The Australian Privacy Commissioner's Website
News and information
 
Privacy Act | What Are My Rights? | New Privacy Law | Private Sector | Public Sector | IT & Internet | News and Information | Publications | Speeches | Strategic Plan | Privacy Connections Network | About the Commissioner | Links | Sitemap | Feedback/Contact us | Privacy Policy | Copyright | Home |


Web Seals:
A Review of Online Privacy Programs


A Joint Project of
The Office of the Information and Privacy Commissioner/Ontario
and The Office of the Federal Privacy Commissioner of Australia


22nd International Conference on Privacy and Personal Data Protection
Venice, September 2000
Ann Cavoukian, Ph.D.
Information and Privacy Commissioner
Ontario, Canada		 Malcolm Crompton
Federal Privacy Commissioner
Australia
IPC Logo Australian Federal Privacy Commissioner
Information and Privacy
Commissioner/Ontario
80 Bloor Street West , Suite 1700
Toronto, Ontario  Canada  M5S 2V1
416-326-3333
1-800-387-0073
Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539
Web site: http://www.ipc.on.ca		 Office of the Federal Privacy Commissioner
Level 8 Piccadilly Tower
133 Castlereagh Street
Sydney NSW 2000 Australia
+61 2 9284 9600
Fax: +61 2 9284 9666
TTY (Teletypewriter): 1-800-620-241
Web site: http://www.privacy.gov.au


This publication also is available on the Web site of the Office of the Federal Privacy Commissioner of Australia.

Table of Contents

Executive Summary

1. Background
1.1 Why Online Privacy Seals?

2. Objective of the Web Seals Project
2.1 Seals Selected for Review

3. Methodology

4. Assessment of the Seal Programs
4.1 Privacy Principles
4.1.1 Selection of the OECD Guidelines as the standard
4.1.2 Template for analysis
4.1.3 BBBOnLine
4.1.4 TRUSTe
4.1.5 WebTrust
4.1.6 Conclusions
4.2 Dispute Resolution
4.2.1 Selection of the standard for dispute resolution assessment
4.2.2 Basis for seal assessment
4.2.3 Description of dispute resolution mechanisms
4.2.4 Assessment results
4.2.5 Summary of dispute resolution assessment results

4.3 Compliance/Enforcement
4.3.1 Need for compliance and enforcement
4.3.2 Comparison of the functions
4.3.3 Next steps		 5. Results
5.1 Summary of assessment of the seals
5.2 Effectiveness of seals as a tool online users can use to protect their personal data
5.3 The future of this project
5.4 Concluding remarks

Exhibit A - Comparison of BBBOnLine Privacy Seal with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Exhibit B - Comparison of TRUSTe Program to OECD Guidelines of Privacy and Transborder Flows of Personal Data

Exhibit C - Comparison of WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce to OECD Guidelines of Privacy and Transborder Flows of Personal Data

Exhibit D - Australian federal government Benchmarks for Industry-Based Customer Dispute Resolution Schemes

Exhibit E - Australian National Arbitration Forum Principles

Exhibit F - Compliance/Enforcement Activity of Privacy Seals

Notes

Executive Summary

Back to Table of Contents

Electronic commerce is often viewed as contributing to the development of a global economy - a world without borders. However, the reality is that all economic activity takes places within a given jurisdiction with a unique set of laws and regulations governing commercial transactions. While the buyer and seller may be located in different places, the sale itself takes place in one jurisdiction. This geographic separation often results in disputes over which jurisdiction takes precedence (the buyer's or the seller's) and can lead to difficulties in enforcement of contracts. In an effort to promote the growth and development of e-commerce, companies have sought ways to promote consumer confidence and trust.

It should be noted, however, that building consumer confidence in the world of e-commerce is no small matter. Virtually every major public interest survey over the last several years has shown that privacy is the No. 1 concern for people using the Internet, and the primary reason why most people continue to shop in traditional bricks-and-mortar stores rather than going online. Enforcing consumer protections during transactions between parties in different legal jurisdictions is a complicated undertaking. The issue is further exacerbated when it comes to the handling of personal information, especially in countries which have little or no legal protections in the area of privacy.

In many jurisdictions, people have the force of law to protect them, both in general consumer affairs and in the protection of their privacy. However, while many nations lack rigorous privacy protection legislation, the issue is most acute in the United States, which is the leading force behind electronic commerce. To address online privacy concerns, a number of organizations have developed Web seals designed to let their participants publicize that they adhere to certain privacy policies and practices. Yet without objective standards on which to evaluate these seals, their relative merits remain open to debate. The public requires a greater degree of certainty regarding the claims that a company, especially one unknown to them, bearing a Web privacy seal will in fact protect one's privacy.

The subject of Web privacy seals was raised in September 1999 at the 21st Conference of International Data Protection Commissioners. The Commissioners also recognized the benefits of acting in unison to address online data protection issues, in light of the global nature of the Web. It was felt that a preliminary assessment of the major Web seal programs would be a useful contribution to the global debate over online privacy. Two Data Protection Commissioners, one from Ontario, Canada and one from Australia, undertook to do the work on the project while a small group of other Commissioners from Europe and Asia provided informal advice as the project proceeded. The Commissioners believed that by evaluating Web seals, the expertise of the privacy community could assist in the development and possibly the promotion of Web seals, thereby advancing the promotion of privacy efforts around the world.

The objectives for evaluating Web seal programs were threefold. First, to assess the privacy, dispute resolution and compliance standards of the major Web seals. Second, to engage in open discussions with the seal programs to identify ways in which to enhance their overall privacy framework, as well as their dispute resolution and compliance and enforcement mechanisms. Third, to undertake a practical demonstration of co-operative effort between Privacy Commissioners representing different jurisdictions and legislative frameworks, in an effort to advance online privacy initiatives at a global level.

Methodology

Back to Table of Contents

The Web seal project evaluated the three leading online privacy seals: BBBOnLine, TRUSTe and WebTrust. The review is detailed and quite complex. The project identified three key components for an effective online seal program:

We believe the three seal organizations are to be commended for their efforts. This project is intended to highlight the strengths and weaknesses of each different approach. The work that each seal has put into its respective projects, in the areas noted above, is considerable and we welcome their efforts in attempting to develop an objective standard for fostering trust and consumer confidence.

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, an internationally-recognized code of fair information practices, was selected as the standard to evaluate the seals' privacy principles. The OECD Guidelines contain overlapping and cumulative principles that outline responsible information handling practices designed to protect the privacy of data subjects. Adherence to all of the practices in their totality is necessary in order to achieve full informational privacy. To evaluate the dispute resolution mechanisms of each seal program, the Australian Benchmark for Industry-based Customer Dispute Resolution Schemes was selected as the standard. It reflects well established and internationally recognized standards for dispute resolution. This project also reviewed the seals' compliance and enforcement mechanisms.

Results

Back to Table of Contents

The paper evaluates each seal program and includes highlights of correspondence with the seal organizations regarding our assessment. The evaluations conclude that, at the time of our review, each of the three seals addressed privacy protection, dispute resolution and compliance to varying degrees, although none of them completely satisfactorily. Regarding privacy standards, out of eight possible marks, the scores awarded were: BBBOnLine 6.25; TRUSTe 6.375 and; WebTrust 6.0. In the dispute resolution section, out of a total possible six points, the scores awarded were: BBBOnLine 5.05; TRUSTe 4.65; and WebTrust 4.58. The paper also contains a review of the compliance and enforcement components of the three seal programs.

