
OCTOBER
TOP 5 PRIVACY STORIES
From the Desk of the Executive Director: From guidelines to practices, today's new standards are evolving to meet the needs of the growing network.
Privacy Best Practices: How do you manage privacy as your company is set to launch a revolutionary wireless communications product? This month's Q&A is with Wally Hyer, who explains the privacy behind AT&T Wireless' new FindFriends service.
Industry Insider: Most Privacy Officers cite education and corporate-wide compliance as their number one responsibility. Stephen Cobb of ePrivacy Group explains how companies can jump ahead through privacy training.
The Politics of Privacy: The Network Advertising Initiative just released new guidelines on the use and disclosure of Web beacons. NAI's director, Trevor Hughes, gives TRUSTe members an overview.
TRUSTe TIPS: Monthly privacy tips for our members. This month: COPPA.
Stay Current: Privacy and Security Events.
Bits & Pieces: Current TRUSTe happenings and how to take advantage of them.
Guideline-based Approaches to Emerging Privacy Practices
By Fran Maier
It seems that every day TRUSTe gets an inquiry from a member company asking for guidance: Can I do this? What about that? Is this ok? How do I do that? These questions remind me that we are still very much in the early stage of new business models and technologies, and at a time when legislative and other policies are still evolving rapidly.
Business models, technologies, and mediums change, but we believe that a commitment to consumer privacy should be maintained even in the most turbulent times. Rather than trying to continuously bring out new program requirements and policies, however, we are increasingly focused on offering our member companies guidelines for best practices.
In 1997, TRUSTe started with a base program based on the FTC's Fair Information Practices. Over time, the implementation of these principles has evolved as a result of new business models, practices and technologies, as well as business trends. In 2001, as a response to the flurry of bankruptcy filings and specifically the Toysmart case, TRUSTe developed guidelines for Mergers, Acquisitions, and Bankruptcy. We invited consumers, government and industry to respond and provide feedback, much of which was incorporated into a final set of requirements.
We are now about to launch TRUSTe License Agreement 8.0 (no coincidence given the emergence of online services and TRUSTe) which reflects ongoing developments in our policies and acceptable standards. This new license agreement addresses new practices and clarifies the principles laid out in the previous agreement.
New web-based technologies have emerged that impact privacy. In these cases, guidelines on appropriate use are extremely helpful. The Network Advertising Initiative's approach to Web Beacons is a case study of this approach (see the article from NAI's Executive Director Trevor Hughes in this newsletter).
Finally, as new mediums become part of the networked world, a similar privacy guidelines-based approach will be needed. To that end, we are working with a coalition of companies to create privacy guidelines for wireless devices (see the Q&A with Wally Hyer of AT&T Wireless on their approach to ensuring privacy with the launch of the FindFriends service).
As new practices arise, we will continue to use guidelines as the first step toward informing the changes in our program requirements. These guidelines will be based upon our implementation experiences with our members and input from the privacy community. We hope you will provide us with feedback on these guidelines, so we can make our program as effective as possible.
As I mentioned, we are wrapping up the next version of the TRUSTe License Agreement 8.0. Stay tuned for details and implementation guidelines.
An Interview with Wally Hyer, Chief Privacy Officer, AT&T Wireless
This summer, AT&T Wireless introduced Find Friends, the first service in the United States that allows people to locate others - with their consent - through a few keystrokes on a wireless phone. With Find Friends, an AT&T Wireless customer can see the approximate geographical location - for example, a street intersection - of someone he or she may wish to contact and can then choose to call that person, send a text message, or arrange a meeting.
TRUSTe asked Wally Hyer about how AT&T Wireless incorporated privacy protections and customer expectations into this new service.
TRUSTe: How did you ensure that privacy was a priority for AT&T Wireless as Find Friends was developed?
Hyer: The importance of consumer privacy is ingrained in our corporate culture. Even before AT&T Wireless became an independent company in July 2001, our senior management team began work to create the Chief Privacy Officer post, a Privacy Council comprised of representatives from all parts of the business, and a Privacy Policy.
Our Privacy Policy is based on the concept that consumers deserve to know how their personal information is used and treated, to exercise choice about how their information is treated, to have their information safeguarded, and to communicate with us about our privacy policies.
We use company-wide training, an Intranet site, and other means to keep our employees educated about how these principles apply to our business. So the employees who worked on Find Friends were already knowledgeable about our commitment to consumer privacy, and they were guided by those principles while collaborating on the subtleties of the offering. We had established privacy as a priority for the business long before Find Friends was even on the drawing board.
TRUSTe: How were those privacy principles applied to Find Friends?
Hyer: We put our customers in complete control of Find Friends by giving them the tools to decide whether and how they want their location information shared.
First, in order to use Find Friends, they must create a buddy list of other customers they want to locate, which requires getting each person's consent. Once you've consented to be on someone's buddy list, you can always take yourself off or simply choose not to be located for any length of time. In addition, you're informed every time someone queries your location. So our customers are in the driver's seat.
TRUSTe: What challenges do you face when you are first to market with a product that could have privacy implications, like Find Friends? Are any special precautions necessary?
Hyer: It's exciting to be the first to offer a new service, but it makes the privacy challenges even greater. We weren't able to learn from anyone who had gone before us, so we had to be extremely thorough in our privacy review. It's also important to get the perspective of a third party. In the case of Find Friends, we talked with TRUSTe about the service before it was introduced and benefited from the feedback we received. We knew that if we could satisfy TRUSTe's standards in addition to our own, we would meet our customers' privacy expectations.
TRUSTe: How does AT&T Wireless' commitment to privacy help the company in the marketplace?
Hyer: We believe that a strong and meaningful privacy policy is essential to building trust with consumers and spurring adoption of new services. That's why privacy is a key consideration with all our offerings. Consumers trust our brand, but we need to live up to their expectations. In the competitive wireless marketplace, privacy is a business issue.
The Value of Privacy Training
By Stephen Cobb, ePrivacy Group
Companies charting a course through the unsettled seas of consumer privacy concerns have spotted some serious icebergs during the last twelve months: major legal and regulatory settlements have hit brand name companies in the pharmaceutical, software, publishing and Internet service sectors. When you analyze these privacy cases, one of the most consistent themes to emerge is employee training. At both the state and federal level, regulators looking to protect consumer privacy have made it clear that employee privacy training is one of the most basic elements of industry best practices in privacy.
Consider the publishing company that invited people to subscribe online but inadvertently enabled anyone on the Web to access, for several days, a text file containing about 12,000 consumer magazine subscription orders (including names, mailing addresses, email addresses and, in some cases, credit card numbers). This summer the company settled with Attorneys General from several states over what was originally reported as a security breach (apparently due to a coding error during the execution of an internal marketing project) but was later characterized as a privacy incident.
In the settlement, the company agreed to pay $500 to each of the approximately fifty consumers whose credit card data were exposed, and $100,000 to the New York Department of Law, to be split among the various states involved in the action. The company also agreed to implement new online privacy controls. The first item listed under privacy controls was training. The company was admonished to address privacy risks "by means that include: (i) management and training of personnel." In other words, training employees was identified as an essential privacy control that companies must employ, not just an optional extra to be considered if there happened to be a budget surplus at the end of the year.
This conclusion was underlined by the settlement in August between ten states and a major online advertising company whose "practices in collecting and using data from and about Internet users" came under close scrutiny. In the settlement, the company agreed to "undertake reasonable efforts to educate its clients in technical and business practices that promote Users' privacy," and also to "employ reasonable technical and employee education procedures and mechanisms to safeguard the security and integrity of User Data."
Training also features in the FTC's privacy settlements with a major drug company and a leading Internet service company. In both cases, the risks to privacy posed by a lack of proper training were highlighted. The drug company was instructed to examine "risks posed by lack of training" and to mitigate these risks in "each relevant area of its operations." The Internet service company agreed to undertake a risk assessment "in each area of relevant operation, including: (1) employee training and management."
The unavoidable conclusion is that failure to provide adequate privacy training to employees exposes a company in two ways. First, the probability of a damaging privacy breach occurring is considerably greater if a company does not provide employees with adequate privacy training. Second, if a privacy incident does occur, the company's ability to deflect criticism is seriously undermined if it cannot document that it has been providing appropriate privacy training to employees. Privacy training is not just about avoiding problems and minimizing risk; there are positive benefits as well. As employees become more "privacy-savvy" they often suggest improvements in privacy practices and procedures, strengthening the company's ability to deliver on its privacy promises to consumers and deepening the trust that is so critical for success in business today.
Stephen Cobb, Senior VP of Research and Education, ePrivacy Group, is a Certified Information Systems Security Professional and author of Privacy for Business: Web sites & Email.
The Network Advertising Initiative: Guidance at the Intersection of Privacy and Technology
By Trevor Hughes, Network Advertising Initiative
The Network Advertising Initiative (NAI) is an online privacy self-regulation success story. Since 1999, we have focused on creating guidelines and best practices surrounding emerging web-based technologies and how those technologies impact consumer privacy, seeking input from all interested parties.
Comprised of the leading Internet advertising networks, the NAI was formed at the behest of the Federal Trade Commission and has been implementing self-regulatory principles that it developed in consultation with the FTC and Commerce Department since their adoption on July 29, 2000.
The NAI Self-Regulatory Principles govern the online profiling practices of the NAI member companies (the NAI Principles use the phrase "online preference marketing" or "OPM" to describe profiling). OPM is a process that involves the collection of non-PII "clickstream" data across web pages to determine or predict consumer characteristics or preferences for use in ad delivery on the Web. The NAI Principles require each NAI member to post clear and conspicuous notice about the OPM practices of the NAI member as well as the user's ability to choose not to participate. Consumers can also opt-out of OPM by visiting the NAI website, www.networkadvertising.org.
The NAI Principles require a strong enforcement and compliance partner to ensure the Principles are being upheld. Through the TRUSTe Watchdog program, the NAI provides consumers with a recognized and reliable mechanism for raising complaints related to the NAI Principles. NAI members involved in OPM are also required to undergo periodic independent audits of their practices to ensure compliance with the NAI Principles. These audits are provided to TRUSTe, which in turn issues a seal to be displayed on the member's site.
The experience of building a successful online self-regulatory program gave the NAI expertise in dealing with privacy issues associated with emerging technologies. So today, the NAI has grown and expanded the scope of its activities. The group is currently finalizing a document to guide the use of web beacons (a.k.a. "web bugs"). Over 25 organizations, including TRUSTe, participated in the drafting of the web beacon guidelines, with the ultimate goal of providing businesses and consumers with a workable set of parameters for the appropriate use of the technology.
The NAI has also emerged as an important resource for legislators and regulators in the U.S. and Europe on issues of privacy and technology. The group has been active in both the House and Senate on numerous bills involving privacy. In fact, the concept of "robust notice" in the Holling's Privacy Bill was borrowed from the NAI Principles! The NAI was also very active on the privacy amendment to the EU telecommunications directive - and was even asked to testify on "cookies" before the committee overseeing the amendment.
The NAI will continue to provide important guidance at the intersection of privacy and technology. This guidance can come from self-regulatory programs (such as the NAI Principles and the web beacon guidelines), continued advocacy in the US and abroad, or simply providing a public policy forum for members.
Our inclusive approach, working with government, industry and oversight groups like TRUSTe, has proven successful in creating and adopting sensible privacy standards and guidelines. The NAI will continue with this approach and provide important guidance at the intersection of privacy and technology.
Trevor Hughes is the executive director of the Network Advertising Initiative.
TRUSTe Member TIPs
This Month: COPPA
Are you collecting, or thinking about collecting, age information? If so, make sure you have considered the implications of the Children's Online Privacy Protection Act (COPPA). You must comply with COPPA if:
- You operate a website or service that is specifically aimed at children under 13 AND you collect and maintain PII; OR
- You operate a general audience website that collects both age and PII.
If you operate a general audience website and don't want to collect and maintain children's PII, you may create a "bump-out" mechanism. To implement "bump-out", a session cookie is set that directs the user to an informational page explaining why registration cannot be accepted. The presence of this session cookie prevents the user from changing their age on the registration form and resubmitting. If you have any questions as you consider implementing such a mechanism, ask your TRUSTe account manager.
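As an added illustration (this is not code from TRUSTe or from the newsletter), here is the bump-out flow described in the tip written as a plain Python request handler. A minimal request/response model stands in for a web framework so it runs offline; the cookie name coppa_bump, the page path /why-no-registration and the form field age are assumptions.

```python
"""COPPA 'bump-out' mechanism, modelled as a plain request handler.

Added example, not TRUSTe's code. The cookie name, page path and form
field below are assumptions chosen for the illustration.
"""
from dataclasses import dataclass, field

BUMP_COOKIE = "coppa_bump"          # assumed cookie name
INFO_PAGE = "/why-no-registration"  # assumed informational page path
COPPA_AGE_LIMIT = 13                # COPPA applies to children under 13


@dataclass
class Request:
    path: str
    form: dict = field(default_factory=dict)     # submitted form fields
    cookies: dict = field(default_factory=dict)  # cookies sent by the browser


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def set_session_cookie(resp, name, value):
    # No Expires/Max-Age attribute: a session cookie that the browser
    # discards when the session ends. HttpOnly keeps page scripts from
    # reading it.
    resp.headers["Set-Cookie"] = f"{name}={value}; Path=/; HttpOnly; SameSite=Lax"


def handle_registration(req):
    # 1. Bump-out cookie already present: the user told us earlier in this
    #    session that they are under 13. Refuse the form whatever age is
    #    submitted now, so the age cannot simply be changed and resent.
    if req.cookies.get(BUMP_COOKIE) == "1":
        return Response(303, headers={"Location": INFO_PAGE})
    # 2. Parse the age strictly; reject garbage instead of guessing.
    try:
        age = int(req.form.get("age", ""))
    except ValueError:
        return Response(400, "age must be a whole number")
    if age < 0 or age > 130:
        return Response(400, "age out of range")
    # 3. Under 13: set the session cookie and redirect to the informational
    #    page. Nothing the child typed (name, email, or the age itself) is
    #    stored, which is the point of bumping out.
    if age < COPPA_AGE_LIMIT:
        resp = Response(303, headers={"Location": INFO_PAGE})
        set_session_cookie(resp, BUMP_COOKIE, "1")
        return resp
    # 4. 13 or over: accept the registration (persisting it is out of scope).
    return Response(201, "registration accepted")


def simulate_session(submissions):
    """Replay a sequence of age submissions from one browser session,
    carrying cookies forward the way a browser would.
    Returns the list of status codes observed."""
    cookies = {}
    statuses = []
    for age in submissions:
        resp = handle_registration(Request("/register", {"age": age}, dict(cookies)))
        statuses.append(resp.status)
        set_cookie = resp.headers.get("Set-Cookie")
        if set_cookie:
            name, value = set_cookie.split(";", 1)[0].split("=", 1)
            cookies[name] = value
    return statuses


if __name__ == "__main__":
    # Constructed scenario: a child enters 11, is bumped out, then tries
    # again with 25 in the same session and is still redirected.
    print(simulate_session(["11", "25"]))  # [303, 303]
    print(simulate_session(["25"]))        # [201]
```

The cookie carries only a flag, never the age or any other detail the user entered, and it is session-scoped so a shared or family computer is not blocked in later sessions. The informational page it redirects to should itself collect no information. Note that the cookie records the site's own knowledge that a visitor said they are under 13; it is a compliance mechanism for the registration flow, not a general access control.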
Privacy and American Business' Privacy Leadership Group Briefing and Workshop
Date: December 5-6, 2002
Location: Omni Shoreham Hotel, Washington, D.C.
TRUSTe members receive a special rate. For more information on the event, please visit www.pandab.org or call 201-996-1154.
TRUSTe Announces 2003 Price Schedule - Members Encouraged to Renew Certification and Receive Rate Protection for up to Two Years.
Effective January 1, 2003, TRUSTe will be raising its license fees. TRUSTe is currently accepting renewals under the normal price schedule. Members can also take advantage of a new 2 year certification package and rate protect themselves through 2004. Complete renewal applications must be received by December 31, 2002.
For renewing members, please contact George Mamashiani by phone at 415-618-3403 or by email at gmamashiani@truste.org. For new members, please contact Michelle Lucas by phone at 415-618-3402 or by email at mlucas@truste.org.
TRUSTe Launches Privacy Education Services
On October 6, 2002, TRUSTe and ePrivacy Group introduced the first-ever online privacy training course for businesses. Now businesses can use a turnkey solution to educate everyone from executives to call center employees on how to protect customers' personal privacy.
Announced at the Privacy & Security Academy & Expo in Chicago, the annual conference of the International Association of Privacy Officers, the joint education initiative was designed to enable privacy officers to fulfill needs in compliance and corporate-wide education. The training offers a curriculum, developed by the privacy education experts at ePrivacy Group and honed with input from TRUSTe gained from their experience with 1500 member companies. The training modules are delivered online, to minimize both costs and workplace disruptions, and can be customized to meet a company's specific needs.
For more information, please contact Dave Steer by email at dsteer@truste.org.
Got Feedback?
We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to editor@truste.org.
Thanks to the following businesses and organizations for their ongoing support:
Privacy Goes International -- TRUSTe is gearing up to launch a Privacy Translation Services program to help companies globalize their privacy strategy. Stay tuned for details next month. To learn more, please contact our business development staff at 415-618-3402.
TRUSTe is currently compiling case studies of privacy in action, highlighting the best practices of our members. If you would like to participate in our case study program, please contact Dave Steer by email at dsteer@truste.org.