TRUSTe Privacy Program Requirements

• Notice of how personal data is collected and used
• Choice/Consent regarding uses of data,
• Access by individuals to their personal information so that it can be reviewed and corrected
• Security to protect against unauthorized access, destruction, use, or disclosure of the data
• Redress/Enforcement to ensure compliance

TRUSTe Program Requirements

Web Privacy Seal Requirements

• A consent mechanism for any use or sharing of personally identifiable information (PII) for a third party’s marketing/promotional activities.
• An unsubscribe function in marketing/promotional emails and newsletters
• A mechanism for users to correct and/or update stored PII or request to have it updated by the TRUSTe Sealholder

• Secured Socket Layers (SSLs) or other comparable technology that encrypts pages that collect sensitive information such as a credit card number or social security number
• The Web site and other sites linked to from the Web site must be free of Malware

• Requires Sealholders to report key changes to the privacy statement, how collected personal information is used, and data management practices
• Regular ongoing checks for changes to the site and privacy statement as they relate to the program  requirements
• Review by a CIPP-certified Client Services Manager  to ensure program standards are met and maintained

• Have procedures in place for receiving and handling privacy related complaints
• Show information on how to contact TRUSTe’s Watchdog for third-party dispute resolution
• Participate in resolving complaints filed through TRUSTe’s Watchdog Dispute Resolution program, including making changes to processes and privacy practices to prevent future complaints

• What type of PII is collected and how it will be used
• The identity of the party collecting the PII
• Whether the PII is shared with third parties
• The use of any user-tracking technology
• Whether the PII is supplemented with information from other sources
• Consent options available to users and how to exercise them
• How consumers can access PII they have provided to correct and update it
• That there are security measures in place
• How users will be notified of any material changes in the Sealholder’s privacy practice
• Accurate contact information for the Sealholder including both email and physical mailing addresses where users can submit a privacy-related complaint

• Represent the Sealholder’s privacy practices clearly and accurately
• Be visible to maintain online trust among consumers accessible from the home page and every page collecting PII
• Display the TRUSTe “Click to Verify” seal and link to a TRUSTe hosted validation page so users can verify that the site holds a valid TRUSTe seal

• Undergo regular compliance monitoring by TRUSTe
• Participate in TRUSTe’s Watchdog Dispute Resolution process, including cooperating with investigations regarding non-frivolous complaints
• Get annual TRUSTe recertification to maintain online trust among consumers

EU Safe Harbor Seal Requirements

• User capability to request the correction or deletion of inaccuracies in their collected PII
• A response from the Sealholder within 30 days that
          * confirms that the PII has been updated or deleted;
          * contains a timeline by which the user request will be fulfilled; or
          * offers a reason why the request cannot be fulfilled

Email Privacy Seal Requirements

• Consent for receiving any commercial or promotional email
• An affirmative opt-in function for sharing of personally identifiable information (PII) with outside parties
• Access management permitting users to update stored email address or have it changed by the Sealholder

• The nature of email messages to be sent
• If receiving commercial or promotional email is a condition of receiving a service
• Any sharing of email addresses with third parties other than service providers

• Verify that the site is a valid TRUSTe Sealholder
• Get information on how to contact TRUSTe’s Watchdog for third-party dispute resolution

• Clear, conspicuous, and easily understood
• Easy to use – typically clicking on an unsubscribe link
• Effective within 10 days and non-expiring
• Flexible in processing requests via alternate media (telephone, email or mail)

• To reliably process bounces and other replies (bounces may not exceed 10% of all messages sent)
• Outbound email servers must have valid reverse-DNS entries
• Creation and maintenance of standard role email accounts including abuse and postmaster
• Must register with abuse.net and maintain accurate Whois database information
• Due diligence to ensure that clear and conspicuous notice was provided, and relevant consent obtained, if email addresses were obtained from a third party

Children’s Privacy Seal Requirements

• Verifiable parental consent for collection, use, or sharing of children's personal information
• Parental capability to review, correct, update, and have deleted their children’s personal information collected online at any time
• Parental right to refuse further collection and use of the child’s collected personal information

• Using games, prizes, or other enticements to encourage children to divulge more personal information than is reasonably necessary for an online activity
• Allowing children to publicly distribute personal information in the Web site through avenues such as message boards or chat rooms without verifiable parental consent
• Conditioning access to the site on a child's providing more personal information than is reasonably necessary

• A procedure for exercising parental consent, choice and access to children's personal information
• Disclosure of the names, addresses, telephone numbers and email addresses of all parties collecting or maintaining children's personal information on the site
• Disclosure of any sharing of children's personal information with third parties, including with whom and why

Trusted Download Progam Requirements

1. Take control of a user's computer deceptively
2. Modify a user computer’s security or other settings that protect user information in order to cause damage or harm to either the computer or the user
3. Collect user personally identifiable information through the use of a keystroke-logging function without consent of the computer’s owner.
4. Induce the user to provide their personally identifiable information to another person by intentionally misrepresenting the identity of the person seeking the information. This includes inducing the disclosure by means of a Web page or software unit that is substantially similar to a Web page or software unit established or provided by another person.
5. Induce the user to install the software onto the computer and prevent reasonable efforts to block the installation or disabling of the software.
6. Falsely state that installing the software or providing log-in and password information is necessary for security or privacy reasons unrelated to the software itself, or that installing the software is necessary to open, view or play a particular type of content online or offline (e.g., cannot falsely state software is necessary for accessing Web site).
7. Induce the user to install, download or execute software by misrepresenting the identity or authority of the person or entity providing the software to the user. This includes but is not limited to using domains with misspelling of frequently visited Web sites (i.e. 404 squatting).
8. Remove, disable or render inoperative by deceptive means a security, anti-spyware or anti-virus technology installed on a user’s computer without obtaining prior consent from the user.
9. Install or execute the software on the computer with the intent of causing a person to use the software in a way that violates any other provision of this section.
10. Allow any of their TRUSTe-certified software to be bundled with the software unit used in any of the prohibited activities listed in this section.