At the time of our review, each of the seals had its own strengths. BBBOnLine offered the most customer-friendly dispute resolution system, while WebTrust offered the most rigorous compliance regime. In terms of privacy principles, while TRUSTe scored the highest in our assessment, it is clear that none of the seals required their participants to meet all of the OECD principles. This is a point of concern. Nonetheless, seals are playing a valuable educational role in promoting privacy awareness in the minds of both consumers and businesses alike. This educational role is, in our view, both positive and beneficial.

Conclusion

Back to Table of Contents

The future role that Web seals might play in e-commerce is unclear. Seals are only in their early stages of development and will likely evolve and improve over time. They could come into their own as a powerful facilitator of globalization of consumer transactions if they are able to provide acceptable and enforceable privacy protection across multiple jurisdictions. Objective assessments of the extent to which seals provide true privacy protection, dispute resolution and enforcement, may be a crucial factor in determining the degree and speed with which they become more accepted by consumers. Such assessment could assist consumers and business in differentiating between the competing claims put forward by various seal providers.

In the end, Data Protection Commissioners have a number of tools at their disposal to protect the privacy of their citizens: legal instruments, technical standards, public education, expert consultation and moral suasion. By working together, Commissioners can extend the reach of their offices and provide benefits to consumers beyond their individual borders. It is up to the global community of Commissioners to work together to advance the uniform goal of privacy protection - this joint project is only one small indication of what can be done.

1. Background

Back to Table of Contents

At the 21st International Data Protection Commissioners' Conference, held in September 1999 in Hong Kong, the Commissioners agreed that there was a need to act in unison to address online data protection issues. The recognition of the desirability for concerted, co-operative action was sparked by a number of factors. The global nature of the World Wide Web (the Web), in the face of the local jurisdiction of Data Protection Commissioners, highlighted the need for an international consensus regarding issues of online privacy protection. Also, while the efforts of Commissioners have significant impact in their respective jurisdictions, their individual effectiveness at the global level is currently relatively limited. By acting in unison, Commissioners may have greater influence over the online privacy debate and public opinion.

Commissioners focussed their attention on the rapidly developing area of online privacy seals. A working group was established with a mandate to identify and assess options available to Privacy Commissioners:

The Data Protection Commissioners recognized that the law is unable to keep up with the current pace of technological change. Internet users are looking for means of assurance that their privacy interests are being respected, or that redress is available should their personal information be misused. Standards and/or seals could potentially assist in providing such assurance.

After reviewing potential options for examining standards and seals, the Privacy Commissioners of Ontario (Ann Cavoukian) and Australia (Malcolm Crompton) decided to undertake an evaluation of online privacy seals. A small group of other Commissioners from Europe and Asia provided informal advice as the project proceeded. The assessment and its results, as well as conclusions drawn and potential next steps, are the subject of this paper.

1.1 Why Online Privacy Seals?

Back to Table of Contents

The Commissioners identified the assessment of online privacy seals as a valuable project based on a number of online realities:

The profile and potential importance of Web seals has been further heightened by the recently announced Safe Harbor Agreement reached between the European Union and the United States. The agreement identifies privacy self-regulatory organizations (such as Web seals) as acceptable mechanisms for determining compliance with its privacy principles.

2. Objective of the Web Seals Project

Back to Table of Contents

The Commissioners identified the following objectives for this project:

2.1 Seals Selected for Review

Back to Table of Contents

The Commissioners chose the three major privacy seal programs for review and assessment - BBBOnLine, TRUSTe, and WebTrust. Although there is a growing number of seals available, these programs were the most visible and most commonly used seals at the time of the assessment.


BBBOnLine

This program has been developed by the Council of Better Business Bureaus. According to BBBOnLine, its privacy program features verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component.

The BBBOnLine privacy program offers the following:

As of August 1, 2000, 324 companies had been awarded the BBBOnLine seal.

TRUSTe

Back to Table of Contents

This program regards itself as an independent, non-profit initiative dedicated to building users' trust and confidence on the Internet. It has developed a third-party oversight seal program designed to alleviate users' concerns about online privacy, while meeting the business needs of licensed Web sites. TRUSTe was originally founded by the Electronic Frontier Foundation and the CommerceNet Consortium. The sponsors of the program include many of the world's largest corporations, such as AOL, Intel, Excite and Microsoft.

The seal is awarded to sites that adhere to TRUSTe's established privacy policies of disclosure, choice, access and security. Web sites that display this seal agree to comply with ongoing TRUSTe oversight and alternative dispute resolution processes.

TRUSTe's goals are to provide:

TRUSTe has awarded more than 1,000 seals to qualifying companies. It is reportedly displayed on all the Internet's portal sites, 15 of the top 20 sites, and approximately half of the top 100 sites.

WebTrust

Back to Table of Contents

This seal was developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is offered by specially trained and licensed Certified Public Accountants (CPAs) in the United States, Canada, Hong Kong, Australia and a growing number of European countries. WebTrust claims to be part of a global effort by the accounting profession to bring effective e-commerce solutions to the Internet to protect businesses and consumers when shopping online.

The WebTrust seal of assurance is placed directly onto the Web site of the qualifying online business, indicating that the business is in compliance with WebTrust principles and criteria. WebTrust requires CPAs to conduct an independent examination of the site and all its business practices and procedures. The licensed CPA awards a seal to an online business only if it passes the examination.

According to WebTrust, the three fundamental areas of its principles and criteria reviewed by the CPA are:

As of August 1, 2000, a total of 28 Web sites had been awarded WebTrust seals.

3. Methodology

Back to Table of Contents

This joint project was undertaken as a one-year pilot, with the goal of reporting back to the 22nd International Data Protection Commissioners' Conference in September 2000. The Australian and Ontario Commissioners identified three key components for an effective online seal program, namely:

As discussed below in Section 4 of this paper, each of the seal programs was reviewed in these three areas. It is important to note that our intent was not to come up with a score for the seal programs that definitively claimed that one was better than another. The first purpose of this evaluation was to create a diagnostic tool to help us understand what was and was not covered by the seals. The second, and more important purpose, was to provide a means to initiate a dialogue with the seal programs. By providing them with our initial analysis, and asking for their comments, we began what we hoped to be an ongoing process of mutual education and information exchange. We wanted to be sure that we understood their programs fully and that they understood our concerns.

Readers of this paper may be surprised by the level of detail and complexity. By necessity, a thorough and fair analysis requires a clause-by-clause examination of the minutia of the three seals' policies. We rather have erred on being overly inclusive in our analysis than to have our work dismissed for being superficial. That being said, this level of review is not intended to find fault in the smallest detail but rather to illustrate the degree of comprehensiveness of the seal policies.

The three seal programs are to be commended for their efforts. Our review is not intended to diminish the value of the work that the seals have put into their projects but rather to highlight the strengths and weaknesses of each different approach. Each organization is to be commended for its efforts in developing an objective standard for fostering trust and consumer confidence.

The next section of this paper details the assessment process that has been undertaken and the dialogue that has occurred with the seal programs as of August 1, 2000. Following that, we offer some conclusions and recommendations as to potential next steps.

