Web Seals: A Review of Online Privacy Programs · 2016-03-22 · developed Web seals designed to...


Web Seals: A Review of Online Privacy Programs

A Joint Project of

The Office of the Information and Privacy Commissioner/Ontario

and

The Office of the Federal Privacy Commissioner of Australia

Ann Cavoukian, Ph.D.
Information and Privacy Commissioner

Ontario, Canada

Malcolm Crompton
Federal Privacy Commissioner

Australia

22nd International Conference on Privacy and Personal Data Protection
Venice, September 2000

Information and Privacy Commissioner/Ontario


Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario Canada M4W 1A8
416-326-3333
1-800-387-0073
Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539
Website: www.ipc.on.ca

This publication also is available on the websites of the Offices of the Information and Privacy Commissioner/Ontario and the Federal Privacy Commissioner of Australia.

Office of the Federal Privacy Commissioner
Level 8 Piccadilly Tower
133 Castlereagh Street
Sydney NSW 2000 Australia
+61 2 9284 9600
Fax: +61 2 9284 9666
TTY (Teletypewriter): 1-800-620-241
Website: www.privacy.gov.au


Executive Summary

Electronic commerce is often viewed as contributing to the development of a global economy – a world without borders. However, the reality is that all economic activity takes place within a given jurisdiction with a unique set of laws and regulations governing commercial transactions. While the buyer and seller may be located in different places, the sale itself takes place in one jurisdiction. This geographic separation often results in disputes over which jurisdiction takes precedence (the buyer’s or the seller’s) and can lead to difficulties in enforcement of contracts. In an effort to promote the growth and development of e-commerce, companies have sought ways to promote consumer confidence and trust.

It should be noted, however, that building consumer confidence in the world of e-commerce is no small matter. Virtually every major public interest survey over the last several years has shown that privacy is the No. 1 concern for people using the Internet, and the primary reason why most people continue to shop in traditional bricks-and-mortar stores rather than going online. Enforcing consumer protections during transactions between parties in different legal jurisdictions is a complicated undertaking. The issue is further exacerbated when it comes to the handling of personal information, especially in countries which have little or no legal protections in the area of privacy.

In many jurisdictions, people have the force of law to protect them, both in general consumer affairs and in the protection of their privacy. However, while many nations lack rigorous privacy protection legislation, the issue is most acute in the United States, which is the leading force behind electronic commerce. To address online privacy concerns, a number of organizations have developed Web seals designed to let their participants publicize that they adhere to certain privacy policies and practices. Yet without objective standards on which to evaluate these seals, their relative merits remain open to debate. The public requires a greater degree of certainty regarding the claims that a company, especially one unknown to them, bearing a Web privacy seal will in fact protect one’s privacy.

The subject of Web privacy seals was raised in September 1999 at the 21st Conference of International Data Protection Commissioners. The Commissioners also recognized the benefits of acting in unison to address online data protection issues, in light of the global nature of the Web. It was felt that a preliminary assessment of the major Web seal programs would be a useful contribution to the global debate over online privacy. Two Data Protection Commissioners, one from Ontario, Canada and one from Australia, undertook to do the work on the project while a small group of other Commissioners from Europe and Asia provided informal advice as the project proceeded. The Commissioners believed that by evaluating Web seals, the expertise of the privacy community could assist in the development and possibly the promotion of Web seals, thereby advancing the promotion of privacy efforts around the world.


The objectives for evaluating Web seal programs were threefold. First, to assess the privacy, dispute resolution and compliance standards of the major Web seals. Second, to engage in open discussions with the seal programs to identify ways in which to enhance their overall privacy framework, as well as their dispute resolution and compliance and enforcement mechanisms. Third, to undertake a practical demonstration of co-operative effort between Privacy Commissioners representing different jurisdictions and legislative frameworks, in an effort to advance online privacy initiatives at a global level.

Methodology

The Web seal project evaluated the three leading online privacy seals: BBBOnLine, TRUSTe and WebTrust. The review is detailed and quite complex. The project identified three key components for an effective online seal program:

• sufficient privacy principles to which participating Web sites must adhere;

• a sound method for resolving disputes between consumers and Web sites; and

• a robust mechanism for ensuring that “sealed” Web sites complied with the seal’s standards.

We believe the three seal organizations are to be commended for their efforts. This project is intended to highlight the strengths and weaknesses of each different approach. The work that each seal has put into its respective projects, in the areas noted above, is considerable and we welcome their efforts in attempting to develop an objective standard for fostering trust and consumer confidence.

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, an internationally-recognized code of fair information practices, was selected as the standard to evaluate the seals’ privacy principles. The OECD Guidelines contain overlapping and cumulative principles that outline responsible information handling practices designed to protect the privacy of data subjects. Adherence to all of the practices in their totality is necessary in order to achieve full informational privacy. To evaluate the dispute resolution mechanisms of each seal program, the Australian Benchmark for Industry-based Customer Dispute Resolution Schemes was selected as the standard. It reflects well established and internationally recognized standards for dispute resolution. This project also reviewed the seals’ compliance and enforcement mechanisms.


Results

The paper evaluates each seal program and includes highlights of correspondence with the seal organizations regarding our assessment. The evaluations conclude that, at the time of our review, each of the three seals addressed privacy protection, dispute resolution and compliance to varying degrees, although none of them completely satisfactorily. Regarding privacy standards, out of eight possible marks, the scores awarded were: BBBOnLine 6.25; TRUSTe 6.375; and WebTrust 6.0. In the dispute resolution section, out of a total possible six points, the scores awarded were: BBBOnLine 5.05; TRUSTe 4.65; and WebTrust 4.58. The paper also contains a review of the compliance and enforcement components of the three seal programs.

At the time of our review, each of the seals had its own strengths. BBBOnLine offered the most customer-friendly dispute resolution system, while WebTrust offered the most rigorous compliance regime. In terms of privacy principles, while TRUSTe scored the highest in our assessment, it is clear that none of the seals required their participants to meet all of the OECD principles. This is a point of concern. Nonetheless, seals are playing a valuable educational role in promoting privacy awareness in the minds of both consumers and businesses alike. This educational role is, in our view, both positive and beneficial.

Conclusion

The future role that Web seals might play in e-commerce is unclear. Seals are only in their early stages of development and will likely evolve and improve over time. They could come into their own as a powerful facilitator of globalization of consumer transactions if they are able to provide acceptable and enforceable privacy protection across multiple jurisdictions. Objective assessments of the extent to which seals provide true privacy protection, dispute resolution and enforcement, may be a crucial factor in determining the degree and speed with which they become more accepted by consumers. Such assessment could assist consumers and business in differentiating between the competing claims put forward by various seal providers.

In the end, Data Protection Commissioners have a number of tools at their disposal to protect the privacy of their citizens: legal instruments, technical standards, public education, expert consultation and moral suasion. By working together, Commissioners can extend the reach of their offices and provide benefits to consumers beyond their individual borders. It is up to the global community of Commissioners to work together to advance the uniform goal of privacy protection – this joint project is only one small indication of what can be done.


Table of Contents

1. Background ..... 1
1.1 Why Online Privacy Seals? ..... 2

2. Objective of the Web Seals Project ..... 3
2.1 Seals Selected for Review ..... 3

3. Methodology ..... 6

4. Assessment of the Seal Programs ..... 7
4.1 Privacy Principles ..... 7
4.1.1 Selection of the OECD Guidelines as the standard ..... 7
4.1.2 Template for analysis ..... 7
4.1.3 BBBOnLine ..... 10
4.1.4 TRUSTe ..... 16
4.1.5 WebTrust ..... 21
4.1.6 Conclusions ..... 23
4.2 Dispute Resolution ..... 25
4.2.1 Selection of the standard for dispute resolution assessment ..... 25
4.2.2 Basis for seal assessment ..... 26
4.2.3 Description of dispute resolution mechanisms ..... 26
4.2.4 Assessment results ..... 29
4.2.5 Summary of dispute resolution assessment results ..... 34
4.3 Compliance/Enforcement ..... 34
4.3.1 Need for compliance and enforcement ..... 34
4.3.2 Comparison of the functions ..... 35
4.3.3 Next steps ..... 35

5. Results ..... 37
5.1 Summary of assessment of the seals ..... 37
5.2 Effectiveness of seals as a tool online users can use to protect their personal data ..... 37
5.3 The future of this project ..... 39
5.4 Concluding remarks ..... 42

Exhibit A – Comparison of BBBOnLine Privacy Seal with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ..... 43

Exhibit B – Comparison of TRUSTe Program with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ..... 60


Exhibit C – Comparison of WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ..... 74

Exhibit D – Australian federal government Benchmarks for Industry-Based Customer Dispute Resolution Schemes ..... 85

Exhibit E – Australian National Arbitration Forum Principles ..... 93

Exhibit F – Compliance/Enforcement Activity of Privacy Seals ..... 94


1. Background

At the 21st International Data Protection Commissioners’ Conference, held in September 1999 in Hong Kong, the Commissioners agreed that there was a need to act in unison to address online data protection issues. The recognition of the desirability for concerted, co-operative action was sparked by a number of factors. The global nature of the World Wide Web (the Web), in the face of the local jurisdiction of Data Protection Commissioners, highlighted the need for an international consensus regarding issues of online privacy protection. Also, while the efforts of Commissioners have significant impact in their respective jurisdictions, their individual effectiveness at the global level is currently relatively limited. By acting in unison, Commissioners may have greater influence over the online privacy debate and public opinion.

Commissioners focussed their attention on the rapidly developing area of online privacy seals. A working group was established with a mandate to identify and assess options available to Privacy Commissioners:

• to use standards and/or seals to improve the protection of personal information in their jurisdictions, for example, by promoting or endorsing a particular seal; and

• to add value to standards or seals, for example, by participating in or contributing to their development.

The Data Protection Commissioners recognized that the law is unable to keep up with the current pace of technological change. Internet users are looking for means of assurance that their privacy interests are being respected, or that redress is available should their personal information be misused. Standards and/or seals could potentially assist in providing such assurance.

After reviewing potential options for examining standards and seals, the Privacy Commissioners of Ontario (Ann Cavoukian) and Australia (Malcolm Crompton) decided to undertake an evaluation of online privacy seals. A small group of other Commissioners from Europe and Asia provided informal advice as the project proceeded. The assessment and its results, as well as conclusions drawn and potential next steps, are the subject of this paper.


1.1 Why Online Privacy Seals?

The Commissioners identified the assessment of online privacy seals as a valuable project based on a number of online realities:

• the exponential growth of the Internet and in business being conducted over the Internet;

• the global nature of the Internet and e-commerce means that consumers do not limit their online activities to their local jurisdictions;

• the concern of online users about the release of their personal information to companies when they shop online; and

• the increasing efforts of commercial and not-for-profit organizations to respond to the public’s concerns about online privacy through seal programs.

The profile and potential importance of Web seals has been further heightened by the recently announced Safe Harbor Agreement reached between the European Union and the United States. The agreement identifies privacy self-regulatory organizations (such as Web seals) as acceptable mechanisms for determining compliance with its privacy principles.


2. Objective of the Web Seals Project

The Commissioners identified the following objectives for this project:

• assess the privacy, dispute resolution and compliance/enforcement standards of the major Web seal programs;

• engage in open discussions with the seal programs to identify ways to enhance their overall privacy framework, as well as their dispute resolution and compliance/enforcement mechanisms;

• undertake a practical demonstration of co-operative effort between Privacy Commissioners in order to advance online data protection efforts at a global level; and

• establish that Privacy Commissioners, representing a diversity of jurisdictions and legislative frameworks, can work together to protect the privacy of personal information at a global level.

2.1 Seals Selected for Review

The Commissioners chose the three major privacy seal programs for review and assessment – BBBOnLine, TRUSTe, and WebTrust. Although there is a growing number of seals available, these programs were the most visible and most commonly used seals at the time of the assessment.

BBBOnLine

This program has been developed by the Council of Better Business Bureaus. According to BBBOnLine, its privacy program features verification, monitoring and review, consumer dispute resolution, a compliance seal, enforcement mechanisms and an educational component.

The BBBOnLine privacy program offers the following:

• awards a seal to businesses that post online privacy policies which meet the required “core” principles, such as disclosure, choice and security;

• provides for the settlement of consumer disputes;

• monitors compliance by requiring participating companies to undertake, at least annually, an assessment of their online privacy practices; and

• imposes specific consequences for non-compliance, such as seal withdrawal, negative publicity and referral to government enforcement agencies.

As of August 1, 2000, 324 companies had been awarded the BBBOnLine seal.


TRUSTe

This program regards itself as an independent, non-profit initiative dedicated to building users’ trust and confidence on the Internet. It has developed a third-party oversight seal program designed to alleviate users’ concerns about online privacy, while meeting the business needs of licensed Web sites. TRUSTe was originally founded by the Electronic Frontier Foundation and the CommerceNet Consortium. The sponsors of the program include many of the world’s largest corporations, such as AOL, Intel, Excite and Microsoft.

