Mobile Shopping Apps Lack Transparency in Data Collection Practices

Federal Trade Commission (FTC) report on consumer privacy of mobile shopping apps.

In today’s digital age, consumers have access to a whole new shopping experience at their fingertips via mobile apps. These apps provide obvious benefits to consumers, such as real-time price comparisons, alerts for deals from their favorite retailers, and easy checkout methods straight from swiping their phone at the counter. With 58% of U.S. adults owning a smartphone (as of January 2014), the possibilities are endless for retailers looking to take advantage. However, there are still precautions businesses must take to make sure they demonstrate transparency about the user data being collected through these apps.

According to a recent Federal Trade Commission (FTC) report, these apps often failed to provide information that is important to consumers concerning the privacy of data collected, liabilities, and payment disputes. Although nearly all apps linked to privacy policies, these policies used vague language stating the company’s rights to collect, use and share consumer data – making it difficult for consumers to understand how their data was actually being used.

To address this concern, the report provides various recommendations for companies to enhance consumer privacy practices with their mobile apps, including:

  • Clarity & Transparency: Apps should more clearly describe how they collect, use, and share consumer data – this gives consumers the choice to evaluate and compare apps based on how their data is handled.
  • Safe & Secure Payments: Companies need to disclose consumers’ rights and liability limits for unauthorized or fraudulent transactions.
  • Honor & Implement Data Security Practices: App developers should implement strong protections for the data being collected, and companies should honor their commitments to stated security practices.

The report also urges consumers to be more proactive and aware by seeking out this information themselves before downloading an app.

Since nearly 8 in 10 consumers won’t download an app they don’t trust, businesses need to show customers that they are committed to mobile app privacy best practices. Earn your customers’ trust and stay compliant through our TRUSTed Apps Privacy Certification program.


TRUSTe Named to 2014 OTA Email Integrity Honor Roll

Today, the Online Trust Alliance (OTA) announced the results of its 2014 Email Integrity Audit report, and TRUSTe was identified as one of the select few companies that provide adequate email security measures to help businesses protect their brands and consumers from receiving fraudulent email.

Being named to the 2014 Honor Roll is a significant achievement as the report revealed 91.7 percent of businesses and government agencies fail to follow adequate steps and adopt email authentication protocols to help consumers identify if emails are genuine or fraudulent.

“TRUSTe continues to show leadership in privacy practices which helps to enhance online trust and promote market innovation,” said Craig Spiezle, Executive Director and President, Online Trust Alliance.

The 2014 Report also includes the OTA Email Trust Scorecard, which measures the adoption of the three email authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC). The Scorecard provided interesting insight on the organizations adopting email security best practices – of the companies passing the OTA Email Trust Scorecard:

  • 28 percent of the top 50 social media companies
  • 17 percent of the top 100 financial services companies
  • 14 percent of the top 100 Internet retail companies
  • 6 percent of the top 50 news companies
  • 6 percent of the top 500 Internet retailers
  • 4 percent of the top 50 U.S. government agencies

Visit here to learn more about the in-depth review of email security best practices and 2014 Email Integrity Honor Roll.


EU Regulatory Update: Dutch Cookie Rules Enforced

By Saira Nayak, Director of Policy, TRUSTe

The last few weeks have seen a renewed focus on the EU’s Cookie Laws with news that European Data Protection Authorities are introducing a “Cookies Sweep Day” initiative in September to review compliance with the EU Cookie Directive. And in October, France’s CNIL will conduct cookie and website audits (more details in this Hogan Lovells blog post).

We also continue to see stepped up enforcement of cookie laws by EU regulators.

Last week, the ACM or Dutch Authority for Consumers and Markets (formerly the OPTA) concluded that the Dutch Foundation for Public Broadcasting violated the requirements of notice and “prior express consent” under the Dutch cookie law. Also – and importantly – the ACM’s decision found that implied consent could not be presumed from use of a website. The ACM ruling interpreting Dutch law is in sharp contrast to other countries such as France, where the CNIL’s guidance specifically provides for implied consent in cases where the user continues to use the site.



August Monthly Spotlight

- August 12

EU Cookie Sweep: Are You Compliant?


You may have heard that European Data Protection Authorities will conduct a “Cookies Sweep” from September 15-19 to assess current compliance levels. The CNIL will then conduct further inspections in October using new powers, which came into effect earlier this year.

With the potential of increased enforcement and growing consumer privacy expectations, companies must make sure they are compliant in order to avoid negative media coverage and damage to their brand.

TRUSTe’s Saira Nayak will join Promontory’s Simon McDougall, Fieldfisher’s Oliver Proust and experts from CNIL in a two-part webinar series to present tips and best practices for staying cookie compliant and to win the trust of European customers.

Register now for the first session, EU Cookie Directive: Key Steps to Compliance, to gain information on the following:

  • Amendments to the EU Cookie Directive and current compliance requirements across the EU
  • Insight into what is required to comply with EU cookie guidelines from a technical/IT perspective
  • Examples of how leading brands across Europe have implemented solutions to comply with EU cookie guidelines

The second and final session of the series, EU Cookie Inspections: Are You Ready?, will take place on September 4th.