4. Assessment of the Seal Programs

Back to Table of Contents

4.1 Privacy Principles

4.1.1 Selection of the OECD Guidelines as the standard

The first step in this project was to identify an appropriate standard against which to evaluate the privacy principles of the seals. We believed the obvious choice was the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM.

Evaluating the online seal programs against the OECD Guidelines appealed to us for several reasons. Given the borderless nature of the online world and e-commerce, and the popularity of American sites for users in all jurisdictions, an internationally-recognized privacy standard seemed to be the most appropriate measure against which to compare the seals' privacy principles. In addition, the OECD Guidelines form the basis of data protection schemes around the world.

The OECD Guidelines contain overlapping and cumulative principles that outline responsible information handling practices designed to protect the privacy of data subjects. We believe adherence to all of the practices is necessary in order to achieve full informational privacy.

4.1.2 Template for analysis

Back to Table of Contents

The June 26, 1998 edition of Privacy Times, reported that Robert Gellman, a well known authority on privacy, had developed a scale for evaluating online privacy initiatives against the OECD Guidelines. Using his scale, a point was assigned to each principle, allowing for a perfect score of eight.

We decided to modify Mr. Gellman's general rating scheme somewhat. Most of the OECD principles contain several components, each of which we believed must be reflected by the seal programs in order to be considered equivalent.

The marking scheme outlined below was developed as a way to ensure that we were consistent in our approach and, more importantly, to ensure that all aspects of the OECD principles were considered. Each OECD principle was divided into its component parts, with separate marks allocated to each section. A total of one point was assigned to each principle as follows:

Evaluation Criteria Weighting
Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  • Limits to collection by lawful and fair means
  • Knowledge or consent of data subject
 .5
.5
Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  • Relevant to purposes of use
  • Accurate, complete and kept up-to-date
.5
.5
Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  • Specify purposes to data subject not later than time of collection
  • Uses limited to purposes or specified consistent purposes
 .5
.5
Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except:
a) with the consent of the data subject; or
b) by the authority of law.
  • Use and disclose in accordance with specified purposes
  • Except with data subject consent or by authority of law
 .5
.5
Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
  • Reasonable security safeguards
 1
Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
  • General policy of openness
  • Ready means for data subject to know about personal information, and purposes, including identity and location of data controller
 .5
.5
Individual Participation Principle: An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him data relating to him
i) within a reasonable time;
ii) at a charge, if any, that is not excessive;
iii) in a reasonable manner; and
iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased rectified, completed or amended.
  • Data subject able to know data controller has personal information
  • Data communicated in reasonable time and manner, & in intelligible form
  • Reasons for denial of access
  • Ability to challenge and correct
 .25
.25
.25
.25
Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.
  • Data controller accountable for compliance with principles
 1

For each seal program, we followed a basic methodology:

It is important to acknowledge, at the outset, that there were a number of limitations using this methodology. First, a quantitative assessment such as this does not necessarily reflect the full merits of a seal program. For example, it does not capture the fact that some seals stress business and consumer education, which we agree is extremely important and beneficial.

Also, it would be incorrect to assume that just because a reference to a particular facet of the OECD Guidelines was not included by a seal, that the opposite was true. For example, if there was no stated requirement to only collect personal information by lawful and fair means, it would have been misleading to interpret this omission to mean that the use of unlawful and unfair means were acceptable.

4.1.3 BBBOnLine

Back to Table of Contents

At the time of our review, one of BBBOnLine's threshold standards was that an applicant's site or online service must be directed at United States or Canadian residents. We felt this supported our selection of the OECD Guidelines as the standard for our review. Canada's new Personal Information Protection and Electronic Documents Act, which was being debated at that time, codifies the Canadian Standards Association's Model Code for the Protection of Personal Information, which in turn is based on the OECD Guidelines.

To arrive at our assessment of BBBOnLine's Privacy Seal, we reviewed the following Web pages and documents:

Following the methodology outlined above, we initially gave the BBBOnLine Privacy Seal six out of eight possible points (see Exhibit A for our analysis). For reasons outlined below, this has now been revised to 6.25. In November 1999, we did not find standards or requirements that explicitly addressed:

We also thought that the restrictions on "use" should be stronger. While a requirement for the site to limit its use of data to the purposes for which it was collected or "related uses or transfers" may be inferred from statements under the Choice and Consent section of the Privacy Policy Assessment Questionnaire, it did not appear to be explicitly stated anywhere. We believed this created a potential weakness in the BBBOnLine Privacy Seal relating to both the purpose specification and use limitation principles of the OECD Guidelines. However, we did acknowledge the existence of the requirement to restrict the use of information transferred to third parties, as specified in the eligibility criteria.

Prior to a meeting between Malcolm Crompton and Gary Laden, Director of BBBOnLine Privacy Program, and Russell Bodoff, Senior Vice President and Chief Operating Officer, on April 13, 2000, we sent BBBOnLine a copy of our assessment of its Privacy Seal. We asked BBBOnLine to indicate if, in its view, our evaluation was fair and accurate, or had we missed any critical information. We also asked if BBBOnLine was open to the idea of changing its eligibility criteria and program participation agreement to explicitly cover all aspects of the OECD Guidelines.

At the April 13, 2000 meeting, BBBOnLine indicated that its seal program had to evolve continuously in order to keep pace with developments, and that it welcomed our comments. At that time, its focus was on ensuring that its Privacy Seal was compliant with the Safe Harbor Agreement and the American Children's Online Privacy Protection Act. BBBOnLine thought that the changes it was making to its seal program as a result of these initiatives may address some of our concerns. BBBOnLine also said that it supported our "co-operative model" and welcomed our input.

On July 25, 2000, Mr. Laden provided us with some "preliminary feedback" on our review of BBBOnLine's standards for its Privacy Seal, as follows:

Limiting the collection of data by lawful and fair means

Back to Table of Contents

BBBOnLine noted that a Web site collecting data in violation of the law would not hold a BBBOnLine Privacy Seal, as one of its eligibility requirements is that "seal participants must be engaged in activity that is legal." According to the company, by definition, a Web site collecting data in violation of the law would not be able to hold the BBBOnLine seal. Due to this requirement, BBBOnLine maintained that consumers interacting with an approved site always would be in the position of preventing the use of their data in an unfair or unlawful manner. Mr. Laden asked us for clarification as to why BBBOnLine's threshold standard did not adequately address this part of the Collection Limitation Principle of the OECD Guidelines.

We recognize that this is a matter of fine tuning, however, we believe that our distinction between a business engaging in a lawful business activity, and a business collecting personal information in a lawful and fair means is more than merely a matter of semantics. A company may be involved in a legitimate business but still may collect personal information (knowingly or unknowingly) in a manner that may violate privacy legislation, or that is misleading or deceptive, thereby not permitting data subjects to exercise their rights in an effective manner.

One of the stated benefits of participating in the BBBOnLine privacy program is that the seal lets consumers know that the business "follows ethical practices in the treatment of personally identifiable information." Given that the purpose of a privacy seal is to establish a framework of responsibility for the entity collecting, using and disclosing personal information, we strongly encourage BBBOnLine to place an explicit onus on its participants to collect personal information only by lawful and fair means, and to disclose that obligation as part of their privacy policies.

Personal data should be relevant to purposes of use

Back to Table of Contents

Mr. Laden noted that BBBOnLine's assessment process requires organizations to "take reasonable steps to assure that the individually identifiable information and prospect information they collect is accurate, complete, and timely for the purposes for which it is used." We acknowledged this requirement in our initial assessment, which is why we gave BBBOnLine partial marks for the Data Quality Principle.