The seal is awarded to sites that adhere to TRUSTe’s established privacy policies of disclosure, choice, access and security. Web sites that display this seal agree to comply with ongoing TRUSTe oversight and alternative dispute resolution processes.

TRUSTe’s goals are to provide:

• online consumers with control over their personal information;

• Web publishers with a standardized, cost effective solution for both satisfying their business model and addressing consumers’ anxiety over sharing personal information; and

• government regulators with demonstrable evidence that the industry can successfully self-regulate.

TRUSTe has awarded more than 1,000 seals to qualifying companies. It is reportedly displayed on all the Internet’s portal sites, 15 of the top 20 sites, and approximately half of the top 100 sites.

WebTrust

This seal was developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is offered by specially trained and licensed Certified Public Accountants (CPAs) in the United States, Canada, Hong Kong, Australia and a growing number of European countries. WebTrust claims to be part of a global effort by the accounting profession to bring effective e-commerce solutions to the Internet to protect businesses and consumers when shopping online.

The WebTrust seal of assurance is placed directly onto the Web site of the qualifying online business, indicating that the business is in compliance with WebTrust principles and criteria. WebTrust requires CPAs to conduct an independent examination of the site and all its business practices and procedures. The licensed CPA awards a seal to an online business only if it passes the examination.


According to WebTrust, the three fundamental areas of its principles and criteria reviewed by the CPA are:

• Business Practices and Information Privacy — to ensure that the site properly discloses its business practices for such matters as order processing, product returns, information collection, payment processing, product delivery and complaint resolution.

• Transaction Integrity — to ensure that the business can deliver on its sales promises by delivering what was ordered at the agreed-upon price in the requested timeframe.

• Security — to ensure that the site maintains effective controls and practices to address privacy and security matters such as: encryption of private customer information; protection of information once it reaches the site; requests for customer permission to use personal information; prevention of virus transmission; and customer approval before the site stores, alters or copies information on the customer’s computer.

As of August 1, 2000, a total of 28 Web sites had been awarded WebTrust seals.


3. Methodology

This joint project was undertaken as a one-year pilot, with the goal of reporting back to the 22nd International Data Protection Commissioners’ Conference in September 2000. The Australian and Ontario Commissioners identified three key components for an effective online seal program, namely:

• sufficient privacy principles to which participating Web sites must adhere;

• an effective method for resolving disputes between consumers and Web sites; and

• a robust mechanism for ensuring that sealed Web sites comply with the standards set.

As discussed below in Section 4 of this paper, each of the seal programs was reviewed in these three areas. It is important to note that our intent was not to come up with a score for the seal programs that definitively claimed that one was better than another. The first purpose of this evaluation was to create a diagnostic tool to help us understand what was and was not covered by the seals. The second, and more important purpose, was to provide a means to initiate a dialogue with the seal programs. By providing them with our initial analysis, and asking for their comments, we began what we hoped to be an ongoing process of mutual education and information exchange. We wanted to be sure that we understood their programs fully and that they understood our concerns.

Readers of this paper may be surprised by the level of detail and complexity. By necessity, a thorough and fair analysis requires a clause-by-clause examination of the minutiae of the three seals’ policies. We would rather have erred on the side of being overly inclusive in our analysis than have our work dismissed for being superficial. That being said, this level of review is not intended to find fault in the smallest detail but rather to illustrate the degree of comprehensiveness of the seal policies.

The three seal programs are to be commended for their efforts. Our review is not intended to diminish the value of the work that the seals have put into their projects but rather to highlight the strengths and weaknesses of each different approach. Each organization is to be commended for its efforts in developing an objective standard for fostering trust and consumer confidence.

The next section of this paper details the assessment process that has been undertaken and the dialogue that has occurred with the seal programs as of August 1, 2000. Following that, we offer some conclusions and recommendations as to potential next steps.


4. Assessment of the Seal Programs

4.1 Privacy Principles

4.1.1 Selection of the OECD Guidelines as the standard

The first step in this project was to identify an appropriate standard against which to evaluate the privacy principles of the seals. We believed the obvious choice was the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data <http://www.oecd.org//dsti/sti/it/secur/prod/PRIV-EN.HTM>.

Evaluating the online seal programs against the OECD Guidelines appealed to us for several reasons. Given the borderless nature of the online world and e-commerce, and the popularity of American sites for users in all jurisdictions, an internationally-recognized privacy standard seemed to be the most appropriate measure against which to compare the seals’ privacy principles. In addition, the OECD Guidelines form the basis of data protection schemes around the world.

The OECD Guidelines contain overlapping and cumulative principles that outline responsible information handling practices designed to protect the privacy of data subjects. We believe adherence to all of the practices is necessary in order to achieve full informational privacy.

4.1.2 Template for analysis

The June 26, 1998 edition of Privacy Times reported that Robert Gellman, a well known authority on privacy, had developed a scale for evaluating online privacy initiatives against the OECD Guidelines. Using his scale, a point was assigned to each principle, allowing for a perfect score of eight.

We decided to modify Mr. Gellman’s general rating scheme somewhat. Most of the OECD principles contain several components, each of which we believed must be reflected by the seal programs in order to be considered equivalent.

The marking scheme outlined below was developed as a way to ensure that we were consistent in our approach and, more importantly, to ensure that all aspects of the OECD principles were considered. Each OECD principle was divided into its component parts, with separate marks allocated to each section. A total of one point was assigned to each principle as follows:


OECD Guidelines — Evaluation Criteria (weighting shown after each criterion)

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

• Limits to collection by lawful and fair means: .5
• Knowledge or consent of data subject: .5

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

• Relevant to purposes of use: .5
• Accurate, complete and kept up-to-date: .5

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

• Specify purposes to data subject not later than time of collection: .5
• Uses limited to purposes or specified consistent purposes: .5

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except:
a) with the consent of the data subject; or
b) by the authority of law.

• Use and disclose in accordance with specified purposes: .5
• Except with data subject consent or by authority of law: .5

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

• Reasonable security safeguards: 1

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

• General policy of openness: .5
• Ready means for data subject to know about personal information, and purposes, including identity and location of data controller: .5


For each seal program, we followed a basic methodology:

• Our evaluations were based solely on information that was publicly available on the seal programs’ Web sites. In November 1999, we logged onto the three seal programs’ sites and reviewed all the pages and documents we thought provided information on the seals’ privacy requirements for business participants.

• Using the above template, we created a separate chart for each seal that contained the relevant sections of text from the material available from the Web sites. We quoted the seal programs’ text so as not to misrepresent their statements. We attempted to include any statements we thought relevant to specific OECD principles. Our intent was to include as much information as was available to us at the time.

• To determine if the seals covered all/some/none of the individual provisions of the OECD principles, we compared those fair information practices against the stated requirements of the seal programs. We attempted to be as broad in our interpretations as possible.

OECD Guidelines: Evaluation Criteria and Weighting (continued)

Individual Participation Principle: An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him data relating to him
   i) within a reasonable time;
   ii) at a charge, if any, that is not excessive;
   iii) in a reasonable manner; and
   iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

• Data subject able to know data controller has personal information (weighting .25)
• Data communicated in reasonable time and manner, and in intelligible form (weighting .25)
• Reasons for denial of access (weighting .25)
• Ability to challenge and correct (weighting .25)

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

• Data controller accountable for compliance with principles (weighting 1)


It is important to acknowledge, at the outset, that there were a number of limitations to this methodology. First, a quantitative assessment such as this does not necessarily reflect the full merits of a seal program. For example, it does not capture the fact that some seals stress business and consumer education, which we agree is extremely important and beneficial.

Also, it would be incorrect to assume that just because a reference to a particular facet of the OECD Guidelines was not included by a seal, the opposite was true. For example, if there was no stated requirement to only collect personal information by lawful and fair means, it would have been misleading to interpret this omission to mean that the use of unlawful and unfair means was acceptable.

4.1.3 BBBOnLine

At the time of our review, one of BBBOnLine’s threshold standards was that an applicant’s site or online service must be directed at United States or Canadian residents. We felt this supported our selection of the OECD Guidelines as the standard for our review. Canada’s new Personal Information Protection and Electronic Documents Act, which was being debated at that time, codifies the Canadian Standards Association’s Model Code for the Protection of Personal Information, which in turn is based on the OECD Guidelines.

To arrive at our assessment of BBBOnLine’s Privacy Seal, we reviewed the following Web pages and documents:

• About Seals <http:www.bbbonline.org/about/about_seals.htm>, 11/4/99;

• BBBOnLine Privacy Program <http://www.bbbonline.org/businesses/privacy.index.html>, 11/15/99;

• Eligibility Criteria for BBBOnLine Privacy Seal <http://www.bbbonline.org/businesses/privacy/eligibility.html>, 11/4/99;

• BBBOnLine Privacy Program documents in Adobe PDF format [11/4/99];

• How the Privacy Program Works <http://www.bbbonline.org/businesses/privacy/self-regulation.html>, 11/4/99;

• BBBOnLine Privacy Program Participation Agreement in Adobe PDF format [11/2/99];

• BBBOnLine Privacy Program Dispute Resolution Process in Adobe PDF format [11/2/99];

• Benefits of Participation <http://www.bbbonline.org/businesses/privacy/benefits.html>, 11/4/99;

• How Much Will it Cost? <http://www.bbbonline.org/businesses/privacy/cost.html>, 11/4/99;


• How to Apply for the Privacy Seal (A Step by Step Guide) <http://www.bbbonline.org/businesses/privacy/guide.html>, 11/4/99;

• Sample Privacy Notice: Introduction <http://www.bbbonline.org/businesses/privacy/sample.html>, 11/4/99;

• BBBOnLine Privacy Seal Application <https:/www/bbbonline.org/database/papp/papp/cfm>, 11/4/99;

• Standards for BBBOnLine Reliability Program Participation <http://www.bbbonline.org/businesses/reliability/standards.html>, 11/4/99; and

• BBBOnLine Privacy Policy Assessment Questionnaire, including Help notes, <http://www.bbbonline.org/businesses/privacy/assess-html.html>, 11/4/99.

Following the methodology outlined above, we initially gave the BBBOnLine Privacy Seal six out of eight possible points (see Exhibit A for our analysis). For reasons outlined below, this has now been revised to 6.25. In November 1999, we did not find standards or requirements that explicitly addressed:

• limiting the collection of personal data to lawful and fair means;

• requiring personal data to be relevant to the purposes for which they are to be used;

• giving the data subject the right to have data related to him communicated in a reasonable time and manner, without excessive costs, and in an intelligible form;

• giving the data subject the right to be given the reasons for a denial of access.

We also thought that the restrictions on “use” should be stronger. While a requirement for the site to limit its use of data to the purposes for which it was collected or “related uses or transfers” may be inferred from statements under the Choice and Consent section of the Privacy Policy Assessment Questionnaire, it did not appear to be explicitly stated anywhere. We believed this created a potential weakness in the BBBOnLine Privacy Seal relating to both the purpose specification and use limitation principles of the OECD Guidelines. However, we did acknowledge the existence of the requirement to restrict the use of information transferred to third parties, as specified in the eligibility criteria.

Prior to a meeting between Malcolm Crompton and Gary Laden, Director of BBBOnLine Privacy Program, and Russell Bodoff, Senior Vice President and Chief Operating Officer, on April 13, 2000, we sent BBBOnLine a copy of our assessment of its Privacy Seal. We asked BBBOnLine to indicate if, in its view, our evaluation was fair and accurate, or whether we had missed any critical information. We also asked if BBBOnLine was open to the idea of changing its eligibility criteria and program participation agreement to explicitly cover all aspects of the OECD Guidelines.


At the April 13, 2000 meeting, BBBOnLine indicated that its seal program had to evolve continuously in order to keep pace with developments, and that it welcomed our comments. At that time, its focus was on ensuring that its Privacy Seal was compliant with the Safe Harbor Agreement and the American Children’s Online Privacy Protection Act. BBBOnLine thought that the changes it was making to its seal program as a result of these initiatives might address some of our concerns. BBBOnLine also said that it supported our “co-operative model” and welcomed our input.

On July 25, 2000, Mr. Laden provided us with some “preliminary feedback” on our review of BBBOnLine’s standards for its Privacy Seal, as follows:

Limiting the collection of data by lawful and fair means

BBBOnLine noted that a Web site collecting data in violation of the law would not hold a BBBOnLine Privacy Seal, as one of its eligibility requirements is that “seal participants must be engaged in activity that is legal.” According to the company, by definition, a Web site collecting data in violation of the law would not be able to hold the BBBOnLine seal. Due to this requirement, BBBOnLine maintained that consumers interacting with an approved site would always be in the position of preventing the use of their data in an unfair or unlawful manner. Mr. Laden asked us for clarification as to why BBBOnLine’s threshold standard did not adequately address this part of the Collection Limitation Principle of the OECD Guidelines.

