A Safe Harbor Approach To Privacy: TRUSTe Recommendations

Rebecca Richards, Director of Compliance and Policy
TRUSTe

A Safe Harbor Approach To Privacy: TRUSTe Recommendations [pdf]

This white paper articulates TRUSTe's recommendations for a safe harbor mechanism to protect consumer privacy. TRUSTe's mission � enabling individuals and organizations to establish trusting relationships based on respect for personal information throughout the network world � has been achieved through the enforcement of the fair information practices of notice, choice, access, security and redress. TRUSTe, a privacy seal and certification program founded in 1997, provides these recommendations to policymakers based on its experience with well over 3,000 companies over the last five years.

TRUSTe has long articulated a public policy for privacy protection that incorporates the strength of government oversight, the discipline of industry self-governance and the innovation of privacy-enhancing technology. A smart, focused approach to legislation that provides a framework for safe harbor may be the best way of ensuring this policy balance.

Our recommendations are presented in four sections:

• an overview of safe harbor;
• recommendations for successfully crafting and implementing safe harbor;
• an analysis of existing safe harbor policy frameworks; and
• conclusions based on our experience.

TRUSTe views itself not only as an advocate for consumer protection, but also as a resource for policymakers who wish to understand the complexities of privacy issues.

Overview

As the U.S. Congress and state legislatures consider legislation on privacy, it is vitally important that the focus remain on providing strong protection for consumers. Notwithstanding the implementation difficulties (see below), the primary challenge in legislating privacy practices is ensuring that businesses view the law as a baseline of acceptable practices. The law must provide a floor of protection, not a ceiling.

The concept of a safe harbor within legislation is a self-regulatory regime that, if adhered to, will (1) place a company in compliance with the regulation; and (2) function as a defense in any enforcement action. An effective safe harbor works best when a seal program acts as a first line of defense. From an implementation perspective, safe harbors respond quickly to consumer complaints and send the industry a strong message about appropriate practices.

The second line of defense � the government � picks up where voluntary self-governing bodies leave off. For companies who refuse to abide by voluntary standards or demonstrate a repeated pattern of privacy violation, government oversight is a strong deterrent. For example, government intervention in combination with self-governance has been particularly effective in protecting privacy during the recent attempts on the part of Internet companies in bankruptcy proceedings to sell consumer data as part of their corporate assets.

Given the global and dynamic nature of the Internet and other data-gathering technologies, neither self-governance nor government oversight can do it alone. Government is ill-equipped to handle the daily complaints in a timely manner � it may take the EU Data Protection Authorities 12-24 months to resolve a case � and self-governing bodies are voluntary. Drawing on self governance and government oversight together through the framework of a safe harbor can be extremely effective given the global and ever-changing nature of the Internet and other data gathering technology.

TRUSTe has two safe harbor programs: 1) the Children's Online Privacy Protection Act (COPPA) Safe Harbor as developed by the Federal Trade Commission (FTC); and 2) the European Union Safe Harbor negotiated and established by the U.S. Department of Commerce. These two safe harbor programs adopt different approaches to implementing privacy guidelines/legislation. The successes and shortcomings of safe harbor programs experienced by consumers and industry provides valuable information to public policymakers seeking to integrate elements of these programs and to improve upon them.

Recommendations for Safe Harbors

Safe harbors implemented through seal programs provide a means for government to set baseline practices, monitor participant compliance, and resolve consumer disputes. Based on its experience with safe harbors, TRUSTe has found first that these programs must be sufficiently flexible to respond to market and technology changes. Second, the deliberations and the procedures of a seal program must be fully transparent, to ensure that consumers both understand and trust the protections. Finally, a seal program must offer to industry clear incentives that encourage participation.

Recommendations for Implementing an Effective Safe Harbor:

1. Create a flexible system that allows safe harbor programs to respond to business model changes.
   • Allow appropriate government agencies to recognize safe harbors based upon general principles, dispute resolution and enforcement procedures.
   • Develop principles that regulate the use of technology rather than technology itself. This will have the net effect of addressing the issues without slowing down innovation or possibly outlawing empowering technology (such as cookies).
2. Create incentives for companies to join seal programs/safe harbor.
   • Include specific language to highlight that by joining a safe harbor, government regulators will assume that companies are compliant with the statute. This provides companies with the incentive of decreased compliance costs and less legal liability.
   • Levy fines on companies that violate the statute, but reduce significantly or eliminate the fines for safe harbor participants.
3. Provide for strong enforcement action for both the seal programs and the appropriate federal agency when a company is out of compliance with the safe harbor program or the law.
   • Create a mechanism for transferring information between the safe harbor programs and the appropriate federal agency enforcing the law.
   • Create a standard by which the appropriate federal agency may step in if there is imminent danger to a consumer or group of individuals before the safe harbor program has completed its investigation.
   • Create strong legal protections against defamation suits filed by companies that are found not in compliance with a seal program.
4. Increase consumer awareness of safe harbor programs.
   • Federally fund consumer education initiatives to brand safe harbors.

Analysis of Safe Harbors � the TRUSTe Experience at One Year

What the TRUSTe Safe Harbors Offer Business

The TRUSTe Safe Harbor programs provide licensees with guidance on how to implement privacy practices that comply with regulations (COPPA) or principles (EU Safe Harbor). Our extensive experience in working with businesses and with government agencies � the Federal Trade Commission, the Department of Commerce and the European Commission � serves as a valuable resource for TRUSTe Safe Harbor participants developing or modifying their data practices and privacy policies.