However, we believe that accuracy, completeness and timeliness are different from relevancy. It is not enough just to ensure that all the facts pertaining to a transaction are accurate. A central tenet of informational privacy is that the collection, use and disclosure of personal information be limited to only that which is necessary and relevant to a legitimate business function.

A determination of relevancy is critical to limiting the collection of information. As Privacy Commissioners, we believe that the collection limitation is the first line of defence against privacy intrusions. Accordingly, we would encourage BBBOnLine to include a requirement for its participants to collect, use and disclose only that personal information which is relevant to the stated purpose(s).

This places an obligation on businesses to evaluate the bearing or impact that the collection, use or disclosure of personal data would have on a transaction. Ideally, if a piece of personal information was not absolutely required to complete a transaction, it should not be used. Alternatively, the purpose(s) of the optional data should be clearly defined and identified to the data subject prior to collection, use or disclosure.

It should not be left solely up to consumers to determine relevancy and then opt-in or out of the collection, use or disclosure of their personal information. We believe that responsibility should be placed on seal participants to clearly inform data subjects of the necessity and relevancy of each piece of personal information to be collected.

Pursuant to the Purpose Specification and Use Limitation Principles of the OECD Guidelines, we would like to see BBBOnLine more explicitly require its participants to limit the use of personal information to the defined purpose(s) for which it was collected. We acknowledge that this is addressed somewhat by statements under the Choice and Consent provisions. However, we do not think a requirement to provide "individuals the opportunity to opt-out or otherwise prohibit unrelated uses of individually identifiable information about them" is sufficient. Again, we do not believe it is enough just to provide the data subject with a choice regarding unrelated uses. We would prefer to see an explicit obligation placed on the business to limit its use of personal information to the purpose(s) identified.

Data subject's right to have related data communicated in a reasonable time and manner, without excessive costs, and in an intelligible form

Back to Table of Contents

In its response to our evaluation, BBBOnLine indicated that its assessment process requires that data subject access be provided not just to correct, but also to review related data. It also requires that any limits on frequency or cost be "reasonable" (e.g., frequency limits of more than one year or fees of more than $15 U.S. would not be considered reasonable). We agree that this constitutes reasonable time and without excessive cost and, following Mr. Laden's letter, reviewed our analysis to see why we had omitted this provision in our November assessment. We have amended our assessment to correct our initial oversight.

At the time of our review, BBBOnLine's Eligibility Criteria required a seal participant to "... provide individuals with access to individually identifiable information collected from them online if such information is retrievable in the ordinary course of business and providing access does not impose an unreasonable burden."

We gave BBBOnLine full marks for the parts of the Individual Participation Principle relating to the data subject's ability to know what information the data controller has on him or her. However, we did not initially give BBBOnLine marks for provisions relating to participants' obligation to communicate with the data subject in a reasonable time and manner, without excessive charge and in an intelligible manner.

In the Access section of the Privacy Policy Assessment Questionnaire, Question G-4 asks the applicant to describe the mechanism(s) the organization has in place to make available to individuals, upon reasonable request, the individually identifiable information or prospect information it maintains with respect to the individual.

The G-4 Help window currently states:

An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual. The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used.

If an organization can not make information that it maintains available because it can not retrieve the information in the ordinary course of business, it must provide the individual with a reference to the provisions in its privacy notice that discuss the type of data collected, how it is used, and appropriate choices related to that data, or provide the individual with materials on these matters that are at least as complete as the information provided in the privacy notice.

Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances.

For reasons unknown, at the time of our review in November, we reviewed only the first paragraph of the Help text. As a consequence, we did not consider the remaining information in our November analysis.

We appreciate BBBOnLine bringing this omission to our attention (which highlights the benefits of ongoing exchange of information). The additional information indicates that BBBOnLine does indeed require its participants to communicate in a reasonable time and manner, and to set reasonable terms regarding timing and fees. Marks should have been awarded in this category and now have been.

Ideally, a right to challenge an organization's determination of what constitutes "the ordinary course of business" or "unreasonable burden" would give the data subject greater input into this process.

Reasons for denial of access

Back to Table of Contents

According to BBBOnLine, there is only one possible reason that a BBBOnLine seal holder could deny access and that would be when data cannot be retrieved in the ordinary course of business, otherwise access must be granted. BBBOnLine states that in such a case, the requester must be provided with a reference to the provisions of the privacy policy that discuss the types of data collected, how they are used, and appropriate choices related to that data, or with materials on these matters that are at least as complete as the information provided in the privacy notice. "Since there are no other acceptable reasons for denial, this does not become an issue for our seal holders."

At the time of our review, BBBOnLine's eligibility criteria required a seal participant to "establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information." Accordingly, we gave BBBOnLine full marks for the parts of the Individual Participation Principle relating to the data subject's ability to challenge and correct. However, the fact that we did not review the full text of G-4 Help means that the requirement to provide the requester with the information described above was omitted in our analysis. Again, we have amended our assessment following receipt of Mr. Laden's letter.

However, on a general level, we would still prefer that an organization be required to do more than just refer the data subject to the provisions of the privacy policy. We would encourage BBBOnLine to require its participants to more fully explain the reasons for denial of access in a timely and understandable manner; to provide data subjects with an opportunity to prepare a "statement of disagreement" and have it, along with the reasons for denial, attached or linked to the data in question, if their challenge is unresolved; and to provide a fair opportunity for the data subject to challenge the decision. An explanation about how data subjects could avail themselves of BBBOnLine's dispute resolution process also should be linked to this provision.

While acknowledging our oversight, we think it illustrates a general problem we had with BBBOnLine's Web site. We found it very difficult to access all the relevant information. If we missed some very instructive information, we think others will as well. To help applicants and participants to more easily understand the requirements of the Privacy Seal program, we encourage BBBOnLine to examine the effectiveness of making some critical information only accessible through its Help Windows. We think the addition of an alternate access method would be most useful.

Next steps

Back to Table of Contents

In his July 25 letter, Mr. Laden noted that BBBOnLine is "a dynamic, not static, program that will continue to strive to improve the services that it offers." He indicated that BBBOnLine was in the process of implementing a new self-assessment tool that will incorporate a number of additional requirements, including requirements to be consistent with the new European Union-United States Safe Harbor Agreement. He thought that this new assessment tool would "likely address a number of the issues" we had raised.

As of the time of writing, we are awaiting receipt of BBBOnLine's new assessment tool, which is scheduled for release in late September 2000. BBBOnLine has stated that it welcomes our feedback and that it would like to learn from our assessment. It recognizes that we all need to "co-operate effectively to get the most out of our respective efforts." To date, both Commissioners have been very pleased with the responses received from BBBOnLine, and look forward to continuing to working together.

4.1.4 TRUSTe

Back to Table of Contents

In April 2000, a TRUSTe press release indicated that Nielsen/NetRatings had rated its trustmark the most visible symbol on the Internet.

