With online data privacy an increasing concern and privacy policies showing no signs of shortening, consumers may increasingly take quick comfort from readily recognisable “seals”. Sue Gold reports on recent UK “seal” initiatives by Which? and TRUSTe and others elsewhere in Europe.
Topic: Privacy
Who: Which? and TRUSTe
When: July 2012
Where: UK
Law stated as at: 8 August 2012
What happened:
The use of web privacy certification seals such as TRUSTe is well known in the US. In Europe the use of certification seals on websites is less common, but with the new EU Data Protection Regulation on the horizon and increased focus on websites, internet activity and accountability, the use of certifications to indicate "good privacy practices" could be on the increase.
There has been growing concern among consumers and regulators that privacy policies have become too complex and that increasingly no one is reading them. Attempts to promote layered privacy policies have had limited uptake, so what can be done to get the message across to customers about what is happening to their data?
Which? feasibility study
Which? are looking at the feasibility of creating a standardised privacy policy for online retailers in the UK and a trust mark.
Which? carried out research which shows that 80% of people are fairly or extremely concerned about their online privacy.
Supporting research by the Information Commissioner's Office (ICO) shows that 94% of consumers rate protecting personal information online as their joint top concern along with cybercrime, with a significant majority feeling that more should be done to protect their personal information.
Studies in the US and Europe show that consumers are more likely to purchase from a site carrying such a seal and are willing to pay more on websites that better protect their privacy, with one concluding "it turns out that when you are good on privacy you can charge more and make a great profit" (Sören Preibusch, University of Cambridge).
Which? are looking at the feasibility of running a scheme to provide e-commerce websites with a Which?-approved, consumer-friendly privacy policy. This, along with the Which? Seal, would indicate the company's commitment to the transparent and fair use of its customers' information.
Workshops with experts
Which? recently held a number of workshops with leading privacy experts to look at the practicalities of implementing such a scheme, including issues such as redress, transparency, accountability and good practice. One of the issues to be clarified is the scope of the due diligence that would be carried out before a seal is granted, and what use of the seal signifies in terms of privacy compliance.
Other issues included:
• should there be some form of regular recertification (e.g. annual), and what would that entail?
• where firms operate in a number of locations, different requirements may exist as to the level of detail to be included in a privacy policy, which may limit the benefit of a purely UK seal;
• what obligations should the certified entity have to notify changes in practice?; and
• will the certifying entity carry out audits, and in what format?
Other certifying entities in the US have tended to merely review the privacy policies of different organisations to check that the relevant content has been included rather than carrying out any more detailed due diligence.
This scheme would also differ from US schemes which tend not to have a standard policy. Under the TRUSTe scheme in the US the seal does not indicate that a website complies with any specific set of privacy rules but that the site has self-certified as complying with the site's own Privacy Statement.
TRUSTe UK certification scheme
TRUSTe offers online privacy solutions for European businesses to address regulatory compliance while building customer trust, in order to drive engagement and protect their brand. In July 2012 it launched a UK certification scheme to enable businesses to establish and follow best practices for managing customer information in accordance with UK data privacy standards.
The UK certification also focuses on the requirements of the Privacy and Electronic Communications Regulations 2003 as amended in relation to cookie consent and direct marketing.
To apply for certification an organisation must submit its privacy policy for review, ideally in the TRUSTe recommended format (though this is not essential). TRUSTe may require changes to be made to the policy and may request copies of underlying documentation relevant to it. TRUSTe have stated that currently approximately 10% of global applications are not approved.
Once a business is certified, it can display the green TRUSTe Certified Privacy Seal on its site. TRUSTe may then carry out ad hoc scanning to check for ongoing compliance. The TRUSTe Certification Solutions are available to manage privacy for all major online channels including websites, mobile sites, mobile apps, email, third-party data collection and cloud. The solutions include full-service Consumer Dispute Resolution Services that enable businesses to address consumer privacy complaints.
TRUSTe also provides solutions to help address requirements of the Privacy and Electronic Communications Directive as amended. These include a TRUSTe EU Cookie Audit and TRUSTed Consent Manager.
Other European certification schemes
Two German federal states, Schleswig-Holstein and Bremen, provide for privacy audits and privacy seals issued by their local Data Protection Authorities and based on local state law.
In Schleswig-Holstein, for instance, public authorities can have their IT products audited by the local Schleswig-Holstein DPA (Unabhängiges Landesamt für Datenschutz, or "ULD") and obtain a privacy seal. Once a public body has obtained such a privacy seal, it can use it both in tender procedures and in marketing. Private companies cannot be audited under this scheme unless their products are suitable for use by public bodies.
There is also a European Privacy Seal operated by EuroPriSe. The EuroPriSe trust mark is issued by an independent certification body to IT products and IT-based services after an evaluation. The EuroPriSe project consortium includes partners from eight European countries. Currently its register of Awarded Seals shows 25 entries.
Why this matters:
It is important to keep up to date on proposals for such schemes, as they are likely to set the minimum standards for industry compliance. If a standard privacy policy is agreed, organisations will need to be mindful of its requirements even if they do not sign up to the seal.
The new Data Protection Regulation will introduce an increased need to demonstrate compliance in the form of accountability, and certification seals may be one way to do so. Where firms already operate global privacy policies, adaptations may need to be made to reflect any agreed standards for local privacy policies.