Understand Third-party Tracker Impact on Web Performance

Effectively managing website tracking technologies is fundamental to online channel marketing. In the increasingly complex and data-driven world of marketing and e-commerce, many organizations recognize that understanding and managing the digital environment is central to the business.

TRUSTe Website Monitoring Service is an in-depth web monitoring technology serving Publishers, Advertisers and Brands. It can identify all tracking activity, and clients use our Website Monitoring tracking reports to properly mitigate compliance risks and prevent revenue leakage. In addition, TRUSTe Website Monitoring collects valuable data that shows how trackers affect Web Performance. As companies add more 3rd party code for advertising, social media, or analytics purposes onto digital properties, it becomes more challenging to manage across departmental teams.


Every new tracker added to a site can introduce additional latency and degrade the customer experience. It is the end user visiting the website who bears the brunt of this overhead when they load pages containing third-party code. Research has shown that as little as 250 milliseconds of latency can negatively impact the user experience. This can result in less time spent on your site and ultimately a loss in revenue (Optimizely Blog). It’s critical to identify the unique trackers that are negatively impacting page load time and take measures to address them.

TRUSTe can first disclose all the tracking activity discovered on the digital properties via our in-house robust, proprietary crawler. The trackers are provided to our clients with additional important information to optimize page performance, such as reporting on how long the tracker took to load, where it was found, and how it got onto the page.


TRUSTe encourages our clients to monitor their websites not only to help mitigate privacy risks but also to protect their revenue. Contact us today if you’d like to learn more about who is tracking users on your site and how they may be impacting performance.


Helping Ad Tech Companies Uncover and Mitigate Privacy Risks

Now that GDPR has been finalized and Privacy Shield is in place, EU regulators are turning to review the e-Privacy Directive, including how companies are complying with the Cookie Directive (Section 5(3)c under the e-Privacy Directive). The Cookie Sweeps Round 2 conducted by the French Data Protection Authority, CNIL, is reviewing data companies in the ad technology, social media, and analytics industries. In about 18 months, May 2018, the EU General Data Protection Regulation [GDPR] will be in effect and require companies to have auditable documentation of data processing activities in place. Ad companies, who are the biggest and most complex data aggregators, users, and processors, need to figure out a scalable methodology to come into compliance.



Data is collected and shared among various players in the ads ecosystem. As tracking technologies evolve and get more sophisticated, ad companies need to understand what data is collected; where it is stored; who it is shared with; and how long it is retained. It’s key that ad companies have proper data inventory and mapping processes, and a technology solution to support a scalable privacy and data governance framework to meet upcoming regulatory obligations.

TRUSTe recently released Data Inventory 2.0, a solution that combines robust software technologies, privacy consulting expertise, and proven methodology to help data companies prepare to meet privacy regulations including the EU GDPR. TRUSTe is spearheading innovation by creating actionable data inventories and mapping of your data flows.

Contact us to learn more about how TRUSTe can assist you.


Custom Approval Workflows in Assessment Manager

As TRUSTe’s Assessment Manager continues to get broader adoption by privacy and compliance teams, we have seen that not all companies review assessments in the same way. There is no such thing as one size fits all when it comes to processes within the privacy teams.

For this reason, TRUSTe Assessment Manager has evolved to support different approval workflows. Our customers choose the one that most closely follows their process and are able to customize the workflow based on the assessment type.

I will describe each of the 3 main approval workflow options below.

Option 1: Simple Approval

This option allows the privacy reviewer(s) to approve the assessment at any time after all the questions have been answered. While the reviewer will be able to see and review all the issues that have been flagged on the assessment, she will be able to approve the assessment at any time. There is no system enforcement that the issues must be formally resolved prior to approval.

Option 2: Issue resolution required prior to Approval 

This workflow option requires all issues that have been flagged on the assessment to be resolved prior to approval. This is the most commonly used workflow. It requires the reviewer to formally resolve every issue and “accept” the assessment before she can perform the final approval.


Option 3: Ability to re-open completed assessments 

This option is an extension of option 2, and provides additional functionality for the privacy reviewer to reassign sections of the assessment back to users. E.g. if it becomes obvious that Tony Berman is not the subject matter expert on a particular topic, the reviewer can assign those sections to the person who is, even after the assessment had been submitted by the original respondent.


For more information on customizing your approval workflows, please consult the Assessment Manager User Guide or speak to your account representative.


Assessment Manager August 2016 Release: Advanced collaboration, reporting and assessment logic

As an existing TRUSTe Assessment Manager customer, you are already managing many different Privacy Assessments through the platform.

TRUSTe Assessment Manager is predominantly used by organizations to assess their products, systems, businesses, vendors and assets against privacy standards, regulations and policies in order to identify and mitigate privacy risks. The latest Assessment Manager release further improves the assessment process with enhanced communication, follow-up question flow logic, and review experience. In addition, the new advanced reporting and tagging features allow you to create any number of custom fields, for example, countries or divisions, tailored to match your organization’s business needs, as well as to tie assessments to specific organizational entities within your company and to use the new advanced project search for very complex search criteria.

The diagram below indicates how the newly added features fit into the overall Assessment Manager workflow.


Read on for a more detailed description of these new features.

1. Program Reporting Using Advanced Search

The new advanced search feature allows you to perform very complex and granular project searches based on multiple criteria. Click on “Advanced Search” on the “Projects” page to add as many search parameters as you need.


Example Use Case: Program Reporting

Say your privacy team has run 60+ Privacy Shield assessments across your organization to understand EU-US data transfers (as some of our customers have). As a CPO you need to be able to quickly slice and dice the information you need. Two main features in the Assessment Manager make this now easier than ever. You can now (1) tie assessments back to specific organizational entities within your enterprise, and (2) use the new advanced search feature to drill down into specific assessment criteria.

For example, if you need to identify all assessments for the Human Resources Department where Sensitive PI is transferred from the EU to the US, you can run and save that query for future use.

2. Template Customization Options

a. “Prologue” and “Epilogue”
With “Prologue” you can provide your respondents with instructions they may need in order to complete the assessment.


With “Epilogue” you can provide your respondents with additional information at the end of the assessment and have them attest to the accuracy of their answers.



b. Additional answer options

Two additional answer options are now available:

  • “All of the above” – allows users to indicate that all options are applicable without the need to select them individually. It can be particularly useful for questions with many answer choices.
  • “None of the above” – allows users to indicate that none of the options apply.

Compliance expressions can refer to these new answer options directly.

c. Advanced follow-up question flow logic


With the addition of cross-section follow-up question flow logic, users now have the ability to create follow-up questions based on the answers to questions from previous sections.

3. Real-time collaboration 

It is now possible to send a comment with a question to any user and non-user with an e-mail address. This is available for:

  • The comments section in the assessment survey
  • Comments on tasks
  • Comments in the assessment report
  • Comments in the project approvals.

The person will receive an email notification with your comment and will be able to reply to that email with their response. The response will be added as an additional comment for ease of review.

To send a comment to a particular person, put this person’s email address at the beginning of your comment, enclosed in “[~ ]”, for example, [~tberman@truste.com]. Thus, your comment might be: “[~tberman@truste.com] Tony, have you updated the privacy statement?”


4. Customized Organizational Group Tags

You can add any number of custom fields to your projects tailored to your organizational needs. The list of the available values for each of those fields can be configured separately through “Tag Groups” in the Admin area of your account. For example, you may create a Tag Group called “Brand” with different brand values. If you then associate this new Tag Group with a “Project” entity, your Projects will have an additional “Brand” field, where you will be able to select one or more of the brands from the drop-down list during project creation.


5. Additional Assessment Participants

You now have the ability to add additional participants to the project. Project Participants are able to access the project report to track the progress of the assessment. Typically they are stakeholders who have an interest in the assessment outcome.


For more information on any of these new features, please refer to the TRUSTe Assessment Manager user guide available from your account.



GDPR Consent Requirements

Your Tactical Guide to Compliance with GDPR Consent Requirements

GDPR is bringing a long-awaited standard regulatory approach to user data privacy and control in the EU. Global companies are paying close attention since the GDPR applies to any company collecting data on residents in the EU regardless of where the company is located. With the current initiative of the e-Privacy Directive Working Group, the privacy industry is analyzing how these heightened requirements will play out and complement the existing user data privacy and control regulations which broaden scope and address data collection points outside of digital tracking technologies.

GDPR codifies an increased level of protection and control for the user by expanding the consumers’ rights:

  • Consumers may access their data (Article 15[1]).
  • Consumers may request information on where and when their data is processed (Article 15).
  • Consumers may request a digital copy of their data and transfer that data to another data controller in a relatively seamless manner (Article 18[2]).
  • Consumers may request erasure of their data and receive confirmation of the erasure (Article 16[3] & 17[4]).
  • In addition, the data subjects’ consent must be freely-given, specific and informed…either by a statement or by a clear affirmative action, signifying agreement to processing their personal data (Article 7[5]).
    • “Personal data” is defined as “any information relating to an identified or identifiable natural person.” Under GDPR, “personal data” profiling is further expanded, for example, to biometric data and other unique persistent identifiers that were ambiguous before, such as IDFA and GAID (Article 4[6]).

Although the deadline of May 28th, 2018 feels far away, the schedule to come into compliance with the new GDPR consent requirements is tight. See the guided timeline below.


  1. Scope Definition: A company must first determine scope of the internal consent initiative in order to make strategic resource calculations.
  2. In-House Build or Vendor Selection: A company then makes a business decision on whether to build the consent solution in-house or select a consent vendor. Selecting the right consent vendor could take some time depending on internal organization procurement procedures.
  3. Scope Definition continues: The company kicks off the project by identifying data collection points and analyzing where the consent integrations have to be completed. TRUSTe has a Data Discovery system with PII/SPII detection technology for digital properties to help companies automate this process.
  4. Project Design: Often, consumer-facing touch points involve legal, marketing, and engineering stakeholder approvals.
  5. Project Implementation: Once scope and design deliverables are approved, the engineering team needs to bake the consent integration into internal sprint release cycles.

TRUSTe is evaluating the GDPR consent requirements in order to evolve our existing consent solutions and help companies achieve compliance by the May 28th, 2018 deadline. Working with TRUSTe provides all our resources and guidance within a hand’s reach:

  • A software technology that helps companies come into compliance with the notice, consent, and audit requirements of GDPR.
  • A software technology that works on desktop and mobile devices. Not only is TRUSTe’s consent notice mobile-optimized, TRUSTe’s solution is tracking technology agnostic and can save consent with IDs and/or emails.
  • A dedicated Technical Account Management team to facilitate implementation and provide post support maintenance.
  • A customer-facing portal to manage user consent choices at any point in the data collection and sharing process.
  • A client-facing portal to analyze consent metrics and maintain a database of informed consent for regulatory audits. The data can be exported and manipulated for custom reporting metrics.

Contact TRUSTe to learn more and participate in our GDPR Consent Program.

[1] http://www.privacy-regulation.eu/en/15.htm
[2] http://www.privacy-regulation.eu/en/18.htm
[3] http://www.privacy-regulation.eu/en/16.htm
[4] http://www.privacy-regulation.eu/en/17.htm
[5] http://www.privacy-regulation.eu/en/7.htm
[6] http://www.privacy-regulation.eu/en/4.htm


Advanced Assessment search and Reporting – TRUSTe Assessment Manager

Assessment Manager allows organizations to run more assessments across their organization than ever before. The challenge you now face as a privacy professional is knowing what assessment information you have and being able to query it for your internal and external reporting needs. For example, you may suddenly have a need to identify all assessments touching China that collect health information. How do you get to that information?

With the latest release of Assessment Manager, you now have the ability to query your entire assessment database. This is achieved by leveraging a combination of one or more of the following features: filters, labels and search strings. For the first time, no assessment information is beyond your reach.

Using Filters
Projects contain metadata, e.g. organization divisions, business units, countries, etc. Assessments can be filtered by one or more of these fields. Assessments may also be labelled, either automatically (based on question answers) or manually by a user. These labels can be added to a filter.

For example, if you wanted to filter all your assessments for only those in China for your business Administration Division where credit card information is being collected, you can filter by those parameters.



Using Search

Users can use the advanced search query to build out queries to meet their criteria. Search allows you to query your assessments for any assessment content. It is possible to search for particular question and answer combinations. All metadata and questions and answers are searchable and the search interface allows users to build out as many search parameters as needed.

Searches can be saved and re-used at any time simply by clicking on the saved search.


In addition, users are able to write and run Lucene searches from the search box. For example, to find all assessments using third-party vendors, a user would search as follows:

join% question:"vendor" AND answer:"yes"

If you also wanted to know which vendors have not agreed to your model contractual clauses, you could add that to the query too by adding:

join% question:"model clauses" AND Answer:"No"

Your full query would be as follows:

join% question:"vendor" AND answer:"yes" join% question:"model clauses" AND Answer:"No"

Combining Filters and Search

If you wanted to know this for a particular country or division specifically, you can add the appropriate filter to your search.

Finally, you can save your query in your account to run at any time.


Having this level of information available at one’s fingertips addresses the challenge currently faced by most privacy professionals: that they cannot easily access all the information they have collected through their assessment process, for internal and external reporting purposes.


TRUSTe in Atlas Solutions (by Facebook) System and Partner Directory

TRUSTe Ads Compliance Manager has long been compatible with major ad serving systems in the industry. To make the deployment experience more seamless for our clients, we’ve continued to push for deeper integrations with our valued partners.

Recently, Atlas by Facebook launched a Partner Directory listing TRUSTe under “Verification & Privacy” solutions. TRUSTe is excited to be a part of this list and considered a valued partner of Atlas by Facebook.

If any campaigns are trafficked in the Atlas platform, TRUSTe Ads Compliance customers simply enter three parameters (pid, aid, and cid) as shown below to activate the back-end integration TRUSTe has with Atlas. This template allows customers to pull in the TRUSTe tag and append the OBA icon onto campaign creatives in an easy way.


TRUSTe customers can enter macros in the parameters. For example, an ad operations manager can enter campaign macros in the cid param in order to receive granular reporting by campaign. This feature helps our clients verify that all campaigns have the OBA icon appended properly.

If you are an ad server and interested in a deeper integration with TRUSTe, please email hhuange@truste.com. Thank you.


TRUSTe Preference Manager

By Jannette Cabardo

Online Behavioral Advertising is an online activity wherein ad companies collect behavioral data so advertisements can be tailored to consumer preferences. Technologies such as beacons, cookies and tracking pixels are used for such activities.

Most companies that are engaged in OBA have opt-out mechanisms where users can say no to the collection of personal information. Opting out from these ad-related activities will stop the online collection of an individual’s behavioral data, and thus no tailored advertisements will be delivered. As a solution, TRUSTe offers Ads Compliance Manager, where users can opt out from known ad companies.

How does this work? TRUSTe has a core data team that maintains data validity and makes sure the opt-out mechanism for each company is up-to-date. This evaluation is done on a regular basis.

When looking into the opt-out mechanism of each company, the data team tries to see if there is an API that can be used so TRUSTe can integrate. The team commonly looks for a GET or POST method URL.


In the case TRUSTe isn’t able to integrate due to the absence of an API or is in process of integrating the custom opt-out mechanism available, TRUSTe provides a link to the privacy policy or to the landing page where the opt-out mechanism is found. In these cases, TRUSTe will contact the ad companies and work with them in order to integrate an opt-out mechanism.


Why do some opt-outs fail? There are several instances when a call to a company’s API fails. When this happens, a link to the privacy policy or opt-out landing page is still available so users can continue to opt out.

The server on the ad company side does not respond to the request. When TRUSTe does not get any response from the ad company’s server during the specified time threshold, an error message will be returned. Sometimes the server responds when opting out the second time, so we encourage users to try again.

Internet connectivity is slow, so the opt-out process cannot be completed and the error message will be displayed.

TRUSTe is currently committed to specific versions in the following browsers: Firefox, Chrome, Opera, Safari and IE. There are opt-outs that do not work on specific browsers. When a certain opt-out does not work on a supported browser, TRUSTe redirects the users to the privacy policy page or the landing page. As part of the periodic maintenance, our data team reaches out to these specific vendors.
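The failure handling described above (a response-time threshold, a second attempt, and a fallback link to the vendor's privacy policy or opt-out page) can be sketched as follows. This is an added example, not TRUSTe's code; the vendor record fields, the example URLs and the injected send() transport are hypothetical.

```javascript
// Added example. Vendor records and the send() transport are constructed;
// send(vendor) stands in for a GET or POST to the vendor's opt-out URL and
// must return a Promise that resolves to true when the opt-out was accepted.

// Constructed sample vendors: one with an API integration, one without.
const SAMPLE_VENDORS = [
  { name: "ad-co", optOutUrl: "https://adco.example/optout",
    fallbackUrl: "https://adco.example/privacy" },
  { name: "pixel-inc", optOutUrl: null,
    fallbackUrl: "https://pixelinc.example/opt-out-page" },
];

// Race a request against a timer so a silent server cannot hang the opt-out.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

async function optOut(vendor, send, { timeoutMs = 3000, attempts = 2 } = {}) {
  // No API integration: hand the user the vendor's own opt-out page.
  if (!vendor.optOutUrl) {
    return { vendor: vendor.name, status: "manual",
             link: vendor.fallbackUrl, tries: 0 };
  }
  let lastError = "unknown";
  for (let i = 1; i <= attempts; i++) {
    try {
      const ok = await withTimeout(send(vendor), timeoutMs);
      if (ok) {
        return { vendor: vendor.name, status: "opted_out", link: null, tries: i };
      }
      lastError = "rejected"; // server answered but did not confirm
    } catch (err) {
      lastError = err.message; // "timeout" or a transport error
    }
  }
  // Every attempt failed: report the error and keep the fallback link usable.
  return { vendor: vendor.name, status: "failed", error: lastError,
           link: vendor.fallbackUrl, tries: attempts };
}
```

The caller should treat only "opted_out" as a completed opt-out; "manual" and "failed" both require the user to follow the returned link.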

If you have any feedback regarding this solution or would like to integrate with TRUSTe, please email jannette.cabardo@truste.com.


Privacy Risk Assessment for Mobile Applications

Mobile application privacy management is now more important than ever—at least half of Fortune 500 companies have internal mobile applications. But managing mobile application privacy risk goes beyond the applications on your employees’ devices. As companies’ presence, products, and services increasingly shift into the mobile space, mobile privacy is drawing increasing attention—both internally and from the Federal Trade Commission. In particular, the healthcare industry had the highest privacy payout in 2014, and the FTC and FDA’s additional scrutiny into wellness and health services should increase management’s focus on improving mobile application development tools and processes.

Product managers in different business units in different companies often develop mobile applications within a single global organization. Adding to this complexity, companies often leverage outsourced mobile developers, putting mobile applications still another step away from the oversight of the privacy officer.

According to Forrester Mobile Study 2015, “Companies had no idea they were gathering the data because they used third-party advertising libraries that were capturing the data without the original developers having any knowledge of the activity.” If developers are not aware of third parties and their activities, privacy officers are left in the dark on transparency and data minimization. The privacy and enforcement risks are real—the FTC fined the Path social networking service $800,000 for collecting users’ data without their consent.

Insecure transmission of data also poses a risk to both users’ privacy and corporate reputations. The FTC has ordered that Fandango and Credit Karma undergo security assessments every other year for the next 20 years because of their insecure transmission of data. To prevent possible public backlash in the event of a user-perceived privacy violation, the privacy officer should also review other mobile application designs and implementations. For example, privacy officers should analyze whether an application contains an overly broad set of requested permissions, which may indicate high privacy risk or be considered suspicious activity.

To manage data privacy risk, privacy officers must have a handle on the data that’s collected, the security of data transfer, and all third parties accessing the mobile application across all their companies’ mobile applications. Privacy officers can leverage in-house technology or hire a vendor to provide the information, which the privacy officer can map against in-house guidelines and regulations to determine if there is a privacy risk. Depending on how many applications a company has and how often the company updates the mobile application, this could drain a lot of resources. To efficiently manage privacy risk of mobile applications across the company, a privacy officer needs:

  1. Condensed, relevant and actionable data to assess privacy risk. The report should either be a standalone privacy report or a comprehensive separate section within a security report.
  2. An automated or partially automated tool to generate the information.
  3. Sufficient resources internally or outsourced to analyze the findings and flag any privacy risks.

TRUSTe Mobile App Assessments

The time is right to streamline the discovery of any privacy risks within your company’s mobile applications. TRUSTe mobile assessments help you analyze applications by gathering information within network traffic, system API calls, log activities, and application source code to find the data flows, security safeguards, and third-party data access within the application. These comprehensive scanning tools produce an accurate, detailed, and actionable mobile risk assessment report.

TRUSTe Standard Mobile Assessments provide the privacy officer with all the information necessary to analyze the privacy risk of a mobile application. The discovery report lists:

  • Third-party domains, frameworks, and SDKs attached with company metadata and the Privacy Sensitivity Score from the proprietary TRUSTe Vendor Database
  • The data collected
  • Which third party is collecting data and/or what data the third party is collecting
  • What data is stored on the device
  • Any insecure transmissions (those that are unencrypted or that use misconfigured encryption)
  • The permissions an app is requesting

With this information, a privacy officer can easily analyze whether internal enterprise or consumer applications are following regulatory or internal guidelines and whether application behavior is consistent with the app’s purpose.

In addition, TRUSTe offers a mobile assessment premium service that provides manual technical analysis to generate an even more detailed report. This identifies any areas in the mobile application that pose privacy risks and provides intelligent remediation recommendations. TRUSTe can also compare the mobile app findings against applicable regulations to highlight any noncompliance risks.

To help privacy officers manage mobile application data privacy globally, TRUSTe is expanding its mobile offerings to include privacy risk scanning and assessment solutions. To learn more about these new TRUSTe scanning offerings, contact hhuang@truste.com.



Cookie Consent and Its Relationship with Tag Management Systems (TMS)

TRUSTe’s Cookie Consent solution has been helping global companies comply with the EU Cookie Directive and continues to evolve into the most robust platform that is completed by TRUSTe’s privacy brand.

TRUSTe’s Cookie Consent integrates with leading Tag Management Systems (TMS) in order to help companies comply with the “zero-cookie” load requirement, specifically under CNIL’s laws. The “zero-cookie” requirement means that no trackers, outside of the exceptions, are dropped until the user has consented. TRUSTe has a preferred partnership with Signal and has already developed an integration with Google TMS. (You may have also seen us in Tealium’s portal.)

TRUSTe has a Cookie Consent API that provides Tag Management Systems the ability to digest the user-level of consent in order to respect the user’s preferences.

The newest addition to TRUSTe’s TMS system family is Adobe DTM (Dynamic Tag Manager). TRUSTe has been working closely with the Adobe DTM team to ensure clients that use Adobe DTM are able to seamlessly leverage TRUSTe Cookie Consent in their system.

The Cookie Consent integrates with Adobe DTM in a three-step process:

  1. The first step is to add the Cookie Consent script, like you would any other Third Party Tag in DTM.
  2. The second step is to apply a special Tag which will reload the page when a user has changed their preference, thereby loading any newly allowed Tags/Rules.
  3. The third step is applying a Condition to any Rule you wish covered by the Cookie Consent.
    1. Adobe DTM is able to leverage the Cookie Name and Cookie Value to communicate the user-level consent back to the TMS for compliance.
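The condition in step 3 and the reload trigger in step 2 can be illustrated with a small consent gate. This is an added example, not TRUSTe's or Adobe DTM's code; the cookie name consent_level, its values, and the tag categories are hypothetical placeholders for the Cookie Name and Cookie Value the integration uses.

```javascript
// Added example: consent-gated tag loading for a "zero-cookie" first page view.
// The cookie name and its values are hypothetical placeholders.
const CONSENT_COOKIE = "consent_level";

// Ordered consent levels: a tag may fire only when the user's level is at
// least the level its category requires.
const LEVELS = new Map([
  ["required", 0],
  ["functional", 1],
  ["advertising", 2],
]);

// Constructed sample rules, as a tag manager might hold them.
const SAMPLE_TAGS = [
  { name: "session", category: "required" },
  { name: "chat-widget", category: "functional" },
  { name: "ad-pixel", category: "advertising" },
  { name: "mystery-tag", category: "unclassified" },
];

// Parse a document.cookie / Cookie header string into a Map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of String(cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (!name || jar.has(name)) continue; // first occurrence wins
    const raw = part.slice(idx + 1).trim();
    let value = raw;
    try {
      value = decodeURIComponent(raw);
    } catch (_) {
      // malformed percent-encoding: keep the raw value
    }
    jar.set(name, value);
  }
  return jar;
}

// Fail closed: a missing, malformed or unknown value grants "required" only.
function consentLevel(cookieString) {
  const value = parseCookies(cookieString).get(CONSENT_COOKIE);
  return LEVELS.has(value) ? LEVELS.get(value) : LEVELS.get("required");
}

// Step 3: the condition applied to each rule. Tags whose category is not
// classified never fire, whatever the consent level.
function allowedTags(tags, cookieString) {
  const level = consentLevel(cookieString);
  return tags
    .filter((t) => LEVELS.has(t.category) && LEVELS.get(t.category) <= level)
    .map((t) => t.name);
}

// Step 2: reload only when the effective consent level actually changed.
function needsReload(previousCookies, currentCookies) {
  return consentLevel(previousCookies) !== consentLevel(currentCookies);
}
```

The fail-closed default is what satisfies the zero-cookie requirement: a first-time visitor with no consent cookie gets only the exempt tags.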

TRUSTe has a flexible Cookie Consent API that is ready to integrate with any TMS system to enable an easy tag integration. If you have a TMS partner you would like to integrate with TRUSTe Cookie Consent, please email us for next steps! CNIL just did a cookie sweep. If you’re not yet prepared for the next one, please email us now at hhuang@truste.com.
