Custom Approval Workflows in Assessment Manager

As TRUSTe’s Assessment Manager continues to gain broader adoption among privacy and compliance teams, we have seen that not all companies review assessments in the same way. There is no such thing as a one-size-fits-all process within privacy teams.

For this reason TRUSTe Assessment Manager has evolved to support different approval workflows. Our customers choose the one that most closely follows their process and are able to customize the workflow based on the assessment type.

I will describe each of the 3 main approval workflow options below.

Option 1: Simple Approval

This option allows the privacy reviewer(s) to approve the assessment at any time after all the questions have been answered. While the reviewer will be able to see and review all the issues that have been flagged on the assessment, she will be able to approve the assessment at any time. There is no system enforcement that the issues must be formally resolved prior to approval.

Option 2: Issue resolution required prior to Approval 

This workflow option requires all issues that have been flagged on the assessment to be resolved prior to approval. This is the most commonly used workflow. It requires the reviewer to formally resolve every issue and “accept” the assessment before she can perform the final approval.

[Screenshot: resolving issues]

Option 3: Ability to re-open completed assessments 

This option is an extension of option 2, and provides additional functionality for the privacy reviewer to reassign sections of the assessment back to users. E.g. if it becomes obvious that Tony Berman is not the subject matter expert on a particular topic, the reviewer can assign those sections to the person who is, even after the assessment has been submitted by the original respondent.

[Screenshot: reassigning questions]

For more information on customizing your approval workflows, please consult the Assessment Manager User Guide or speak to your account representative.


Assessment Manager August 2016 Release: Advanced collaboration, reporting and assessment logic

As an existing TRUSTe Assessment Manager customer you are already managing many different privacy assessments through the platform.

TRUSTe Assessment Manager is predominantly used by organizations to assess their products, systems, businesses, vendors and assets against privacy standards, regulations and policies in order to identify and mitigate privacy risks. The latest Assessment Manager release further improves the assessment process with enhanced communication, follow-up question flow logic, and review experience. In addition, the new advanced reporting and tagging features allow you to create any number of custom fields, for example countries or divisions, tailored to your organization’s business needs, to tie assessments to specific organizational entities within your company, and to use the new advanced project search for very complex search criteria.

The diagram below indicates how the newly added features fit into the overall Assessment Manager workflow.

[Diagram: Assessment Manager workflow with the newly added features]

Read on for a  more detailed description of these new features.

1. Program Reporting Using Advanced Search

The new advanced search feature allows you to perform very complex and granular project searches based on multiple criteria. Click on “Advanced Search” on the “Projects” page to add as many search parameters as you need.

[Screenshot: Advanced Search]

Example Use Case: Program Reporting

Say your privacy team has run 60+ Privacy Shield assessments across your organization to understand EU-US data transfers (as some of our customers have). As a CPO you need to be able to quickly slice and dice the information you need. Two main features in the Assessment Manager make this now easier than ever. You can now (1) tie assessments back to specific organizational entities within your enterprise, and (2) use the new advanced search feature to drill down into specific assessment criteria.

For example, if you need to identify all assessments for the Human Resources Department where Sensitive PI is transferred from the EU to the US, you can run and save that query for future use.

2. Template Customization Options

a. “Prologue” and “Epilogue”
With “Prologue” you can provide your respondents with the instructions they may need in order to complete the assessment.

With “Epilogue” you can provide your respondents with additional information at the end of the assessment and have them attest to the accuracy of their answers.

b. Additional answer options

Two additional answer options are now available:

  • “All of the above” – allows users to indicate that all options are applicable without the need to select them individually. It can be particularly useful for questions with many answer choices.
  • “None of the above” – allows users to indicate that none of the options apply.

Compliance expressions can refer to these new answer options directly.

c. Advanced follow-up question flow logic

With the addition of cross-section follow-up question flow logic, users now have the ability to create follow-up questions based on the answers to questions from previous sections.

3. Real-time collaboration 

It is now possible to send a comment with a question to any user, or to any non-user with an e-mail address. This is available for:

  • The comments section in the assessment survey
  • Comments on tasks
  • Comments in the assessment report
  • Comments in the project approvals.

The person will receive an email notification with your comment and will be able to reply to that email with their response. The response will be added as an additional comment for ease of review.

To send a comment to a particular person, put that person’s email address at the beginning of your comment, enclosed in “[~ ]”, for example, []. Thus, your comment might be: ”[] Tony, have you updated the privacy statement?”

[Screenshot: comments on a project]

4. Customized Organizational Group Tags

You can add any number of custom fields to your projects, tailored to your organizational needs. The list of available values for each of those fields can be configured separately through “Tag Groups” in the Admin area of your account. For example, you may create a Tag Group called “Brand” with different brand values. If you then associate this new Tag Group with a “Project” entity, your Projects will have an additional “Brand” field, where you will be able to select one or more of the brands from the drop-down list during project creation.

[Screenshot: “Brand” tag group on a project]

5. Additional Assessment Participants

You now have the ability to add additional participants to a project. Project Participants are able to access the project report to track the progress of the assessment. Typically they are stakeholders with an interest in the assessment outcome.

[Screenshot: project participants]

For more information on any of these new features please refer to the TRUSTe Assessment Manager user guide available from your account.



GDPR Consent Requirements

Your Tactical Guide to Compliance with GDPR Consent Requirements

The GDPR brings a long-awaited uniform regulatory approach to user data privacy and control in the EU. Global companies are paying close attention, since the GDPR applies to any company collecting data on residents of the EU regardless of where the company is located. With the current initiative of the e-Privacy Directive Working Group, the privacy industry is analyzing how these heightened requirements will play out alongside the existing user data privacy and control regulations, which broaden the scope to data collection points beyond digital tracking technologies.

GDPR codifies an increased level of protection and control for the user by expanding consumers’ rights:

  • Consumers may access their data (Article 15[1]).
  • Consumers may request information on where and when their data is processed (Article 15).
  • Consumers may request a digital copy of their data and transfer that data to another data controller in a relatively seamless manner (Article 20[2], data portability).
  • Consumers may request rectification or erasure of their data and receive confirmation of the erasure (Articles 16[3] and 17[4]).
  • In addition, the data subject’s consent must be freely given, specific and informed…either by a statement or by a clear affirmative action, signifying agreement to the processing of their personal data (Article 7[5]).
    • “Personal data” is defined as “any information relating to an identified or identifiable natural person.” Under the GDPR the definition explicitly reaches, for example, biometric data and other persistent unique identifiers whose status was ambiguous before, such as the IDFA and GAID (Article 4[6]).

Although the deadline of May 25th, 2018 feels far away, the schedule for coming into compliance with the new GDPR consent requirements is tight. The guided timeline below shows the main phases.

[Figure: GDPR consent compliance timeline]

  1. Scope Definition: A company must first determine scope of the internal consent initiative in order to make strategic resource calculations.
  2. In-House Build or Vendor Selection: A company then makes a business decision on whether to build the consent solution in-house or select a consent vendor. Selecting the right consent vendor could take some time depending on internal organization procurement procedures.
  3. Scope Definition continues: The company kicks off the project by identifying data collection points and analyzing where the consent integrations have to be completed. TRUSTe has a Data Discovery system with PII/SPII detection technology for digital properties to help companies automate this process.
  4. Project Design: Often, consumer-facing touch points involve legal, marketing, and engineering stakeholder approvals.
  5. Project Implementation: Once scope and design deliverables are approved, the engineering team needs to bake the consent integration into internal sprint release cycles.

TRUSTe is evaluating the GDPR consent requirements in order to evolve our existing consent solutions and help companies achieve compliance by the May 25th, 2018 deadline. Working with TRUSTe puts all of our resources and guidance within reach:

  • A software technology that helps companies come into compliance with the notice, consent, and audit requirements of GDPR.
  • A software technology that works on desktop and mobile devices. Not only is TRUSTe’s consent notice mobile-optimized, TRUSTe’s solution is tracking-technology agnostic and can record consent against IDs and/or email addresses.
  • A dedicated Technical Account Management team to facilitate implementation and provide post support maintenance.
  • A customer-facing portal to manage user consent choices at any point in the data collection and sharing process.
  • A client-facing portal to analyze consent metrics and maintain a database of informed consent for regulatory audits. The data can be exported and manipulated for custom reporting metrics.

Contact TRUSTe to learn more and participate in our GDPR Consent Program.



Advanced Assessment search and Reporting – TRUSTe Assessment Manager

Assessment Manager allows organizations to run more assessments across their organization than ever before. The challenge you now face as a privacy professional is knowing what assessment information you have, and being able to query it for your internal and external reporting needs. For example, you may suddenly need to identify all assessments touching China that collect health information. How do you get to that information?

With the latest release of Assessment Manager, you now have the ability to query your entire assessment database. This is achieved by combining one or more of the following features: filters, labels and search strings. For the first time, no assessment information is beyond your reach.

Using Filters
Projects contain metadata, e.g. organization divisions, business units, countries, etc. Assessments can be filtered by one or more of these fields. Assessments may also be labelled, either automatically based on question answers or manually by a user, and these labels can be added to a filter.

For example, if you wanted to narrow your assessments down to only those in China for your Business Administration Division where credit card information is being collected, you can filter by exactly those parameters.

[Screenshot: filtering assessments]


Using Search

Users can use advanced search to build queries that meet their criteria. Search lets you query your assessments for any assessment content, including particular question-and-answer combinations. All metadata, questions and answers are searchable, and the search interface lets users add as many search parameters as needed.

Searches can be saved and re-used at any time simply by clicking on the saved search.

advanced search UX

In addition, users can write and run Lucene-style searches from the search box. For example, to find all assessments that use third party vendors, a user would search as follows:

join% question:"vendor" AND answer:"yes"

If you also wanted to know which vendors have not agreed to your model contractual clauses, you could add that to the query too by appending:

join% question:"model clauses" AND answer:"No"

Your full query would then be:

join% question:"vendor" AND answer:"yes" join% question:"model clauses" AND answer:"No"

Combining Filters and Search

If you wanted to know this for a particular country or division specifically, you can add the appropriate filter to your search.

Finally, you can save your query in your account and run it again at any time.

[Screenshot: saving a search]
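The following is an added example and is not part of the original post or of Assessment Manager itself: a small JavaScript evaluator that runs queries of the shape shown above against a handful of constructed assessment records and applies metadata filters of the kind described under Using Filters. The `join%` semantics are an assumption (the post does not define them): each clause holds when the assessment has at least one question whose text contains the quoted phrase and whose answer equals the quoted value, and every clause must hold. The sample assessments, their metadata fields and the `search` function are illustrative, not the product’s own API.

```javascript
// Added example, not TRUSTe's code: a small evaluator for queries of the shape
//   join% question:"vendor" AND answer:"yes" join% question:"model clauses" AND answer:"No"
// run over a constructed set of assessment records, with optional project-metadata
// filters. The "join%" semantics are an assumption (the post does not define them):
// a clause holds when the assessment has at least one question whose text contains
// the quoted phrase and whose answer equals the quoted value; all clauses must hold.

// Blogs and word processors substitute curly quotes for "; accept both.
function normaliseQuotes(q) {
  return q.replace(/[\u201C\u201D]/g, '"');
}

// Parse into [{question, answer}, ...]. Field names and values are compared
// case-insensitively, which also absorbs an "Answer" vs "answer" inconsistency.
function parseQuery(q) {
  const s = normaliseQuotes(q);
  const clauseRe = /join%\s*question:"([^"]*)"\s+AND\s+answer:"([^"]*)"/gi;
  const clauses = [];
  let m;
  while ((m = clauseRe.exec(s)) !== null) {
    clauses.push({ question: m[1].trim().toLowerCase(), answer: m[2].trim().toLowerCase() });
  }
  // Anything the grammar did not consume is an error: a typo must not silently
  // turn into a query that matches everything (or nothing).
  const leftover = s.replace(clauseRe, "").trim();
  if (clauses.length === 0 || leftover !== "") {
    throw new Error(`cannot parse query: ${q}`);
  }
  return clauses;
}

function clauseMatches(assessment, clause) {
  return assessment.answers.some(
    (qa) => qa.question.toLowerCase().includes(clause.question) &&
            qa.answer.toLowerCase() === clause.answer
  );
}

// `filters` is a map of project metadata that must match exactly,
// e.g. { country: "China", division: "Administration" }. Returns matching ids.
function search(assessments, query, filters = {}) {
  const clauses = parseQuery(query);
  return assessments
    .filter((a) => Object.entries(filters).every(([k, v]) => a.metadata[k] === v))
    .filter((a) => clauses.every((c) => clauseMatches(a, c)))
    .map((a) => a.id);
}

// Constructed sample assessments (not real customer data).
const ASSESSMENTS = [
  { id: "A-1", metadata: { country: "China", division: "Administration" }, answers: [
    { question: "Does this project use a third party vendor?", answer: "Yes" },
    { question: "Has the vendor agreed to the model clauses?", answer: "No" },
  ] },
  { id: "A-2", metadata: { country: "Germany", division: "HR" }, answers: [
    { question: "Does this project use a third party vendor?", answer: "Yes" },
    { question: "Has the vendor agreed to the model clauses?", answer: "Yes" },
  ] },
  { id: "A-3", metadata: { country: "China", division: "HR" }, answers: [
    { question: "Does this project use a third party vendor?", answer: "No" },
  ] },
];

const VENDOR_QUERY = 'join% question:"vendor" AND answer:"yes"';
const FULL_QUERY =
  'join% question:"vendor" AND answer:"yes" join% question:"model clauses" AND Answer:"No"';

console.log(search(ASSESSMENTS, VENDOR_QUERY));                       // [ 'A-1', 'A-2' ]
console.log(search(ASSESSMENTS, FULL_QUERY));                         // [ 'A-1' ]
console.log(search(ASSESSMENTS, FULL_QUERY, { country: "Germany" })); // []
```

The parser refuses a query it cannot fully consume rather than ignoring the unparsed part; in a reporting tool a quietly degraded query is worse than an error, because the report it produces looks complete.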

Having this level of information available at one’s fingertips addresses the challenge currently faced by most privacy professionals – that they cannot  easily access all the information they have collected through their assessment process, for internal and external reporting purposes.


TRUSTe in Atlas Solutions (by Facebook) System and Partner Directory

TRUSTe Ads Compliance Manager has long been compatible with major ad serving systems in the industry. To make the deployment experience more seamless for our clients, we’ve continued to push for deeper integrations with our valued partners.

Recently, Atlas by Facebook launched a Partner Directory listing TRUSTe under “Verification & Privacy” solutions. TRUSTe is excited to be a part of this list and considered a valued partner of Atlas by Facebook.

If any campaigns are trafficked in the Atlas platform, TRUSTe Ads Compliance customers simply enter three parameters, pid, aid and cid, as shown below to activate the back-end integration TRUSTe has with Atlas. This template lets customers pull in the TRUSTe tag and append the OBA icon to campaign creatives in an easy way.

[Screenshot: Atlas / TRUSTe integration template]

TRUSTe customers can enter macros in the parameters. For example, an ad operations manager can enter campaign macros in the cid param in order to receive granular reporting by campaign. This feature helps our clients verify that all campaigns have the OBA icon appended properly.

If you are an ad server and interested in a deeper integration with TRUSTe, please email us. Thank you.


TRUSTe Preference Manager

By Jannette Cabardo

Online Behavioral Advertising is an online activity wherein ad companies collect behavioral data so advertisements can be tailored to consumer preferences. Technologies such as beacons, cookies and tracking pixels are used for such activities.

Most companies engaged in OBA have opt-out mechanisms where users can say no to the collection of personal information. Opting out of these ad-related activities stops the online collection of an individual’s behavioral data, so no tailored advertisements will be delivered. As a solution, TRUSTe offers Ads Compliance Manager, where users can opt out from known ad companies.

How does this work? TRUSTe has a core data team that maintains data validity and makes sure the opt-out mechanism for each company is up-to-date. This evaluation is done on a regular basis.

When looking into the opt-out mechanism of each company, the data team checks whether there is an API that TRUSTe can integrate with. Most commonly, the team looks for a URL that accepts a GET or POST request.

[Screenshots: vendor opt-out mechanisms]

In the case TRUSTe isn’t able to integrate due to the absence of an API or is in process of integrating the custom opt-out mechanism available, TRUSTe provides a link to the privacy policy or to the landing page where the opt-out mechanism is found. In these cases, TRUSTe will contact the ad companies and work with them in order to integrate an opt-out mechanism.


Why do some opt-outs fail? There are several situations in which a call to a company’s API fails. When this happens, a link to the privacy policy or opt-out landing page is still available so users can continue to opt out.

The server on the ad company side does not respond to the request. When TRUSTe does not get any response from the ad company’s server within the specified time threshold, an error message is returned. Sometimes the server responds on the second opt-out attempt, so we encourage users to try again.

Internet connectivity is slow, so the opt-out request does not complete within the threshold. In that case no opt-out is performed and the error message is displayed.

TRUSTe is currently committed to specific versions in the following browsers: Firefox, Chrome, Opera, Safari and IE. There are opt-outs that do not work on specific browsers. When a certain opt-out does not work on a supported browser, TRUSTe redirects the users to the privacy policy page or the landing page. As part of the periodic maintenance, our data team reaches out to these specific vendors.
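As an added illustration, not TRUSTe’s own code, the following JavaScript models the dispatch described above: call the vendor’s GET or POST opt-out URL, retry once when the vendor’s server does not answer within the time threshold, and fall back to the vendor’s privacy policy or landing page when the call cannot succeed or no API exists. The vendor table, URLs and the injected `client` function are constructed for the example so that it runs offline.

```javascript
// Added example, not TRUSTe's code: the opt-out dispatch the post describes. Call the
// vendor's GET or POST opt-out URL, retry once when the vendor's server does not answer
// within the time threshold, and fall back to the vendor's privacy-policy or landing
// page when the call cannot succeed or no API exists. Vendor entries and URLs are
// constructed; `client(method, url)` is injected so the logic runs offline. It returns
// { status } or throws an Error whose `code` is "ETIMEDOUT".
const VENDORS = [
  { name: "Adnet A", method: "GET",  optOutUrl: "https://adnet-a.example/optout",
    policyUrl: "https://adnet-a.example/privacy" },
  { name: "Adnet B", method: "POST", optOutUrl: "https://adnet-b.example/api/optout",
    policyUrl: "https://adnet-b.example/privacy" },
  { name: "Adnet C", method: null,   optOutUrl: null,   // no API found yet
    policyUrl: "https://adnet-c.example/privacy#optout" },
];

function optOut(vendor, client, maxAttempts = 2) {
  if (!vendor.optOutUrl) {
    return { vendor: vendor.name, ok: false, reason: "no-api", fallback: vendor.policyUrl };
  }
  let reason = "unknown";
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const res = client(vendor.method, vendor.optOutUrl);
      if (res.status >= 200 && res.status < 300) {
        return { vendor: vendor.name, ok: true, attempts: attempt };
      }
      // A definite non-2xx answer is not a timeout; retrying will not change it.
      return { vendor: vendor.name, ok: false, reason: `http-${res.status}`,
               fallback: vendor.policyUrl };
    } catch (err) {
      reason = err.code === "ETIMEDOUT" ? "timeout" : "error";
      if (reason !== "timeout") break;   // only "try again" on a timeout
    }
  }
  return { vendor: vendor.name, ok: false, reason, fallback: vendor.policyUrl };
}

function optOutAll(vendors, client) {
  return vendors.map((v) => optOut(v, client));
}

// Constructed client: Adnet A times out on its first call, everything else answers 200.
function makeFlakyClient() {
  let calls = 0;
  return function client(method, url) {
    calls += 1;
    if (url.includes("adnet-a") && calls === 1) {
      const e = new Error("no response within threshold");
      e.code = "ETIMEDOUT";
      throw e;
    }
    return { status: 200 };
  };
}

// Constructed client that never answers, for the "all servers down" case.
function makeDeadClient() {
  return function client() {
    const e = new Error("no response within threshold");
    e.code = "ETIMEDOUT";
    throw e;
  };
}

console.log(optOutAll(VENDORS, makeFlakyClient()));
```

Every failure path carries the fallback link, so the caller can always show the user a way to finish the opt-out by hand, which is the behaviour the post describes for calls that fail.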

If you have any feedback regarding this solution or would like to integrate with TRUSTe, please email us.


Privacy Risk Assessment for Mobile Applications

Mobile application privacy management is now more important than ever—at least half of Fortune 500 companies have internal mobile applications. But managing mobile application privacy risk goes beyond the applications on your employees’ devices. As companies’ presence, products, and services increasingly shift into the mobile space, mobile privacy is drawing increasing attention—both internally and from the Federal Trade Commission. In particular, the healthcare industry had the highest privacy payout in 2014, and the FTC and FDA’s additional scrutiny into wellness and health services should increase management’s focus on improving mobile application development tools and processes.

Within a single global organization, mobile applications are often developed by product managers in different business units and different subsidiary companies. Adding to this complexity, companies often use outsourced mobile developers, putting mobile applications one more step away from the privacy officer’s oversight.

According to Forrester Mobile Study 2015, “Companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.” If developers are not aware of third parties and their activities, privacy officers are left in the dark on transparency and data minimization. The privacy and enforcement risks are real—the FTC fined the Path social networking service $800,000 for collecting users’ data without their consent.

Insecure transmission of data also poses a risk to both users’ privacy and corporate reputations. The FTC has ordered Fandango and Credit Karma to undergo security assessments every other year for the next 20 years because of their insecure transmission of data. To prevent a public backlash in the event of a perceived privacy violation, the privacy officer should also review other aspects of mobile application design and implementation. For example, privacy officers should analyze whether an application requests an overly broad set of permissions, which may indicate high privacy risk or be considered suspicious activity.

To manage data privacy risk, privacy officers must have a handle on the data that is collected, the security of data transfer, and all third parties accessing the application, across all of their company’s mobile applications. Privacy officers can leverage in-house technology or hire a vendor to provide that information, which the privacy officer then maps against in-house guidelines and regulations to determine whether there is a privacy risk. Depending on how many applications a company has and how often it updates them, this could drain a lot of resources. To efficiently manage the privacy risk of mobile applications across the company, a privacy officer needs:

  1. Condensed, relevant and actionable data to assess privacy risk. The report should either be a standalone privacy report or a comprehensive separate section within a security report.
  2. An automated or partially automated tool to generate the information
  3. Sufficient resources internally or outsourced to analyze the findings and flag any privacy risks.

TRUSTe Mobile App Assessments

The time is right to streamline the discovery of any privacy risks within your company’s mobile applications. TRUSTe mobile assessments help you analyze applications by gathering information within network traffic, system API calls, log activities, and application source code to find the data flows, security safeguards, and third-party data access within the application. These comprehensive scanning tools produce an accurate, detailed, and actionable mobile risk assessment report.

TRUSTe Standard Mobile Assessments provide the privacy officer with all the information necessary to analyze the privacy risk of a mobile application. The discovery report lists:

  • Third-party domains, frameworks, and SDKs, annotated with company metadata and the Privacy Sensitivity Score from the proprietary TRUSTe Vendor Database
  • The data collected
  • Which third party is collecting data and/or what data the third party is collecting
  • What data is stored on the device
  • Any insecure transmissions (those that are unencrypted or that use misconfigured encryption)
  • The permissions an app is requesting

With this information, a privacy officer can easily analyze whether internal enterprise or consumer applications are following regulatory or internal guidelines and whether application behavior is consistent with the app’s purpose.

In addition, TRUSTe offers a premium mobile assessment service that provides manual technical analysis to generate an even more detailed report. This identifies the areas in the mobile application that pose privacy risks and provides remediation recommendations. TRUSTe can also compare the mobile app findings against applicable regulations to highlight any noncompliance risks.

To help privacy officers manage mobile application data privacy globally, TRUSTe is expanding its mobile offerings to include privacy risk scanning and assessment solutions. To learn more about these new TRUSTe scanning offerings, contact



Cookie Consent and Its Relationship with Tag Management Systems (TMS)

TRUSTe’s Cookie Consent solution has been helping global companies comply with the EU Cookie Directive and continues to evolve into a robust platform backed by TRUSTe’s privacy brand.

TRUSTe’s Cookie Consent integrates with leading Tag Management Systems (TMS) to help companies comply with the “zero-cookie” load requirement, specifically under CNIL’s rules. “Zero-cookie” requires that no trackers, outside of the exceptions, are dropped until the user has consented. TRUSTe has a preferred partnership with Signal and has already developed an integration with Google TMS. (You may have also seen us in Tealium’s portal.)

TRUSTe has a Cookie Consent API that provides Tag Management Systems the ability to digest the user-level of consent in order to respect the user’s preferences.

The newest addition to TRUSTe’s TMS family is Adobe DTM (Dynamic Tag Manager). TRUSTe has been working closely with the Adobe DTM team to ensure that clients who use Adobe DTM are able to leverage TRUSTe Cookie Consent seamlessly in their system.

The Cookie Consent integrates with Adobe DTM in a three step process:

  1. The first step is to add the Cookie Consent script, as you would any other third-party tag in DTM.
  2. The second step is to apply a special tag that reloads the page when a user changes their preference, so that any newly allowed tags/rules are loaded.
  3. The third step is to apply a Condition to any Rule you want covered by the Cookie Consent.
    1. Adobe DTM uses the cookie name and cookie value to read the user-level consent back into the TMS, so that the rule only fires when the user has allowed it.
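As an added illustration, not TRUSTe’s or Adobe’s own code, the JavaScript below shows what a Rule Condition and the reload-on-change hook from the steps above amount to. The post does not give the consent cookie’s name or value format, so both are assumptions here: a cookie named `cookieconsent` whose value is a comma-separated list of permitted categories such as `required,functional`. The cookie strings used are constructed.

```javascript
// Added example, not TRUSTe's or Adobe's code. The post says a DTM Rule Condition reads
// the consent cookie's name and value but does not give either, so these are
// assumptions: the cookie is named "cookieconsent" and its value is a comma-separated
// list of permitted categories such as "required,functional".
const CONSENT_COOKIE = "cookieconsent";
const ALWAYS_ALLOWED = ["required"]; // the trackers exempt from the zero-cookie rule

// Parse a document.cookie-style string ("a=1; b=2") into a name -> value map.
// Malformed pairs are skipped rather than thrown, since this runs inside tag rules.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    let value = part.slice(idx + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep the raw value */ }
    if (name) out[name] = value;
  }
  return out;
}

// Categories the visitor has permitted. No cookie, or an unparseable one, yields only
// the exempt category: the condition fails closed, which is what "zero-cookie" needs.
function permittedCategories(cookieString) {
  const cats = new Set(ALWAYS_ALLOWED);
  const value = parseCookies(cookieString)[CONSENT_COOKIE];
  if (!value) return cats;
  for (const c of value.split(",")) {
    const name = c.trim().toLowerCase();
    if (name) cats.add(name);
  }
  return cats;
}

// Step 3: the predicate a Rule Condition returns for a tag in `category`.
// It must gate the tag's load; checking after the tag has fired enforces nothing.
function tagAllowed(cookieString, category) {
  return permittedCategories(cookieString).has(String(category).toLowerCase());
}

// Step 2: reload once the stored preference changes so newly permitted rules load.
// `reload` is injected for testability; in a page it would be () => location.reload().
function makeChangeWatcher(initialCookieString, reload) {
  let last = parseCookies(initialCookieString)[CONSENT_COOKIE] || "";
  return function check(currentCookieString) {
    const now = parseCookies(currentCookieString)[CONSENT_COOKIE] || "";
    if (now === last) return false;
    last = now;
    reload();
    return true;
  };
}

console.log(tagAllowed("cookieconsent=required%2Cfunctional", "advertising")); // false
```

The one design choice worth stressing is the fail-closed default: a missing or garbled consent cookie allows only the exempt category, because the zero-cookie rule is violated by a tracker that loads, not by one that stays silent.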

TRUSTe has a flexible Cookie Consent API that is ready to integrate with any TMS to enable an easy tag integration. If you have a TMS partner you would like to integrate with TRUSTe Cookie Consent, please email us for next steps! CNIL has just conducted a cookie sweep; if you are not yet prepared for the next one, please email us now.


EU Cookie Consent Manager Self-Service Portal

TRUSTe’s Cookie Consent Manager helps clients comply with the laws implementing the EU Cookie Directive in EU countries. TRUSTe is proud to offer both Managed Services and Self-Service options to our clients. TRUSTe’s Managed Services team helps set up, brand, and generate a customized Cookie Consent Manager from start to finish. A dedicated Account Manager acts as global deployment project manager to help get a proper Notice, Consent, and Control mechanism up and running. Having a dedicated Account Manager is nice, but TRUSTe also offers a robust Self-Service Portal to manage and update your Cookie Consent Manager.

[Screenshot: the TRUSTe portal dashboard]

You will have access to the following applications that contain every tool you need to set-up a proper Cookie Consent Manager.

  1. Cookie Consent Configuration: Set up and update the trackers that are loaded into the Cookie Consent Manager. Your Cookie Consent Manager automatically updates as new trackers are found in your cookie audit crawls, using TRUSTe’s Website Monitoring Service.

TRUSTe’s in-house proprietary crawler scans thousands of pages, identifying and classifying trackers to provide the recommended categorization of cookies into Required, Functional, and Advertising automatically, making it easier to maintain an accurate, up-to-date Cookie Consent Manager.

  2. Consent Manager CMS: Customize the wording and HTML/CSS of the Cookie Consent Notice mechanism. Whether it’s a simple logo change or an additional link in the Notice frame, TRUSTe allows full flexibility in customizing the look and feel of the Cookie Consent Manager so that it blends seamlessly with your website.

Example of the granular CSS a web developer can access if desired:

.pdynamicbutton .submit {
  font-size: 10pt;
  padding-left: 20px;
  color: #FFFFFF;
  text-align: center;
  background: #627E9D;
  text-shadow: none;
  border: 1px solid #627E9D;
  overflow: hidden;
}

You can also set up dynamic browser language detection for locales and sub-locales to ensure the appropriate language is displayed to the user automatically.

  3. User Management: Add global team members to the portal and provide access with customized permissions as appropriate for each business unit.
  4. Consent Manager Summary Report: Run user engagement metrics to monitor the performance of your Cookie Consent Manager.

TRUSTe’s Cookie Consent Manager can be set-up as a banner, button/text, or an express pop-in to comply from the lowest to strictest level of consent in the EU countries.  Cookie Consent Manager is only one of the many integrated solutions to efficiently manage global privacy regulations from one single platform. Discover, Assess, Monitor global compliance regulations and projects from one single platform with integrated technology compliance solutions at your fingertips.

To get started, contact TRUSTe today!


Push API

Earlier this year, TRUSTe launched TRUSTed Interests: a new product that allows consumers to express their interests and to share them with the advertising ecosystem participants. In order to make this data available to interested parties, TRUSTe just released a PUSH API and this short blog post provides a few details around this API.

TRUSTe wanted an interface flexible enough for TRUSTe to build its own applications on, yet friendly and simple for its partners. This translates into being explorable via a web browser and using web standards.

The first step was to identify which functions to expose. Since security and privacy are TRUSTe’s core concerns, TRUSTe decided to expose only the GET method (read only) and to always use SSL. Another advantage of always using SSL is that guaranteed encrypted communication simplifies authentication: you can get away with simple access tokens instead of having to sign each API request. That shortcut only holds if the client actually verifies the server’s certificate, and a bearer token is only as secret as every log and configuration file it passes through, so it still has to be protected and rotated like a password.

TRUSTe’s roadmap includes a full REST API for TRUSTe partners. It will let partners access their data, filter it, sort it and paginate through the results. The resulting data set will be JSON objects.

For version 1, available today, the service pushes data securely (via SSL) to a location of the partner’s choice, as often as necessary: every hour, every 2 hours, daily, etc. The data set includes both opt-out and preference data, if applicable.

Each partner will give TRUSTe the location where they want the data to be transferred:

The data will be available in a file in the following JSON format for opt-out:

{
  "application": "global application",
  "createdDate": "03-17-2014 15:11:23",
  "changedDate": "03-17-2014 15:11:23",
  "adnetwork": "Adnet A"
}

The data will be available in a file in the following JSON format for preferences:

[
  {"key": "health", "answer": "NEUTRAL", "category": null, "createdDate": "03-17-2014 15:22:46", "lastChangedDate": "03-17-2014 15:22:46"},
  {"key": "food", "answer": "LIKE", "category": null, "createdDate": "03-17-2014 15:22:46", "lastChangedDate": "03-17-2014 15:22:46"},
  {"key": "auto", "answer": "LIKE", "category": null, "createdDate": "03-17-2014 15:22:46", "lastChangedDate": "03-17-2014 15:22:46"},
  {"key": "dating", "answer": "DISLIKE", "category": null, "createdDate": "03-17-2014 15:22:46", "lastChangedDate": "03-17-2014 15:22:46"}
],
"createdDate": "03-17-2014 15:22:46",
"changedDate": "03-17-2014 15:22:46"

Response code:
If the response code received is 200, TRUSTe considers the push successful; for any other code the partner is notified. Because 200 is the only signal TRUSTe gets, a partner endpoint should return 200 only once it has actually accepted and stored the file, and an error code otherwise, so that a failed import is reported rather than silently counted as delivered.

Finally ….
From there, the partners can parse the data and integrate it into their systems. Voilà!
Want to learn more about our APIs?  Contact your account manager. 

