TRUSTe Privacy Program Requirements
TRUSTe’s program requirements are based upon the Federal Trade Commission’s Fair Information Principles:
- Notice of how personal data is collected and used
- Choice/Consent regarding uses of the data
- Access by individuals to their personal information so that it can be reviewed and corrected
- Security to protect the data against unauthorized access, destruction, use, or disclosure
- Redress/Enforcement to ensure compliance
Web Privacy Seal Requirements
Read the full Web Privacy Seal Requirements here.
ALL certified TRUSTe sites must provide:
User controls that include
- A consent mechanism for any use or sharing of personally identifiable information (PII) for a third party's marketing/promotional activities
- An unsubscribe function in marketing/promotional emails and newsletters
- A mechanism for users to correct and/or update stored PII, or to request that the TRUSTe Sealholder update it
Web site security
- Secure Sockets Layer (SSL), or comparable technology such as its successor TLS, encrypting every page that collects sensitive information such as a credit card number or Social Security number
- The Web site, and the sites it links to, must be free of malware
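The encryption bullet above is the one technical requirement in this list that is easy to get subtly wrong: a form can sit on an HTTPS page yet post to a plain-HTTP action, or sit on a plain-HTTP page and post to HTTPS (in which case the page itself can be rewritten in transit before the user types a card number). The following is an added example, not TRUSTe's or any Sealholder's code: an offline audit that parses a page's forms, flags fields whose names suggest card or SSN data, and reports any such form that is not protected end to end. The field-name patterns and the sample pages are constructed assumptions.

```python
"""Audit HTML forms that collect sensitive data and check they are submitted over TLS.

Added example for this page, not TRUSTe tooling. The sensitive-field name
patterns and the sample pages below are constructed assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed patterns for input names carrying card or SSN data; tune for your site.
SENSITIVE_NAME = re.compile(r"(card|ccnum|cc_num|cvv|cvc|ssn|social)", re.I)


class FormCollector(HTMLParser):
    """Collect each <form>'s action plus the names and types of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "inputs": [(name, type)]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag in ("input", "select", "textarea") and self._current is not None:
            self._current["inputs"].append((a.get("name") or "", (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_sensitive_forms(page_url, html):
    """Return findings for forms that collect sensitive fields without end-to-end TLS.

    Each finding is {"action": resolved URL, "fields": [...], "problems": [...]}.
    An empty list means the page passes this check.
    """
    parser = FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        sensitive = [name for name, _ in form["inputs"] if SENSITIVE_NAME.search(name)]
        if not sensitive:
            continue
        # An empty or relative action resolves against the page URL itself.
        target = urljoin(page_url, form["action"]) if form["action"] else page_url
        target_scheme = urlsplit(target).scheme.lower()
        problems = []
        if target_scheme != "https":
            problems.append("form submits over %s" % target_scheme)
        if page_scheme != "https":
            # An https action is not enough: a page delivered over plain HTTP can
            # have its form rewritten in transit before the user types anything.
            problems.append("page itself served over %s" % page_scheme)
        if problems:
            findings.append({"action": target, "fields": sensitive, "problems": problems})
    return findings


# Constructed sample pages (not from any real site).
PAGE_OK = """<html><body>
<form action="/checkout/submit" method="post">
  <input name="card_number"><input name="cvv"><input name="exp">
</form></body></html>"""
PAGE_HTTP_ACTION = """<form action="http://pay.example.com/submit" method="post">
  <input name="ssn"></form>"""
PAGE_NEWSLETTER = """<form action="/subscribe"><input name="email"></form>"""

if __name__ == "__main__":
    for url, page in [("https://shop.example.com/checkout", PAGE_OK),
                      ("https://shop.example.com/checkout", PAGE_HTTP_ACTION),
                      ("http://shop.example.com/checkout", PAGE_OK),
                      ("https://shop.example.com/", PAGE_NEWSLETTER)]:
        print(url, audit_sensitive_forms(url, page))
```

Run it against the HTML of each page that collects card or SSN data; a checker like this belongs in the same pre-release pipeline as a malware scan, since a single form with an `http://` action defeats the encryption the seal promises.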
Ongoing compliance monitoring verifying adherence to program requirements
- Requires Sealholders to report key changes to the privacy statement, to how collected personal information is used, and to data management practices
- Regular ongoing checks for changes to the site and privacy statement as they relate to the program requirements
- Review by a CIPP-certified Client Services Manager to ensure program standards are met and maintained
The Watchdog Dispute Resolution Process, which requires TRUSTe Sealholders to:
- Have procedures in place for receiving and handling privacy-related complaints
- Show information on how to contact TRUSTe's Watchdog for third-party dispute resolution
- Participate in resolving complaints filed through TRUSTe's Watchdog Dispute Resolution program, including making changes to processes and privacy practices to prevent future complaints
A privacy statement that discloses
- What type of PII is collected and how it will be used
- The identity of the party collecting the PII
- Whether the PII is shared with third parties
- The use of any user-tracking technology
- Whether the PII is supplemented with information from other sources
- Consent options available to users and how to exercise them
- How consumers can access PII they have provided in order to correct and update it
- That there are security measures in place
- How users will be notified of any material changes in the Sealholder's privacy practices
- Accurate contact information for the Sealholder, including both an email address and a physical mailing address where users can submit a privacy-related complaint
The privacy statement must also
- Represent the Sealholder's privacy practices clearly and accurately
- Be easily visible, accessible from the home page and from every page that collects PII
- Display the TRUSTe "Click to Verify" seal and link to a TRUSTe-hosted validation page so users can verify that the site holds a valid TRUSTe seal
Once certified, TRUSTe Sealholders are required to
- Undergo regular compliance monitoring by TRUSTe
- Participate in TRUSTe's Watchdog Dispute Resolution process, including cooperating with investigations of non-frivolous complaints
- Obtain annual TRUSTe recertification
EU Safe Harbor Seal Requirements
Read the full EU Safe Harbor Privacy Seal Requirements here.
ALL TRUSTe EU Safe Harbor-certified sites must comply with TRUSTe’s Web Privacy Seal program requirements plus provide the following:
- User capability to request the correction or deletion of inaccuracies in their collected PII
- A response from the Sealholder within 30 days that
  - confirms that the PII has been updated or deleted;
  - contains a timeline by which the user request will be fulfilled; or
  - offers a reason why the request cannot be fulfilled
Email Privacy Seal Requirements
Read the full Email Privacy Seal Requirements here.
All TRUSTe Email Privacy Sealholders are required to provide
User controls that include
- Consent for receiving any commercial or promotional email
- An affirmative opt-in function for sharing of personally identifiable information (PII) with outside parties
- Access management permitting users to update stored email address or have it changed by the Sealholder
Disclosures on any page collecting email addresses (and in the privacy statement) regarding
- The nature of email messages to be sent
- If receiving commercial or promotional email is a condition of receiving a service
- Any sharing of email addresses with third parties other than service providers
In addition, pages on which email addresses are collected must display the TRUSTe “We Do Not Spam” seal and link to a TRUSTe hosted validation page so users can:
- Verify that the site is a valid TRUSTe Sealholder
- Get information on how to contact TRUSTe’s Watchdog for third-party dispute resolution
An unsubscribe option that is
- Clear, conspicuous, and easily understood
- Easy to use – typically clicking on an unsubscribe link
- Effective within 10 days and non-expiring
- Flexible in processing requests via alternate media (telephone, email or mail)
Mail infrastructure and technology accountability
- The ability to reliably process bounces and other replies (bounces may not exceed 10% of all messages sent)
- Outbound email servers must have valid reverse-DNS entries
- Creation and maintenance of standard role email accounts including abuse and postmaster
- Must register with abuse.net and maintain accurate Whois database information
- Due diligence to ensure that clear and conspicuous notice was provided, and relevant consent obtained, if email addresses were obtained from a third party
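Three of the infrastructure bullets above (valid reverse DNS, the abuse and postmaster role accounts, bounces under 10%) can be checked mechanically, and a Sealholder would want to check them before an auditor or a receiving MTA does. The following is an added example, not TRUSTe's tooling. It implements forward-confirmed reverse DNS (the PTR name must resolve back to the sending IP, which is what receiving mail servers actually test, rather than merely that a PTR record exists), counts bounces in Postfix-style delivery log lines, and confirms the required role accounts exist. The DNS data, log lines and addresses (RFC 5737 documentation ranges) are constructed so the script runs offline; `live_ptr` and `live_a` show how to plug in real lookups. Computing the bounce rate as bounced/(sent+bounced) and ignoring still-deferred deliveries is my assumption, not the program's definition.

```python
"""Offline self-check for outbound-mail requirements: forward-confirmed reverse
DNS for sending IPs, required role accounts, and bounce rate.

Added example for this page, not TRUSTe tooling. DNS lookups are injected as
plain functions so the script runs offline; the sample DNS data and log lines
are constructed. Pass live_ptr/live_a for real lookups.
"""
import re
import socket
from collections import Counter

BOUNCE_LIMIT = 0.10                      # page requirement: at most 10% bounces
REQUIRED_ROLE_ACCOUNTS = {"abuse", "postmaster"}

# Constructed DNS data (RFC 5737 documentation addresses).
SAMPLE_PTR = {"192.0.2.10": "mta1.mail.example.com",
              "192.0.2.11": "mta2.mail.example.com"}   # 192.0.2.12 has no PTR
SAMPLE_A = {"mta1.mail.example.com": ["192.0.2.10"],
            "mta2.mail.example.com": ["198.51.100.5"]}  # does not confirm 192.0.2.11


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_a(name):
    return SAMPLE_A.get(name, [])


def live_ptr(ip):
    """Real reverse lookup for production use (network required)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_a(name):
    """Real forward lookup for production use (network required)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def fcrdns_check(ip, ptr_lookup, a_lookup):
    """Forward-confirmed reverse DNS: ip -> PTR name -> A records must contain ip."""
    name = ptr_lookup(ip)
    if not name:
        return False, "no PTR record"
    if ip not in a_lookup(name):
        return False, "PTR %s does not resolve back to %s" % (name, ip)
    return True, name


STATUS_RE = re.compile(r"\bstatus=(sent|bounced|deferred)\b")

# Constructed Postfix-style delivery log (first four lines are successful deliveries).
SAMPLE_LOG = """\
Jun 12 10:01:02 mx1 postfix/smtp[1234]: 3A1B2C: to=<a@example.org>, relay=mx.example.org[203.0.113.4]:25, status=sent (250 2.0.0 OK)
Jun 12 10:01:03 mx1 postfix/smtp[1234]: 3A1B2D: to=<b@example.org>, relay=mx.example.org[203.0.113.4]:25, status=sent (250 2.0.0 OK)
Jun 12 10:01:04 mx1 postfix/smtp[1235]: 3A1B2E: to=<c@example.net>, relay=mx.example.net[203.0.113.9]:25, status=sent (250 2.0.0 OK)
Jun 12 10:01:05 mx1 postfix/smtp[1235]: 3A1B2F: to=<d@example.net>, relay=mx.example.net[203.0.113.9]:25, status=sent (250 2.0.0 OK)
Jun 12 10:01:06 mx1 postfix/smtp[1236]: 3A1B30: to=<e@example.net>, relay=mx.example.net[203.0.113.9]:25, status=bounced (550 5.1.1 User unknown)
Jun 12 10:01:07 mx1 postfix/smtp[1236]: 3A1B31: to=<f@example.org>, relay=none, status=deferred (connect timed out)
"""


def bounce_rate(log_lines):
    """Return (bounced / (sent + bounced), per-status counts); deferred is not final."""
    counts = Counter()
    for line in log_lines:
        m = STATUS_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    final = counts["sent"] + counts["bounced"]
    return (counts["bounced"] / final if final else 0.0), counts


def check_outbound_mail(sending_ips, role_accounts, log_lines,
                        ptr_lookup=sample_ptr, a_lookup=sample_a):
    """Return a list of problem strings; an empty list means all checks passed."""
    problems = []
    for ip in sending_ips:
        ok, detail = fcrdns_check(ip, ptr_lookup, a_lookup)
        if not ok:
            problems.append("%s: %s" % (ip, detail))
    for missing in sorted(REQUIRED_ROLE_ACCOUNTS - set(role_accounts)):
        problems.append("missing role account %s@" % missing)
    rate, counts = bounce_rate(log_lines)
    if rate > BOUNCE_LIMIT:
        problems.append("bounce rate %.0f%% exceeds %.0f%% (%s)"
                        % (rate * 100, BOUNCE_LIMIT * 100, dict(counts)))
    return problems


if __name__ == "__main__":
    for p in check_outbound_mail(["192.0.2.10", "192.0.2.11", "192.0.2.12"],
                                 {"abuse", "support"}, SAMPLE_LOG.splitlines()):
        print("FAIL:", p)
```

In production, call `check_outbound_mail(ips, accounts, lines, live_ptr, live_a)` with the IPs your MTAs actually connect from (check them from outside any NAT) and a day's delivery log; the abuse.net registration and Whois accuracy requirements in the same list have no offline check and must be verified by hand.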
Children’s Privacy Seal Requirements
Read the full Children's Privacy Seal Requirements here.
The following parental controls must be included on a site displaying the Children's Privacy Seal:
- Verifiable parental consent for collection, use, or sharing of children's personal information
- Parental capability to review, correct, update, and have deleted their children's personal information collected online at any time
- Parental right to refuse further collection and use of the child's collected personal information
The following practices are prohibited on a site displaying the Children's Privacy Seal:
- Using games, prizes, or other enticements to encourage children to divulge more personal information than is reasonably necessary for an online activity
- Allowing children to publicly distribute personal information on the Web site through avenues such as message boards or chat rooms without verifiable parental consent
- Conditioning access to the site on a child's providing more personal information than is reasonably necessary
A site displaying the Children's Privacy Seal must include a privacy statement that provides:
- A procedure for exercising parental consent, choice and access to children's personal information
- Disclosure of the names, addresses, telephone numbers and email addresses of all parties collecting or maintaining children's personal information on the site
- Disclosure of any sharing of children's personal information with third parties, including with whom and why
Trusted Download Program Requirements
Read the full Trusted Download Requirements here.
Key Requirements
Please note: the following does not represent complete TRUSTe Trusted Download Program (TDP) requirements. For all requirements, see the TRUSTe TDP requirements in the TDP certification agreement.
Notice
The TRUSTe Trusted Download Program (TDP) requires its licensees to provide a layered set of notices to the user, including a primary notice, and then reference notices such as the End User License Agreement (EULA) and the privacy statement. The primary notice must be unavoidable for the user and fully explain functionalities of the software that impact the consumer experience. The EULA and "opt-out" mechanisms are not enough to provide such notice or obtain user consent. For example, the TDP requires its licensees to provide unavoidable notice to the user of any material changes to certain specified consumer settings. Further, all ads that TDP licensees deliver in certified advertising software must be labeled, and licensees must provide unavoidable notice of certain ad features.
Consent to Download
TDP licensees must offer consumers a clear, prominently displayed choice in plain language to consent to download or not download. Licensees may not obtain consent to download via either a pre-selected option, a EULA, or "opt-out" mechanisms.
Easy Uninstall
TDP licensees must make uninstall instructions easy to find and understand. Methods for uninstalling must be available in places where consumers are accustomed to finding them, such as the Add/Remove Programs feature in the Windows Control Panel. Uninstallation must remove all software associated with the particular application being uninstalled, and cannot be contingent on a consumer's providing personally identifiable information, unless that information is required for account verification.
Special Protections for Children
TDP licensees must prevent the distribution of their advertising or tracking software on children's Web sites, and must prohibit their distribution partners and affiliates from such distribution.
Affiliate Controls
Since many advertising and tracking applications are distributed through second and third-party affiliates and/or bundled with other programs, TDP licensees must disclose such relationships in attestations. Certified software is subject to random testing on instances found wherever an individual might encounter them.
Prior Behavior
The TDP includes provisional certification for companies that have previously engaged in prohibited activities. In order to be certified, these companies are both subject to additional oversight (including enhanced monitoring), and required to obtain opt-in consent from all users who downloaded an uncertified version of the software application.
Segregated Ad Inventory
TDP licensees must maintain segregated ad inventory for certified versus uncertified applications. The application provider must be able to serve ads only to users from whom consent has been acceptably obtained, and not to users from whom it has not.
Monitoring
TRUSTe monitors certified applications for ongoing compliance with TDP's strict standards. A company risks termination from the program if any one of its certified applications violates the standards.
Enforcement
If monitoring uncovers suspected non-compliance, TRUSTe will subject the application (or in some cases all of a company's applications) to enforcement procedures. Depending on both the severity of the licensee's non-compliance and the results of a TRUSTe investigation, TRUSTe may suspend or remove an application from the TDP whitelist. In certain cases, TRUSTe may terminate a company or application from the program and make the fact of its termination public.
For complete requirements, see the TRUSTe Trusted Download Program requirements in the TDP certification agreement.
Prohibited Activities
Trusted Download Program licensees are prohibited from doing any of the following, and must ensure that their distribution partners or affiliates do not do any of the following:
- Take control of a user's computer deceptively
- Modify a user computer’s security or other settings that protect user information in order to cause damage or harm to either the computer or the user
- Collect user personally identifiable information through the use of a keystroke-logging function without the consent of the computer's owner
- Induce the user to provide their personally identifiable information to another person by intentionally misrepresenting the identity of the person seeking the information. This includes inducing the disclosure by means of a Web page or software unit that is substantially similar to a Web page or software unit established or provided by another person.
- Induce the user to install the software onto the computer and prevent reasonable efforts to block the installation or disabling of the software.
- Falsely state that installing the software or providing log-in and password information is necessary for security or privacy reasons unrelated to the software itself, or that installing the software is necessary to open, view or play a particular type of content online or offline (e.g., cannot falsely state software is necessary for accessing Web site).
- Induce the user to install, download or execute software by misrepresenting the identity or authority of the person or entity providing the software to the user. This includes, but is not limited to, using domains that are misspellings of frequently visited Web sites (i.e., typosquatting).
- Remove, disable or render inoperative by deceptive means a security, anti-spyware or anti-virus technology installed on a user’s computer without obtaining prior consent from the user.
- Install or execute the software on the computer with the intent of causing a person to use the software in a way that violates any other provision of this section.
- Allow any of their TRUSTe-certified software to be bundled with the software unit used in any of the prohibited activities listed in this section.
For complete and detailed prohibited activities, see the TRUSTe Trusted Download Program requirements in the certification agreement.