Federal regulators said a respected internet-privacy company gave its seal of approval to commercial websites and mobile apps but failed to check whether they were indeed meeting standards for safeguarding customers’ data.
The company known as TRUSTe describes itself as a leading independent authority on consumer privacy. But the Federal Trade Commission said it deceived consumers by not following through on annual reviews of websites and apps that carried its privacy seal. The FTC also said the San Francisco-based company let websites describe TRUSTe as a nonprofit service, even after it became a for-profit business in 2008.
“Seals and certifications are persuasive to consumers,” the FTC said in a blog post, after announcing Monday that TRUSTe had agreed to a legal settlement in the case. “So it’s important that representations conveyed by those remarks are truthful.”
TRUSTe agreed to a legal settlement without admitting wrongdoing. It will pay $200,000 to the FTC and file detailed reports on some of its practices in the future. In a company blog post, CEO Chris Babel said TRUSTe regrets not living up to “our own standards,” but characterized the problems as isolated. He said the company conducted compliance reviews in a majority of cases.
The company’s privacy seal is displayed by a variety of popular websites and mobile apps. TRUSTe also certifies such products as downloadable software and cloud-computing services.
But from 2006 to early 2013, according to the FTC, the company failed to conduct more than 1,000 annual reviews of companies to which it had already granted a TRUSTe seal, even though TRUSTe promised in its literature that it checks every year for continued compliance with its standards.
“TRUSTe promised to hold companies accountable for protecting consumer privacy, but it fell short of that pledge,” FTC Chairwoman Edith Ramirez said in a statement. While TRUSTe told clients that it was no longer a nonprofit, she added, it did not ensure that clients changed the way they described TRUSTe’s service.
Babel said the failure to conduct follow-up reviews involved companies that had signed multiyear contracts with TRUSTe. He said “the vast majority” were reviewed every other year.
TRUSTe now requires companies to remove any reference to TRUSTe’s former nonprofit status before they can be re-certified, Babel said.
Under the settlement, the FTC said future violations could be subject to civil penalties. TRUSTe is also required to make detailed annual reports to the FTC about the steps it takes to make sure clients comply with standards for a special certification that TRUSTe offers for websites and apps that collect data from children under 13. The FTC considers children to be especially in need of protection online.