We recognize that this is a matter of fine tuning; however, we believe that our distinction between a business engaging in a lawful business activity, and a business collecting personal information in a lawful and fair manner, is more than merely a matter of semantics. A company may be involved in a legitimate business but still may collect personal information (knowingly or unknowingly) in a manner that violates privacy legislation, or that is misleading or deceptive, thereby not permitting data subjects to exercise their rights in an effective manner.

One of the stated benefits of participating in the BBBOnLine privacy program is that the seal lets consumers know that the business “follows ethical practices in the treatment of personally identifiable information.” Given that the purpose of a privacy seal is to establish a framework of responsibility for the entity collecting, using and disclosing personal information, we strongly encourage BBBOnLine to place an explicit onus on its participants to collect personal information only by lawful and fair means, and to disclose that obligation as part of their privacy policies.

Personal data should be relevant to purposes of use

Mr. Laden noted that BBBOnLine’s assessment process requires organizations to “take reasonable steps to assure that the individually identifiable information and prospect information they collect is accurate, complete, and timely for the purposes for which it is used.” We acknowledged this requirement in our initial assessment, which is why we gave BBBOnLine partial marks for the Data Quality Principle.


However, we believe that accuracy, completeness and timeliness are different from relevancy. It is not enough just to ensure that all the facts pertaining to a transaction are accurate. A central tenet of informational privacy is that the collection, use and disclosure of personal information be limited to only that which is necessary and relevant to a legitimate business function.

A determination of relevancy is critical to limiting the collection of information. As Privacy Commissioners, we believe that collection limitation is the first line of defence against privacy intrusions. Accordingly, we would encourage BBBOnLine to include a requirement for its participants to collect, use and disclose only that personal information which is relevant to the stated purpose(s).

This places an obligation on businesses to evaluate the bearing or impact that the collection, use or disclosure of personal data would have on a transaction. Ideally, if a piece of personal information is not absolutely required to complete a transaction, it should not be used. Alternatively, the purpose(s) of the optional data should be clearly defined and identified to the data subject prior to collection, use or disclosure.

It should not be left solely up to consumers to determine relevancy and then opt in or out of the collection, use or disclosure of their personal information. We believe that responsibility should be placed on seal participants to clearly inform data subjects of the necessity and relevancy of each piece of personal information to be collected.

Pursuant to the Purpose Specification and Use Limitation Principles of the OECD Guidelines, we would like to see BBBOnLine more explicitly require its participants to limit the use of personal information to the defined purpose(s) for which it was collected. We acknowledge that this is addressed somewhat by statements under the Choice and Consent provisions. However, we do not think a requirement to provide “individuals the opportunity to opt-out or otherwise prohibit unrelated uses of individually identifiable information about them” is sufficient. Again, we do not believe it is enough just to provide the data subject with a choice regarding unrelated uses. We would prefer to see an explicit obligation placed on the business to limit its use of personal information to the purpose(s) identified.

Data subject’s right to have related data communicated in a reasonable time and manner, without excessive costs, and in an intelligible form

In its response to our evaluation, BBBOnLine indicated that its assessment process requires that data subject access be provided not just to correct, but also to review related data. It also requires that any limits on frequency or cost be “reasonable” (e.g., frequency limits of more than one year or fees of more than $15 U.S. would not be considered reasonable). We agree that this constitutes a reasonable time and a charge that is not excessive and, following Mr. Laden’s letter, reviewed our analysis to see why we had omitted this provision in our November assessment. We have amended our assessment to correct our initial oversight.


At the time of our review, BBBOnLine’s Eligibility Criteria required a seal participant to “... provide individuals with access to individually identifiable information collected from them online if such information is retrievable in the ordinary course of business and providing access does not impose an unreasonable burden.”

We gave BBBOnLine full marks for the parts of the Individual Participation Principle relating to the data subject’s ability to know what information the data controller has on him or her. However, we did not initially give BBBOnLine marks for provisions relating to participants’ obligation to communicate with the data subject in a reasonable time and manner, without excessive charge and in an intelligible manner.

In the Access section of the Privacy Policy Assessment Questionnaire, Question G-4 asks the applicant to describe the mechanism(s) the organization has in place to make available to individuals, upon reasonable request, the individually identifiable information or prospect information it maintains with respect to the individual.

The G-4 Help window currently states:

An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual. The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used.

If an organization can not make information that it maintains available because it can not retrieve the information in the ordinary course of business, it must provide the individual with a reference to the provisions in its privacy notice that discuss the type of data collected, how it is used, and appropriate choices related to that data, or provide the individual with materials on these matters that are at least as complete as the information provided in the privacy notice.

Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances.


For reasons unknown, at the time of our review in November, we reviewed only the first paragraph of the Help text. As a consequence, we did not consider the remaining information in our November analysis.

We appreciate BBBOnLine bringing this omission to our attention (which highlights the benefits of an ongoing exchange of information). The additional information indicates that BBBOnLine does indeed require its participants to communicate in a reasonable time and manner, and to set reasonable terms regarding timing and fees. Marks should have been awarded in this category and now have been.

Ideally, a right to challenge an organization’s determination of what constitutes “the ordinary course of business” or “unreasonable burden” would give the data subject greater input into this process.

Reasons for denial of access

According to BBBOnLine, there is only one possible reason that a BBBOnLine seal holder could deny access and that would be when data cannot be retrieved in the ordinary course of business; otherwise access must be granted. BBBOnLine states that in such a case, the requester must be provided with a reference to the provisions of the privacy policy that discuss the types of data collected, how they are used, and appropriate choices related to that data, or with materials on these matters that are at least as complete as the information provided in the privacy notice. “Since there are no other acceptable reasons for denial, this does not become an issue for our seal holders.”

At the time of our review, BBBOnLine’s eligibility criteria required a seal participant to “establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information.” Accordingly, we gave BBBOnLine full marks for the parts of the Individual Participation Principle relating to the data subject’s ability to challenge and correct. However, the fact that we did not review the full text of G-4 Help means that the requirement to provide the requester with the information described above was omitted in our analysis. Again, we have amended our assessment following receipt of Mr. Laden’s letter.

However, on a general level, we would still prefer that an organization be required to do more than just refer the data subject to the provisions of the privacy policy. We would encourage BBBOnLine to require its participants to more fully explain the reasons for denial of access in a timely and understandable manner; to provide data subjects with an opportunity to prepare a “statement of disagreement” and have it, along with the reasons for denial, attached or linked to the data in question, if their challenge is unresolved; and to provide a fair opportunity for the data subject to challenge the decision. An explanation about how data subjects could avail themselves of BBBOnLine’s dispute resolution process also should be linked to this provision.


While acknowledging our oversight, we think it illustrates a general problem we had with BBBOnLine’s Web site. We found it very difficult to access all the relevant information. If we missed some very instructive information, we think others will as well. To help applicants and participants to more easily understand the requirements of the Privacy Seal program, we encourage BBBOnLine to examine the effectiveness of making some critical information accessible only through its Help Windows. We think the addition of an alternate access method would be most useful.

Next steps

In his July 25 letter, Mr. Laden noted that BBBOnLine is “a dynamic, not static, program that will continue to strive to improve the services that it offers.” He indicated that BBBOnLine was in the process of implementing a new self-assessment tool that will incorporate a number of additional requirements, including requirements to be consistent with the new European Union-United States Safe Harbor Agreement. He thought that this new assessment tool would “likely address a number of the issues” we had raised.

As of the time of writing, we are awaiting receipt of BBBOnLine’s new assessment tool, which is scheduled for release in late September 2000. BBBOnLine has stated that it welcomes our feedback and that it would like to learn from our assessment. It recognizes that we all need to “co-operate effectively to get the most out of our respective efforts.” To date, both Commissioners have been very pleased with the responses received from BBBOnLine, and look forward to continuing to work together.

4.1.4 TRUSTe

In April 2000, a TRUSTe press release indicated that Nielsen/NetRatings had rated its trustmark the most visible symbol on the Internet.

To arrive at our assessment of TRUSTe’s privacy requirements for its Web seal, we reviewed the following Web pages and documents:

• How the TRUSTe Program Works <http://www.truste.org/webpublishers/pub_how.html>, 11/3/99;

• How to Join the TRUSTe Program <http://www.truste.org/webpublishers/pub_join.html>, 11/3/99;

• TRUSTe Program Principles for Web Publishers <http://www.truste.org/webpublishers/pub_principles.html>, 11/3/99;

• TRUSTe Oversight for Web Publishers <http://www.truste.org/webpublishers/pub_oversight.html>, 11/3/99;

• Frequently Asked Questions <http://www.truste.org/webpublishers/pub_faqs.html>, 11/3/99;

• Privacy Central <http://www.truste.org/webpublishers/pub_privacy.html>, 11/3/99;

• Resolution Process for Web Publishers <http://www.truste.org/webpublishers/pub_recourse.html>, 11/3/99;

• Privacy Statement Wizard <http://www.truste.org/wizard>, 11/3/99; and

• TRUSTe License Agreement Rev 5.0 <http://www.truste.org/webpublishers/pub_agreement.html>, 11/3/99.

After reviewing this information, we compared the privacy standards of the TRUSTe Trustmark against the OECD Guidelines (see Exhibit B). We gave TRUSTe 6.375 out of a possible eight marks. In the privacy principles, licensing agreement, and other data provided on TRUSTe’s Web site, we did not find standards or requirements explicitly:

• limiting the collection of personal data to lawful and fair means;

• requiring personal data to be relevant to the purposes for which they are to be used;

• giving the data subject the right to have data related to him communicated in a reasonable time and manner, without excessive costs, and in an intelligible form;

• giving the data subject the right to be given the reasons for any denial of access.

We also thought the requirements regarding a data subject’s right to know what information a data controller had about him or her were a little ambiguous. TRUSTe’s program principle required the posting of a privacy statement, and we acknowledged that such a statement would enable a data subject to know, generally, what personal information a Web site had. However, we did not see a provision for the data controller to respond to specific requests for information by the data subject. Also, we thought the program requirement of 3G of Schedule A of the license agreement, relating to information collection and use practices, did not explicitly require access. To us, the wording seemed to give the impression that such access was optional.

Prior to an April 19, 2000 meeting between Malcolm Crompton and Bob Lewin, Executive Director and CEO of TRUSTe, we sent Paula Bruening, Director of Compliance and Policy, our evaluation and asked for comments. On April 17, Ms Bruening replied, disagreeing with our assessment, and providing specific responses to each of our concerns, as follows:


Limiting the collection of personal data to lawful and fair means

From our review, we did not find any requirements relating to this portion of the Collection Limitation Principle of the OECD Guidelines. Accordingly, we did not give TRUSTe any marks in this area. Ms Bruening wrote:

We must disagree with this appraisal.

While the TRUSTe license agreement does not explicitly state this requirement, the TRUSTe self assessment sheet, integral to the TRUSTe program and required of every TRUSTe licensee, enables TRUSTe to review data collection methods and assure that individuals are not subject to practices that would deceive them into supplying information. The self assessment sheet, a 16 page document that must be attested to and signed by an officer of the company, asks specific questions about a company’s data practices and policies, and its personnel policies as they relate to data collection and privacy. It allows TRUSTe to assure that the privacy statement accurately reflects the company’s actual data practices. As such, the company’s failure to abide by its posted policy by engaging in unlawful or unfair collection practices would place it outside the bounds of its license agreement with TRUSTe and subject it to sanction.

For these reasons, we believe that the TRUSTe program does incorporate these criteria for data collection. The TRUSTe program in its implementation does require that data collection is carried out by fair and lawful means, and we therefore disagree with your assignment of a score of 0.

We did not review the self assessment sheet as part of our assessment. At the time of our review, as now, such a document does not appear to be publicly available on TRUSTe’s Web site. We have contacted TRUSTe and asked for a copy of this document so we may more fully understand the privacy requirements of the TRUSTe trustmark.

Requiring personal data to be relevant to the purposes for which they are to be used

Again, we did not give TRUSTe any marks for this provision of the Data Quality Principle. Ms Bruening’s response stated:

We disagree with this score.

At this time, TRUSTe relies upon its requirements for robust notice and meaningful choice to enable individuals to make sound decisions about the reasonableness of a company’s request for information. Clear, concise notice allows individuals to understand what information is being required of them, for what purpose, and how that information may subsequently be used. When notice is well-stated, individuals may draw their own conclusions about the relevance of the data being required to the purposes for which it may be used, and can act accordingly by exercising choice. This approach is not only critical to the goal of empowering individuals to exercise control over their data, it also is fundamental to an effective approach to privacy protection.

