Privacy Seals Revealed
Find out what the symbols really mean

Many ebusinesses and Internet marketing associations are working to self-regulate their online privacy practices. Several privacy seal programs have been launched to encourage this effort and, in some cases, to build a revenue center around the consumer need for improved trust in the Web. Most privacy seals charge ebusinesses to display their unique symbols on Web sites.

A Web site displaying a privacy seal is, in concept, more trustworthy than other sites because it has been evaluated by a third party. However, several sites posting the seals had significant privacy breaches in 2000.

So, what do these seals really mean? Each program is different. Some run quick, automated scans of privacy policies, while others conduct elaborate internal audits covering many aspects of business practice. PerfectlyPrivate has conducted a qualitative study of each seal to help you better understand its significance.

Keep in mind that no seal can guarantee a site will always respect your privacy rights. You should always read the Web site's posted privacy policy to find out exactly how your information will be handled. You can also read PerfectlyPrivate's in-depth review of the top sites.

Privacy Seals Quick Reference Chart:

| Program | Scope | Ongoing Monitoring | Privacy Requirements | Complaint Process | Cost |
|---|---|---|---|---|---|
| BBBOnline | Privacy Policy Self-Assessment | Yes, random checks | Disclosure; Access; Data security | One of the best, based on Better Business Bureau model | $225 - $5,000 based on annual revenues |
| PricewaterhouseCoopers BetterWeb | Comprehensive business practices audit by PricewaterhouseCoopers | Yes | Disclosure | No | $15,000 |
| CPA WebTrust | Comprehensive business practices audit by a CPA | Yes | Disclosure; Accuracy; Choice; Access; Data security | Requires clients to use third-party arbitration | Price available on request |
| PrivacyBot | Automated Privacy Policy Review | Not clear | Disclosure | Automated nonbinding mediation | $30 |
| Secure Assure | Signed agreement to comply with privacy principles | Not clear | Encryption of financial data; no contact or data shared without consent | Monitored arbitration | $199 - $2,330 based on annual revenues |
| TRUSTe | Privacy Policy Self-Assessment | Yes, periodic reviews | Disclosure; Choice; Access; Accuracy; Data security | Consumer complaint resolution, full audit as necessary | $300 - $7,000 based on annual revenues |

BBBOnline

Overview

The BBBOnline seal appears on over 600 Web sites. If you are not in good standing with the Better Business Bureau, you do not qualify for the BBBOnline seal. We liked that. The seal also requires sites to post the BBBOnline child privacy seal if they collect personally identifying information from children. Launched in March 1999, BBBOnline is one of the most respected and thorough seal programs on the Web.

To receive the BBBOnline seal, a site must complete a 10-page questionnaire (19 pages for kids' sites). BBBOnline then verifies the answers. If its review finds that the site does not meet its privacy criteria, BBBOnline will tell the site what changes it must make before it can receive the seal. Cost to participate ranges from $275 up to $6,000 depending on the company's annual revenues.

Privacy watchdogs have criticized BBBOnline for its work with the Online Privacy Alliance, a self-regulatory group of industry leaders, which includes IBM, Hewlett Packard and Disney, and for granting its seal to Equifax when that company was being investigated by the FTC.

Key Findings

When you see the BBBOnline privacy seal it means that the site you are visiting has posted a complete privacy policy and that its practices have been evaluated and approved by BBBOnline. BBBOnline also requires:
- Customer access to their personal information
- Data security to protect personal information
- An individual employee responsible for monitoring and updating the privacy policy
- Privacy policy updates sent to BBBOnline
- Participation in the BBB dispute resolution process for complaints

BBBOnline prohibits its seal holders from sharing user information with third parties solely for marketing use by those third parties, even if the user has agreed to have their information shared.

BBBOnline requires opt-in, not opt-out, before Type II information can be shared. Type II information includes health, financial, religious, political, trade union membership, sexual, racial or ethnic origin or any other information that a user defines as especially personal.

Complaint Process

BBBOnline's complaint process is what really sets it apart from the other seals. It has built a privacy dispute resolution center upon its solid reputation in offline customer complaint resolution. If you have a bad experience with one of the sites that carries the seal, or with any site that posts a privacy policy, report it to BBBOnline. BBBOnline will only accept privacy-related complaints against sites that have a privacy policy. It posts complaints online for others to see, along with all follow-ups. The follow-up we reviewed indicates that BBBOnline has successfully gotten Web sites to improve their privacy policies and practices in response to complaints. However, it has not updated its complaint postings since March 31, 2000.

If a site refuses to take part in the dispute resolution process and BBBOnline believes the complaint is valid, it will forward the complaint to the Federal Trade Commission or other appropriate government agency, and will withdraw its seal. It is not clear if BBBOnline has ever actually done this.