To arrive at our assessment of TRUSTe's privacy requirements for its Web seal, we reviewed the following Web pages and documents:

After reviewing this information, we compared the privacy standards of the TRUSTe Trustmark against the OECD Guidelines (see Exhibit B). We gave TRUSTe 6.375 out of a possible eight marks. In the privacy principles, licensing agreement, and other data provided on TRUSTe's Web site, we did not find standards or requirements explicitly:

We also thought the requirements regarding a data subject's right to know what information a data controller had about him or her a little ambiguous. TRUSTe's program principle required the posting of a privacy statement, and we acknowledged that such a statement would enable a data subject to know, generally, what personal information a Web site had. However, we did not see a provision for the data controller to respond to specific requests for information by the data subject. Also, we thought the program requirement of 3G of Schedule A of the license agreement, relating to information collection and use practices, did not explicitly require access. To us, the wording seemed to give the impression that such access was optional.

Prior to an April 19, 2000 meeting between Malcolm Crompton and Bob Lewin, Executive Director and CEO of TRUSTe, we sent Paula Bruening, Director of Compliance and Policy, our evaluation and asked for comments. On April 17, Ms Bruening replied, disagreeing with our assessment, and providing specific responses to each of our concerns, as follows:

Limiting the collection of personal data to lawful and fair means

Back to Table of Contents

From our review, we did not find any requirements relating to this portion of the Collection Limitation Principles of the OECD Guidelines. Accordingly, we did not give TRUSTe any marks in this area. Ms Bruening wrote:

We must disagree with this appraisal.

While the TRUSTe license agreement does not explicitly state this requirement, the TRUSTe self assessment sheet, integral to the TRUSTe program and required of every TRUSTe licensee, enables TRUSTe to review data collection methods and assure that individuals are not subject to practices that would deceive them into supplying information. The self assessment sheet, a 16 page document that must be attested to and signed by an officer of the company, asks specific questions about a company's data practices and policies, and its personnel policies as they relate to data collection and privacy. It allows TRUSTe to assure that the privacy statement accurately reflects the company's actual data practices. As such, the company's failure to abide by its posted policy by engaging in unlawful or unfair collection practices would place it outside the bounds of its license agreement with TRUSTe and subject it to sanction.

For these reasons, we believe that the TRUSTe program does incorporate these criteria for data collection. The TRUSTe program in its implementation does require that data collection is carried out by fair and lawful means, and we therefore disagree with your assignment of a score of 0.

We did not review the self assessment sheet as part of our assessment. At the time of our review, as now, such a document does not appear to be publicly available on TRUSTe's Web site. We have contacted TRUSTe and asked for a copy of this document so we may more fully understand the privacy requirements of the TRUSTe trustmark.

Requiring personal data to be relevant to the purposes for which they are to be used

Back to Table of Contents

Again, we did not give TRUSTe any marks for this provision of the Data Quality Principle. Ms Bruening's response stated:

We disagree with this score.

At this time, TRUSTe relies upon its requirements for robust notice and meaningful choice to enable individuals to make sound decisions about the reasonableness of a company's request for information. Clear, concise notice allows individuals to understand what information is being required of them, for what purpose, and how that information may subsequently be used. When notice is well-stated, individuals may draw their own conclusions about the relevance of the data being required to the purposes for which it may be used, and can act accordingly by exercising choice. This approach is not only critical to the goal of empowering individuals to exercise control over their data, it also is fundamental to an effective approach to privacy protection.

We disagree with your quantitative assessment of TRUSTe's incorporation of this principle in its program. We believe the program provides an adequate process whereby a company provides consumers with sufficient information to determine the relevancy of the personal data to the purpose for which it is to be used.

As we indicated in our discussion of BBBOnLine's Privacy Seal, we do not think it is appropriate for the responsibility of determining relevancy to be left to the data subject alone. While individuals obviously have a responsibility to become informed in order to appropriately exercise their choices, we think that an obligation should be placed on privacy seal participants to identify the relevancy of the personal information they collect, use and disclose to the stated purpose(s), and to make their assessment known to consumers. Given that the purpose of a privacy seal is to define and enforce responsible online business practices, we would encourage TRUSTe to include an explicit requirement regarding the relevancy of personal information to be collected, used and disclosed by its licensees.

We believe that seal programs should encourage their participants to view the data subjects as the owners of their own personal information. A business acts as a temporary custodian of the individual's personal information. As such, businesses have an obligation to ensure its protection and to inform data subjects of their information handling practices.

Access

Back to Table of Contents

We gave TRUSTe partial marks for its provision relating to individuals being able to know what the data controller has on them, and no marks for the requirements for the data controller to communicate that data in a reasonable time and manner, without excessive charge and in an intelligible form, and to give reasons for denial of access. Responding to our assessment of .375 out of 1 for the Individual Participation Principle, Ms Bruening wrote:

TRUSTe's access requirement is based upon the Federal Trade Commission and Department of Commerce's requirement for reasonable access as set forth in its Elements of Effective Self Regulation for Protection of Privacy. As you know, the issue of access has been the subject of significant debate, not only with the U.S. but also in the U.S. negotiations with the European Union as it worked toward a mutually acceptable safe harbor program. Because the best manner of implementation of this principle is an issue that continues at this time to be debated, we cannot agree with your quantitative appraisal of the TRUSTe program on these points at .375.

TRUSTe has taken first steps in providing access by requiring that companies provide individuals with the opportunity to correct or amend information maintained about them by a website. However, TRUSTe is looking forward to guidance from the FTC on the question of access. While we are grateful for the opportunity to participate in the FTC's Advisory Committee on Online Access and Security and want to make a meaningful contribution to the committee's deliberations, we remain eager to learn the FTC's final decision on this issue. We look to the FTC to directly address the issues raised in the OECD Guidelines and in your letter related to the time and manner of access, the cost and form of access and the right of individuals to know the reasons for denial of access.

When the FTC has completed its inquiry and made its decision about this issue, TRUSTe will take immediate steps to implement the FTC's findings. As it has in the past, TRUSTe looks forward to evolving its program to closely track developing policy in this area. Until that time, we believe it is inappropriate to evaluate the implementation of these criteria in a quantitative manner.

We understand TRUSTe's point about the quantitative manner of our initial assessment. As we noted under Section 4.1.2 of this paper, we did not intend for the numbers to take on such weight. We were hoping to flag areas of concern and possible omissions for our discussions with the seal programs.

We also understand that TRUSTe, like the other seal programs operating in the United States, needs to be guided by the Federal Trade Commission and the Safe Harbor Agreement. We fully recognize there are requirements under legislation and international agreements that must be a priority for American seal programs. We look forward to seeing how TRUSTe, and the other seals, respond to these new developments.

Our choice of using the OECD Guidelines as the standard was in response to our recognition of the global reality of the Internet, and the international nature of e-commerce. Ontario or Australian residents do not restrict their surfing to Ontario or Australian Web sites. According to a survey from Nielsen NetRatings, MSN and Yahoo! properties are the most popular destinations for Web surfers around the world. MSN is the most popular site in the United Kingdom, New Zealand and Australia, and is the second-most popular after Yahoo! in Singapore and Ireland.1 Microsoft Corporation operates Canada's most popular Web sites. In April 2000, more than 6.2 million Canadians visited a Microsoft Internet property from their home computers, including Hotmail, MSN.ca, Microsoft.com, and MSN Instant Messenger. Sites operated by America Online Inc. were the second most popular among Canadians, while properties owned by Yahoo! Inc. (e.g., Yahoo.com, Yahoo.ca and Geocities) ranked third.2

We believe that improving online privacy in all jurisdictions directly impacts the privacy of residents in our jurisdictions. Our comparison of the requirements of TRUSTe's Trustmark against the OECD Guidelines - internationally accepted fair information practices - illuminates areas where we, as Privacy Commissioners, would encourage greater privacy protection.

