TRUSTe in Atlas Solutions (by Facebook) System and Partner Directory

TRUSTe Ads Compliance Manager has long been compatible with major ad serving systems in the industry. To make the deployment experience more seamless for our clients, we’ve continued to push for deeper integrations with our valued partners.

Recently, Atlas by Facebook launched a Partner Directory listing TRUSTe under “Verification & Privacy” solutions. TRUSTe is excited to be a part of this list and considered a valued partner of Atlas by Facebook.

If any campaigns are trafficked in the Atlas platform, TRUSTe Ads Compliance customers simply enter three parameters (pid, aid, and cid), as shown below, to activate the back-end integration TRUSTe has with Atlas. This template lets customers pull in the TRUSTe tag and append the OBA icon to campaign creatives easily.

Atlas_TRUSTe Integration

TRUSTe customers can enter macros in the parameters. For example, an ad operations manager can enter campaign macros in the cid param in order to receive granular reporting by campaign. This feature helps our clients verify that all campaigns have the OBA icon appended properly.

If you are an ad server and interested in a deeper integration with TRUSTe, please email Thank you.


TRUSTe Preference Manager

By Jannette Cabardo

Online Behavioral Advertising is an online activity wherein ad companies collect behavioral data so advertisements can be tailored to consumer preferences. Technologies such as beacons, cookies and tracking pixels are used for such activities.

Most companies that are engaged in OBA have opt-out mechanisms where users can say no to the collection of personal information. Opting out of these ad-related activities stops the online collection of an individual’s behavioral data, so no tailored advertisements will be delivered. As a solution, TRUSTe offers Ads Compliance Manager, where users can opt out from known ad companies.

How does this work? TRUSTe has a core data team that maintains data validity and makes sure the opt-out mechanism for each company is up-to-date. This evaluation is done on a regular basis.

When looking into the opt-out mechanism of each company, the data team tries to see if there is an API that TRUSTe can integrate with. The team commonly looks for a GET or POST method URL.


In the case TRUSTe isn’t able to integrate due to the absence of an API or is in process of integrating the custom opt-out mechanism available, TRUSTe provides a link to the privacy policy or to the landing page where the opt-out mechanism is found. In these cases, TRUSTe will contact the ad companies and work with them in order to integrate an opt-out mechanism.


Why do some opt-outs fail? There are several instances when a call to a company’s API fails. When this happens, a link to the privacy policy or opt-out landing page is still available so users can continue to opt out.

The server on the ad company side does not respond to the request. When TRUSTe does not get any response from the ad company’s server during the specified time threshold, an error message will be returned. Sometimes, the server responds when opting out the second time. So we encourage users to try again.

Internet connectivity is slow, so the opt-out process cannot be completed and the error message will be displayed.

TRUSTe is currently committed to specific versions in the following browsers: Firefox, Chrome, Opera, Safari and IE. There are opt-outs that do not work on specific browsers. When a certain opt-out does not work on a supported browser, TRUSTe redirects the users to the privacy policy page or the landing page. As part of the periodic maintenance, our data team reaches out to these specific vendors.

If you have any feedback regarding this solution or would like to integrate with TRUSTe, please email


Privacy Risk Assessment for Mobile Applications

Mobile application privacy management is now more important than ever—at least half of Fortune 500 companies have internal mobile applications. But managing mobile application privacy risk goes beyond the applications on your employees’ devices. As companies’ presence, products, and services increasingly shift into the mobile space, mobile privacy is drawing increasing attention—both internally and from the Federal Trade Commission. In particular, the healthcare industry had the highest privacy payout in 2014, and the FTC and FDA’s additional scrutiny into wellness and health services should increase management’s focus on improving mobile application development tools and processes.

Within a single global organization, mobile applications are often developed by product managers in different business units and different companies. Adding to this complexity, companies often leverage outsourced mobile developers, putting mobile applications still another step away from the oversight of the privacy officer.

According to Forrester Mobile Study 2015, “Companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.” If developers are not aware of third parties and their activities, privacy officers are left in the dark on transparency and data minimization. The privacy and enforcement risks are real—the FTC fined the Path social networking service $800,000 for collecting users’ data without their consent.

Insecure transmission of data also poses a risk to both users’ privacy and corporate reputations. The FTC has ordered that Fandango and Credit Karma undergo security assessments every other year for the next 20 years because of their insecure transmission of data. To prevent possible public backlash in the event of a user-perceived privacy violation, the privacy officer should also review other mobile application designs and implementations. For example, privacy officers should analyze whether an application contains an overly broad set of requested permissions, which may indicate high privacy risk or be considered suspicious activity.

To manage data privacy risk, privacy officers must have a handle on the data that’s collected, the security of data transfer, and all third parties accessing the mobile application across all their companies’ mobile applications. Privacy officers can leverage in-house technology or hire a vendor to provide this information, which the privacy officer can then map against in-house guidelines and regulations to determine if there is a privacy risk. Depending on how many applications a company has and how often the company updates them, this could drain a lot of resources. To efficiently manage privacy risk of mobile applications across the company, a privacy officer needs:

  1. Condensed, relevant and actionable data to assess privacy risk. The report should either be a standalone privacy report or a comprehensive separate section within a security report.
  2. An automated or partially automated tool to generate the information
  3. Sufficient resources internally or outsourced to analyze the findings and flag any privacy risks.

TRUSTe Mobile App Assessments

The time is right to streamline the discovery of any privacy risks within your company’s mobile applications. TRUSTe mobile assessments help you analyze applications by gathering information within network traffic, system API calls, log activities, and application source code to find the data flows, security safeguards, and third-party data access within the application. These comprehensive scanning tools produce an accurate, detailed, and actionable mobile risk assessment report.

TRUSTe Standard Mobile Assessments provide the privacy officer with all the information necessary to analyze the privacy risk of a mobile application. The discovery report lists:

  • Third-party domains, frameworks, and SDKs attached with company metadata and the Privacy Sensitivity Score from the proprietary TRUSTe Vendor Database
  • The data collected
  • Which third party is collecting data and/or what data the third party is collecting
  • What data is stored on the device
  • Any insecure transmissions (those that are unencrypted or that use misconfigured encryption)
  • The permissions an app is requesting

With this information, a privacy officer can easily analyze whether internal enterprise or consumer applications are following regulatory or internal guidelines and whether application behavior is consistent with the app’s purpose.

In addition, TRUSTe offers a mobile assessment premium service that provides manual technical analysis to generate an even more detailed report. This identifies any areas in the mobile application that pose privacy risks and provides intelligent remediation recommendations. TRUSTe can also compare the mobile app findings against applicable regulations to highlight any noncompliance risks.

To help privacy officers manage mobile application data privacy globally, TRUSTe is expanding its mobile offerings to include privacy risk scanning and assessment solutions. To learn more about these new TRUSTe scanning offerings, contact



Cookie Consent and Its Relationship with Tag Management Systems (TMS)

TRUSTe’s Cookie Consent solution has been helping global companies comply with the EU Cookie Directive and continues to evolve into the most robust platform that is completed by TRUSTe’s privacy brand.

TRUSTe’s Cookie Consent integrates with leading Tag Management Systems (TMS) in order to help companies comply with the “zero-cookie” load requirement, specifically under CNIL’s laws. The “zero-cookie” requirement means that no trackers, outside of the exceptions, are dropped until the user has consented. TRUSTe has a preferred partnership with Signal and has already developed an integration with Google TMS. (You may have also seen us in Tealium’s portal.)

TRUSTe has a Cookie Consent API that provides Tag Management Systems the ability to digest the user-level of consent in order to respect the user’s preferences.

The newest addition to TRUSTe’s TMS system family is Adobe DTM (Dynamic Tag Manager). TRUSTe has been working closely with the Adobe DTM team to ensure clients that use Adobe DTM are able to seamlessly leverage TRUSTe Cookie Consent in their system.

The Cookie Consent integrates with Adobe DTM in a three-step process:

  1. The first step is just to add the Cookie Consent script, like you would any other Third Party Tag in DTM.
  2. The second step is to apply a special Tag which will reload the page when a user has changed their preference, thereby loading any newly allowed Tags/Rules.
  3. The third step is applying a Condition to any Rule you wish covered by the Cookie Consent.
    1. Adobe DTM is able to leverage the Cookie Name and Cookie Value to communicate the user-level consent back to the TMS for compliance.
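
An added example, not TRUSTe or Adobe code, of the decision that the step 3 Condition and the step 2 reload tag make from the consent cookie, including the fail-closed "zero-cookie" default when the cookie is missing or malformed. The cookie name consent_level, its values 0/1/2 and the rule names are hypothetical; the real name and values come from your own Cookie Consent configuration.

```javascript
// Added example. CONSENT_COOKIE and the 0/1/2 encoding are hypothetical.
const CONSENT_COOKIE = "consent_level";
const LEVELS = { required: 0, functional: 1, advertising: 2 };

// Parse a document.cookie-style string into a Map, tolerating stray spaces,
// empty segments and values that themselves contain "=".
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq < 1) continue;
    const name = part.slice(0, eq).trim();
    let value = part.slice(eq + 1).trim();
    try { value = decodeURIComponent(value); } catch (e) { /* keep raw value */ }
    // First occurrence wins, so a later duplicate cannot raise the level.
    if (name && !jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Highest category the visitor has consented to. Anything other than an
// exact known value (missing, empty, "2abc", "99") counts as no consent yet,
// so only required tags may load.
function consentLevel(cookieString) {
  const raw = parseCookies(cookieString).get(CONSENT_COOKIE);
  return /^[012]$/.test(raw || "") ? Number(raw) : LEVELS.required;
}

// Step 3: the Condition attached to a rule. Unknown categories fail closed.
function ruleMayFire(rule, cookieString) {
  const needed = LEVELS[rule.category];
  return Number.isInteger(needed) && needed <= consentLevel(cookieString);
}

// Step 2: the reload tag only needs to act when the level actually changed.
function needsReload(cookieBefore, cookieAfter) {
  return consentLevel(cookieBefore) !== consentLevel(cookieAfter);
}

// Names of the rules that fire for a given cookie string.
function firingRules(rules, cookieString) {
  return rules.filter((r) => ruleMayFire(r, cookieString)).map((r) => r.name);
}

// Constructed rule set for illustration.
const RULES = [
  { name: "session", category: "required" },
  { name: "chat-widget", category: "functional" },
  { name: "retargeting-pixel", category: "advertising" },
  { name: "mystery-tag", category: "unclassified" },
];
```

A tag that nobody has classified never fires here, which is the safer failure for an audit than a tag that loads before consent.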

TRUSTe has a flexible Cookie Consent API that is ready to integrate with any TMS system to enable an easy tag integration. If you have a TMS partner you would like to integrate with TRUSTe Cookie Consent, please email us for next steps! CNIL just did a cookie sweep. If you’re not yet prepared for the next one, please email us now @


EU Cookie Consent Manager Self-Service Portal

TRUSTe’s Cookie Consent Manager assists clients in complying with the EU Cookie Directive laws in EU countries. TRUSTe is proud to offer both Managed Services and Self-Service options to our clients. TRUSTe’s Managed Services team helps set-up, brand, and generate a customized Cookie Consent Manager from start to finish. A dedicated Account Manager acts as global deployment project manager to help get a proper Notice, Consent, and Control mechanism up and running. Having a dedicated Account manager is nice but TRUSTe also offers a robust Self-Service Portal to manage and update your Cookie Consent Manager.

Below is the Dashboard of TRUSTe portal:

You will have access to the following applications that contain every tool you need to set-up a proper Cookie Consent Manager.

  1. Cookie Consent Configuration: Set-up & update the trackers that are loaded into the Cookie Consent Manager. Your Cookie Consent Manager automatically updates as new trackers are found in your cookie audit crawls utilizing TRUSTe’s Website Monitoring Service.

TRUSTe’s in-house proprietary crawler scans thousands of pages identifying and classifying trackers to provide the recommended categorization of cookies into Required, Functional, and Advertising automatically making it easier to maintain an accurate, up-to-date Cookie Consent Manager.

  2. Consent Manager CMS: Customize the verbiage and HTML/CSS of the Cookie Consent Notice mechanism. Whether it’s a simple logo change or adding an additional link to the Notice frame, TRUSTe allows full flexibility on customizing the look & feel of the Cookie Consent Manager so that it flows seamlessly with your website.

Example of granular CSS a web developer can access if desired:

.pdynamicbutton .submit {
  font-size: 10pt;
  padding-left: 20px;
  color: #FFFFFF;
  text-align: center;
  background: #627E9D;
  text-shadow: none;
  border: 1px solid #627E9D;
  overflow: hidden;
}

Set up dynamic browser language detection for locales and sub-locales to ensure appropriate language is displayed to the user automatically.

  3. User Management: Add global team members to the portal and provide access with customized permissions as appropriate for each business unit.
  4. Consent Manager Summary Report: Run user engagement metrics to monitor the performance of your Cookie Consent Manager.

TRUSTe’s Cookie Consent Manager can be set-up as a banner, button/text, or an express pop-in to comply from the lowest to strictest level of consent in the EU countries.  Cookie Consent Manager is only one of the many integrated solutions to efficiently manage global privacy regulations from one single platform. Discover, Assess, Monitor global compliance regulations and projects from one single platform with integrated technology compliance solutions at your fingertips.

To get started, contact TRUSTe today!


Push API

Earlier this year, TRUSTe launched TRUSTed Interests: a new product that allows consumers to express their interests and to share them with the advertising ecosystem participants. In order to make this data available to interested parties, TRUSTe just released a PUSH API and this short blog post provides a few details around this API.

TRUSTe wanted to build an interface flexible enough for TRUSTe to build its own application on, and friendly and simple for its partners. This translates into being explorable via web browser and using web standards.

The first step was to identify which functions to expose. Since security and privacy are TRUSTe’s main modus vivendi, TRUSTe decided to expose only the GET method (read only) and always to use SSL. Another advantage of always using SSL is that guaranteed encrypted communications simplifies authentication efforts – you can get away with simple access tokens instead of having to sign each API request.

TRUSTe’s roadmap includes a full REST API for TRUSTe partners. It will let partners access their data, filter it, sort it and paginate through the results. The resultant data set will be JSON objects.

For version 1, available today, the service will push data securely (via SSL) to partners at a location of their choice as often as necessary: every hour, 2 hours, days, etc. The data set will include both opt out and preferences data, if applicable.

Each partner will give TRUSTe the location where they want the data to be transferred:

The data will be available in a file in the following JSON format for opt out:



"application":"global application",
"createdDate":"03-17-2014 15:11:23",
"changedDate":"03-17-2014 15:11:23",
"adnetwork":"Adnet A"


The data will be available in a file in the following JSON format for preferences:



{"key":"health","answer":"NEUTRAL","category":null,"createdDate":"03-17-2014 15:22:46","lastChangedDate":"03-17-2014 15:22:46"},
{"key":"food","answer":"LIKE","category":null,"createdDate":"03-17-2014 15:22:46","lastChangedDate":"03-17-2014 15:22:46"},
{"key":"auto","answer":"LIKE","category":null,"createdDate":"03-17-2014 15:22:46","lastChangedDate":"03-17-2014 15:22:46"},
{"key":"dating","answer":"DISLIKE","category":null,"createdDate":"03-17-2014 15:22:46","lastChangedDate":"03-17-2014 15:22:46"}],

"createdDate":"03-17-2014 15:22:46",
"changedDate":"03-17-2014 15:22:46"

Response Code:
If the response code received is 200, TRUSTe considers the PUSH successful. If the response code is not 200 the partner will be notified. 
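
An added example, not TRUSTe code, of the partner side of one push: it checks the access token, validates every field shown in the samples above, and answers 200 only when the whole file is acceptable. Assumptions: the token arrives as a bearer value in the Authorization header (header names lower-cased, as Node's http module delivers them), the preferences array sits under a "preferences" key, timestamps are UTC, and the three answer values in the sample are the full set.

```javascript
// Added example. Header name, "preferences" key, UTC and the closed answer
// set are assumptions; field names and the date format are from the samples.
const ANSWERS = new Set(["LIKE", "DISLIKE", "NEUTRAL"]);
const DATE_RE = /^(\d{2})-(\d{2})-(\d{4}) (\d{2}):(\d{2}):(\d{2})$/;

// Parse "MM-dd-yyyy HH:mm:ss" into epoch milliseconds; null if malformed.
function parsePushDate(s) {
  const m = typeof s === "string" ? DATE_RE.exec(s) : null;
  if (!m) return null;
  const [mo, d, y, h, mi, se] = m.slice(1).map(Number);
  if (h > 23 || mi > 59 || se > 59) return null;
  const back = new Date(Date.UTC(y, mo - 1, d, h, mi, se));
  // Date rolls 02-31 over into March; reject anything that moved.
  if (back.getUTCMonth() !== mo - 1 || back.getUTCDate() !== d) return null;
  return back.getTime();
}

// Compare every character so the response time does not reveal how much of
// the token matched. On Node, crypto.timingSafeEqual is the built-in for this.
function sameToken(presented, expected) {
  if (typeof presented !== "string" || !expected) return false;
  let diff = presented.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Shared check: both stamps parse, and the change is not before the creation.
function checkDates(rec, changedField, errs) {
  const created = parsePushDate(rec.createdDate);
  const changed = parsePushDate(rec[changedField]);
  if (created === null) errs.push("createdDate");
  if (changed === null) errs.push(changedField);
  if (created !== null && changed !== null && changed < created) errs.push("date order");
}

function validateOptOut(rec) {
  const errs = ["application", "adnetwork"].filter(
    (f) => typeof rec[f] !== "string" || !rec[f] || rec[f].length > 128);
  checkDates(rec, "changedDate", errs);
  return errs;
}

function validatePreference(p) {
  if (p === null || typeof p !== "object") return ["not an object"];
  const errs = [];
  if (typeof p.key !== "string" || !/^[\w-]{1,64}$/.test(p.key)) errs.push("key");
  if (!ANSWERS.has(p.answer)) errs.push("answer");
  if (p.category !== null && typeof p.category !== "string") errs.push("category");
  checkDates(p, "lastChangedDate", errs);
  return errs;
}

// Returns the status to send back. Only a fully validated file earns the 200
// that the sender counts as a successful push.
function handlePush(headers, rawBody, expectedToken) {
  const auth = String(headers["authorization"] || "");
  const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  if (!sameToken(token, expectedToken)) return { status: 401, errors: ["token"] };
  let doc = null;
  try { doc = JSON.parse(rawBody); } catch (e) { /* rejected just below */ }
  if (doc === null || typeof doc !== "object" || Array.isArray(doc)) {
    return { status: 400, errors: ["malformed body"] };
  }
  const prefs = Array.isArray(doc.preferences) ? doc.preferences : null;
  const errors = prefs
    ? prefs.flatMap((p, i) => validatePreference(p).map((e) => `preferences[${i}].${e}`))
    : validateOptOut(doc);
  if (prefs) checkDates(doc, "changedDate", errors);
  return { status: errors.length ? 422 : 200, errors };
}

// Constructed sample files modelled on the fields shown above.
const TOKEN = "example-token-not-a-real-credential";
const OPT_OUT = JSON.stringify({ application: "global application", adnetwork: "Adnet A",
  createdDate: "03-17-2014 15:11:23", changedDate: "03-17-2014 15:11:23" });
const PREFS = JSON.stringify({ createdDate: "03-17-2014 15:22:46",
  changedDate: "03-17-2014 15:22:46", preferences: [
    { key: "food", answer: "LIKE", category: null,
      createdDate: "03-17-2014 15:22:46", lastChangedDate: "03-17-2014 15:22:46" },
    { key: "dating", answer: "MAYBE", category: null,
      createdDate: "02-31-2014 15:22:46", lastChangedDate: "03-17-2014 15:22:46" }] });
```

Answering with a non-200 status for a file that fails validation makes the sender's notification path report the problem, instead of a bad record being silently accepted.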

Finally ….
From there, the partners can parse the data and integrate it in their systems. Voila !
Want to learn more about our APIs?  Contact your account manager. 



Self-Service Tag Generator

TRUSTe takes pride in providing high quality customer service through our dedicated account management team, while providing flexibility to our global clients through a self-service portal. Our self-service portal launched in 2011 to provide our clients the ability to pull their own reports, and later, the ability to generate their own TRUSTed Ad tags for AdChoices implementations.

TRUSTed Ads can be implemented in any ad serving system and can also be integrated with the platform through an API to make it seamless for your ad operations team. TRUSTe has integrations with major platforms including AppNexus to make experiences as easy as a checkbox. Having a self-service portal at hand allows clients to make changes on the fly whether it is to update the logo, privacy policy link, or verbiage of the in-ad interstitial.

For global clients, the feature to generate localized tags in EU languages is seen as a tremendous benefit. To enhance global language support, TRUSTe tags have dynamic browser language detection to ensure the appropriate translation displays depending on user browser settings. Without the self-service portal, clients can already easily move icons to various corners and modify the cid to report back on granular campaign data.

TRUSTe tags are battle-tested: they dynamically detect rich media expandables, flash creatives (w/ or w/o wmode), and SSL environments and respond accordingly. TRUSTe also has SmartTags to let you use ONE tag across all creatives. We proactively create SmartTags with major ad serving systems, including Doubleclick, Microsoft Atlas, MediaMind and many more, either through finding the ad size parameters in the ad tag OR simply digesting ad size macros in our tag. TRUSTe’s tag was built on the notions of flexibility and simplicity because TRUSTe knows trafficking is already a lot of work and a complementary privacy system should bake into existing processes.

Self-Service is not just a reality for our TRUSTed Ads products. Across all our services, we play a balance between being your personal privacy advocate as policy and regulations change globally and giving you control over technical compliance tools. TRUSTe knows that privacy management done well involves both pushing the envelope in new technology along with expert skilled services. TRUSTe is the leading global Data Privacy Management (DPM) company and powers trust in the data economy by enabling businesses to safely collect and use customer data across web, mobile, cloud and advertising channels.

Self-Service Tag Generator

Key Features:

– Customize Design and Verbiage of Interstitial
– Generate tags and choose among Regular Tags, DFA Smarttags, and Microsoft Smarttags
– Retrieve Existing Tags Individually or Export Batches to CSV
– Generate Tags in Various Languages

Self-Service Ad Choices Report

Key Features:

– Run Reporting on Impressions, Clicks, Opt-Outs
– Select Daily, Weekly, or Monthly Breakdown
– Select from various time zones including PST, PDT, EST, EDT, GMT
– Pivot Reporting by Various Parameters including Campaign and Creative Size 

Want to learn more about our self-service platforms?  Contact your account representative.


A rose by any other name. Part 1

Agile methodologies offer the benefits of a sustainable, lightweight, and predictable development culture, allowing the work to be refined by the ongoing, quick-turnaround execution format. The real outcome can be more predictable and, as a result, the stakeholders gain the flexibility and a dynamic understanding, based on what was built, of how to deliver the most value to markets that often act like moving targets. You can easily find many such definitions of Agile practices with a simple web search.

Yet in a broader sense, the culture of agility can help to evolve an organization that may keep the momentum of more traditional, sequential development styles. Often the focus of the development can be on over-documentation, redundancy in phases or stage gates. A valid question is, “Why does such momentum persist?” In contrast, often when Agile is alluded to, it can be confused or erroneously interchanged with notions of lack of documentation or with disorganization. Productivity can be questioned when the iterations fail to deliver the flexibility and predictability as promised. Instead, the cycles demonstrate less progress than ideal or the changes are more about fixing blemishes due to poor expectation setting in the beginning. In such cases, both practices have been poorly articulated and, more importantly, have not been considered in light of the organization’s culture and the changing nature of the market.

Especially when facing emerging market trends, product development is highly impacted by the unknown. Clarifying those unknowns can be extremely costly, which further aggravates the business projections. For example, the shift to mobile from existing “Internet of things” exponentially creates long-tail and countless issues, as is visible by all metrics. One only has to look at the tremendous explosion of mobile apps, ecosystems, and mobile devices evident in so many case studies. The need to handle, analyze, and make decisions based on so much growth means that development cycles of months are quickly becoming obsolete.

Communicating to the business stakeholders with manageable expectations in such a fluctuating climate requires that the product owner and developers have solid foundations. This can mean technology stacks influenced by dynamic development – tier abstraction, concurrent development, and reduced heavyweight technology dependencies. It can also mean product requirements established with clear state – tangible objectives, measurable results, and incremental ambition. There is no prescriptive formula or complete checklist to follow. In fact, this is at the heart of what Agile should truly strive for: to influence the “brain power” of the whole rather than that of one or two individuals.

At its heart, Agile is about self-organization, real ownership of problem solving, yet integration to a larger, perpetually improving team. Supporting a business’ success can only be done by product owner and developers building the credibility of delivering solutions together. The credibility must be rooted in the synergy of product design and a technology platform, and stack that can adjust and respond dynamically. Transforming can’t be magically master-planned but rather must be brought to life by coaxing each member of the organization to develop a self-governance culture. This matter requires its own investigation as each organization is uniquely formed by mixed individuals. How has TRUSTe been evangelising itself? Look for Part II for further discussion.


TRUSTe extends web tracking analytics ability

TRUSTe has recently extended its Website Monitoring capability by introducing process flow scanning. This web browser add-on (currently in beta) provides for customized site scanning and analytics by providing the ability to scan any part of a site in any sequence as often as needed. This allows for seamless site navigation and reporting into a central portal with all the rich analytics necessary for complete and accurate discovery of tracking on specific flows on a website.

How it works
Navigate to where you need to scan > start your scan > navigate the process > end your scan > view results in your account at instantly.

It is that simple.


Use cases
Some examples of customer specified use cases we have seen include:

1. Making purchases after logging into an account: What trackers drop when different products are purchased

2. Creating a specific persona for purpose of tracking analytics

3. Closing an account and taking the corresponding survey: what trackers drop? – is the survey really anonymous?

4. Shopping cart drop-off: marketing needs to verify what cookies drop when order is not completed?

5. Cookie consent testing: Testing what cookies drop when cookie preferences are set on the site for EU cookie directive compliance?

6. Reporting on tracking behind a VPN

These are just samples of the use cases TRUSTe can and has scanned into for customers. Every business will have a different use case that can be fulfilled using this technology.

 Problems doing this manually
Manual methods of looking for trackers, such as using a consumer tracker plug-in or tools like Firebug, are cumbersome, time consuming and don’t provide all the required information needed to make informed decisions about site tracking. For example, copying and pasting each line item from a tool like Firebug into a spreadsheet takes time, and then one would still need to identify which entity belongs to each domain, how that entity got to the website, what their privacy practices are, etc. – all this insight is not available from plug-ins and similar tools. Just ask the TRUSTe Ops team about this painful process – their experiences led to this new browser add-on being developed.

Trying to derive this type of data using consumer plug-ins simply does not give the enterprise control over the specific site processes they may need scanned and analyzed.  

This is not a consumer privacy tool. The technology was developed specifically for an enterprise to get a better understanding of the data flows across specific areas on its site. This technology is currently only available to TRUSTe Website Monitoring customers.

Comprehensive web tracking analytics
With this addition to our Website Monitoring  Service, TRUSTe now provides analytics across an entire site, or just a specified portion of that site.

But enough talk on tracking: did you know that our monitoring service has been extended to identify and report on personal information collection? Keep a look out for my next post on how TRUSTe website tracking technology has transcended being solely a tool for tracker detection and has evolved into a full-featured privacy management tool that detects all data collection (tracking as well as personal information), providing the insight needed to understand comprehensive data collection across web properties. Our privacy pros use it today as part of their privacy assessments and certifications. Our customers are able to do so too.


Do not Track Monitoring

January 1, 2014 is almost here. By that date in order to comply with the newly revised CalOPPA law companies must disclose in their privacy policies how they handle do not track (DNT) signals set in a user’s browser.

TRUSTe’s website monitoring service provides a wealth of website tracking analytics and has been extended to provide  Do Not Track site analytics.

For example, a sample DNT scan of a car rental website shows an overall reduction in third party tracking as compared to when DNT was not set – 32% fewer third parties resulting in a 38% reduction in third party cookies.

DNT Setting   Number of third parties   Number of cookies
DNT:1         43                        66
DNT:0         63                        106

Although there is not yet an industry standard for DNT, companies can still start evaluating how their third party vendors are responding to browser DNT signals.
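
An added example, not TRUSTe code, of the vendor-by-vendor comparison this evaluation comes down to: two scans of the same pages, one with DNT:0 and one with DNT:1, reduced to the percentages in the table above and to lists of which third parties changed behaviour. The scan format (a list of host and cookie-count entries) and the .example hosts are constructed for illustration.

```javascript
// Added example. The scan shape { host, cookies } is an assumption, not a
// TRUSTe report format; hosts are constructed placeholders.

// Percentage reduction, rounded to the nearest whole percent.
function reductionPct(withoutDnt, withDnt) {
  if (withoutDnt <= 0) return 0;
  return Math.round(((withoutDnt - withDnt) / withoutDnt) * 100);
}

// Index a scan by lower-cased host, summing cookies if a host repeats.
function cookiesByHost(scan) {
  const m = new Map();
  for (const { host, cookies } of scan) {
    const h = String(host).toLowerCase();
    m.set(h, (m.get(h) || 0) + cookies);
  }
  return m;
}

function compareScans(dnt0Scan, dnt1Scan) {
  const off = cookiesByHost(dnt0Scan);
  const on = cookiesByHost(dnt1Scan);
  const total = (m) => [...m.values()].reduce((a, b) => a + b, 0);
  const absentUnderDnt = [], fewerCookies = [], notReduced = [], onlyUnderDnt = [];
  for (const [host, n] of off) {
    if (!on.has(host)) absentUnderDnt.push(host);      // stopped loading entirely
    else if (on.get(host) < n) fewerCookies.push(host); // still present, sets fewer
    else notReduced.push(host);                         // candidates for follow-up
  }
  // Hosts seen only with DNT:1 usually mean scan-to-scan variance worth a re-run.
  for (const host of on.keys()) if (!off.has(host)) onlyUnderDnt.push(host);
  return {
    thirdPartyReductionPct: reductionPct(off.size, on.size),
    cookieReductionPct: reductionPct(total(off), total(on)),
    absentUnderDnt, fewerCookies, notReduced, onlyUnderDnt,
  };
}

// Constructed scans for illustration.
const SCAN_DNT0 = [
  { host: "ads.example", cookies: 4 },
  { host: "analytics.example", cookies: 3 },
  { host: "cdn.example", cookies: 1 },
  { host: "social.example", cookies: 2 },
];
const SCAN_DNT1 = [
  { host: "analytics.example", cookies: 1 },
  { host: "CDN.example", cookies: 1 },
  { host: "beacon.example", cookies: 1 },
];
```

The notReduced list is the one to take to vendors: those third parties set as many cookies with the signal as without it.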

