from the not-so-truste dept
TRUSTe, the organization whose seals of approval are used by many sites to prove that they’re trustworthy, especially with regards to privacy practices, has just agreed to pay the FTC $200,000 and change its representations about how it goes about certifying various sites. In particular, the FTC claims that TRUSTe did not review sites frequently enough. Separately, there were some shenanigans over the fact that TRUSTe switched from being a non-profit to a for-profit operation in 2008, but let users of the seal still tell people that TRUSTe was some sort of non-profit (as many in the public have believed).
The FTC?s complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in over 1,000 incidences, despite providing information on its website that companies holding TRUSTe Certified Privacy Seals receive recertification every year.
In addition, the FTC?s complaint alleges that since TRUSTe became a for-profit corporation in 2008, the company has failed to require companies using TRUSTe seals to update references to the organization?s non-profit status. Before converting from a non-profit to a for-profit, TRUSTe provided clients model language describing TRUSTe as a non-profit for use in their privacy policies.
The proposed order announced today will help ensure that TRUSTe maintains a high standard of consumer protection going forward. Under the terms of its settlement with the FTC, TRUSTe will be prohibited from making misrepresentations about its certification process or timeline, as well as being barred from misrepresenting its corporate status or whether an entity participates in its program. In addition, TRUSTe must not provide other companies or entities the means to make misrepresentations about these facts, such as through incorrect or inaccurate model language.
There is an interesting partial dissent from FTC Commissioner Maureen Ohlhausen, effectively challenging the issue with other websites still saying TRUSTe is a non-profit. While the issue is that TRUSTe was recertifying these websites, and thus should have said that they had to make the certification clear, Ohlhausen points out that it’s wrong to blame TRUSTe for statements made by other sites and not by TRUSTe itself.
Unlike Shell and Magui Publishers, the statement that TRUSTe provided to its clients was indisputably truthful at the time. During the period in which TRUSTe required client privacy policies to state that TRUSTe was a non-profit, TRUSTe was, in fact, a non-profit. Once TRUSTe changed to for-profit status, it no longer required clients to state its non-profit status and actively encouraged clients to correct their privacy policies. TRUSTe did not pass to clients any false or misleading representations regarding its for-profit status. Nor was TRUSTe?s recertification of websites a misrepresentation of TRUSTe?s non-profit status to its clients; during recertification TRUSTe again clearly communicated its for-profit status to clients by requesting that its clients update their privacy policies. Because TRUSTe accurately represented its non-profit status to its clients, TRUSTe cannot be primarily liable for deceiving consumers under a means and instrumentalities theory.
This argument makes a lot of sense, and as someone concerned about secondary liability in a variety of places, it does seem wrong for the FTC to hold TRUSTe responsible for the conduct of third party sites, even as it was recertifying them. Either way, this settlement is a good reminder that just because there’s a “trusted” certification on a site, it doesn’t always mean the site is trustworthy…