PricewaterhouseCoopers - BetterWeb

Overview

Fifteen sites post the BetterWeb seal, a service of PricewaterhouseCoopers. This low number is understandable considering that the seal costs $15,000. In addition to privacy, the BetterWeb seal also addresses customer service, security and the sales practices of seal holders.

BetterWeb focuses solely on disclosure: it does not appear to withhold its seal for any particular business practices or privacy policies, as long as the site fully explains those practices and policies. In addition, BetterWeb bases its decision solely on the site's stated policies; it does not conduct audits or reviews of the site or its business practices.

Key Findings

- The BetterWeb seal indicates that the site you are visiting fully discloses how to navigate and purchase products, what you can expect from customer service, how your data is secured, and how your personal information is collected and used.
- The BetterWeb certificate requires very thorough disclosure in the privacy policy, including all areas where information is collected, who has access to it, and how it will be used. BetterWeb does not require clients to follow specific privacy principles.

Complaint Process

BetterWeb requires its clients to have their own clearly explained complaint process. It does not provide consumers with the opportunity to submit complaints against seal holders. You cannot go to the BetterWeb site and find results of disputes, as you can with some other seals. It is not clear if the BetterWeb seal would be revoked from a site that has broken its privacy policy.

CPA WebTrust

Overview

The CPA WebTrust seal was developed by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. Twenty-nine sites currently display the WebTrust seal. This distinguished seal indicates that a Web site has received an "unqualified report" by a professional accountant that its online company practices meet rigorous criteria not only for privacy, but also business practices, transaction integrity and data protection. So there is good reason to trust sites that carry this seal.

We especially liked the fact that WebTrust focuses on walking the walk, not just talking the talk. This program requires not only disclosure but also adherence to stated privacy policies. It uses a digital certificate to verify its validity, and you can click on a link to read the auditor's full report. In addition, a Certified Public Accountant (CPA) checks the site every 90 days to make sure they are adhering to the seal requirements. Because each business varies, WebTrust does not publish a fee schedule but offers to develop a cost proposal on request.

Key Findings

- WebTrust requires an audit opinion signed by a professional CPA, who must follow specific standards of professional ethics.
- Participating sites must be recertified at least every 90 days.
- A participant's privacy policy will explain what personal information is collected, how it's used, and what choices you may have about that.
- The WebTrust seal also requires specific privacy protection measures, including:
  --Maintaining accurate information
  --Giving consumers the choice to "opt out" of services
  --Notifying users of any cookies and how they are used
  --Consumers have access to their information and a means to correct inaccuracies
  --Determining security policies of third parties if information is shared
- Remember, WebTrust's seal does not mean that information is never collected about you or shared with others.

Complaint Process

Although WebTrust doesn't arbitrate consumer complaints, its "Business Practice Disclosure Principle" requires companies to post information on how to resolve complaints. It also requires use of a third-party dispute resolution service if no other program is mandated by a regulatory body.

PrivacyBot

Overview

PrivacyBot, launched in February 2000 by Invisible Hand Software, is built on a patent-pending, automated system that takes "the busy work" out of running a privacy seal program. Their electronic drafting system automatically writes a Web site's privacy policy and creates a privacy summary table for visitors. Their site claims that "in about ten minutes, you can create a near-custom Privacy Policy for your Web site that helps you comply with privacy laws and principles." We think that's a little fast to really reflect a company's practices.

You can post a temporary PrivacyBot Trustmark for free immediately after creating your privacy policy, and will receive the permanent Trustmark after you complete a more detailed questionnaire. PrivacyBot also features an automated complaint mediation service. The site currently charges an annual fee of $30, and will raise its price to $100 on December 1, 2000. Even with the new price, this is the least expensive seal program we've reviewed. The PrivacyBot Web site does not say how many sites carry their Trustmark.

Although their strong promotional approach made us wary, we think PrivacyBot does a good job encouraging businesses to post complete privacy policies. They say that they conduct periodic manual monitoring and "data seeding" of member sites to see if they are living up to their policies. They also conduct more extensive monitoring of children's privacy sites. Their system is convenient, fast and low-cost.

Key Findings

- The PrivacyBot Trustmark indicates that the site you are visiting has signed an agreement to post a complete privacy policy and to adhere to its own stated policies.
- Web sites joining the PrivacyBot Registry agree to eligibility standards which focus on disclosure, not on privacy protection fundamentals.
- When you click on the PrivacyBot seal, you can see whether there are current complaints. We liked this handy feature of their totally automated system.