Next steps

Back to Table of Contents

In her letter of April 17, Ms Bruening indicated that:

... the TRUSTe program is an evolutionary one. As the debate about privacy moves forward, TRUSTe acts to respond to the demands of consumers, government and industry, while at the same time maintaining a practical, viable program that works for consumers and business.

We acknowledge the continued evolution of the TRUSTe program. As an example, we think the Resource Guide, with its Model Privacy Statement and a Site Co-ordinator's Guide, is a useful addition to the TRUSTe Web site. We look forward to being part of the debate that moves privacy forward, and to an ongoing working relationship with TRUSTe, however that may be defined in the future.

4.1.5 WebTrust

Back to Table of Contents

Of all the privacy seal programs WebTrust has the most established international presence. Germany has joined England, France, Scotland, Ireland and Wales in the European Union in offering the WebTrust seal. WebTrust is also available in Australia, Canada and Puerto Rico, in addition to the United States where it originated.

The Office of the Information and Privacy Commissioner/Ontario (IPC/O) had an established working relationship with WebTrust prior to the beginning of this review. In March 1999, the IPC/O provided WebTrust with its comments on Version 1.1 of the AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce and WebTrust Principles and Criteria with Proposed Privacy Additions (Preliminary Draft #5).

On November 15, 1999, the CICA announced that WebTrust Principles and Criteria, Version 2.0 had just been released. We requested and received a copy of the full AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce, dated October 15, 1999, Version 2.0, from Bryan Walker, Principal, Studies & Standards, The Canadian Institute of Chartered Accountants. In addition to that document, which was also available on the AICPA Web site, we looked at:

After reviewing the principles and criteria, and comparing them against the OECD Guidelines, we gave WebTrust six out of eight (see Exhibit C for our assessment). Like the other two seal programs, we did not find explicit standards or requirements:

We also thought that the requirements regarding use and disclosure in accordance with specified purposes under the Use Limitation Principle, and the provision of data controller contact information under the Openness Principle, should have been stronger.

On November 24, 1999, the Australian Privacy Commissioner gave a presentation entitled The New Privacy Legislation and How it Affects Seal Providers, at a roundtable on Electronic Commerce Seals of Assurance. That presentation outlined our assessment of the three privacy seal programs. Attending that talk was Michael Nugent, Director Professional Services, The Institute of Chartered Accountants in Australia. This began an ongoing dialogue between Malcolm Crompton and Mr. Nugent that culminated in a meeting in February 2000. Representing WebTrust at that meeting were Mr. Nugent, Brian Hollingworth, Director, Global Risk Management Solutions, PriceWaterhouse Coopers, and Dean Kingsley, Partner, Enterprise Risk Services, Deloitte Touche Tohmatsu.

At that meeting, Mr. Crompton outlined the objectives of the Privacy Commissioners' seal project and provided WebTrust with a copy of our full analysis. WebTrust agreed to contact its North American counterpart to ensure a consistent global approach, to review our analysis, and to provide us with an indication of its position regarding revising their privacy criteria.

On March 23, Mr. Nugent advised the Australian Commissioner that the U.S./Canadian WebTrust Task Force had "agreed in principle to make appropriate changes to the Principles and Criteria that address the concerns raised by the comparison to the OECD Guidelines." The specific wording of the changes was to be worked out between Bryan Walker, CICA, and the IPC/O.

At the beginning of April, Mr. Crompton advised Mr. Nugent that the Privacy Commissioners of Hong Kong, Berlin, Brandenburg, and British Columbia had "all endorsed the work" undertaken by the Australian and Ontario Commissioners, and were expecting contact from WebTrust to pursue this initiative.

On June 20, Mr. Walker and Gregory Shields, Director, Assurance Services Development, CICA, met with representatives of the IPC/O. At that meeting, WebTrust indicated that the WebTrust E-Commerce Task Force was in the process of revising its seal program to create a number of separate modules (e.g., one for security, one for privacy, etc.). WebTrust also was revising its privacy criteria. We reviewed our analysis of Version 2.0 with Mr. Walker. He committed to bringing our concerns forward to his working group and providing the IPC/O with a draft of the revised privacy criteria.

Next steps

Back to Table of Contents

WebTrust has indicated its willingness to continue to work with us on its privacy seal. As of the time of writing, the Ontario and Australian Commissioners are reviewing the draft report on WebTrust's Program for On-Line Privacy, and will provide WebTrust with comments. As with the other seal programs, we have been very pleased by the interest and responsiveness shown by WebTrust.

4.1.6 Conclusions

most significant concern related to the lack of a requirement on seal participants to restrict their use of personal information to that which was relevant and necessary for the purposes for which the data was collected.

On the positive side, the three seals reflected the United States Federal Trade Commission's 1998 four basic information practices:

From the time that we first started to follow the seal programs in 1998, until our review in late 1999, we noted a number of improvements:

We clearly see that the seals' evolutionary process is continuing. In response to the recent approval of the Safe Harbor Agreement and to various market forces, the three seal programs are currently working to revise and enhance their privacy requirements.

Realistically, we recognize it is these external pressures, rather than our evaluations, that is moving the seal privacy agenda forward. Nonetheless, the seal programs have expressed interest in our project, and have been receptive to our comments.

We believe the three seal programs have every intention of requiring compliance with fair information practices from their participants. The area of ongoing discussion between us focusses on what exactly constitutes appropriate fair information practices.

We have been most encouraged by our discussions with BBBOnLine, TRUSTe, and WebTrust, and hope to continue our work together. As the purpose of the privacy seal programs is to elevate online business practices, we think our review has served a useful purpose in identifying areas where Data Protection Commissioners would like the standards and requirements of online privacy seals to be enhanced.

It is particularly important to note that as seals move beyond the United States, as WebTrust is attempting to do, the review and comments of the Commissioners will take on greater significance. Rather than voluntary compliance with the OECD Guidelines, it will be essential for the seals to be in compliance with the privacy provisions of the legislative schemes in our various jurisdictions. Hopefully, our joint project will have started to build working relationships of value to all of us in the future.

4.2 Dispute Resolution

Back to Table of Contents

4.2.1 Selection of the standard for dispute resolution assessment

Around the world, there is a substantial level of agreement about the attributes of a satisfactory customer dispute resolution scheme. So, while there are a large number of different sets of standards for such schemes, they have much in common. The themes of fairness, accessibility, independence and accountability regularly appear. Therefore, we thought there was a measure of latitude in the choice of a particular standard for this exercise.

The Australian federal government's Benchmarks for Industry-Based Customer Dispute Resolution Schemes well covers the common content of international dispute resolution standards. The federal Minister for Customs and Consumer Affairs first released the Benchmarks in August 1997.

The Australian Privacy Amendment (Private Sector) Bill 2000 requires that the Australian Privacy Commissioner approve any entity that wishes to be a code adjudicator for codes approved under the Bill. The Australian Government has announced that the Benchmarks will be prescribed as the standard to be met before such an approval can be given. This makes the Benchmarks particularly relevant in the Australian context.

