- "Company(ies)" is the entity classified as a third party data collector which collects data through Domains it does not own.
- "Domain(s)" is a subdivision of the internet by which a specific web property or computer can be identified.
- "Individual" means the discrete person to whom the collected information pertains.
- "First Party" is the entity that owns and controls the Domain.
- "Personally Identifiable Information [PII]" means any information or combination of information that can be used to identify, contact, or locate a discrete Individual. PII does not include Pseudonymous Information.
- "Pseudonymous Information" means information that may correspond to a person, account, or profile but is not sufficient, either on its own, or through combination with other easily accessible public information, to contact or locate the Individual to whom such information pertains. Examples include but are not limited to a user’s IP address, machine ID other than MAC address and persistent mobile device identifiers such as IMEI, and the web pages a user views.
- "Third Party" is an entity(ies) other than the First Party or the Individual which is not directly affiliated with the First Party; and, if affiliated with the First Party, where such affiliation is not reasonably known to the Individual.
There are different types of Third Party Data Collectors, not all of which collect data for the purposes of targeting. The focus of these principles is on Third Party Data Collectors such as Advertisers, Ad Exchanges, Ad Networks, Ad Platforms, Data Aggregators/Exchanges, Market Research companies, and the like. TRUSTe recognizes that not all Third Party Data Collectors collect data for the purposes of targeting; some instead provide a fundamental service for the functioning of websites. These types of Third Party Data Collectors include Publishers, Service Providers, Web Analytics Providers, and Widget Providers. These Principles do not apply to these types of Third Party Data Collectors, which will simply be placed on the IGNORE List. However, Companies that provide these types of services and also provide ad-based targeting services will need to comply with these Principles.
Below are the core principles of this program, which provide the foundation for developing the detailed requirements Companies will need to comply with in order to be certified and added to TRUSTe's Tracking Protection ALLOW List.
ALLOW List Criteria:
Notice and Choice
- The Company, when collecting data on Third Party Domains, may not:
  - Collect any PII as part of its data collection on Third Party Domains; or
  - Link its collected behavioral data to any data that can personally identify a discrete Individual unless Choice has been first provided to the Individual.
- What the Company's data collection practices are (e.g. what type of data is being collected, how used);
- Whether the Company uses targeting techniques for collecting and using information about an Individual's behavior and Web usage activity, and all the uses of the collected data including whether that data is used for targeted advertising;
- Whether the collected data is shared with Third Parties and what types of Third Parties the data is shared with;
- How Individuals can opt out of such use and obtain access to the opt-out mechanism; and
- How long collected data is retained.
- The Company must utilize the DAA approved notice and choice framework: http://www.aboutads.info/.
- The Company must provide a clear, conspicuous, and easy-to-use opt-out mechanism for cookies and all other technologies it employs on Domains where it collects data.
- The mechanism should be a one-click-one-step process.
- The Individual shall not be required to provide PII or any other information to use the opt-out mechanism.
- The opt-out mechanism must be tested regularly to ensure it is operating properly.
- The Company must limit its retention of the data to no longer than is commercially useful to carry out its business purpose, or legally required.
- The Company must have a plan in place for accepting DNT headers from Firefox and other browsers using similar technologies.
Criteria for Adding a Third Party Data Collector to the TRUSTe Tracking Protection BLOCK List
The Company will be added to TRUSTe’s Tracker Protection BLOCK List if any one of the following criteria is met:
- The Company does not offer an opt-out mechanism whereby consumers can opt out of having collected data used for targeting purposes;
- The Company has not utilized a DAA approved notice and choice solution and has not sufficiently demonstrated that it has implemented a solution or has no third party industry oversight mechanism such as TRUSTe 3rd Party Data Collection or other similar program; or
- The Company is linking collected data to PII without first providing the Individual notice and obtaining the Individual’s express consent.