- Looking Ahead

Stay tuned for information on TRUSTe events in September, the Digital Marketing Exposition & Conference in Cologne, Germany and the IAPP Privacy Academy and Congress 2014 in San Jose, CA.


View Webinar on Privacy Investment Success Stories

Last week, TRUSTe concluded its three part webinar series which looked at how companies can make the most of their investment in data privacy management. The last session, Privacy Investment Done Right, explored real privacy investment success stories from leading brands.

Forrester’s Fatemeh Khatibloo moderated the discussion between TRUSTe CEO Chris Babel, Intuit CPO Barbara Lawler and AT&T Director – Online Privacy, Compliance and Accessibility, Sachin Kothari to provide insight into how privacy investment has yielded positive returns for their companies. The webinar includes tips on staffing, organizational models, tools, metrics and the cost savings and business benefits realized from deploying an ongoing privacy management strategy.

This session was the perfect conclusion to the three-part series, which explored the ever-important data value exchange between customers and businesses and how transparency, notice and choice are the building blocks of a privacy strategy to create trust in brands.

View the video of the final session below and contact TRUSTe to learn how we can help you implement an effective privacy management strategy for your company.


FTC Revises FAQ Guidance on COPPA and Verifiable Parental Consent

FTC updates COPPA FAQs.

This week the FTC released updates to its Children’s Online Privacy Protection Act (COPPA) Frequently Asked Questions. The FAQs provide specific guidance for COPPA compliance, and the updates reflect new and clarified guidelines on parental consent methods.

If your website, mobile app, or other online service collects data from children under the age of 13, COPPA (and these updates) apply to you.

1. All Online Service Providers: Updates to Verifiable Parental Consent Guidelines

COPPA requires that online services gain “verifiable parental consent” before collecting data from children under the age of 13. The FTC provides several approved mechanisms for gaining verifiable parental consent, but has long said that companies are not limited to those mechanisms and may use any consent method that is “reasonably calculated” to verify that the consenting individual is in fact the child’s parent.

One FTC-approved verification method requires that the parent enter a credit or debit card number. Previously, the guidelines specified that using a credit or debit card to obtain consent needed to be “in connection with a financial transaction.” The rationale behind the transaction requirement is that the charge appearing on the parent’s financial statement serves as an additional notice and consent safeguard.

The updates note that companies may use a credit or debit card to obtain verifiable consent in the absence of a financial transaction if the credit or debit card information is supplemented with other confirmation measures. Such measures include asking security questions to which only the parent would know the answer, or finding supplemental ways to contact the parent for confirmation. This reflects the FTC’s long-standing position that companies may choose a consent mechanism that works for their business, so long as it is reasonably calculated to identify that the person providing consent is the parent.



TRUSTe Supports Intuit’s Move to Open Source Mobile Privacy Code and Make It Available to Developers

Short-form privacy notice for mobile apps validated by TRUSTe for mobile app developers.

Intuit and the Application Developers Alliance today announced the availability of open source software code for developers to implement short-form privacy notices—simple, easily understandable screens that clearly inform consumers what data the app is collecting and with whom the data is shared. With this open source code, small app developers can use the same template for their mobile privacy notice that Intuit currently uses in Intuit QuickBooks Online for mobile devices. TRUSTe played an important role in Intuit’s short-form notice by agreeing to host it under the TRUSTe Privacy Seal program.



Bluelock Makes Privacy and Data Security a Top Priority

By Megan Gish, Bluelock

We’re proud to announce that Bluelock has completed self-certification of compliance with the United States – European Union Safe Harbor Framework. Completion of this framework allows customers to use Bluelock’s service with confidence that personal information will be secure.

Bluelock undertook several internal audits to comply with the U.S.-EU Safe Harbor Framework as set forth by the Department of Commerce regarding the collection, use and retention of personal information from customers. Bluelock adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.

In addition to Safe Harbor, TRUSTe, the most recognized Internet privacy seal program in the world, also granted Bluelock the TRUSTe Privacy Seal, which signifies their privacy policy and practices have been reviewed for compliance with the TRUSTe program.

“As a company who protects and recovers important data and applications, it’s easy to understand why data privacy is of critical importance to Bluelock,” says Chris Babel, CEO at TRUSTe. “With the TRUSTe privacy seal, Bluelock sends a clear signal to its customers that it respects and will protect their personal information.”

When providing cloud-enabled managed hosting services, Bluelock retains personal data processed on behalf of its clients, keeping data secure for the duration of the customer relationship. With Safe Harbor certification, customers of Bluelock can trust their data is safe.

Martin Van Buren, chief operating officer, Bluelock adds, “Meeting the requirements of a major compliance framework demands time and resources, and Bluelock’s ability to gain Safe Harbor certification serves as a testament to the vision of our corporate leadership team.”

Attaining the Safe Harbor certification demonstrates how valuable our customers’ information and privacy is to us, and showcases our commitment to continually serve our customers better. In addition, our designation as SAP-certified provider of cloud and hosting services for SAP solutions confirms our ability to deliver high-quality cloud and hosting services for customers running SAP solutions.

In today’s business landscape, it is crucial to earn your consumer’s trust and ensure that you will protect their personal data. According to a recent TRUSTe study, 76% of consumers are more likely to check websites and apps for a privacy certification or seal. To find out more about TRUSTe’s privacy certification programs, visit