This study assesses the three seals against the Australian benchmarks. The benchmarks are structured around six main principles - accessibility, independence, fairness, accountability, efficiency and effectiveness. Each of these is accompanied by a number of "key practices" that flesh out the principle itself. The six principles and their accompanying key practices are set out at Exhibit D. The six principles are:

4.2.2 Basis for seal assessment

Back to Table of Contents

This is a preliminary assessment only and has been based primarily on information available from the seals' Web sites. While the sites provide a good deal of information, it may not cover all aspects of the seals' operations in sufficient detail to allow a definitive assessment to be made. It would be surprising if the assessment presented in this document were beyond refinement and we would expect to revise this preliminary assessment in the light of more detailed discussions with the seal programs.

Preliminary assessments of the seals' dispute resolution mechanisms were sent to the seal organizations on July 2, 2000. BBBOnLine responded to its preliminary assessment on July 25 and WebTrust on August 11. The comments of both organizations have been taken into account in this assessment of dispute resolution mechanisms.

As this paper was being finalized, an error in communications was revealed. Apparently TRUSTe did not receive our assessment at the beginning of July. Recent comments by TRUSTe have drawn our attention to a document -- Learn About TRUSTe's Dispute Resolution Process at http://www.truste.org/users/compliance%20docuement-final.doc -- published on its Web site since our preliminary assessment. Efforts have been made to take this document into account, but short time lines did not permit a complete reworking of our TRUSTe evaluation.

4.2.3 Description of dispute resolution mechanisms

Back to Table of Contents

BBBOnLine

The BBBOnLine Privacy Program Participation Agreement requires a licensee to participate in the dispute resolution process. BBBOnLine has an internal dispute resolution scheme in two parts: the Privacy Policy Review Service (PPRS) and the Privacy Review Appeals Board (PRAB). Before the PPRS will take any action, the complainant must have made a good faith attempt to resolve the matter with the respondent company. If these efforts fail and the complaint meets BBBOnLine's eligibility criteria, which are spelled out on its Web site, PPRS staff will evaluate, analyse, investigate and adjudicate the complaint. Time limits apply to both sides during the investigation process. If the complaint is substantiated, PPRS may decide that corrective action is required; no monetary compensation is available.

Either the complainant or respondent can appeal to the PRAB. PRAB will reconsider the matter and make a final decision, including if necessary, referring the matter to the relevant government agency, or discontinuing its review if either party has failed to abide by its commitment to keep complaint related information in confidence http://www.bbbonline.org/download/DR.PDF.

TRUSTe

Back to Table of Contents

This description of TRUSTe's dispute resolution process is taken from its Web site, as it stood in July 2000:

To resolve privacy concerns or complaints raised by consumers or by TRUSTe during our program oversight process, Web site licensees agree to cooperate with all our reviews and inquiries. We work with licensees, as well as with consumers, to resolve privacy-related issues quickly and fairly.

As a licensee in the TRUSTe program, a Web site agrees to provide consumers with simple, effective means to submit their privacy concerns directly to the Web site. At a minimum, all privacy statements contain TRUSTe contact information so that consumers may direct their questions or concerns to us. We request users to contact Web sites directly before filing a report with us.

If the Web site has not acknowledged the receipt of the consumer's complaint, or if a satisfactory response is not provided, we step in as the liaison between the consumer and Web site to resolve the issue. This process entails:

In the unlikely event that TRUSTe has reason to believe a licensee has violated its posted privacy practices or other TRUSTe program requirements, we will conduct an escalating investigation. This process may include an on-site compliance review by one of TRUSTe's official auditors, PriceWaterhouseCoopers LLP or KPMG Peat Marwick LLP. If the on-site review finds that a licensee is non-compliant, TRUSTe will advise and guide the licensee on the steps to remedy the problem.

If no action is taken by the licensee - depending on the severity of the breach - our investigation may also result in revocation of the TRUSTe trustmark, termination from the program, or in extreme cases, referral to the appropriate government agency http://www.truste.org/webpublishers/pub_recourse.html.

WebTrust

Back to Table of Contents

WebTrust itself does not play a role in complaint resolution but its criteria for obtaining the WebTrust seal require signatories or licensees to give customers access to a third party arbitration process. In other words, to gain the WebTrust seal, a business must give its customers access to a dispute arbitration process that meets certain standards. WebTrust's Criterion A4.1 reads:

The entity [i.e., the signatory] discloses information to enable customers to file claims, ask questions and register complaints, including, but not limited to, the following: ... in the event outside dispute resolution is necessary, the process by which these disputes are resolved. These complaints may relate to any part of a customer's e-commerce transaction, including complaints related to ... accuracy, completeness, and distribution of private customer information and the consequences for failure to resolve such complaints. This resolution process should have the following attributes:

WebTrust endorses the 12 principles for arbitration processes developed by the National Arbitration Forum (NAF) (http://www.aicpa.org/webtrust/wtpcfaqs.htm, see also Exhibit E). These cover much of the same ground as the six Australian benchmark principles. Any third party arbitrator selected by the signatory must follow these 12 principles. That they do so is part of the assurance process that WebTrust carries out. WebTrust also recommends that the arbitrator selected by the licensee follow the more detailed NAF Code of Procedure.

4.2.4 Assessment results

Back to Table of Contents

Benchmark 1 -- Accessibility: the scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

Promoting knowledge of its existence. All three seals require display of the seal on participating sites. The seal logo on the participating site links back to the seal's own Web site, which contains information about the available dispute resolution mechanism.

Easy to use. All three seals require consumers to make bona fide attempts to resolve their concerns with the participating business before turning to the seal's dispute resolution mechanism. This is consistent with the benchmark principles. BBBOnLine and TRUSTe then have complaints mechanisms accessible directly from their Web sites. WebTrust does not, but does require its licensees to provide "information to enable customers to file claims, ask questions and register complaints."

No cost barriers. Neither BBBOnLine nor TRUSTe charges customers for dealing with complaints. In the case of WebTrust, NAF principle 6 is "Reasonable Cost -- The cost of an arbitration should be proportionate to the claim." But the NAF's services are available free of cost to those who are not able to pay. Since WebTrust participants can choose a dispute resolution mechanism other than the National Arbitration Forum, there is less assurance that a mechanism under the auspices of WebTrust will meet this element of Benchmark 1.

The elements of this principle have been weighted equally. It seems fair to say that all three seals meet the first two elements. The possibility of cost barriers in the case of WebTrust suggests that it falls short of meeting this element entirely: it has been tentatively rated at 0.22 out of a possible 0.33.

This yields the following indicative ratings (out of one):

Benchmark 2 -- Independence: the decision-making process and administration of the scheme are independent from scheme members.

Back to Table of Contents

BBBOnLine's first line of complaint handling, the Privacy Policy Review Service, is overseen by the Privacy Review Appeals Board. Each PRAB panel has a "public" member, a "data expert" member and a "company" member.

TRUSTe's comments on the preliminary assessment made in July 2000 indicate that its initial decision in a complaint now may be appealed to the TRUSTe Appeals Board, which "shall consist of (1) a representative from TRUSTe's Board of Directors designated by its Chairman; (2) a privacy expert from the academic/university community; (3) a representative chosen by a consumer/privacy advocacy group designated by TRUSTe's CEO/Executive Director." If there is reason to believe that a site has not complied with its posted privacy commitments, TRUSTe may require an on-site compliance review by PriceWaterhouseCoopers or KPMG Peat Marwick. This process appears independent from the seal bearers. This suggests adequately independent oversight of the TRUSTe complaints mechanism and should meet Benchmark 2.

