TRUSTe Not So Trustworthy

Privacy certification company has agreed to pay $200,000 to settle FTC charges that it deceived consumers.
IT's 10 Fastest-Growing Paychecks
IT's 10 Fastest-Growing Paychecks
(Click image for larger view and slideshow.)

The Federal Trade Commission on Monday said that TRUSTe, a provider of privacy certifications for websites, has agreed to settle charges brought by the agency accusing the firm of deceiving consumers and misrepresenting itself as a nonprofit organization.

In its complaint against the company, the FTC charged that TRUSTe violated its promise to confirm that its clients -- companies paying to display the TRUSTe privacy seal -- actually lived up to their self-established privacy policies. The complaint claims that in more than 1,000 instances from 2006 through January 2013, TRUSTe did not conduct annual recertifications of companies awarded its privacy seal.

"Self-regulation plays an important role in helping to protect consumers," said FTC Chairwoman Edith Ramirez, in a statement. "But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action."

The FTC complaint also accused TRUSTe of failing to require that its clients change their privacy policy language to reflect that TRUSTe became a for-profit corporation in 2008. The agency alleges that TRUSTe, by allowing clients to continue to refer to it as a nonprofit in their privacy policies, misrepresented itself to consumers.

Whether this misrepresentation had any material impact on consumer perception isn't addressed in the complaint. The complaint makes no mention of whether anyone actually read any of the privacy policies containing the inaccurate description of TRUSTe.

One FTC commissioner, Maureen K. Ohlhausen (R), issued a dissenting statement, arguing that TRUSTe should not be blamed for inaccuracies propagated by the firm's clients, even if the firm could have done more to get its clients to update the language used to describe it.

The settlement requires TRUSTe to pay $200,000, to refrain from future misrepresentations about its status, and to avoid providing clients with boilerplate privacy policy language that facilitates such inaccuracies. It also imposes some reporting requirements.

This is not the first time TRUSTe has been criticized for failing to actually do anything. A 2002 article in Wired suggested that TRUSTe's certification of Yahoo's privacy practices was as meaningless as accounting firm Arthur Andersen's auditing of Enron.

Some have even suggested that third-party trust certification does more harm than good. In a 2009 paper, Benjamin Edelman, currently an associate professor at Harvard Business School, published an update to findings released in 2006 that websites seeking third-party trust certification are actually less trustworthy than those that don't bother.

Edelman found that "sites certified by the best-known authority, TRUSTe, are more than twice as likely to be untrustworthy as uncertified sites."

It appears that self-regulation does work after all, though as a warning sign rather than as a reassurance.

In a blog post, company CEO Chris Babel defended his company, saying, "The FTC did not find any issues with TRUSTe's privacy practices, but there were two processes that needed to be fixed -- and we have addressed both."

Get the latest information to migrate your systems, services, and applications to the next level at Enterprise Connect. Cisco, Microsoft, Avaya, and Oracle will lead the keynote lineup, and thought leaders from enterprises and vendors will cover the full range of platforms, services, and applications that will simplify your migration to next-gen communications and collaboration systems. Register for Enterprise Connect with code DIWKWEB to save $100 off the early-bird rate. It happens in Orlando, Fla., March 16 to 19.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing