Building a Web You Can Believe In.

 

 

 Frequently Asked Questions

NOTE: If your site collects age information, click here.

General TRUSTe Application FAQ

License Agreement 9.0 FAQ

Children's Online Privacy Protection Act (COPPA) FAQ

EU Safe Harbor FAQ

General TRUSTe Application FAQ

Q: How do I join the TRUSTe program?

A: To become a TRUSTe licensee, you must first submit an application packet. Please see How to Join for the requested packet of materials, easy-to-follow steps for submitting the application, and guidance on creating a privacy statement for your Web site.

Q: What does TRUSTe need in order to begin the review and approval process?

A: Before TRUSTe begins its thorough review process, prospective and renewing licensees must send to us the following items: a current privacy statement for the site, a completed license agreement and self-assessment form, and an invoice for the appropriate amount (*see invoice section of Web site). Please note that it is critical that all forms are completed and signed.

Q. What is involved in signing the License Agreement?

A. The License Agreement is the binding legal contract between TRUSTe and each of our licensees. It contains all of the terms that you, as a licensee, must agree to in order to receive the TRUSTe certification. It also explains what your rights are as a licensee. We recommend that you have your attorney and/or officer of your organization review the license agreement and that you fully understand the terms and conditions.

Q: In addition to a privacy statement, what are the other TRUSTe program requirements?

A: Please see How the TRUSTe Program Works for a comprehensive overview of our program requirements. You may also want to review the oversight and resolution process.

Q. What is the purpose of the Self-Assessment form?

A. The Self-Assessment form is a critical tool, both for TRUSTe and for your company, to ensure that you are exercising responsible data management practices within your organization. The form has been developed based on real-world issues of concern from consumers and government authorities. The purpose of the form is to ensure that we identify and correct any loopholes or oversights in your corporate practices or technology before a problem occurs - this will help to minimize your liability.

Q. If I don't have a privacy statement, what should I do?

A. You must submit a privacy statement with your TRUSTe application or shortly thereafter. We have developed Model Disclosures that you can review to help you draft your privacy statement. Unfortunately, there is no single “ideal” privacy statement – by definition, privacy statements vary from company to company and must be tailored to highlight specific practices.

Please note that the Model Disclosures are not to be used as your company’s completed privacy statement; they are merely a tool to serve as an example of a complete and approved TRUSTe privacy statement. It is very important that you TAILOR the privacy statement to the practices of your own Web site. We cannot effectively review your privacy statement until it matches the information collection and use practices on your Web site.

DO NOT under any circumstances display these marks on your site until you receive final approval from your account manager.

Q. How long does it take to become TRUSTe certified?

A. Very diligent organizations can become TRUSTe certified in as little as three weeks once they have submitted their applications. You can shorten the certification process significantly by taking great care to submit complete, accurate, and thorough application materials and responding to TRUSTe communications in a timely fashion. If you have any questions about any of the materials, you should contact us at renewals@truste.org or (415) 618-3405 to prevent delays in handling your application. Remember that the certification process is interactive and requires your input in order for the process to progress.

Q: What are the TRUSTe seals?

A: TRUSTe has two seals: the trust mark, which you can use in place of a Privacy Statement link, and the “Click to Verify” mark, which is put at the top of your privacy statement and links to TRUSTe’s secure server so that consumers may verify that you are a legitimate licensee.

Q: Can I post more than one privacy statement on my site?

A: Yes. Each web site should determine the best means of delivering a privacy statement. In some cases, if a site has both a children’s area and a general audience area, you may need to have two different privacy statements to describe the different practices. A co-branded web site may have privacy statements for the two companies that are represented on the web site. With downloadable software, which TRUSTe does not review or certify, you may need to have a separate privacy statement that reflects the practices of the software.

Q: How does TRUSTe handle consumer complaints regarding licensed sites?

A: TRUSTe requires consumers to contact the Web site first to resolve the issue. If consumers do not receive satisfaction, they may then come to us with a complaint, and we serve as the liaison to resolve the issue with the TRUSTe licensee. We provide Web users with a simple, convenient online Watchdog Report for communicating their complaints or concerns regarding a member's privacy policy or suspected misuse of the trust mark directly to us. In addition, all privacy statements contain TRUSTe's contact information. For additional information, please review the Watchdog procedures at http://www.truste.org/users/compliance_doc.htm.

Q: What happens if my Web site fails a compliance review?

A: In the unlikely event that a site fails a compliance review or TRUSTe has reason to believe that a site is in non-compliance with its stated privacy practices, we will conduct an escalated investigation. Depending on the severity of the breach, the investigation could result in an on-site compliance review by a CPA firm, or revocation of the site's trust mark license. After TRUSTe has exhausted all escalation efforts, extreme violations are referred to the appropriate law authority, which in the U.S. may include the appropriate attorney general's office, the Federal Trade Commission, or the Consumer Protection Agency. TRUSTe may pursue breach of contract or trademark infringement litigation against the site.

Q: Is it possible for a Web site to apply for both the TRUSTe Privacy Seal and the TRUSTe Children's Privacy Seal?

A: Yes it is. As stated in the TRUSTe license agreement, Web sites can apply for both seals. You must sign both license agreements in order to do so. In some cases, after reviewing your site, TRUSTe may determine that your site is directed at children and therefore must join the children’s program.

Q: Does TRUSTe cover privacy practices of third parties with whom you may share personally identifiable information?

A: No. TRUSTe only covers the information collected and shared by our licensees. We do not monitor the uses of that information by the business partners of our licensees.

Q: What is TRUSTe's policy regarding the approval of Web sites that have not yet been launched?

A: While we understand that many Web sites make efforts to address consumer privacy concerns before public launch, we cannot review and approve the privacy statement of a Web site if it will change before launch. If the Web site is complete and no further changes to the collection of information will be made, the site can be reviewed by TRUSTe. TRUSTe will give a provisional approval and conduct an implementation review after the site has gone live.

License Agreement 9.0 FAQ

Q. What are the key differences between L.A. 8.0 and L.A. 9.0?

A. TRUSTe has changed the License Agreement to simplify the steps Licensees must take for renewals, to clarify the circumstances under which the Agreement may be assigned to another company (i.e., in a business transition such as a merger or acquisition), and to clarify the procedures for appealing Notices of Termination. New requirements for email newsletters and promotional emails have been added to the Program Requirements to reflect certain provisions of the federal CAN-SPAM Act. Highlights of the changes are as follows:

Renewals / re-certifications

Rather than sign a new License Agreement at the end of each license term, Licensees will sign a brief addendum extending the License Agreement and submit any proposed Material Changes in their privacy practices or privacy statement for TRUSTe approval.

Beginning with L.A. 9.0, licensees will submit a full self-assessment every three years, regardless of the length of their license term (with exceptions, e.g., in the case of an assignment or when the Program Requirements have changed). COPPA and EU Safe Harbor program participants must continue to complete a new self-assessment annually, in keeping with the specific requirements of those programs.

Assignments

In response to Licensees’ concerns, TRUSTe has made it clear that a Licensee may assign its rights and obligations under the License Agreement with notice to TRUSTe, provided that the company to which the Agreement is transferred (1) owns the Web site on which the TRUSTe seals are posted; (2) agrees to undertake all of the Licensee’s obligations under the Agreement; (3) signs the License Agreement; and (4) completes a new self-assessment.

Appeals

The License Agreement provides an appeals process for the rare circumstance in which TRUSTe issues a Notice of Termination. L.A. 9.0 clarifies that all appeals from terminations based upon a Licensee’s violation of its privacy statement or of the Program Requirements will be heard by the TRUSTe Appeals Committee, rather than by TRUSTe’s Board of Directors. The Appeals Committee will be composed of two privacy experts who are not TRUSTe employees and two members of TRUSTe’s Board. The Appeals Committee procedures are posted at www.truste.org.

Email

TRUSTe has established key minimum requirements for email, in response to the CAN-SPAM Act. Licensees who sign L.A. 9.0 must include a postal address and a functional unsubscribe mechanism in all email newsletters and promotional messages, except administrative or customer service-related emails and communications a customer has agreed to receive as a condition of using a Licensee’s service (e.g., in the case of free email accounts).

The unsubscribe mechanism must be functional for 30 days. Licensees must honor a customer’s unsubscribe request beginning on the 10th business day after it is received, and may not re-contact the customer unless he or she subsequently asks to be contacted.

In light of these new requirements, as well as developments in industry practice, we have removed the Shelf Life Preferences provisions from the Program Requirements.

Q. Why did TRUSTe make these changes?

A. We work continually with our Licensees, federal and state regulators, industry and consumer groups and others interested in privacy to refine and strengthen the TRUSTe program, to ensure that it reflects both applicable law and best industry practices. The result of this process is Program Requirements that are effective for both businesses and consumers.

Q. How will TRUSTe roll out L.A. 9.0?

A. Version 9.0 of the License Agreement is available now via the TRUSTe Web Site here. Companies that are new to the program will sign version 9.0. Current members will be moved to version 9.0 as their license agreements expire.

Q. Will TRUSTe members need to change their privacy statement or privacy practices to be in compliance with L.A. 9.0?

A. When current licensees transition to version 9.0 of the License Agreement, their privacy statements and privacy practices may need to change to reflect the new Program Requirements for email, if they do not already do so. We strongly suggest that Licensees consult their legal advisors on how best to comply with the CAN-SPAM Act.


Q. Do current TRUSTe Licensees need to fill out a new self-assessment?

A. All licensees on L.A. 9.0, other than participants in the COPPA and Safe Harbor seal programs (who complete a self-assessment annually), must complete a new self-assessment every three years regardless of the length of their License term. If a Licensee wishes to make Material Changes in its privacy practices and privacy statement, it must submit the proposed changes for TRUSTe’s approval. Depending upon the extent of the changes, TRUSTe may require an update to the self-assessment that reflects those changes.

TRUSTe will require a new self-assessment when the License Agreement has been assigned (e.g., in the case of a business transition such as a merger), or when TRUSTe deems it necessary to conduct an investigation in response to complaints about a Licensee’s privacy practices.

Q. When was the last time TRUSTe created a new version of the License Agreement?

A. Version 8.0 of the TRUSTe License Agreement was introduced in November 2002.


COPPA FAQ


Q: What is COPPA?

A: COPPA is The Children's Online Privacy Protection Act. It was signed into law in October 1998 to protect the privacy of children by controlling the personal information that can be collected from children online. The Federal Trade Commission (FTC) enforces COPPA by requiring compliance with its Children's Online Privacy Protection Rule.

Q: Who must comply with COPPA?

A: If any of your Site(s) is directed at and collects Personally Identifiable Information from children under the age of thirteen (13), or if any section of your Site(s) is directed at and collects Personally Identifiable Information from children under the age of thirteen (13), or if you knowingly collect (or maintain) Personally Identifiable Information from children under the age of thirteen (13) on your Site(s), you must comply with COPPA.

You must comply with COPPA if:
• You operate a website or online service that is specifically aimed at children under 13 AND the site collects or maintains Personally Identifiable Information; OR
• You operate a general audience website that collects Personally Identifiable Information, including age or date of birth, from children under the age of 13.

Q: What happens if I don’t comply with COPPA?

A: The Federal Trade Commission is authorized to assess civil penalties of $11,000.00 per violation, if it finds that a company has violated or evaded COPPA. The total amount of penalties assessed could be far in excess of $11,000.00.

Q: Is COPPA compliance required even if the age field is optional?

A: Yes.

Q: Does TRUSTe have guidelines that show me how to comply with COPPA?

A: Yes, TRUSTe provides these guidelines here

Q: I operate a general audience Web site. What can I do if I don’t want to collect and maintain children’s PII?

A: If you do not wish to collect and maintain data from children under the age of 13, you may create a “bump-out” mechanism. To implement “bump-out”, a session cookie is set that directs the user to an informational page that explains why registration cannot be accepted. The presence of this session cookie prevents the user from changing his or her age on the registration form.

Q: Is the “bump-out” mechanism fool-proof?

A: No. Implementing the “bump-out” mechanism demonstrates that you are taking all necessary and reasonable steps to comply with COPPA and are not knowingly collecting and maintaining data from children.

Q: Are there examples of successful implementations of the “bump-out” mechanism?

A: Yes. A good example of implementation of a COPPA bump-out mechanism for a general audience Web site can be found at www.care2.com.
• Join at http://passport.care2.net/signup.html
• Select 1/1/1995 as your date of birth and start
• An informational message is presented, explaining why your registration cannot be accepted.
• Click the back button on your browser and change your date of birth to 1/1/1984, and start.
• An informational message is displayed, explaining why your registration cannot be accepted.
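
The following sketch of the server-side bump-out check is an added example, not code from TRUSTe or from the sites named in this FAQ. It generalizes the walkthrough above to any date of birth; the cookie name, the informational page path, and the function names are assumptions made for illustration.

```python
from datetime import date
from http.cookies import CookieError, SimpleCookie

MIN_AGE = 13
BUMP_COOKIE = "coppa_bump"                # hypothetical cookie name
INFO_PAGE = "/registration-unavailable"   # hypothetical informational page


def age_on(dob: date, today: date) -> int:
    """Age in whole years; one less if this year's birthday has not come yet."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def has_bump_cookie(cookie_header: str) -> bool:
    """True if the request's Cookie header carries the bump-out flag."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return False  # unparseable header: treat as no flag present
    return BUMP_COOKIE in jar


def bump_cookie_header() -> str:
    """Set-Cookie value for the flag.

    No Expires or Max-Age, so it is a session cookie. The value is a constant:
    the date of birth that was entered is neither stored nor echoed back.
    """
    jar = SimpleCookie()
    jar[BUMP_COOKIE] = "1"
    jar[BUMP_COOKIE]["path"] = "/"
    jar[BUMP_COOKIE]["httponly"] = True
    jar[BUMP_COOKIE]["samesite"] = "Lax"
    return jar[BUMP_COOKIE].OutputString()


def handle_registration(dob: date, cookie_header: str, today: date):
    """Decide one registration attempt.

    Returns (status, headers, accepted). The cookie is checked before the
    submitted date, so changing the date after a bump-out has no effect.
    """
    if has_bump_cookie(cookie_header):
        return 303, [("Location", INFO_PAGE)], False
    if age_on(dob, today) < MIN_AGE:
        headers = [("Location", INFO_PAGE), ("Set-Cookie", bump_cookie_header())]
        return 303, headers, False
    return 200, [], True


if __name__ == "__main__":
    today = date(2004, 6, 1)  # constructed "current date" for the demo
    print(handle_registration(date(1995, 1, 1), "", today))
    print(handle_registration(date(1984, 1, 1), "coppa_bump=1", today))
    print(handle_registration(date(1984, 1, 1), "", today))
```

Because the flag lives only in the browser session, closing the browser or clearing cookies removes it, which is why the mechanism is not described as fool-proof.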

Q: Are there examples of financial services (i.e. banking, insurance, taxes, investments) Web sites that do not want to collect data from children under age 13 and are not targeted to children implementing a “bump-out” mechanism?

A: Yes. A good example of an implementation of a COPPA “bump-out” mechanism on a financial services site can be found at http://nwinsurance.nationwide.com/nwinsurance/.

• On the Get-a-Quote form, choose District of Columbia as the state and choose Auto as the Quote type.
• Choose “Start a Quick Quote” and enter 1/1/1995 as your date of birth and start. Use 20006 as your zip code.
• An informational message is presented, explaining why your quote request cannot be accepted.

Q: I have a children’s area on my Website. Do I need the TRUSTe Children’s Seal in addition to the regular Web privacy seal?

A: Yes. TRUSTe requires that all licensees comply with TRUSTe’s Children’s program requirements if they knowingly collect (or maintain) Personally Identifiable Information from children under 13. License agreements and self-assessments must also be completed for both programs. If you have applied for TRUSTe’s Children’s Privacy Seal, your account manager will assist you with fulfilling all of these requirements.

EU Safe Harbor FAQ


Q: Who should apply for the EU Safe Harbor program?


A: If your company is doing business in Europe and you receive personal information, you should review with your legal counsel how your company is meeting the adequacy requirements of the European Directive on Data Protection.

Q: What are the benefits of complying with EU safe harbor framework?

A: The EU safe harbor framework provides predictability and continuity for U.S. and EU companies. All 15 EU member states are bound by the European Commission’s finding of “adequacy,” a provision that indicates fulfillment of legal requirements.

Therefore your company must only comply with the safe harbor framework rather than 15 different member state laws. Companies are deemed adequate upon complying with the safe harbor framework, so there is either no need for prior approval or such approvals are automatic.

Finally, the EU safe harbor framework provides U.S. organizations with a clear set of rules for dealing with EU authorities and prevents EU authorities from unfairly targeting U.S. companies.

Q: What happens if my company does not comply with the safe harbor framework?

A: According to the EU Directive on Data Protection, Data Protection Authorities in the individual member states must stop all data flows to companies that are not deemed adequate. In practice, Data Protection Authorities will have several mechanisms to ensure compliance, including legal recourse and negative publicity campaigns. Clearly, failure to comply with the EU Data Protection Directive can harm a U.S. company’s ability to do business in or expand business to Europe.

Q: My company is an Internet company based in the U.S. Does my company need to comply with the EU safe harbor framework?

A: While the law is unclear as to what types of companies should become safe harbor compliant, our advice is to consider the following scenarios:
• Internet companies whose brand is global in nature are likely to be accessed by European citizens and should comply with the safe harbor framework.
• Internet companies that are targeting European citizens through media and advertisement should comply with the safe harbor framework because they are likely to receive information about European citizens.
At a minimum in either scenario, joining a safe harbor program ensures that you are handling European data appropriately. You should also check with your legal counsel.

Q: My company is not an Internet company. Do I still need to join the EU Safe Harbor program?

A: If you receive personal information from European citizens, then you need to comply with the EU Data Protection Directive. To fulfill some of the requirements of the EU law, we have created a dispute resolution mechanism for offline privacy-related complaints.

Q: What are the components of the TRUSTe EU Safe Harbor Privacy Program?

A: There are two main components to the TRUSTe EU Safe Harbor Privacy Program. They include:

• Web Site Privacy Certification and Oversight: Similar to the current TRUSTe Privacy Seal program, TRUSTe will provide a certification program for data gathering and dissemination practices conducted via a Web site. The Web site privacy program will include enforcement of privacy policies – through quarterly monitoring and seeding -- as well as the TRUSTe Watchdog Alternative Dispute Resolution mechanism.

• Online and Offline Dispute Resolution: As a requirement for companies to meet the safe harbor privacy framework set forth by the Department of Commerce, TRUSTe will provide an alternative dispute resolution mechanism for Web based and offline privacy-related disputes. Under the requirements of the TRUSTe EU Safe Harbor program, all companies must seek certification for the Web site privacy practices as a prerequisite to consideration for the offline dispute resolution program.

Q: I am already a member of the TRUSTe Web seal program, why do I have to sign an additional addendum and pay an added fee?

A: There are additional requirements that must be fulfilled for companies that are meeting the safe harbor requirements rather than the general web seal program. Additionally, TRUSTe takes on additional liability and reporting requirements of aggregate data to the Department of Commerce and the European Commission for companies that are signing up to the Safe Harbor requirements.

Q: What is the TRUSTe EU Safe Harbor Offline Dispute Resolution Program?

A: Any company that wants to become fully safe harbor compliant must provide third-party dispute resolution both online and offline. TRUSTe will provide qualified companies with third-party dispute resolution for all privacy complaints.

Q: Why should my company join the TRUSTe EU Safe Harbor Offline Dispute Resolution Program?

A: This program builds on the knowledge and experience that TRUSTe has gained providing privacy-related dispute resolution since 1997.

Q: How does my company join the TRUSTe offline dispute resolution program?

A: Your company must first become a member of the TRUSTe EU Safe Harbor Web Privacy program. Your company should then submit an offline dispute resolution license agreement, a safe harbor compliant privacy statement, a document outlining your company’s internal procedures for implementing its privacy practices, a copy of the verification letter required by the Department of Commerce, and a check for the appropriate fee. Once this has been done, TRUSTe will contact you for any further information and the final approval. For more information, see http://www.truste.org/programs/pub_harbor_join.html

Q: My company does not have a Web site. Can we still join your offline dispute resolution program?

A: Yes. However, if your company creates a Web site at a later date, you must immediately notify TRUSTe and apply for the Safe Harbor Web Privacy program.

Q: What dispute resolution process will be used?

A: The dispute resolution process for online and offline complaints will follow the same process. For offline complaints, TRUSTe may receive complaints via email, fax, or mail. For Web-based complaints, TRUSTe may only receive complaints via email. An additional 10 business days is added to the existing dispute resolution process. Presently, all complaints must be in English unless you have signed up for International Services.

Q: Why should my company join the TRUSTe EU Safe Harbor Web Privacy program?

A: The TRUSTe Web safe harbor program provides U.S. companies with the following benefits:

• Clear guidelines for what a company must do to be safe harbor compliant;
• Assistance in creating a safe harbor compliant privacy policy;
• Fulfillment of a company’s need for verification of their privacy procedures; and
• Fulfillment of a company’s need for third party enforcement of the safe harbor for individual consumers.

Q: What does my company need to do to join the TRUSTe safe harbor web privacy program and self-certify to the Department of Commerce?

A: Similar to the current TRUSTe Privacy Seal Program, the process for becoming a safe harbor licensee contains several steps.
STEP 1. Complete the TRUSTe license agreement, safe harbor addendum, the privacy statement, and the verification documentation and submit these with appropriate payment.
STEP 2. A TRUSTe Account Manager will review these documents and conduct a Web site audit. If the site meets the standards of the TRUSTe program, it will be certified as a Safe Harbor Privacy Program licensee. Upon certification, TRUSTe will allow the site to display the TRUSTe EU Safe Harbor privacy seal.
STEP 3. Once the Web site portion of a company’s information practices has been certified, the account manager will review the application for offline dispute resolution services.
STEP 4. The company must inform the consumer of TRUSTe’s service in all subsequent communications to the consumer.
STEP 5. The company self-certifies to the Department of Commerce that it is safe harbor compliant. This can be done through the Department of Commerce Safe Harbor site at www.export.gov/safeharbor.


©1997-2001 TRUSTe. All Rights Reserved.