WebTrust recommends reliance on the National Arbitration Forum. If other bodies are used, they must comply with the NAF principles, which include "3 Competent and Impartial Arbitrators -- The arbitrators should be both skilled and neutral" and "4 Independent Administration -- An arbitration should be administered by someone other than the arbitrator or the parties themselves." NAF arbitrators are legal professionals who take an oath of independence.

In summary, BBBOnLine, with its tripartite review board, and WebTrust, with its third party arbitrator, appear to meet this benchmark. TRUSTe lacks either safeguard and appears considerably weaker in terms of independence, although possible recourse to independent auditor provides some assurance. This yields the following indicative ratings (out of one):

Benchmark 3 -- Fairness: the scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.

Back to Table of Contents

Decisions are fair. Without scrutinizing a sample of particular complaints and assessing the process gone through, it is not possible to make a judgment about whether decisions in complaints against seal licensees are fair. Accordingly, this element of the benchmark cannot be effectively assessed.

Seen to be fair. Given the sources for these assessments, it is not possible to judge whether the decisions made under the three seal programs are actually perceived by complainants and respondents as fair. Again, this element of the benchmark cannot be effectively assessed.

Procedural fairness. So far as the "principles of procedural fairness are concerned," the key practices associated with Benchmark 3 specify that a dispute resolution scheme should be structured so that:

3.2 The scheme's staff advise complainants of their right to access the legal system or other redress mechanisms at any stage if they are dissatisfied with any of the scheme's decisions or with the decision-maker's determination.
3.3 Both parties can put their case to the decision-maker.
3.4 Both parties are told the arguments, and sufficient information to know the case, of the other party.
3.5 Both parties have the opportunity to rebut the arguments of, and information provided by, the other party.
3.6 Both parties are told of the reasons for any determination.
3.7 Complainants are advised of the reasons why a complaint is outside jurisdiction or is otherwise excluded.

In relation to BBBOnLine, decisions by the Privacy Policy Review Service may be appealed to the Privacy Review Appeals Board. Either the complainant or the respondent may request that particular information they supply to BBBOnLine remain confidential, but BBBOnLine will provide the other party with a summary of the material they need to put forward their side of the case. PPRS and PRAB present written determinations.

TRUSTe's document, TRUSTe Web site Privacy Seal Program Watchdog Compliance and Escalation Process, downloaded from its Web site at <http://www.truste.org/users/compliance%20document-final.doc>, August 28, 2000, suggests that TRUSTe substantially meets this element of Benchmark 3. It provides for each party to receive information about the arguments of the other, advises complainants of other avenues if any are available, and to be told the reasons for TRUSTe's decision.

The National Arbitration Forum, which WebTrust recommends its licensees employ as an independent dispute arbitrator, abides by a Code of Procedure that requires the principles of procedural fairness in Benchmark 3 be followed. WebTrust signatories are able to use other mechanisms than the NAF, but they must follow the 12 NAF principles. Following the National Arbitration Forum Code of Procedure is recommended, but not compulsory. WebTrust comments that its auditors would require a participant using a dispute resolution mechanism other than NAF to justify departure from the Code of Procedure.

BBBOnLine and TRUSTe's process appears substantially to meet the principles of procedural fairness set out in this benchmark. WebTrust's arrangements would appear to meet the benchmark if National Arbitration Forum is employed as the arbitrator, though some doubt remains about other dispute resolution mechanisms.

This yields the following indicative ratings (out of one):

WebTrust scored slightly lower only because of the doubt surrounding the procedures followed by complaint mechanisms other than the National Arbitration Forum.

Benchmark 4 -- Accountability: the scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.

Back to Table of Contents

Publishing determinations and information about complaints. BBBOnLine posts dispute resolution decisions and complaint statistics, with brief summaries of the issues raised, on its Web site quarterly. It appears to meet this element of Benchmark 4. No public reporting is mentioned on the TRUSTe Web site. On the available evidence, TRUSTe would not appear to meet this element of Benchmark 4. The National Arbitration Forum does not publish details of its decisions. WebTrust has advised that it is unlikely, for reasons of confidentiality, to require publication of complaint decisions. WebTrust appears relatively weak in this regard.

Highlighting systemic problems. None of the seals are industry-based but it is still realistic to expect them to identify systemic issues that arise in the course of resolving complaints. BBBOnLine's Web site does not refer to systemic issues although it does provide "consumer tips" on spam, "knock-off sites," kids in cyberspace, etc. BBBOnLine has advised that as experience builds it intends to publish information on systemic issues. TRUSTe has a quarterly newsletter with stories about high profile online privacy incidents. It does not appear (on the available evidence) to identify systemic issues arising from its complaints. The NAF site does not comment on systemic issues, except for occasional press releases on cybersquatting and the like. The two elements of this benchmark have been weighted equally, yielding the following tentative ratings (out of one):

Benchmark 5 -- Efficiency: the scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.

Back to Table of Contents

Keeping track of complaints. BBBOnLine has time frames written into its rules to ensure timely complaint resolution. It advises that internal systems are in place to keep track of complaints. It is difficult to give TRUSTe a rating against this element of Benchmark 5, since information about its complaint tracking and performance reviews has not been available. The National Arbitration Forum's Principle 10 provides that "hearings should be convenient, efficient and fair for all." WebTrust advises that the NAF employs tracking software and case co-ordinators to keep track of all matters being dealt with. A lesser degree of assurance is available in relation to other potential dispute resolution mechanisms.

Appropriate forum. BBBOnLine's Web site makes no statements about referrals to other forums, although it does contain a clear description of what complaints BBBOnLine will and will not deal with. TRUSTe indicates that it will, if necessary, refer complaints to the appropriate regulatory authority. The NAF Code of Procedure explains what can be brought under it. If a party attempts to inappropriately bring an action, NAF co-ordinators will not allow the case to proceed. Inappropriate disputes include, but are not limited to, cases where there has not been an agreement to arbitrate and where the issues go beyond the scope of the agreement.

Regular performance reviews. This element is dealt with under Benchmark 6 below.

Equally weighting the first two elements of this benchmark yields the following indicative ratings (out of one):

Benchmark 6 -- Effectiveness: the scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.

Back to Table of Contents

Appropriate and comprehensive terms of reference. All seals have clear terms of reference.

Regular independent performance reviews. Neither BBBOnLine nor TRUSTe refers to regular external reviews of the dispute resolution mechanism. WebTrust advises that it audits the National Arbitration Forum regularly as well as signatories. Non-NAF mechanisms may not be able to be subjected to the same scrutiny.

The indicative ratings (out of one) are:

4.2.5 Summary of dispute resolution assessment results

Back to Table of Contents

The following table summarizes tentative ratings against the six benchmarks. Ratings for individual benchmarks are out of one. Overall ratings are out of six.

Benchmark BBBOnLine TRUSTe WebTrust
Accessibility 1.00 1.00 0.88
Independence 1.00 1.00 1.00
Fairness 1.00 1.00 0.75
Accountability 0.80 0.40 0.40
Efficiency 0.75 0.75 0.75
Effectiveness 0.50 0.50 0.80
Overall 5.05 4.65 4.58

4.3 Compliance/Enforcement

Back to Table of Contents

4.3.1 Need for compliance and enforcement

There is a growing concern from consumers about online security and privacy protection. This has been exacerbated by high