WebTrust service; and (2) obtain an unqualified report from that practitioner.

Standards: The audit standard is CICA Section 5025, Standards for Assurance Engagements, or CPA Section SSAE1. The CICA and CPA standards and requirements for an assurance engagement are similar.

Objective: To assure potential customers that a CPA or CA has evaluated the Web site’s business practices and controls to determine whether they conform to the WebTrust Principles and Criteria for Business-to-Consumer E-commerce, and has issued a report with an unqualified audit opinion indicating that such principles are being followed in conformity with the WebTrust Criteria. These principles and criteria reflect fundamental standards for business practices, transaction integrity, and information protection.

Process: Once the seal is obtained, the Web site may continue displaying it provided that it can continue to obtain an unqualified audit report. The frequency of the audits is based on:
    a) the nature and complexity of the Web site’s operation;
    b) the frequency of significant changes to the Web site;
    c) the relative effectiveness of the Web site’s monitoring and change management controls for ensuring continued conformity with the WebTrust Criteria as such changes are made; and
    d) the auditor’s professional judgment.

Enforcement: The seal (a digital certificate) is withdrawn if the Web site is unable to obtain an unqualified audit report. In such situations, the auditor advises the seal manager (a trusted third-party organization) and the Web site to initiate withdrawal, which electronically revokes the seal.