We disagree with your quantitative assessment of TRUSTe’s incorporation of this principle in its program. We believe the program provides an adequate process whereby a company provides consumers with sufficient information to determine the relevancy of the personal data to the purpose for which it is to be used.

As we indicated in our discussion of BBBOnLine’s Privacy Seal, we do not think it is appropriate for the responsibility of determining relevancy to be left to the data subject alone. While individuals obviously have a responsibility to become informed in order to appropriately exercise their choices, we think that an obligation should be placed on privacy seal participants to identify the relevancy of the personal information they collect, use and disclose to the stated purpose(s), and to make their assessment known to consumers. Given that the purpose of a privacy seal is to define and enforce responsible online business practices, we would encourage TRUSTe to include an explicit requirement regarding the relevancy of personal information to be collected, used and disclosed by its licensees.

We believe that seal programs should encourage their participants to view data subjects as the owners of their own personal information. A business acts as a temporary custodian of the individual’s personal information. As such, businesses have an obligation to ensure its protection and to inform data subjects of their information handling practices.

Access

We gave TRUSTe partial marks for its provision relating to individuals being able to know what the data controller has on them, and no marks for the requirements for the data controller to communicate that data in a reasonable time and manner, without excessive charge and in an intelligible form, and to give reasons for denial of access. Responding to our assessment of .375 out of 1 for the Individual Participation Principle, Ms Bruening wrote:

TRUSTe’s access requirement is based upon the Federal Trade Commission and Department of Commerce’s requirement for reasonable access as set forth in its Elements of Effective Self Regulation for Protection of Privacy. As you know, the issue of access has been the subject of significant debate, not only with the U.S. but also in the U.S. negotiations with the European Union as it worked toward a mutually acceptable safe harbor program. Because the best manner of implementation of this principle is an issue that continues at this time to be debated, we cannot agree with your quantitative appraisal of the TRUSTe program on these points at .375.


TRUSTe has taken first steps in providing access by requiring that companies provideindividuals with the opportunity to correct or amend information maintained aboutthem by a website. However, TRUSTe is looking forward to guidance from the FTC onthe question of access. While we are grateful for the opportunity to participate in theFTC’s Advisory Committee on Online Access and Security and want to make ameaningful contribution to the committee’s deliberations, we remain eager to learn theFTC’s final decision on this issue. We look to the FTC to directly address the issuesraised in the OECD Guidelines and in your letter related to the time and manner ofaccess, the cost and form of access and the right of individuals to know the reasons fordenial of access.

When the FTC has completed its inquiry and made its decision about this issue, TRUSTe will take immediate steps to implement the FTC’s findings. As it has in the past, TRUSTe looks forward to evolving its program to closely track developing policy in this area. Until that time, we believe it is inappropriate to evaluate the implementation of these criteria in a quantitative manner.

We understand TRUSTe’s point about the quantitative manner of our initial assessment. As we noted under Section 4.1.2 of this paper, we did not intend for the numbers to take on such weight. We were hoping to flag areas of concern and possible omissions for our discussions with the seal programs.

We also understand that TRUSTe, like the other seal programs operating in the United States, needs to be guided by the Federal Trade Commission and the Safe Harbor Agreement. We fully recognize there are requirements under legislation and international agreements that must be a priority for American seal programs. We look forward to seeing how TRUSTe, and the other seals, respond to these new developments.

Our choice of using the OECD Guidelines as the standard was in response to our recognition of the global reality of the Internet, and the international nature of e-commerce. Ontario or Australian residents do not restrict their surfing to Ontario or Australian Web sites. According to a survey from Nielsen NetRatings, MSN and Yahoo! properties are the most popular destinations for Web surfers around the world. MSN is the most popular site in the United Kingdom, New Zealand and Australia, and is the second-most popular after Yahoo! in Singapore and Ireland.1 Microsoft Corporation operates Canada’s most popular Web sites. In April 2000, more than 6.2 million Canadians visited a Microsoft Internet property from their home computers, including Hotmail, MSN.ca, Microsoft.com, and MSN Instant Messenger. Sites operated by America Online Inc. were the second most popular among Canadians, while properties owned by Yahoo! Inc. (e.g., Yahoo.com, Yahoo.ca and Geocities) ranked third.2

1 “NielsenNetRatings: MSN, Yahoo Top Global Traffic Ratings,” May 08 2000, <http://www.nua.ie/surveys/?f=VS&art_id=905355764&rel=true>, 06/06/00.

2 David Akin, “Microsoft has Canada’s pet Web sites: Media Metrix Survey,” Financial Post, May 25, 2000, p. C9.


We believe that improving online privacy in all jurisdictions directly impacts the privacy of residents in our jurisdictions. Our comparison of the requirements of TRUSTe’s Trustmark against the OECD Guidelines – internationally accepted fair information practices – illuminates areas where we, as Privacy Commissioners, would encourage greater privacy protection.

Next steps

In her letter of April 17, Ms Bruening indicated that:

… the TRUSTe program is an evolutionary one. As the debate about privacy moves forward, TRUSTe acts to respond to the demands of consumers, government and industry, while at the same time maintaining a practical, viable program that works for consumers and business.

We acknowledge the continued evolution of the TRUSTe program. As an example, we think the Resource Guide, with its Model Privacy Statement and a Site Co-ordinator’s Guide, is a useful addition to the TRUSTe Web site. We look forward to being part of the debate that moves privacy forward, and to an ongoing working relationship with TRUSTe, however that may be defined in the future.

4.1.5 WebTrust

Of all the privacy seal programs WebTrust has the most established international presence. Germany has joined England, France, Scotland, Ireland and Wales in the European Union in offering the WebTrust seal. WebTrust is also available in Australia, Canada and Puerto Rico, in addition to the United States where it originated.

The Office of the Information and Privacy Commissioner/Ontario (IPC/O) had an established working relationship with WebTrust prior to the beginning of this review. In March 1999, the IPC/O provided WebTrust with its comments on Version 1.1 of the AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce and WebTrust Principles and Criteria with Proposed Privacy Additions (Preliminary Draft #5).

On November 15, 1999, the CICA announced that WebTrust Principles and Criteria, Version 2.0 had just been released. We requested and received a copy of the full AICPA/CICA WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce, dated October 15, 1999, Version 2.0, from Bryan Walker, Principal, Studies & Standards, The Canadian Institute of Chartered Accountants. In addition to that document, which was also available on the AICPA Web site, we looked at:


• The CPA WebTrust Seal means greater consumer confidence <http://www.cpawebtrust.org/developer/dlvp_content.html>, 11/16/99;

• The CPA WebTrust Program: What it does, how it works <http://www.cpawebtrust.org/developer/program/dlvp_prog_over.html>, 11/16/99;

• The thinking behind the CPA WebTrust Program <http://www.cpawebtrust.org/shared/details/det-over.html>, 11/16/99;

• The CPA WebTrust Seal means greater security <http://www.cpawebtrust.org/shared/eval/eval.html>, 11/16/99; and

• About WebTrust Services <http://www.cica.ca/cica/cicawebsite.nsf/public/SPASWebTrust.html>, 11/16/99.

After reviewing the principles and criteria, and comparing them against the OECD Guidelines, we gave WebTrust six out of eight (see Exhibit C for our assessment). Like the other two seal programs, we did not find explicit standards or requirements:

• limiting the collection of personal data to lawful and fair means;

• requiring personal data to be relevant to the purposes for which they are to be used;

• giving the data subject the right to have data related to him communicated in a reasonable time and manner, without excessive costs, and in an intelligible form;

• giving the data subject the right to be given the reasons for denial of access.

We also thought that the requirements regarding use and disclosure in accordance with specified purposes under the Use Limitation Principle, and the provision of data controller contact information under the Openness Principle, should have been stronger.

On November 24, 1999, the Australian Privacy Commissioner gave a presentation entitled The New Privacy Legislation and How it Affects Seal Providers, at a roundtable on Electronic Commerce Seals of Assurance. That presentation outlined our assessment of the three privacy seal programs. Attending that talk was Michael Nugent, Director Professional Services, The Institute of Chartered Accountants in Australia. This began an ongoing dialogue between Malcolm Crompton and Mr. Nugent that culminated in a meeting in February 2000. Representing WebTrust at that meeting were Mr. Nugent, Brian Hollingworth, Director, Global Risk Management Solutions, PriceWaterhouse Coopers, and Dean Kingsley, Partner, Enterprise Risk Services, Deloitte Touche Tohmatsu.


At that meeting, Mr. Crompton outlined the objectives of the Privacy Commissioners’ seal project and provided WebTrust with a copy of our full analysis. WebTrust agreed to contact its North American counterpart to ensure a consistent global approach, to review our analysis, and to provide us with an indication of its position regarding revising their privacy criteria.

On March 23, Mr. Nugent advised the Australian Commissioner that the U.S./Canadian WebTrust Task Force had “agreed in principle to make appropriate changes to the Principles and Criteria that address the concerns raised by the comparison to the OECD Guidelines.” The specific wording of the changes was to be worked out between Bryan Walker, CICA, and the IPC/O.

At the beginning of April, Mr. Crompton advised Mr. Nugent that the Privacy Commissioners of Hong Kong, Berlin, Brandenburg, and British Columbia had “all endorsed the work” undertaken by the Australian and Ontario Commissioners, and were expecting contact from WebTrust to pursue this initiative.

On June 20, Mr. Walker and Gregory Shields, Director, Assurance Services Development, CICA, met with representatives of the IPC/O. At that meeting, WebTrust indicated that the WebTrust E-Commerce Task Force was in the process of revising its seal program to create a number of separate modules (e.g., one for security, one for privacy, etc.). WebTrust also was revising its privacy criteria. We reviewed our analysis of Version 2.0 with Mr. Walker. He committed to bringing our concerns forward to his working group and providing the IPC/O with a draft of the revised privacy criteria.

Next steps

WebTrust has indicated its willingness to continue to work with us on its privacy seal. As of the time of writing, the Ontario and Australian Commissioners are reviewing the draft report on WebTrust’s Program for On-Line Privacy, and will provide WebTrust with comments. As with the other seal programs, we have been very pleased by the interest and responsiveness shown by WebTrust.

4.1.6 Conclusions

While the seal programs offered by BBBOnLine, TRUSTe and WebTrust are different in terms of scope and costs, such differences are not reflected in the privacy standards. Our November snapshot revealed that, at that time, they very closely parallelled one another in the privacy requirements they had set for their privacy seals.

The above discussion indicates that there was also great consistency in the deficits we identified in the three programs. Our most significant concern related to the lack of a requirement on seal participants to restrict their use of personal information to that which was relevant and necessary for the purposes for which the data was collected.


On the positive side, the three seals reflected the United States Federal Trade Commission’s 1998 four basic information practices:

• notice/awareness: Web sites should provide consumer notice of their information practices;

• choice/consent: Web sites should offer consumers choices as to how that information is used beyond the use for which the information was provided;

• access/participation: Web sites should offer consumers reasonable access to that information and an opportunity to correct inaccuracies; and

• security/integrity: Web sites should take reasonable steps to protect the security and integrity of that information.

From the time that we first started to follow the seal programs in 1998, until our review in late 1999, we noted a number of improvements:

• BBBOnLine added a provision on accuracy, made some progress on placing limits on use, and improved its requirements about contact information;

• TRUSTe added further provisions on data quality, limitations on use and disclosure, and security; and

• WebTrust addressed the issue of accuracy of data, as well as specifying purposes, and added an ability to challenge and correct information.

We clearly see that the seals’ evolutionary process is continuing. In response to the recent approval of the Safe Harbor Agreement and to various market forces, the three seal programs are currently working to revise and enhance their privacy requirements.

Realistically, we recognize it is these external pressures, rather than our evaluations, that are moving the seal privacy agenda forward. Nonetheless, the seal programs have expressed interest in our project, and have been receptive to our comments.

We believe the three seal programs have every intention of requiring compliance with fair information practices from their participants. The area of ongoing discussion between us focusses on what exactly constitutes appropriate fair information practices.

We have been most encouraged by our discussions with BBBOnLine, TRUSTe, and WebTrust, and hope to continue our work together. As the purpose of the privacy seal programs is to elevate online business practices, we think our review has served a useful purpose in identifying areas where Data Protection Commissioners would like the standards and requirements of online privacy seals to be enhanced.


It is particularly important to note that as seals move beyond the United States, as WebTrust is attempting to do, the review and comments of the Commissioners will take on greater significance. Rather than voluntary compliance with the OECD Guidelines, it will be essential for the seals to be in compliance with the privacy provisions of the legislative schemes in our various jurisdictions. Hopefully, our joint project will have started to build working relationships of value to all of us in the future.

