Web Privacy Programs Are Scrutinized
They’re supposed to be the Good Housekeeping seals of approval for the Internet, telling online shoppers which Web sites they can trust to protect their privacy and which may play fast and loose with sensitive personal data.
But lately, privacy-certification programs, including Truste, BBBOnLine and WebTrust, are coming under scrutiny for failing to attract enough participants, not imposing strict enough privacy standards and not cracking down when companies that have been awarded privacy seals break the rules.
Though the Internet industry had once hoped that these voluntary programs would stave off government legislation, there are growing signs that self-regulation won’t be enough:
* The Federal Trade Commission--which 18 months ago held up seal programs as a reason new privacy laws were not yet needed--concluded this spring that new regulation would be needed after all.
* A review of the three U.S. seal programs--released in September at an international privacy conference in Venice, Italy--gave none a passing grade, raising concerns that the programs do not abide by the basic privacy tenet that personal information should be used only for the purpose for which it was collected.
* The recent financial meltdown of “dot-com” retailers has highlighted the limited influence of voluntary programs. Toysmart.com, a Truste seal holder, abandoned its privacy promise after the company experienced financial problems and attempted to sell its customer data for cash, despite the strong objections of Truste.
Conventional wisdom in Washington these days is that Congress will probably pass some sort of privacy legislation next year to provide basic rights for online consumers.
“Self-regulation just didn’t do the trick,” said Jay Stanley, Internet policy analyst at Forrester Research in Cambridge, Mass. “These seal programs haven’t taken the wind out of the sails of regulation.”
Stanley predicts that legislators will probably require that Web sites, at a minimum, disclose their privacy polices to Web surfers and offer an opportunity to opt out of any information-sharing.
Even some large seal-program sponsors, such as America Online and Hewlett-Packard, recently supported the idea of government intervention.
Officials at the seal programs say they need more time to grow and gain acceptance. They note that new Web sites are signing up every day. And they say awareness among online consumers is growing: An August study by Cheskin Research found 69% of Web users recognized the Truste symbol and 55% said it increased their trust in a Web site.
“In the early going, it takes time to build momentum,” said Charles Underhill, acting chief operating officer at BBBOnLine, which launched its privacy-seal program last year. “It will take time, but self-regulation is going to work in this area.”
BBBOnLine has awarded 727 seals so far. Rival Truste, founded in 1997, has 2,000 licensees.
Participants pay between $200 and $7,000 for their seal and must agree to abide by a basic set of privacy practices. These include disclosing their privacy policies, offering an opt-out, protecting data from theft or hackers, offering dispute resolution and providing some sort of consumer access to data about them.
In addition, the sites are subject to audits to test whether they are living up to their promises. Truste tests its licensees by entering fake names into the sites to see if information is sold or used improperly. BBBOnLine will soon launch random audits of seal-holders, conducted by a third party.
A third seal program, WebTrust, offers a far more rigorous--and costly--privacy seal program. Created by the American Institute of Certified Public Accountants, WebTrust relies on an outside CPA to help a Web site develop a privacy policy and then conducts on-site inspections to ensure compliance every 90 days. The process is similar to the way outside accountants examine a company’s financial books each quarter.
WebTrust officials wouldn’t say how much the process costs, but an affiliated seal program has cost some large participants six-figure sums. To date, only two WebTrust privacy seals have been awarded to e-commerce sites.
Overall, participation in seal programs has been disappointing. Of the hundreds of thousands of Web sites in operation, less than 3,000 have been awarded privacy seals by the three leading programs.
“We’re not seeing wide enough use of these seals to allay our concerns,” said David Butler, spokesman for Consumers Union in Washington.
Participation among e-commerce companies is particularly weak. Only about a quarter of the top 100 Internet retailers boast seals. Notable non-seal-holders include Amazon.com and Barnesandnoble.com. Neither company would comment for this story.
“Having a seal hasn’t become de rigueur yet,” Stanley noted.
The seal programs also are under attack for failing to get tough on licensees. Critics note that none of the programs has ever revoked or suspended a seal, and privacy violations by seal holders often are exposed by the media or by advocacy groups rather than the seal programs.
“They’ve never drawn blood, yet they claim to be an enforcement group,” said Jason Catlett, president of Junkbusters Corp., a privacy advocate in New Jersey.
In particular, Catlett criticized Truste for not taking steps against licensees Microsoft Corp. and RealNetworks after it was revealed that some of their software was collecting personally identifiable information about consumers without their knowledge.
Bob Lewin, president and chief executive at Truste, said the seal program investigated the privacy infractions but decided to take no action because Microsoft and RealNetworks took prompt steps to change the software and resolve the controversy.
He said Truste would not hesitate to revoke a seal for good cause. “But we won’t do it for the wrong reason or just to prove that we have teeth,” Lewin said.
He noted that Truste went to court to try to block Toysmart.com from selling its customer data and helped bring national attention to the case. A bankruptcy judge is reviewing the matter.
Gary Laden, a former FTC consumer-protection attorney who now heads BBBOnLine’s privacy program, also defended the program’s record.
“I didn’t spend all my years in consumer protection for the government to come here and run some kind of toothless program,” Laden said.
He said his group has not revoked any seals because it has stringent criteria before awarding them. Currently, about 1,400 Web sites are applying for a BBBOnLine seal but have not yet met the standards. He noted that two of BBBOnLine’s own corporate sponsors, AOL and Microsoft, have not yet qualified for seals.
Evan Hendricks, a privacy advocate and publisher of Privacy Times, said he is more worried about the thousands of Web sites that continue to collect consumer information but have made no effort to apply for a seal in the first place.
“Privacy needs to be protected comprehensively,” Hendricks said. “You can have seal programs and company policies. But it has to be backed up by the law.”
(BEGIN TEXT OF INFOBOX / INFOGRAPHIC)
Seals of Approval Here’s a look at the leading privacy-seal programs.
Truste.com
( https://www.truste.com )
Founded: 1997
Total seals: 1,900 awarded; 600 in process
E-commerce seal holders: EBay, UBid, Outpost.com, L.L. Bean, America Online.
Seal requirements: Disclose privacy practices; offer consumer opt-out of data-sharing; protect information; provide consumer access to its data; offer dispute resolution; permit and fund outside audits when requested by Truste.
Seal cost: $299 to $6,999, depending on company size.
Seals revoked: 0
Sponsors/founders: CommerceNet, Boston Consulting Group, Electronic Frontier Foundation, AOL, Excite, Intel, Microsoft.
*
BBBOnline
( https://www.bbbonline.com )
Founded: 1999
Total seals: 680 awarded; 1,400 in process
E-commerce seal holders: Dell, Fingerhut
Seal requirements: disclose privacy policies; offer consumer opt-out of data-sharing; protect information; offer dispute resolution; provide consumer access to their data; agree to random third-party audits of practices.
Seal costs: $200 to $6,000, depending on size
Seals revoked: 0
Sponsors/founders: Better Business Bureau
*
WebTrust
( https://www.webtrust.org )
Founded: 2000
Seals awarded: 2
E-commerce seal holders: H.D. Vest
Seal requirements: Development of privacy policy with an independent certified public accountant in keeping with group’s privacy principles; regular testing and verification of a site’s policies, procedures, disclosures, technology and infrastructure; dispute resolution.
Seal costs: Varies (some sites reportedly have paid six-figure sums for WebTrust seals)
Seals revoked: 0
Sponsors/founders: American Institute of Certified Public Accountants.
Source: Times research
