TRUSTed Website Certification

Background

From TRUSTe’s website:

TRUSTe is the leading global Data Privacy Management (DPM) company and powers trust in the data economy by enabling businesses to safely collect and use customer data across web, mobile, cloud and advertising channels.

All TRUSTe solutions are engineered to enable businesses to continuously develop new and innovative products and marketing programs while adhering to best practices for providing customers with transparency, choice and accountability regarding the collection and use of personal information.

Principles

Excerpted from the TRUSTed Website Certification Requirements:

  1. Collection Limitation. Participant shall only collect PII where such collection is limited to information reasonably useful for the purpose for which it was collected, in accordance with the business’s privacy policy, with consent from the individual.
  2. Use of PII. Participant shall use PII in the provision of those services advertised or provided for, and in accordance with their posted Privacy Statement in effect at the time of collection, or with notice and consent…. (Inflection Principle 1)
  3. Choice. (Inflection Principle 4) Participant shall offer the Individual control over their collected [PII] as follows:
    1. Participant must provide the Individual an opportunity to withdraw consent to having PII used by the Participant for a Secondary Purpose.
    2. Participant must provide the Individual a Just in Time Notice and the opportunity to withdraw consent to having PII disclosed or distributed to Third Parties, other than Service Providers, at the time PII is collected;
    3. Participant shall honor and maintain the Individual’s choice selection in a persistent manner until such time the Individual changes that choice selection; and
    4. Participant shall provide a means by which the Individual may change their choice selection….

  4. Collection and Use of Third Party PII. Participant shall use Third Party PII collected solely to facilitate the one-time completion of the transaction that is the Primary Purpose for which the information was collected by the Participant except as allowed [for] Search Services…. A Participant that compiles information about Individuals, who are neither customers of nor registered users of, that Participant’s services; and then sells access to that information to Third Parties may provide search results containing Third Party PII without the notice and choice requirements noted above, providing:
    1. Information obtained about the Individual is from public or published sources which have no prohibition around onward transfer or use associated with the information;
    2. The Participant shall provide the Individual a mechanism to stop having their information displayed in search results:
      1. Such mechanism shall be easily accessible to the Individual; and
      2. Privacy Statement shall state how the Individual can stop having their information displayed in search results….

  5. Access. Participant must implement reasonable and appropriate mechanisms to allow the Individual to correct or update inaccurate PII…. If Participant denies access to PII, Participant must provide the Individual with an explanation of why access was denied and contact information for further inquiries regarding the denial of access….
  6. Data Governance. Participant shall implement controls and processes to manage and protect PII within its control…. Such controls and processes shall be appropriate to the size of the Participant’s business, and appropriate to the level of sensitivity of the data collected and stored. (Inflection Principle 5)

Further Reading

Link: TRUSTe Privacy Program Requirements