Complaint Process

PrivacyBot's online automated mediation service appears in a simple, user-friendly format. It was created to help Web sites resolve privacy complaints "without getting lawyers into the act." Mediation is voluntary and nonbinding. Consumers must pay $1.50 to file a complaint, which PrivacyBot says is to weed out frivolous complaints. They donate these fees to non-profit privacy organizations. Current complaints and unfavorable mediation outcomes are posted for public view. PrivacyBot monitors complaints and may conduct manual monitoring of sites that receive complaints. They also state that they will suspend or revoke their Trustmark for unsavory privacy practices, and will refer particularly bad cases to the Federal Trade Commission.

Secure Assure

Overview

Actively launched in early 2000, this program requires Web sites to pass its S.A.F.E. (Secure Assure Faith Entrusted) screening process and to agree to comply with specific principles of security and privacy. Secure Assure also makes a directory available to the public, listing each company's history and contact information. Secure Assure also offers sites an automatic privacy profile generator that creates a simple, easy-to-read chart of a site's privacy policy. Participation costs range from $199 up to $2,330 depending on company revenues. When it launched, Secure Assure positioned itself as being more trustworthy and concerned about consumer privacy than other seals, directly challenging the current leading seal, TRUSTe.

Key Findings

- The Secure Assure seal indicates a Web site has agreed to the following principles:
  --secure server encryption to exchange financial information
  --no unsolicited promotional contact without prior explicit customer authorization
  --no sharing of personally identifiable information with third parties, without prior explicit customer authorization.
- We could not determine whether or not this seal requires a formal privacy policy, although Secure Assure encourages disclosure.
- Secure Assure conducts periodic random reviews of its members to ensure that they are living up to the requirements.

Complaint Process

Seal participants agree to work with their customers to resolve disputes through an arbitration process monitored by Secure Assure.

TRUSTe

Overview

Founded in 1996 by Lori Fena of the Electronic Frontier Foundation and Charles Jennings of Portland Software, TRUSTe is the most prominent privacy seal on the Internet. It is sponsored by some of the major Internet companies, including America Online, Microsoft and Intel. Its fees range from about $300 to $7,000 depending on the participant's annual revenues. According to Media Metrix, 88 percent of all U.S. Internet users visit a TRUSTe-licensed site each month.

Like many seal programs, its privacy review is based primarily on each participating company's self-assessment. TRUSTe periodically reviews participating Web sites to make sure the posted privacy policies meet program requirements, and for Web sites aimed at children, TRUSTe offers a unique children's seal for companies that meet its requirements.

Because of its high visibility, any privacy gaffe by TRUSTe or its members immediately becomes news. In August 2000, TRUSTe drew criticism for violating its own privacy policy. The site used a third party, Internet.com, to track personally identifiable information. TRUSTe claimed it had no knowledge this was happening, and it also terminated its connection with Internet.com the same day. This privacy breach was reported by Interhack, a Columbus, Ohio, security consulting firm.

In July 2000, Interhack reported that two sites carrying the TRUSTe seal, Lucy.com and Fusion.com, had been violating their posted privacy policies by secretly forwarding personal information to Coremetrics, an Internet marketing company. TRUSTe vowed to investigate, but no results are posted on their Web site. Both sites eventually dropped Coremetrics. TRUSTe was also criticized in the past for not following up on privacy invasions by two major seal holders, Real Networks and Microsoft, on the basis that the privacy invasion was a fault of those companies' software and not their Web sites. TRUSTe was criticized for awarding GeoCities its Trustmark when the site was under investigation by the FTC. In addition, TRUSTe has taken heat because it is sponsored by some of the major Internet companies, all of whom have had very public privacy problems.

Key Findings

- When you click on the TRUSTe seal, you will go directly to the Web site's privacy statement, where you can read what information is collected, how the information is used, and who the information is shared with.
- TRUSTe requires participants to offer:
  --consumer choice and consent over how information is used
  --appropriate data security protection
  --a procedure to ensure data accuracy and quality … consumer access to correct inaccuracies
- TRUSTe conducts periodic reviews of seal holders to determine if they are living up to their policies.

Complaint Process

TRUSTe provides a separate "Watchdog" page for consumers to report suspicious activity or privacy violations of its seal participants. It also furnishes a consumer complaint and resolution process. If TRUSTe believes a participant has violated its posted privacy practices, one of its official auditors will conduct an "escalating investigation," and will advise the participant about how to correct the problem. If no correction is made, the seal will be revoked. TRUSTe's official auditors are PricewaterhouseCoopers LLP and KPMG Peat Marwick LLP. From time to time, TRUSTe posts results of its consumer complaint investigations, though no information could be found on the recent privacy upsets cited above.