4.2 Dispute Resolution

4.2.1 Selection of the standard for dispute resolution assessment

Around the world, there is a substantial level of agreement about the attributes of a satisfactory customer dispute resolution scheme. So, while there are a large number of different sets of standards for such schemes, they have much in common. The themes of fairness, accessibility, independence and accountability regularly appear. Therefore, we thought there was a measure of latitude in the choice of a particular standard for this exercise.

The Australian federal government’s Benchmarks for Industry-Based Customer Dispute Resolution Schemes well covers the common content of international dispute resolution standards. The federal Minister for Customs and Consumer Affairs first released the Benchmarks in August 1997.

The Australian Privacy Amendment (Private Sector) Bill 2000 requires that the Australian Privacy Commissioner approve any entity that wishes to be a code adjudicator for codes approved under the Bill. The Australian Government has announced that the Benchmarks will be prescribed as the standard to be met before such an approval can be given. This makes the Benchmarks particularly relevant in the Australian context.

This study assesses the three seals against the Australian benchmarks. The benchmarks are structured around six main principles – accessibility, independence, fairness, accountability, efficiency and effectiveness. Each of these is accompanied by a number of “key practices” that flesh out the principle itself. The six principles and their accompanying key practices are set out at Exhibit D. The six principles are:

• Benchmark 1 — Accessibility: the scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

• Benchmark 2 — Independence: the decision-making process and administration of the scheme are independent from scheme members.

• Benchmark 3 — Fairness: the scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.


• Benchmark 4 — Accountability: the scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.

• Benchmark 5 — Efficiency: the scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.

• Benchmark 6 — Effectiveness: the scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.

4.2.2 Basis for seal assessment

This is a preliminary assessment only and has been based primarily on information available from the seals’ Web sites. While the sites provide a good deal of information, it may not cover all aspects of the seals’ operations in sufficient detail to allow a definitive assessment to be made. It would be surprising if the assessment presented in this document were beyond refinement and we would expect to revise this preliminary assessment in the light of more detailed discussions with the seal programs.

Preliminary assessments of the seals’ dispute resolution mechanisms were sent to the seal organizations on July 2, 2000. BBBOnLine responded to its preliminary assessment on July 25 and WebTrust on August 11. The comments of both organizations have been taken into account in this assessment of dispute resolution mechanisms.

As this paper was being finalized, an error in communications was revealed. Apparently TRUSTe did not receive our assessment at the beginning of July. Recent comments by TRUSTe have drawn our attention to a document — Learn About TRUSTe’s Dispute Resolution Process at <http://www.truste.org/users/compliance%20docuement-final.doc> — published on its Web site since our preliminary assessment. Efforts have been made to take this document into account, but short time lines did not permit a complete reworking of our TRUSTe evaluation.

4.2.3 Description of dispute resolution mechanisms

BBBOnLine

The BBBOnLine Privacy Program Participation Agreement requires a licensee to participate in the dispute resolution process. BBBOnLine has an internal dispute resolution scheme in two parts: the Privacy Policy Review Service (PPRS) and the Privacy Review Appeals Board (PRAB). Before the PPRS will take any action, the complainant must have made a good faith attempt to resolve the matter with the respondent company. If these efforts fail and the complaint meets BBBOnLine’s eligibility criteria, which are spelled out on its Web site, PPRS staff will evaluate, analyse, investigate and adjudicate the complaint. Time limits apply to both sides during the investigation process. If the complaint is substantiated, PPRS may decide that corrective action is required; no monetary compensation is available.

Either the complainant or respondent can appeal to the PRAB. PRAB will reconsider the matter and make a final decision, including if necessary, referring the matter to the relevant government agency, or discontinuing its review if either party has failed to abide by its commitment to keep complaint related information in confidence <http://www.bbbonline.org/download/DR.PDF>.

TRUSTe

This description of TRUSTe’s dispute resolution process is taken from its Web site, as it stood in July 2000:

To resolve privacy concerns or complaints raised by consumers or by TRUSTe during our program oversight process, Web site licensees agree to cooperate with all our reviews and inquiries. We work with licensees, as well as with consumers, to resolve privacy-related issues quickly and fairly.

As a licensee in the TRUSTe program, a Web site agrees to provide consumers with simple, effective means to submit their privacy concerns directly to the Web site. At a minimum, all privacy statements contain TRUSTe contact information so that consumers may direct their questions or concerns to us. We request users to contact Web sites directly before filing a report with us.

If the Web site has not acknowledged the receipt of the consumer’s complaint, or if a satisfactory response is not provided, we step in as the liaison between the consumer and Web site to resolve the issue. This process entails:

- Notifying the licensee of the consumer’s complaint and working with the site for a speedy, satisfactory resolution.

- Notifying the consumer of the resolution or other relevant findings.

- Pursuing the issue further if we are unable to reach a mutual resolution with the licensee.

In the unlikely event that TRUSTe has reason to believe a licensee has violated its posted privacy practices or other TRUSTe program requirements, we will conduct an escalating investigation. This process may include an on-site compliance review by one of TRUSTe’s official auditors, PriceWaterhouseCoopers LLP or KPMG Peat Marwick LLP. If the on-site review finds that a licensee is non-compliant, TRUSTe will advise and guide the licensee on the steps to remedy the problem.

If no action is taken by the licensee – depending on the severity of the breach – our investigation may also result in revocation of the TRUSTe trustmark, termination from the program, or in extreme cases, referral to the appropriate government agency <http://www.truste.org/webpublishers/pub_recourse.html>.

WebTrust

WebTrust itself does not play a role in complaint resolution but its criteria for obtaining the WebTrust seal require signatories or licensees to give customers access to a third party arbitration process. In other words, to gain the WebTrust seal, a business must give its customers access to a dispute arbitration process that meets certain standards. WebTrust’s Criterion A4.1 reads:

The entity [i.e., the signatory] discloses information to enable customers to file claims, ask questions and register complaints, including, but not limited to, the following: … in the event outside dispute resolution is necessary, the process by which these disputes are resolved. These complaints may relate to any part of a customer’s e-commerce transaction, including complaints related to … accuracy, completeness, and distribution of private customer information and the consequences for failure to resolve such complaints. This resolution process should have the following attributes:

- Management’s commitment to use a specified third party dispute resolution service or other process mandated by regulatory bodies in the event the customer is not satisfied with the entity’s proposed resolution of such a complaint together with a commitment from such third party to handle such unresolved complaints

- Procedures to be followed in resolving such complaints, first with the entity and, if necessary, with the designated third party

- What use or other action will be taken with respect to the private information, which is the subject of the complaint, until the complaint is satisfactorily resolved <http://www.aicpa.org/webtrust/princrit.htm>.

WebTrust endorses the 12 principles for arbitration processes developed by the National Arbitration Forum (NAF) (<http://www.aicpa.org/webtrust/wtpcfaqs.htm>, see also Exhibit E). These cover much of the same ground as the six Australian benchmark principles. Any third party arbitrator selected by the signatory must follow these 12 principles. That they do so is part of the assurance process that WebTrust carries out. WebTrust also recommends that the arbitrator selected by the licensee follow the more detailed NAF Code of Procedure.


4.2.4 Assessment results

Benchmark 1 — Accessibility: the scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

Promoting knowledge of its existence. All three seals require display of the seal on participating sites. The seal logo on the participating site links back to the seal’s own Web site, which contains information about the available dispute resolution mechanism.

Easy to use. All three seals require consumers to make bona fide attempts to resolve their concerns with the participating business before turning to the seal’s dispute resolution mechanism. This is consistent with the benchmark principles. BBBOnLine and TRUSTe then have complaints mechanisms accessible directly from their Web sites. WebTrust does not, but does require its licensees to provide “information to enable customers to file claims, ask questions and register complaints.”

No cost barriers. Neither BBBOnLine nor TRUSTe charges customers for dealing with complaints. In the case of WebTrust, NAF principle 6 is “Reasonable Cost — The cost of an arbitration should be proportionate to the claim.” But the NAF’s services are available free of cost to those who are not able to pay. Since WebTrust participants can choose a dispute resolution mechanism other than the National Arbitration Forum, there is less assurance that a mechanism under the auspices of WebTrust will meet this element of Benchmark 1.

The elements of this principle have been weighted equally. It seems fair to say that all three seals meet the first two elements. The possibility of cost barriers in the case of WebTrust suggests that it falls short of meeting this element entirely: it has been tentatively rated at 0.22 out of a possible 0.33.

This yields the following indicative ratings (out of one):

• BBBOnLine: 1.00

• TRUSTe: 1.00

• WebTrust: 0.88

Benchmark 2 — Independence: the decision-making process and administration of the scheme are independent from scheme members.

BBBOnLine’s first line of complaint handling, the Privacy Policy Review Service, is overseen by the Privacy Review Appeals Board. Each PRAB panel has a “public” member, a “data expert” member and a “company” member.

TRUSTe’s comments on the preliminary assessment made in July 2000 indicate that its initial decision in a complaint now may be appealed to the TRUSTe Appeals Board, which “shall consist of (1) a representative from TRUSTe’s Board of Directors designated by its Chairman; (2) a privacy expert from the academic/university community; (3) a representative chosen by a consumer/privacy advocacy group designated by TRUSTe’s CEO/Executive Director.” If there is reason to believe that a site has not complied with its posted privacy commitments, TRUSTe may require an on-site compliance review by PriceWaterhouseCoopers or KPMG Peat Marwick. This process appears independent from the seal bearers. This suggests adequately independent oversight of the TRUSTe complaints mechanism and should meet Benchmark 2.

WebTrust recommends reliance on the National Arbitration Forum. If other bodies are used, they must comply with the NAF principles, which include “3 Competent and Impartial Arbitrators — The arbitrators should be both skilled and neutral” and “4 Independent Administration — An arbitration should be administered by someone other than the arbitrator or the parties themselves.” NAF arbitrators are legal professionals who take an oath of independence.

In summary, BBBOnLine, with its tripartite review board, and WebTrust, with its third party arbitrator, appear to meet this benchmark. TRUSTe lacks either safeguard and appears considerably weaker in terms of independence, although possible recourse to an independent auditor provides some assurance. This yields the following indicative ratings (out of one):

• BBBOnLine: 1.00

• TRUSTe: 1.00

• WebTrust: 1.00

Benchmark 3 — Fairness: the scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.

Decisions are fair. Without scrutinizing a sample of particular complaints and assessing the process gone through, it is not possible to make a judgment about whether decisions in complaints against seal licensees are fair. Accordingly, this element of the benchmark cannot be effectively assessed.

Seen to be fair. Given the sources for these assessments, it is not possible to judge whether the decisions made under the three seal programs are actually perceived by complainants and respondents as fair. Again, this element of the benchmark cannot be effectively assessed.

Procedural fairness. So far as the “principles of procedural fairness” are concerned, the key practices associated with Benchmark 3 specify that a dispute resolution scheme should be structured so that:

3.2 The scheme’s staff advise complainants of their right to access the legal system or other redress mechanisms at any stage if they are dissatisfied with any of the scheme’s decisions or with the decision-maker’s determination.

3.3 Both parties can put their case to the decision-maker.


3.4 Both parties are told the arguments, and sufficient information to know the case, of the other party.

3.5 Both parties have the opportunity to rebut the arguments of, and information provided by, the other party.

3.6 Both parties are told of the reasons for any determination.

3.7 Complainants are advised of the reasons why a complaint is outside jurisdiction or is otherwise excluded.

In relation to BBBOnLine, decisions by the Privacy Policy Review Service may be appealed to the Privacy Review Appeals Board. Either the complainant or the respondent may request that particular information they supply to BBBOnLine remain confidential, but BBBOnLine will provide the other party with a summary of the material they need to put forward their side of the case. PPRS and PRAB present written determinations.

TRUSTe’s document, TRUSTe Web site Privacy Seal Program Watchdog Compliance and Escalation Process, downloaded from its Web site at <http://www.truste.org/users/compliance%20document-final.doc>, August 28, 2000, suggests that TRUSTe substantially meets this element of Benchmark 3. It provides for each party to receive information about the arguments of the other, advises complainants of other avenues if any are available, and provides for them to be told the reasons for TRUSTe’s decision.

The National Arbitration Forum, which WebTrust recommends its licensees employ as an independent dispute arbitrator, abides by a Code of Procedure that requires the principles of procedural fairness in Benchmark 3 be followed. WebTrust signatories are able to use other mechanisms than the NAF, but they must follow the 12 NAF principles. Following the National Arbitration Forum Code of Procedure is recommended, but not compulsory. WebTrust comments that its auditors would require a participant using a dispute resolution mechanism other than NAF to justify departure from the Code of Procedure.

BBBOnLine’s and TRUSTe’s processes appear substantially to meet the principles of procedural fairness set out in this benchmark. WebTrust’s arrangements would appear to meet the benchmark if the National Arbitration Forum is employed as the arbitrator, though some doubt remains about other dispute resolution mechanisms.

This yields the following indicative ratings (out of one):

• BBBOnLine: 1.00

• TRUSTe: 1.00

• WebTrust: 0.75

WebTrust scored slightly lower only because of the doubt surrounding the procedures followed by complaint mechanisms other than the National Arbitration Forum.


Benchmark 4 — Accountability: the scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.

Publishing determinations and information about complaints. BBBOnLine posts dispute resolution decisions and complaint statistics, with brief summaries of the issues raised, on its Web site quarterly. It appears to meet this element of Benchmark 4. No public reporting is mentioned on the TRUSTe Web site. On the available evidence, TRUSTe would not appear to meet this element of Benchmark 4. The National Arbitration Forum does not publish details of its decisions. WebTrust has advised that it is unlikely, for reasons of confidentiality, to require publication of complaint decisions. WebTrust appears relatively weak in this regard.

Highlighting systemic problems. None of the seals is industry-based, but it is still realistic to expect them to identify systemic issues that arise in the course of resolving complaints. BBBOnLine’s Web site does not refer to systemic issues, although it does provide “consumer tips” on spam, “knock-off sites,” kids in cyberspace, etc. BBBOnLine has advised that as experience builds it intends to publish information on systemic issues. TRUSTe has a quarterly newsletter with stories about high profile online privacy incidents. It does not appear (on the available evidence) to identify systemic issues arising from its complaints. The NAF site does not comment on systemic issues, except for occasional press releases on cybersquatting and the like. The two elements of this benchmark have been weighted equally, yielding the following tentative ratings (out of one):

• BBBOnLine: 0.80
• TRUSTe: 0.40
• WebTrust: 0.40

Benchmark 5 — Efficiency: the scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.

Keeping track of complaints. BBBOnLine has time frames written into its rules to ensure timely complaint resolution. It advises that internal systems are in place to keep track of complaints. It is difficult to give TRUSTe a rating against this element of Benchmark 5, since information about its complaint tracking and performance reviews has not been available. The National Arbitration Forum’s Principle 10 provides that “hearings should be convenient, efficient and fair for all.” WebTrust advises that the NAF employs tracking software and case co-ordinators to keep track of all matters being dealt with. A lesser degree of assurance is available in relation to other potential dispute resolution mechanisms.


Appropriate forum. BBBOnLine’s Web site makes no statements about referrals to other forums, although it does contain a clear description of what complaints BBBOnLine will and will not deal with. TRUSTe indicates that it will, if necessary, refer complaints to the appropriate regulatory authority. The NAF Code of Procedure explains what can be brought under it. If a party attempts to inappropriately bring an action, NAF co-ordinators will not allow the case to proceed. Inappropriate disputes include, but are not limited to, cases where there has not been an agreement to arbitrate and where the issues go beyond the scope of the agreement.

Regular performance reviews. This element is dealt with under Benchmark 6 below.

Equally weighting the first two elements of this benchmark yields the following indicative ratings (out of one):

• BBBOnLine: 0.75
• TRUSTe: 0.75
• WebTrust: 0.75

Benchmark 6 — Effectiveness: the scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.

Appropriate and comprehensive terms of reference. All seals have clear terms of reference.

Regular independent performance reviews. Neither BBBOnLine nor TRUSTe refers to regular external reviews of the dispute resolution mechanism. WebTrust advises that it audits the National Arbitration Forum regularly as well as signatories. Non-NAF mechanisms may not be able to be subjected to the same scrutiny.

The indicative ratings (out of one) are:

• BBBOnLine: 0.50
• TRUSTe: 0.50
• WebTrust: 0.80


4.2.5 Summary of dispute resolution assessment results

The following table summarizes tentative ratings against the six benchmarks. Ratings for individual benchmarks are out of one. Overall ratings are out of six.

4.3 Compliance/Enforcement

4.3.1 Need for compliance and enforcement

Consumers are increasingly concerned about online security and privacy protection. This concern has been exacerbated by high profile breaches of public trust at several brand name Web sites, as well as examples of the vulnerability of Web sites to attacks from hackers. Current research also indicates that Internet shoppers are looking beyond benefits such as quality and price, and are requiring a reasonable amount of assurance that the sites are safe and secure, and that their personal information will be kept private.

Rigorous compliance and enforcement functions of the seal programs will provide some degree of reassurance to consumers in this regard. Strong compliance and enforcement regimes augment the privacy principles and dispute resolution mechanisms adopted by the seals by strengthening the consumer’s trust in the seal.

Compliance functions refer to those processes designed to ensure that the assertions made by the Web sites are adequate, and that the Web sites are complying with the assertions they have made to their customers relating to information protection, transaction integrity, business and information practices. Enforcement functions come into play when the compliance process has gathered sufficient evidence that a Web site has failed, in a significant manner, to adhere to the assertions made to its customers.

Summary of dispute resolution assessment results (ratings for individual benchmarks are out of one; overall ratings are out of six):

Benchmark        BBBOnLine   TRUSTe   WebTrust
Accessibility    1.00        1.00     0.88
Independence     1.00        1.00     1.00
Fairness         1.00        1.00     0.75
Accountability   0.80        0.40     0.40
Efficiency       0.75        0.75     0.75
Effectiveness    0.50        0.50     0.80
Overall          5.05        4.65     4.58


4.3.2 Comparison of the functions

We compared the primary elements of the compliance and enforcement functions of the three seal programs based on information posted on their Web sites (see Exhibit F). These elements are:

• Obtaining the seal
• Standards
• Objectives
• Processes
• Enforcement.

To ensure that our understanding of the seals’ compliance and enforcement programs was factually correct before we undertook a detailed comparative analysis, we sent each of the seal programs a summary of our review, and asked them to correct any inaccuracies or oversights.

From our preliminary review, there appear to be some similarities but a greater number of differences in the approaches taken by the three seals. Some salient points include:

• All three seal programs require some form of self assessment by the Web sites, generally by way of a questionnaire, to be completed by the Web sites as a preparatory step to obtaining and maintaining the seal and for the compliance function.

• WebTrust clearly discloses the required compliance standards, while TRUSTe and BBBOnLine do not.

• Independence is a fundamental basis of compliance and enforcement activity. All three seal programs could qualify as a third party compliance activity and, therefore, there is some degree of independence. In our opinion, WebTrust clearly meets the highest level of independence, as this function is conducted in accordance with established and recognized standards of a national accounting body and conducted by a licensed accounting firm.

4.3.3 Next steps

We are awaiting responses from the seal programs as to the accuracy of our initial review of their respective programs. From our preliminary analysis, it would appear that WebTrust provides a comprehensive compliance and enforcement mechanism that is suitable and cost effective for larger Web sites. However, the WebTrust standard may not be necessary, or affordable, for smaller Web operations. In this case, a “one size fits all” approach to compliance may not be effective given the diverse and evolving online world. A compliance regime that is costly and complex will discourage some Web sites from applying for this seal.


Some prudent principles that should be considered in assessing the strength of a seal’s compliance and enforcement function have emerged from our review, including:

• Compliance standards should be set by an independent and recognized body. The proposed Assurance Engagement standard of the International Federation of Accountants may provide an objective basis.

• Compliance and enforcement functions should be conducted by a professional and qualified body.

• There may be a need to provide cost effective solutions for smaller Web sites and those sites that do not collect a great deal of personal information. This could be done by providing the compliance function on a modular basis, for example by assessing compliance separately for privacy, security and transaction integrity.

As a next step, the project could identify an appropriate internationally-accepted standard for assessing the compliance and enforcement function, similar to using the OECD Guidelines to assess the seal’s privacy principles. An assessment could then be undertaken and reported upon. As noted, such a standard will need to reflect the diversity of Web sites and the range of personal information that may be collected.


5. Results

5.1 Summary of assessment of the seals

At this stage of this pilot project, we can offer more conclusive results on our privacy standard assessment than we can on the dispute resolution and enforcement provisions of the seal programs, for the reasons outlined in this paper.

However, in general, we can conclude that each of the three assessed seals addressed privacy protection, dispute resolution and compliance/enforcement to some degree, although none of them completely satisfactorily. It must be emphasized that our preliminary assessment was based on information available to us at that time.

At the time of our review, each of the seals had its own strengths. For example, although all of the seals performed well in relation to our dispute resolution assessment, BBBOnLine probably offered the most customer-friendly dispute resolution system (scoring five out of six in our assessment). WebTrust probably offered the most rigorous compliance regime. In terms of privacy principles, while TRUSTe scored the highest in our assessment, it was clear that none of the seals required their participants to meet all of the OECD principles.

5.2 Effectiveness of seals as a tool online users can use to protect their personal data

The precise role that seals can fill in providing acceptable and enforceable privacy protection for a consumer’s transaction on a Web site is still unclear. The role will depend, in part, on:

• whether or not the three parties involved in an online transaction (the consumer, the seal and the licensed Web site) are in the same jurisdiction; and

• whether an acceptable and enforceable privacy law applies to the transaction between the consumer and the seal participant.

In circumstances where the transaction is protected by an enforceable privacy law, that law would provide the primary protection. In such circumstances, the role of a seal may be more limited. However, the seal could provide additional protection if its standards exceed those required by law.

In circumstances where the transaction is not protected by an enforceable privacy law, but where all three parties are located in the same jurisdiction, the seal may be an effective privacy protection mechanism available to the consumer, especially if there are laws regulating commerce and providing protection against misleading and deceptive conduct.


A particular challenge arises when the consumer and the seal licensee are in different jurisdictions, and there is no single privacy law covering their transaction. By some estimates, about half of the online purchases made by Australians for Christmas 1999 were made from offshore Web sites,[3] and many other jurisdictions would report similar statistics.

The OECD has undertaken research into effective means of protecting consumers under these circumstances, particularly looking at whether contracts could provide efficient and effective protection.[4] However, the utility of contracts as a means to protect online business-to-consumer transactions across multiple jurisdictions is largely untested in practice, including in the case of Web seals.

Seals could come into their own as a powerful facilitator of globalization of consumer transactions if indeed they are able to provide acceptable and enforceable privacy protection across jurisdictions. However, e-commerce on the Web is still in its infancy. A recent Statistics Canada report indicated that Internet sales of goods and services in 1999 amounted to only 0.2% of the companies’ total economic activity. Estimates published by the Australian National Office for the Information Economy indicated that only 0.4% of total Australian retail sales were transacted through the Internet, while the comparable figure for the United States was 0.64%.[5]

One current limitation with some seals is that, at this stage at least, they formally cover only the Web-based component of business-to-consumer transactions. They do not cover other elements of that relationship. This has been the source of some criticism in the past. For example, complaints were raised when TRUSTe did not revoke Microsoft’s seal after it was found that Microsoft’s registration process generated a secret hardware identification number.[6] TRUSTe concluded that the identification number had nothing to do with Microsoft’s Web site under its license. On the other hand, even though a similar conclusion was reached about RealNetworks’ collection of customer user data, TRUSTe proved that it could work with RealNetworks to improve its privacy practices.[7]

The proliferation of seals may weaken their impact, both in terms of their individual “brand” impact, and in terms of whether it becomes too easy to pick up another seal if the original one delists a Web site.

[3] “Shoppers flock to Cyberspace”, The Australian Financial Review, December 29, 1999, at <www.afr.com.au/content/991229/news/news3.html>.

[4] Report On Transborder Data Flow Contracts In The Wider Framework Of Mechanisms For Privacy Protection In Global Networks, OECD DSTI/ICCP/REG(99)15.

[5] “Current State of Play – July 2000,” A Quarterly NOIE Information Economy Statistical Report, <www.noie.gov.au/projects/information_economy/ecommerce_analysis/ie_stats/StateOfPlay/index.htm>.

[6] Watchdog #1723 -- Microsoft Statement of Finding, TRUSTe finding, at <www.truste.org/users/users_w1723.html>.

[7] Privacy Times, Volume 19, Number 21, November 23, 1999.


To be effective, seals need to gain acceptance among consumers on the Web. There is conflicting evidence as to the current level of awareness and impact of seals.[8] Again, though, this situation is likely to evolve very rapidly. TRUSTe, for example, recently announced a consumer awareness campaign called Privacy Partnership 2000 that is intended to raise consumer awareness of seals.[9]

Objective assessment of the extent to which seals provide acceptable and enforceable privacy protection may be a crucial factor in determining the degree and speed with which they become more accepted by consumers. Such assessment could help consumers differentiate between seals that offer effective privacy protection and those that offer only a compromise – in effect, a “seal of seals.” It is probably too early to say whether the proliferation of seals is a short term development that will be followed by a period of consolidation as consumers learn which ones offer true privacy protection and which ones do not.

Once again, it is essential to remember just how recently online business-to-consumer transactions have developed. With some notable exceptions, almost all such transactions have been established in only the last few years. In that time, some of the seals have already been subject to a number of improvements, with informal discussions indicating that more are to be expected.

