September 2002 -- Volume 6 -- Number 8 -- newsletter@truste.org
AUGUST TOP 5 PRIVACY STORIES

1. Net Privacy Loses a Voice (CNET - August 26, 2002)
2. Grudges Threaten Privacy Measure (San Francisco Chronicle - August 25, 2002)
3. HHS Issues Privacy Rules for Use of Health Records (Washington Post - August 10, 2002)
4. Blocking SPAM on the Homefront (BusinessWeek - August 23, 2002)
5. Who's Policing the Credit Cops (BusinessWeek - August 29, 2002)

From the Desk of the Executive Director:
Transparency, Defined. »Learn More

Politics of Privacy:
California has been a hotbed of privacy activity this Summer. Amidst all the activity, pay attention to movement from the new California Office of Privacy Protection and its chief, Joanne McNabb. »Learn More

Privacy Best Practices:
Privacy breaches can happen anywhere on your web site, says Watchfire Corporation's CEO Peter McKay. Read this column to better understand vulnerability trends and how to best inoculate your company from outside invasion. »Learn More

Bits & Pieces: 
Current TRUSTe happenings and how to take advantage of them. »Learn More

Stay Current: 
Upcoming privacy and security related events. »Learn More

TRANSPARENCY, DEFINED.

Main Entry: trans·par·ent
Etymology: Middle English, from Medieval Latin transparent-, transparens, present participle of transparēre to show through, from Latin trans- + parēre to show oneself
Date: 15th century

1 a (1) : having the property of transmitting light without appreciable scattering so that bodies lying beyond are seen clearly : PELLUCID (2) : allowing the passage of a specified form of radiation (as X rays or ultraviolet light) b : fine or sheer enough to be seen through : DIAPHANOUS

2 a : free from pretense or deceit : FRANK b : easily detected or seen through : OBVIOUS c : readily understood synonym see CLEAR
(Merriam-Webster's)

Transparency is all about "showing oneself." It is about disclosure and clarity. It is about showing not only what you do but also how you go about doing it. By becoming more transparent you become more accountable.

Transparency has long been a central "value" of the privacy conversation. At the American Society of Association Executives conference I attended recently, increased transparency was emphasized not only as a best practice but also as a requirement for doing business in our times. Recent corporate business scandals have highlighted a trend already driven by the digital revolution, globalization, and the ongoing spread of democracy.

It's not easy. We struggle with transparency all the time. Do we want to tell our customers everything we collect and how we do it? Do we want to tell our competitors? What about security? What about the privacy of our partners?

At TRUSTe, we aim to help our members become more transparent, more clear and forthcoming with consumers about their privacy practices. We believe that this builds trust and a more trustworthy reputation. It also helps consumers tell apart, and pass over, companies that don't shine a light on their practices.

In addition, we are working with the Short Notices working group to develop a more easily understood privacy statement for consumers.

We are also looking at ourselves, trying to be more transparent by providing more information on how we serve you, what consumer complaints we get (see Sidebar), how we enforce our requirements and so on. We all have more work to do to reach this high goal.

Again, we value your feedback. Do you have a story to share about your company's transition to a more transparent way of doing business? Send us email at editor@truste.org.

California's New Privacy Office Advises Consumers and Business
By Joanne McNabb, Chief, California Office of Privacy Protection

California's new Office of Privacy Protection in the Department of Consumer Affairs officially opened in November 2001, making California the first state in the nation to have an office dedicated to protecting and promoting consumer privacy.

Consumer Information and Assistance
With a staff of eight, the Office has responded to over 2,500 consumer requests for assistance; put up a web site containing consumer information, state and federal privacy laws, pending legislation, and other privacy resources; published four consumer information sheets in five languages; and held 13 community workshops on identity theft, financial privacy and general privacy protection.

The Office also works with law enforcement and with business. Our coordination with law enforcement has focused on identity theft, particularly on a new California law that took effect in January 2002. The law gives identity theft victims and law enforcement a valuable tool: the right to get copies of documents on accounts fraudulently opened using the victim's identity.

As is often the case with newly enacted laws, the challenge is to get the word out. The Office developed forms and procedures to facilitate implementation of the new law, distributed them to local law enforcement agencies, and joined the state Attorney General in a meeting with business representatives to explain the procedures. Since then the Office has functioned as a clearinghouse for local law enforcement, assisting them by intervening when they ran into problems in getting businesses to comply.

We found that contacting a company's privacy officer was usually the quickest way to get results. Usually, the problem was that the information on the new law hadn't been communicated to all the parts of the organization, and with the assistance of the privacy officer, we were able to get help for the victim right away.

Best Practices Recommendations
Another major project of our first 10 months was the publication of recommended practices for handling Social Security numbers (SSNs). The Office's recommendations were developed in part as guidelines to California's new law restricting the public display of SSNs. After being contacted by a number of businesses with questions on the law, we convened an advisory committee. This advisory committee included representatives of the banking, health care, insurance, retail and information industries, as well as consumer and privacy advocates. In addition to helping us formulate our recommendations, issues raised by the advisory committee led to the drafting of proposed amendments to the law, which at the end of August were nearing passage in the Legislature. Our recommendations are based on the widely accepted fair information practice principles, and also on practices recommended by the Canadian federal and provincial privacy commissioners for handling Canadian Social Insurance Numbers and by the U.S. General Accounting Office for federal agencies' handling of SSNs.

The resulting Recommended Practices for Protecting the Confidentiality of Social Security Numbers (available at www.privacy.ca.gov) presents specific practices organized under six general recommendations:

1. Reduce the collection of SSNs.
2. Inform individuals when you request their SSNs.
3. Eliminate public display of SSNs.
4. Control access to SSNs.
5. Protect SSNs with security safeguards.
6. Make your organization accountable for protecting SSNs.

The recommendations cover the issues in the law, but also go beyond it to address internal practices and additional safeguards. The recommendations are not regulations, but are intended to serve as guidelines to assist businesses and other organizations in moving towards the goal of aligning their information handling practices with the fair information practice principles.
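The recommendations above are stated at the policy level. The following is an added example, not part of the Office's publication or the newsletter, showing how a small system can put recommendations 1 and 3 through 6 into practice: it keeps only a keyed hash (HMAC-SHA256) and the last four digits instead of the full number, so that identity checks still work without the number being stored; it never displays more than a masked form; it gates that display on a role table; and it writes an audit entry for every store, match and display. The role table, the key, the record ids and the sample SSNs are all constructed for the example; the structural validity checks (area 000, 666 and 900-999, group 00 and serial 0000 are never issued) are the Social Security Administration's published rules.

```python
"""Added example: SSN handling that stores a keyed hash and last four digits
instead of the number, masks on display, enforces a role check and keeps an
audit log. Role table, key and sample data are constructed for the demo."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timezone

# Constructed role table; only these roles may see even the masked form.
ROLES = {"alice": "admin", "carol": "support", "bob": "marketing"}
DISPLAY_ROLES = {"admin", "support"}


def normalize_ssn(ssn):
    """Strip separators, require nine digits and reject values the SSA never issues."""
    digits = re.sub(r"[\s-]", "", ssn)
    if not re.fullmatch(r"\d{9}", digits):
        raise ValueError("SSN must be nine digits")
    area, group, serial = digits[:3], digits[3:5], digits[5:]
    if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
        raise ValueError("SSN has a reserved area, group or serial")
    return digits


def mask_ssn(digits):
    """Public-display form: only the last four digits survive."""
    return "***-**-" + digits[-4:]


class SsnVault:
    """Holds HMAC tokens plus last-four digits; the full SSN is never retained."""

    def __init__(self, key):
        self._key = key          # secret key for the HMAC; keep it out of the record store
        self._records = {}
        self.audit_log = []      # accountability: every access leaves a trace

    def _token(self, digits):
        return hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()

    def _log(self, actor, action, record_id, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "record": record_id, "outcome": outcome,
        })

    def store(self, record_id, ssn, actor):
        """Reduce collection: keep only what matching and masked display need."""
        digits = normalize_ssn(ssn)
        self._records[record_id] = {"token": self._token(digits), "last4": digits[-4:]}
        self._log(actor, "store", record_id, "ok")

    def matches(self, record_id, candidate, actor):
        """Verify a presented SSN against the stored token in constant time."""
        try:
            digits = normalize_ssn(candidate)
        except ValueError:
            self._log(actor, "match", record_id, "malformed")
            return False
        rec = self._records.get(record_id)
        ok = rec is not None and hmac.compare_digest(rec["token"], self._token(digits))
        self._log(actor, "match", record_id, "ok" if ok else "mismatch")
        return ok

    def display(self, record_id, actor):
        """Control access: only permitted roles get the masked form, and denials are logged."""
        if ROLES.get(actor) not in DISPLAY_ROLES:
            self._log(actor, "display", record_id, "denied")
            raise PermissionError(f"{actor} may not view SSN data")
        rec = self._records[record_id]
        self._log(actor, "display", record_id, "ok")
        return "***-**-" + rec["last4"]


if __name__ == "__main__":
    vault = SsnVault(os.urandom(32))            # constructed demo key
    vault.store("cust-1", "123-45-6789", "alice")  # constructed sample SSN
    print(vault.matches("cust-1", "123456789", "carol"))   # True
    print(vault.display("cust-1", "carol"))                # ***-**-6789
    try:
        vault.display("cust-1", "bob")
    except PermissionError as exc:
        print(exc)
    for entry in vault.audit_log:
        print(entry)
```

The design choice worth noting is that the vault can answer "does this SSN belong to this record?" without being able to reveal the number, which is the strongest form of "reduce the collection": a database compromise yields tokens that are useless without the HMAC key, which lives elsewhere.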

Navigating the Privacy Maze
by Peter McKay, President and COO, Watchfire Corporation

Privacy breaches can happen anywhere on your web properties, and the repercussions can be significant:

  • Lost revenue and business opportunities.

  • Brand and reputation erosion.

  • Adverse media attention.

  • Unwanted scrutiny from consumer advocates.

  • Class-action lawsuits.

  • Legislative penalties.

Watchfire Corporation recently commissioned a website risk management survey to study the emerging website issues that concern senior risk executives in today's leading organizations. PricewaterhouseCoopers summarized the results in a published report, "Closing the Gap in Website Risk Management", and found that in the area of website privacy only 53 percent of websites have formally stated privacy policies, and only 40 percent monitor their websites for privacy compliance. Of those companies that do actively monitor, 83 percent do it manually. Awareness of the Platform for Privacy Preferences Project (P3P) is very low, with 28 percent admitting no knowledge of this new standard.

These results indicate real risk exposure associated with website privacy, and a significant gap between the goal of ensuring privacy and the actions being taken to achieve it.

Closing the privacy gap
Building trust can go a long way in convincing consumers to spend online. Effective, proactive, and cost-efficient privacy management can minimize the risk of regulatory investigation, class-action lawsuits, and legislative enforcement, and enhance the trust and confidence of your customers and partners. But how do you accomplish all this and still retain your sanity?

Tip #1: Adhere to privacy policies
Ultimately, a company's fear of a privacy breach might be the best incentive to be strict about privacy policies. CNET.com reported in March 2001 that U.S. Bancorp Piper Jaffray failed to adhere to its posted privacy policy and had to pay $4 million in fines. Other firms that have been sued by consumers or the US Federal Trade Commission include Liberty Financial, RealNetworks, Chase Manhattan, and Toysmart.com.

Tip #2: Understand worldwide privacy legislation
Adhering to new privacy legislation is quickly becoming a top concern for companies around the globe. You must identify and stop online privacy breaches to ensure legislative and industry compliance. Some key pieces of legislation worldwide are:

  • The Gramm-Leach-Bliley Act of 1999 (US) restricts third party data sharing. Business websites must provide notice and opt-out options prior to sharing information with non-affiliated third parties.

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) (US) requires companies collecting or transmitting health information to provide privacy protections. They must also establish a company official responsible for privacy compliance (Chief Privacy Officer).

  • The Children's Online Privacy Protection Act of 1998 (COPPA) (US) safeguards the collection and use of personal information from children under the age of 13, requiring parental consent for any such activity.

  • The European Union Data Protection Directive of 1998 requires all member states to enact wide-ranging data protection law that complies with its principles.

Tip #3: Understand the Platform for Privacy Preferences (P3P)
P3P, an initiative of the World Wide Web Consortium (W3C), aims to help users be informed of website practices by simplifying the process of reading privacy policies. With P3P, key information about what data a website collects can be conveyed to the user automatically, and discrepancies between a site's practices and the user's preferences can be flagged automatically. Depending on the browser's filter setting, the cookies on a site may or may not be set as expected. The result -- the website page or pages may not be served to the user as intended.
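To make the mechanism concrete, here is an added example (not code from the original column or from Watchfire) of what a P3P-aware browser does with a site's cookie: it parses the compact policy carried in the HTTP P3P header, classifies each three-letter token, and compares the declared practices against the user's preference. The token vocabulary is the P3P 1.0 compact-policy set (access, purpose, recipient, retention, category, plus DSP/COR/MON/LAW/NID/TST). The acceptance rules, which categories count as identifying, which purposes are "needed to serve the request", and which recipients are "outside the site", are a constructed, simplified preference written for this example and not any browser's actual filter; the sample headers are constructed as well.

```python
"""Added example: parse a P3P compact policy (the CP="..." value of an HTTP
P3P header) and evaluate it against a simplified user preference, the way a
P3P-aware browser decides whether to keep a site's cookie."""
import re

# P3P 1.0 compact-policy vocabulary, grouped by the policy element each
# three-letter token abbreviates.
ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD", "IVA", "IVD",
           "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
OTHER = {"DSP", "COR", "MON", "LAW", "NID", "TST"}
ELEMENTS = [("access", ACCESS), ("purpose", PURPOSE), ("recipient", RECIPIENT),
            ("retention", RETENTION), ("category", CATEGORY), ("other", OTHER)]

# Constructed user preference for this example (not any browser's built-in
# filter): categories that identify a person, purposes needed just to serve
# the request, and recipients outside the site's own control.
IDENTIFYING = {"PHY", "ONL", "FIN", "GOV", "UNI"}
SERVICE_PURPOSES = {"CUR", "ADM", "DEV"}
OUTSIDE_RECIPIENTS = {"UNR", "PUB", "OTR"}

# Purpose and recipient tokens may carry a qualifier: a=always, i=opt-in, o=opt-out.
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio])?$")


def parse_compact_policy(header_value):
    """Return {element: {token: qualifier}} for a P3P header, or None if it has no CP."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value or "")
    if not m:
        return None
    policy = {name: {} for name, _ in ELEMENTS}
    policy["unknown"] = []
    for raw in m.group(1).split():
        tm = TOKEN_RE.match(raw)
        if not tm:
            policy["unknown"].append(raw)
            continue
        tok, qual = tm.group(1), tm.group(2) or "a"
        for name, vocab in ELEMENTS:
            if tok in vocab:
                policy[name][tok] = qual
                break
        else:
            policy["unknown"].append(raw)
    return policy


def evaluate_cookie(header_value, third_party):
    """Decide accept / downgrade (session-only) / reject, with the reasons flagged."""
    policy = parse_compact_policy(header_value)
    reasons = []
    if policy is None:
        if third_party:
            return "reject", ["third-party cookie without a compact policy"]
        return "accept", ["first-party cookie without a compact policy"]
    if policy["unknown"]:
        reasons.append("unrecognised tokens: " + " ".join(policy["unknown"]))
    # NID declares that no identifiable data is collected; otherwise look at categories.
    identifiable = "NID" not in policy["other"] and bool(IDENTIFYING & set(policy["category"]))
    if not identifiable:
        return "accept", reasons or ["no identifiable data collected"]
    # Identifiable data handed to outside parties without opt-in consent: reject.
    leaks = sorted(r for r, q in policy["recipient"].items() if r in OUTSIDE_RECIPIENTS and q != "i")
    if leaks:
        reasons.append("identifiable data shared with " + ",".join(leaks) + " without opt-in")
        return "reject", reasons
    # Identifiable data used beyond serving the request, with no opt-out: downgrade.
    secondary = sorted(p for p, q in policy["purpose"].items() if p not in SERVICE_PURPOSES and q == "a")
    if secondary:
        reasons.append("identifiable data used for " + ",".join(secondary) + " with no opt-out")
        return ("reject" if third_party else "downgrade"), reasons
    return "accept", reasons or ["identifiable data, service purposes only, consent offered"]


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        ('CP="NOI DSP COR NID CURa ADMa DEVa"', True),
        ('CP="ALL DSP COR PHYa ONLa UNRa"', True),
        ('CP="CAO DSP COR PHYa TAIa OURa"', False),
        ("", True),
    ]
    for hdr, tp in samples:
        print("third-party" if tp else "first-party", hdr or "(no P3P header)", evaluate_cookie(hdr, tp))
```

The reason list is the "discrepancy flag" the column describes: it is what a browser's privacy report would show the user, and it is also what a site owner needs when a page stops working because its cookies were downgraded or dropped.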

Tip #4: Establish the role of the Chief Privacy Officer
Chief Privacy Officers must address the new privacy needs by assessing risks, managing implementation of privacy policies and associated procedures, ensuring ongoing compliance, raising awareness in the organization, and training staff.

Tip #5: Use privacy seals
To make it easier for organizations to explain their privacy policies, demonstrate compliance, and build consumer trust and confidence, online privacy seal programs and independent privacy audits have been created. Online privacy seal programs, such as that from TRUSTe, use graphics to indicate to consumers that the site has been certified according to a set of standards defined by a privacy or consumer advocate group.

Tip #6: Understand the benefits of good privacy practices
A systematic approach to comprehensive privacy risk management can help organizations achieve the full benefits of online commerce:

  • Realizing cost savings through automated privacy monitoring.

  • Reducing risks of non-compliance with regulatory and self-regulatory frameworks.

  • Gaining a competitive edge in the information economy by building consumer trust.

  • Improving relationships with partners, who can trust in the security of business partner data.

  • Improving public image, as a leader in privacy protection.

  • Reducing risk of further regulatory burden.

The Privacy Gap can be closed with sound privacy management practices combined with automated website privacy management solutions; furthermore, organizations must close the Privacy Gap to instill trust in customers and partners. If trust is to be built into the ebusiness process, privacy and confidentiality must be at its core. Those organizations that understand the risks inherent in their privacy management practices, address the exposures, and communicate their policies openly, will earn consumer and user trust, and are more likely to gain customer loyalty and enjoy long-term success.

Peter McKay is the President and COO of Watchfire Corporation, a website management software and services company based in Lexington, MA. Watchfire's Website Management software and services help organizations optimize their ebusiness execution by mitigating corporate risk, enhancing web team effectiveness, and addressing critical website and privacy compliance issues that can affect visitor success.

TRUSTe Announces Children's Seal Promotion - 10% Off License Fee**

The Federal Trade Commission recently issued its annual COPPA compliance snapshot which indicated that "…as many as half of the sites have not fully implemented aspects of the [COPPA]." This survey comes on the heels of a well-publicized fine of $35,000 against a brand name company that the FTC found in violation of the law.

To ensure that the greatest amount of Web sites are meeting the requirements of the law, and creating a safe environment for children online, TRUSTe is offering a promotional rate for its Children's Privacy Seal Program, an FTC recognized Safe Harbor for COPPA.
We encourage all sites that communicate with children to become TRUSTe members by contacting our business development staff by phone at 415-618-3402 or by e-mail at bizdev@truste.org.

**This is a one time promotion applicable only for new customers.

TRUSTe Partners with Watchfire to Bolster Compliance

On August 27, TRUSTe and Watchfire Corporation announced a strategic partnership to strengthen TRUSTe's certification and compliance efforts. Beginning immediately, TRUSTe will deploy Watchfire WebXM to perform website content analysis of its members' sites to identify issues affecting privacy compliance. WebXM's privacy management module, PrivacyXM, enables organizations to collect, audit and report on privacy-related website management issues such as identifying secure and unsecured forms, P3P cookie issues, website data collection practices and web beacons. PrivacyXM gives companies the ability to understand their site's data collection, use, and potential sharing practices, helping them to avoid privacy glitches and better manage their ongoing compliance efforts.

"Watchfire will help us strengthen our compliance abilities by automating the auditing and monitoring of our licensees' websites to help them ensure their ongoing certification compliance," said Fran Maier, Executive Director of TRUSTe. "Consumers want assurance that companies are living up to their privacy commitment, while companies are increasingly challenged to manage privacy compliance on an ongoing basis due to the size and complexity of their websites. TRUSTe offers both consumers and companies an effective privacy solution." Learn More

Mailshell Incorporates Postiva Trusted Sender Technology, Building Trust-Based Email Infrastructure to Fight Spam

On August 22, TRUSTe and ePrivacy Group announced that Mailshell, a leading provider of anti-spam software, has integrated Postiva™ Trust Stamp technology into its web-based email client and SpamCatcher™ software. By offering customers an additional way to distinguish legitimate commercial email from spam, Mailshell's SpamCatcher™ software and email client are the first to be certified as compliant with the Postiva™ Trusted Sender Program - a cryptographically secure way for consumers, ISPs, spam filters and email clients to distinguish wanted and trusted email from spam. Postiva™ Trusted Sender is a joint program of TRUSTe, the independent non-profit organization best known for its leading privacy seal and certification program, and ePrivacy Group, a provider of trust technology and services.

"Spammers intentionally emulate legitimate commercial email and masquerade as legitimate companies. Incorporating the Postiva™ Trusted Sender program into our email client and SpamCatcher™ software provides an additional way for users to distinguish between legitimate commercial email and spam in disguise," said Eytan Urbas, vice president at Mailshell. "This represents the first time Mailshell has relied on a third party to authenticate senders' legitimacy. Partnering with TRUSTe and ePrivacy Group is a natural fit for us." Learn More

Privacy 2002

Date: September 24-26, 2002

Location: Cleveland, OH

Overview: See article on Privacy 2002. TRUSTe Members receive a special discount. If you are a TRUSTe Member interested in attending, please contact Dave Steer by email at dsteer@truste.org. For more information, please visit www.privacy2000.org.

International Association of Privacy Officers
Privacy & Data Security Academy & Expo

Date: October 16 - 18, 2002

Location: Marriott Downtown, Chicago, IL

Overview:
Leaders in the privacy and data security field representing health care, financial services, insurance, banking, marketing, high technology, e-commerce, government contractors, Fortune 500 companies, academia and more will gather at IAPO's Privacy & Data Security Academy & Expo.

This groundbreaking educational event focuses on today's emerging privacy and data security issues. The nation's leading experts, business leaders, policy makers, regulators & authors will explore the latest developments in Privacy and Security. Sessions will focus on various aspects of HIPAA, International Privacy, Managing Privacy, Privacy Law, Security & E-Business. Featured speakers include: J. Howard Beales (FTC), Fred Cate (Indiana University, Author), and Ann Cavoukian (Ontario Privacy Commissioner).

TRUSTe Members receive a special rate. For more information on the Academy, visit www.privacyassociation.org or call 800-266-6501.

Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to editor@truste.org.


Privacy Goes International -- TRUSTe is gearing up to launch a Privacy Translation Services program to help companies globalize their privacy strategy. Stay tuned for details next month. To learn more, please contact our business development staff at 415-618-3402.

TRUSTe is currently compiling case studies of privacy in action, highlighting the best practices of our members. If you would like to participate in our case study program, please contact Dave Steer by email at dsteer@truste.org.