We find that many of our Safe Harbor program participants, in addition to using the services of lawyers and other counsel, rely upon the program for counsel and practical advice. Small and medium sized companies often rely upon TRUSTe's services in large part because they are less expensive than on-going legal counsel and they provide clear direction for implementing acceptable privacy practices.

In a 2002 Harris Survey, over 90% of consumers stated they would do more business with an organization whose practices were verified by a third party. The TRUSTe seal offers businesses an easy way to demonstrate this to consumers. It also gives companies a means to demonstrate to government that it is in compliance with the law or principles.

TRUSTe's ongoing monitoring efforts uncover minor concerns that require modification of the privacy statement. In each instance, once brought to the company's attention, these matters are quickly resolved.

What TRUSTe Safe Harbors Offer Consumers

The TRUSTe seal offers consumers an easily recognized guidepost indicating that a company is complying with a given law or set of principles. It provides additional assurances to the consumer that the company is having its practices verified by a third party.

Consumer dispute resolution is one of the most important services offered by TRUSTe Safe Harbor programs. The dispute resolution process can help identify real consumer concerns and give consumers a means of communicating those concerns to the company in question. The process provides a means for the company and the disaffected customer to rebuild a damaged relationship. Interestingly, however, overall TRUSTe finds that companies in the Safe Harbor programs receive fewer complaints from consumers. One reason may be that these organizations are diligent in ensuring that they remain in compliance with the program principles.

Children's Online Privacy Protection Act Safe Harbor

The FTC certifies all COPPA Safe Harbor programs through a lengthy and complicated process. The Safe Harbor and the FTC work closely together on this iterative process to ensure that the program is fully compliant with the COPPA regulations.

Companies are not required to join a Safe Harbor program and, because the FTC requires that seal programs largely echo the requirements of the statute, organizations have little incentive to join the Safe Harbor rather than comply directly with the rule.

Benefits

• The FTC has set out clear standards for the Safe Harbor program. This provides clear expectations of what the COPPA Safe Harbor program will do for both industry and consumers.

Drawbacks

• COPPA Safe Harbor is overly prescriptive. There is little incentive for a company to join the FTC-approved seal program Safe Harbor because the license agreement so closely tracks the exact requirements of the regulation that companies perceive joining the Safe Harbor program as adding a second layer of enforcement through seal programs with limited offsetting benefits.
• Because the standards are rigid, there is minimal flexibility to account for new business models, new situations, and modifications to the COPPA Safe Harbor program without going through the lengthy FTC certification process.

EU Safe Harbor

An organization's participation in the EU Safe Harbor is premised on its self-certification of compliance with the Department of Commerce. The FTC or other appropriate federal agency has oversight in cases of non-compliance. The organization self-certifying must verify either internally or through a third party that its privacy practices and privacy statement are in compliance with the Safe Harbor principles. The organization is then required to participate in a third party dispute resolution program to ensure complaints are handled appropriately.

TRUSTe offers two services relating to the EU Safe Harbor:

1. For Web sites, TRUSTe provides verification and third party dispute resolution; and
2. For organizations that collect information through sources other than the Web, TRUSTe provides third party dispute resolution.

Benefits

• No government agency certifies that a program is compliant with the principles. This provides great flexibility by allowing TRUSTe to modify the EU Safe Harbor Program as new issues and new technologies arise to meet consumer, market, and policy needs quickly as long as the program remains consistent with the Safe Harbor principles.
• The requirement for third party dispute resolution provides a clear reason to join a seal program. Ultimately, this is of greatest benefit to consumers as seal programs are an effective means to resolve consumer disputes.

Drawbacks

• Oversight by a government body will, for the most part, only occur if a major incident occurs.
• A public list of all companies that have joined the EU Safe Harbor may increase the likelihood of targeted government oversight.
• To date, the EU Safe Harbor has not received extensive support from many U.S. companies primarily because of jurisdictional issues surrounding the enforcement of European laws in the U.S. rather than any perceived defects in the Safe Harbor process itself.

Conclusion

On the basis of its experience developing and implementing Safe harbor programs, TRUSTe has concluded that it is possible to create a safe harbor that provides the incentives necessary to have industry use them and to protect consumers' rights to take action against companies when their personal information is misused. Granting safe harbor status to approved privacy seal programs will increase the effectiveness and efficiency of any online privacy legislation for the following reasons:

• Online privacy seal programs provide an effective means of enforcing privacy regulations by regularly monitoring the conduct of their program participants and providing enforcement and dispute resolution services. Participating websites' ongoing relationship with a safe harbor seal program will ensure that they consistently comply with online privacy regulations.
• Online privacy seal programs serve as the first line of defense against improper privacy practices. Granting safe harbor status to online privacy seal programs encourages widespread participation by websites in these programs, enabling participants to resolve questions about regulatory compliance quickly and providing consumers with a forum for resolving even minor complaints.
• A safe harbor seal program establishes an effective means of addressing all of the minor issues related to compliance, freeing regulatory agencies to address significant issues, providing a clear benefit to the program participants.
• The seal program demonstrates to consumers, government and industry that a company is compliant with the law. This may increase consumer trust in industry practices.

To fulfill the goals of providing effective and efficient privacy protection, a safe harbor provision should include:

• FTC or other appropriate government agency authority to approve a privacy seal program as a safe harbor when the program maintains guidelines and enforcement processes that meet the requirements of the online privacy statute.
• Clear incentives to join:
  • Participation in an approved program should provide an affirmative a defense to any federal action for program participants.
  • Levied fines should be significantly reduced or eliminated for safe harbor participants.
• Education for consumers about what the safe harbor program is and how it works.