5.3 The future of this project

It is against this background that this project should be assessed. Focussing on privacy, we have found that the three seals do provide some protection, but they have some way to go. We believe that Data Protection Commissioners have considerable potential to influence the privacy protection standards of the seal programs, as well as the consumers’ perception of seals.

Overall, as a result of our efforts, we conclude that Data Protection Commissioners should continue to monitor the development of seals and, where possible, assist in the development of acceptable and enforceable privacy protection standards. In particular, seals may offer a way of providing a degree of privacy protection for consumers in their transactions with Web sites in other jurisdictions.

Extent to which we expect to reach agreement with the seals

All three seals indicated early in this project that they were interested in working with Data Protection Commissioners in these assessments and in seeing if a common ground could be reached on meeting any concerns we may raise.

[8] Beyond Concern: Understanding Net Users’ Attitudes about Online Privacy, AT&T Labs-Research Technical Report TR 99.4.3, April 14, 1999, at <www.research.att.com/resources/trs/TRs/99/99.4/99.4.3/report.htm>.

[9] TRUSTe Kicks Off Privacy Partnership 2000, TRUSTe Press Release, July 25, 2000, at <www.truste.com/about/about_campaign.html>.


However, the demands on each of the seals have meant that, so far in practice, they have not all been able to give much time to this project. Some have been heavily involved in other work, including contributing to the development of the Safe Harbor Agreement and the Children’s Online Privacy Protection Act, during a year of particularly rapid developments in the privacy debate in the United States.

Nevertheless, we would like to think that the seals would continue to work with Data Protection Commissioners in the future should this project be continued beyond the pilot stage completed in this first year.

Extent to which other jurisdictions might become involved

Two Data Protection Commissioners, one from Ontario, Canada and one from Australia, undertook the principal work on this project. A small group of other Commissioners from Europe and Asia (Berlin, Brandenburg, Netherlands and Hong Kong), as well as British Columbia, provided informal advice. A limited number of other interested Commissioners were kept informed of our progress.

As it was a pilot project, the arrangements were deliberately kept informal in order to keep it as streamlined as possible. Nevertheless, it became clear that the number of Data Protection Commissioners supporting the project is critical to the impact it will have in ensuring co-operation with the seal programs. One question that consistently arose in our discussions with the seals was: “How many Commissioners do you represent?” Additionally, the number of Commissioners supporting seals is likely to be equally critical to the perception of seals by consumers.

Assessment of the co-operative arrangements

To date, the informal co-operative arrangements have worked very well. The two offices that have carried out the work have been able to reach common ground on most of the issues very easily. The key issue was the selection of the set of criteria to assess the acceptable standards. For privacy, the international use and acceptance of the OECD principles made this choice easy for our two offices, but it was the cause of some concern in dealing with the seals. The American-based programs were primarily focussed on the four fair information practices, as they are understood in the United States: notice, choice, access and security.[10]

The current loose arrangement, however, is probably insufficient if the pilot project is scaled up, for example, to cover more seals or to provide a more continuous monitoring and development program.

[10] FTC Recommends Congressional Action to Protect Consumer Privacy Online, US Federal Trade Commission Press Release, May 22, 2000, at <www.ftc.gov/opa/2000/05/privacy2k.htm>.


Data Protection Commissioners appear to be in a strong position to influence the development of seals. Seals also may be one of the means of delivering acceptable and enforceable privacy protection for consumer transactions with Web sites in other jurisdictions. Consequently, we believe Data Protection Commissioners should give consideration to continuing the current project.

A possible modus operandi for future co-operation among Data Protection Commissioners

A project such as this is likely to be more successful if a small group conducts the basic work. A wider advisory group is necessary to undertake the advice and consultation role, with the aim of gaining endorsement of the findings by the larger community of Data Protection Commissioners.

The Advisory Group would need to be constructed carefully:

• first, it would have maximum credibility among the seal programs and consumers if it comprises only Data Protection Commissioners or equivalent regulators; and

• second, it should reflect the views of the different approaches to regulation around the world – European, North American, Asian and others.

Should the Data Protection Commissioners decide to continue this project, terms of reference will need to be defined specifically. For the pilot project, it was acceptable to have a general understanding of intent and to define specifics as we went along. Issues such as whether Data Protection Commissioners could legitimately endorse seals that do not meet the letter of the law in their own jurisdictions have not yet been addressed. The terms of reference may have to formalize the process for the Commissioners to review and endorse the conclusions reached from the basic work undertaken.

The work of Commissioners also may be more effective if they worked with other groups that have similar interests. The Global Business Dialogue on Electronic Commerce, for example, has worked with the OECD and has established a Global Confidence/GBDe Trustmark working group.[11] The Transatlantic Business Dialogue <www.tabd.org>, the Trans Atlantic Consumer Dialogue <www.tacd.org>, and Consumers International <www.consumersinternational.org> are other possibilities.

[11] See the GBDe Web site at <http://gbde.org/structure/working/trustmark.html>.


5.4 Concluding remarks

The Commissioners from Ontario and Australia believe that our pilot project to review the three major Web seals has been effective in making a preliminary assessment of the programs, which we acknowledge are in their early stages of development.

If the work that has been commenced is continued, we believe that involvement by additional Data Protection Commissioners will likely contribute to improved privacy protection for consumers in our respective jurisdictions, as well as others. Regulators with a primary focus on privacy have much work to do to improve privacy in global transactions as opposed to those that simply fall within our own jurisdictions.

Finally, this joint project may be taken as further evidence that it is possible for Commissioners from different jurisdictions to work together and deliver effective results. We have hopefully identified some of the characteristics of the arrangement that might advance such work in the future.

The pilot project undertaken by Ontario and Australia will need to be taken up by other Data Protection Commissioners if we want to increase the impact we can have on seals in terms of effective and appropriate privacy protection, dispute resolution, and compliance/enforcement.


Exhibit A

Comparison of BBBOnLine Privacy Seal with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Columns: OECD Evaluation Criteria / Pts / BBBOnLine / Pts

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Limits to collection by lawful and fair means

0.5

Knowledge or consent of data subject

0.5

Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

The privacy policy must be easy to read and disclose in clear and simple language:

1. the collector(s) of the information

2. the type(s) and intended use(s) of the individually identifiable information being collected

7. any corporate subsidiaries, operating divisions or related product lines which are excluded from seal coverage

12. if access to any or all of the website is conditioned on the disclosure of individually identifiable information, individuals must be informed of the consequences of refusing to disclose such data

14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site

16. any information collection that is not covered by the privacy policy, including, but not limited to, information collection where the individual submitting the information is clearly acting only in his/her business capacity

Choice & Consent

… Where the site conditions the granting of access to some or all of its website or online services based on the disclosure of individually identifiable information, the participant must inform individuals in its privacy notice or at the point of collection of the consequences of refusing to provide such information.

0.5


Knowledge or consent of data subject (cont’d)

BBBOnLine Privacy Policy Assessment Questionnaire

Information Collection

C12 HELP. An important function of a privacy notice is to inform individuals about what information is being collected about them with sufficient specificity for them to know and understand what that information is so that they can make informed choices about the use of the website(s) or online service(s).

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Relevant to purposes of use

0.5

Accurate, complete and kept up-to-date

0.5

Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

10. the steps the seal participant takes to assure the accuracy of individually identifiable information that it maintains in identifiable form

Additionally, the correction process (#10) must employ an authentication mechanism, which is to be disclosed in the Compliance Assessment.

Access

A seal participant must assure that information collected online is accurate, complete and timely for the purpose(s) for which it is to be used …

A seal participant must establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information. A seal participant must take steps to help assure the accuracy of the individually identifiable information it is maintaining.

0.5


Accurate, complete and kept up-to-date (cont’d)

BBBOnLine Privacy Policy Assessment Questionnaire

Access

G2 HELP. Organizations must take reasonable steps to assure that the individually identifiable information and prospect information they collect is accurate, complete, and timely for the purposes for which it is used. They must also establish appropriate processes or mechanisms so that factual inaccuracies in individually identifiable information may be corrected.

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Specify purposes to data subject not later than time of collection

0.5

Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

2. the type(s) and intended use(s) of the individually identifiable information being collected

8. any individually identifiable information collected at the site which is shared with contractors, corporate affiliates or other third party agents not covered by a common privacy policy

13. if the organization merges and/or enhances individually identifiable information with data from third parties for the purposes of marketing products or services to the individual

14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site

0.5


Specify purposes to data subject not later than time of collection (cont’d)

BBBOnLine Privacy Policy Assessment Questionnaire

Information Use and Transfer

D5 HELP. A website or online service must disclose in its privacy notice all of the types of uses and transfers of individually identifiable information then applicable to the individually identifiable information being collected (actively or passively) at the site or service. It is not necessary for each use to be spelled out in detail but there must be sufficient information for the individual to be reasonably informed as to what uses will be made of the information … In addition, if the site(s) or service(s) transfers any of this information to unaffiliated third parties or corporate affiliates not governed by a common privacy policy for the marketing purposes of those parties, that fact must be specifically stated in its privacy notice.

Uses limited to purposes or specified consistent purposes (OECD Pts: 0.5)

BBBOnLine: BBBOnLine Privacy Policy Assessment Questionnaire

Choice/Consent

E1 HELP. … Uses or transfers of individually identifiable information that are specified in the notice at the time the information is collected are related uses. Uses necessarily incident to carrying out a use disclosed in the privacy notice also constitute related uses or transfers …

E2 HELP. Any use of information that was not permitted in the privacy notice in effect at the time the information was collected, and is not a use necessarily incident to carrying out a use that was disclosed in the privacy notice at that time, is unrelated to the purpose for which the information was collected …

BBBOnLine Pts: 0.25

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

Use and disclose in accordance with specified purposes (OECD Pts: 0.5)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Transfer of Third Party Information

Seal participants must have a process in place to make unaffiliated third parties or corporate affiliates not covered by a common policy practice aware of the site's privacy policies when transferring individually identifiable information to such parties, and must describe that process in their Compliance Assessment.

BBBOnLine Pts: 0.25


Use and disclose in accordance with specified purposes (cont’d)

Seal participants must require agents or contractors who have access to individually identifiable information and prospect information to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for the organization.

Seal participants may not rent, sell, exchange, or in any manner transfer information about a prospect submitted by another party to any third party, unless the third party is an agent or contractor involved in carrying out the transaction for which the prospect's information was submitted. This prohibition on such transfers applies without regard to any choices about third party transfers made by the individual submitting the information.

Except with data subject consent or by authority of law (OECD Pts: 0.5)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

The privacy policy must be easy to read and disclose in clear and simple language:

3. the choices individuals have about the way such information is used and to whom it is disclosed

9. the choices available to users with regard to information shared with affiliates or third party agents not covered by a common privacy policy

Choice & Consent

A seal participant must allow individuals the opportunity to opt-out or otherwise prohibit unrelated uses of individually identifiable information about them, that is, uses not disclosed in the privacy policy at the time the information is collected.

A seal participant must provide individuals with a choice regarding the transfer of information to third parties for marketing purposes. This may be accomplished through one or more of the following:

1. an opt-out opportunity

2. an opt-in opportunity

3. through a technological tool for individuals to make choices about such transfers (The method(s) used must be disclosed in the Compliance Assessment.) …

BBBOnLine Pts: 0.5


Except with data subject consent or by authority of law (cont’d)

BBBOnLine Privacy Policy Assessment Questionnaire

Choice/Consent

E1 HELP. … there are three uses that are permitted whether or not they are specified in the notice. The first is where the organization is required by law to divulge the information, for example, in response to a court order or a subpoena or the requirements of agency rules. The second exception is where the information is used for research activities, including the production of statistical reports, where the individually identifiable information is not published, divulged, or used to contact the individuals. The third is in situations where the information is shared in the context of a business transaction such as a divestiture pursuant to a pledge of confidentiality under which the recipient agrees to use the information for no purpose other than carrying out the transaction …

E2 HELP. Any use of information that was not permitted in the privacy notice in effect at the time the information was collected, and is not a use necessarily incident to carrying out a use that was disclosed in the privacy notice at that time, is unrelated to the purpose for which the information was collected. Organizations intending to use individually identifiable information for an unrelated use, other than a use that falls within one of the three exceptions noted in the help screen for E1 above, must provide the affected individuals with the opportunity to opt out or otherwise prohibit these new uses of the information about them.

E8 HELP. Regardless of the disclosure an organization makes in the privacy notice about its practice of renting, selling, or exchanging or in any way providing individually identifiable information for marketing purposes, an organization that makes such transfers to outside parties must provide individuals with the ability to prevent these transfers in connection with individually identifiable information about them. Providing individuals with an opt out will satisfy this requirement. It can also be satisfied by an opt in or, when technological tools that enable individuals to make choices about transfers become available, by the use of such tools as are determined by BBBOnLine to satisfy its requirements.


Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Reasonable security safeguards (OECD Pts: 1)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Adoption of Policy

A seal participant must demonstrate that it has adopted and implemented (including an effective date) a privacy policy and data security measures. The policy must be clearly displayed on a website's homepage and linked to any page on which the site collects individually identifiable information.

Server Security

A seal participant must take reasonable steps to ensure that individually identifiable information it collects online is secure from unauthorized access. This includes but is not limited to the use of a secure environment for the server (such as doors, locks, and electronic security), as well as the use of encryption for sensitive personal, medical or financial data.

Seal participants must have security policies protecting against unauthorized access to individually identifiable information. Logs or other appropriate documentation must be maintained pertaining to security procedures, and organizations must undertake periodic reviews of their security policies, certifying them at least once prior to each annual seal renewal. Employees should receive adequate training on the privacy policies and information practices of the company.

Policy Content

The privacy policy must be easy to read and disclose in clear and simple language:

4. the collector's commitment to data security

BBBOnLine Pts: 1


Reasonable security safeguards (cont’d)

BBBOnLine Privacy Policy Assessment Questionnaire

Data Security

HELP F1. … Although an organization is not required to provide a description in its privacy notice(s) of the data security measures it undertakes to protect individually identifiable information, it is required to take appropriate data security measures and to inform the public that such measures are in place by a statement in its privacy notice. The security measures must include physical security measures such as doors, locks, etc., electronic security and managerial controls that limit the potential for misuse of information by employees and contractors. The security measures necessary to protect information sufficiently will vary based on the risks presented to the individual by the organization’s collection and use of the data.

HELP F5. For information being transferred between the individual and the organization, the use of encryption satisfies that appropriate security measures have been taken. While not required in all instances, encryption must be used for the most sensitive of information including the transfer of health care information, social security numbers, and financial transactional information (e.g. credit card number).

HELP F7. In order to demonstrate managerial controls, the organization must maintain written security policies to protect individually identifiable information and prospect information from unauthorized individuals. Employees who routinely have access to such information must receive adequate training and must be familiar with the organization’s information practices.


Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

General policy of openness (OECD Pts: 0.5)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Adoption of Policy

A seal participant must demonstrate that it has adopted and implemented (including an effective date) a privacy policy and data security measures. The policy must be clearly displayed on a website's homepage and linked to any page on which the site collects individually identifiable information.

Policy Content

The privacy policy must be easy to read and disclose in clear and simple language:

1. the collector(s) of the information

6. the seal participant's participation in the BBBOnLine Privacy Program and information on how individuals may learn more about that program

7. any corporate subsidiaries, operating divisions or related product lines which are excluded from seal coverage

14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site

BBBOnLine Privacy Policy Assessment Questionnaire

Privacy Notice: General

B4 HELP. An organization’s privacy notice must be easy to find. At the very least, the privacy notice must be accessible by a link from (i) the organization’s homepage or entry point and (ii) at every subsequent point where the organization elicits individually identifiable information online through means other than passive data collection. The terms of the privacy notice are very important because they substantially determine an individual’s understanding of how information will be used and what steps the individual may choose to take to protect his or her privacy.

BBBOnLine Pts: 0.5


Ready means for data subject to know about personal information, and purposes, including identity and location of data controller (OECD Pts: 0.5)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

1. the collector(s) of the information

2. the type(s) and intended use(s) of the individually identifiable information being collected

3. the choices individuals have about the way such information is used and to whom it is disclosed

5. an appropriate contact method regarding the website's privacy policy

14. if any other organization collects individually identifiable information at the site as the result of transacting business with the individual at the site

15. that individuals must contact third party collectors of individually identifiable information directly for information on the use of their data

BBBOnLine Privacy Policy Assessment Questionnaire

Privacy Notice: General

B2. Please provide the name(s) and position(s), or the position title(s), of the individual(s) charged with the responsibility for implementation and oversight of the privacy policy for the covered website(s) or online service(s) …

B2 HELP. Since a privacy policy is not self-implementing, assurance that the information practices prescribed in the policy are being followed depends on there being some assignment of responsibility for implementation and oversight of the policy.

B6. Does the privacy notice(s) explain how an individual can contact the organization to express questions or concerns about the organization's privacy policies and practices? …

B6 HELP. The explanation should include contact information, e.g., a phone number or email address, that will lead a person with a complaint about the treatment of his/her information to a person responsible for the receipt of such complaints without undue delay. In most cases, this means that a person calling during normal business hours should be able to speak to such a person during that first call or by the end of the next business day. This does not require that the complaint be resolved in that timeframe but simply that the individual have an opportunity to make an initial contact with a person authorized to take information about the complaint and begin the process of resolving it …

BBBOnLine Pts: 0.5


Individual Participation Principle: An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him data relating to him
   i) within a reasonable time;
   ii) at a charge, if any, that is not excessive;
   iii) in a reasonable manner; and
   iv) in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Data subject able to know data controller has personal information (OECD Pts: 0.25)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

11. the process available to individuals to obtain access to individually identifiable information collected from them online and the process available to correct factual inaccuracies in that information

Access

A seal participant … must provide individuals with access to individually identifiable information collected from them online if such information is retrievable in the ordinary course of business and providing access does not impose an unreasonable burden.

BBBOnLine Privacy Policy Assessment Questionnaire

Access

G4 HELP. An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual. The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used …

BBBOnLine Pts: 0.25


Data subject able to know data controller has personal information (cont’d)

Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances. [updated August 17, 2000]

Data communicated in reasonable time and manner, without excessive charge and in intelligible form (OECD Pts: 0.25)

BBBOnLine: BBBOnLine Privacy Policy Assessment Questionnaire

Access

G4 HELP. … Organizations have substantial flexibility in deciding how best to make the individually identifiable information or prospect information available to the individual. For example, an organization may choose the form in which it discloses this information to the individual. Monthly statements from banks and credit card companies are examples of appropriate mechanisms to satisfy this disclosure obligation, even though they may reveal more than the individually identifiable information that the individual submitted to the organization online. The organization also determines the reasonable terms under which it will make such information available such as limits on frequency and the imposition of fees. Frequency limits that require intervals of more than a year between requests and/or fees of more than $15 for a response to an annual request would not be reasonable except in extraordinary circumstances. [updated August 17, 2000]

BBBOnLine Pts: 0.125


Reasons for denial of access (OECD Pts: 0.25)

BBBOnLine: BBBOnLine Privacy Policy Assessment Questionnaire

Access

G4 HELP. … If an organization cannot make information that it maintains available because it cannot retrieve the information in the ordinary course of business, it must provide the individual with a reference to the provisions in its privacy notice that discuss the type of data collected, how it is used, and appropriate choices related to that data, or provide the individual with materials on these matters that are at least as complete as the information provided in the privacy notice. [updated August 17, 2000]

BBBOnLine Pts: 0.125

Ability to challenge and correct (OECD Pts: 0.25)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

Policy Content

The privacy policy must be easy to read and disclose in clear and simple language:

11. the process available to individuals to obtain access to individually identifiable information collected from them online and the process available to correct factual inaccuracies in that information

Access

A seal participant must establish effective and easy to use mechanisms to permit individuals access to correct inaccurate factual information. A seal participant must take steps to help assure the accuracy of the individually identifiable information it is maintaining.

BBBOnLine Privacy Program Dispute Resolution Process

Part 1 Overview

1.2 Parties to Privacy Policy Review Service and Privacy Review Appeal Board

The parties to a proceeding are:

the complainant, the individual complaining about misuse of information, and the respondent, the company, organization or individual about whom the complainant is complaining.

BBBOnLine Pts: 0.25


Ability to challenge and correct (cont’d)

Part 2 Eligible Complaints

2.2 Personal Eligibility

… The complainant must be (i) the person who provided the personal information to the organization or individual that collected it and allegedly misused it, … (iii) the subject of the information in the case of information related to an individual that was collected online from another individual. The complainant must have made a good faith attempt to resolve her/his complaint directly with the organization or individual about which he or she is complaining, following the procedures set out in that organization’s or individual’s statement of its privacy policies.

2.5 Available Remedies

A complainant may seek to have the information that she or he submitted online which is the subject of the complaint used in a manner consistent with the company’s published privacy policies and, if applicable, the BBBOnLine Privacy Program guidelines. A complainant also may seek to have that information corrected.

BBBOnLine Privacy Policy Assessment Questionnaire

Privacy Notice: General

B7. Does the privacy notice(s) note the availability of the BBBOnLine dispute resolution mechanism? …

B7 HELP. This provision does not require a detailed discussion of the dispute resolution process …

Access

G2 HELP. Organizations must … establish appropriate processes or mechanisms so that factual inaccuracies in individually identifiable information may be corrected.


Ability to challenge and correct (cont’d)

G4 HELP. An organization must establish a mechanism whereby, upon request and proper identification of the individual, it makes available to the individual the individually identifiable information or prospect information it maintains with respect to the individual. The information subject to this requirement tends to be, but is not limited to, (i) account or application information, for example, name, address, and level of service subscribed to, and (ii) billing information and similar data about transactions conducted online, for example, date and amount of purchase, and credit card account used.

G6 HELP. The organization must take reasonable steps to assure itself that the individual to whom it makes individually identifiable information available is the same person from whom the organization collected the information and that the individual to whom it makes prospect information available is the person who is the subject of the information.

G7 HELP. Upon the request of an affected individual, an organization must correct factual inaccuracies in the individually identifiable information it maintains about him or her, if the information will be communicated to others or used for substantive decision making. There is no obligation to ascertain the accuracy of such factual information, unless the individual’s request includes information that suggests the likelihood of a factual inaccuracy. The organization chooses the form of the showing that an individual must make to suggest the likelihood of a factual inaccuracy in the individually identifiable information that it maintains.

G8. Does the privacy notice(s) inform individuals of this opportunity to correct factual inaccuracies to the individually identifiable information or prospect information?

G8 HELP. Sites or services must inform individuals that this opportunity exists.

G9 HELP. The organization must take reasonable steps to assure itself that the individual who is requesting correction of individually identifiable information is the same person from whom the organization collected the information and that the individual requesting correction of prospect information is the person who is the subject of the information.


Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

Data controller accountable for compliance with principles (OECD Pts: 1)

BBBOnLine: Eligibility Criteria for BBBOnLine Privacy Seal

General Requirements

A seal participant must take appropriate steps to assure that its information management practices comply with its privacy policies and any applicable BBBOnLine Privacy Program requirements.

A seal participant must successfully complete the BBBOnLine Privacy Compliance Assessment to demonstrate that its information practices conform to program requirements.

A seal participant must agree to cooperate in applicable program verification requirements in addition to the Compliance Assessment. Verification requirements include but are not limited to information pertaining to: choice, individual access to data, transfer of information to third parties, data integrity, security, and parental notice and consent.

A seal participant must agree to participate in the BBBOnLine Privacy Policy Dispute Resolution Program and to abide by decisions entered in the program.

A seal participant must inform BBBOnLine of all material changes to their privacy policies or practices, or of any other modification which could impact the participant's seal standing, prior to implementation.

A seal participant must disclose in its Compliance Assessment all site URLs where individually identified information is collected or provide alternative evidence that there is a link to the privacy policy on any page where individually identifiable information is collected. This disclosure must also include a description of the “specific types” of information being collected and all uses of that information.

BBBOnLine Pts: 1


Data controller accountable for compliance with principles (cont’d)

How the Privacy Program Works

The BBBOnLine privacy program:

• Monitors compliance through rigorous requirements for participating companies to undertake, at least annually, an assessment of their online privacy practices, and,

• Offers specific consequences for non-compliance such as seal withdrawal, publicity and referral to government enforcement agencies.

Participation Agreement

2. Eligibility Requirements

A. For the Seal. ... Licensee acknowledges compliance with these Eligibility Requirements and agrees to continue to abide by them, including participation in the dispute resolution process ...

D. Verification. Licensee agrees to cooperate with BBBOnLine in verification of Licensee’s compliance with Eligibility Requirements and this Agreement. BBBOnLine may itself, or through an independent third party designated by BBBOnLine, conduct random compliance reviews (online, on-site, or otherwise) of one or more Eligibility Requirement on BBBOnLine’s own initiative or in response to complaints from individuals or third parties (Random Reviews).

TOTAL 6.25

Initial Assessment: November 17, 1999
Revised Assessment: August 17, 2000


Exhibit B

Comparison of TRUSTe Program with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

OECD Criteria Pts TRUSTe Pts

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Limits to collection by lawful and fair means (OECD Pts: 0.5)

Knowledge or consent of data subject (OECD Pts: 0.5)

TRUSTe: Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.

TRUSTe License Agreement Rev 5.0
Schedule A: Program Requirements:

3. Information Collection and Use Practices. Licensee's Privacy Statement shall be made available to users of the Site (“Users”) prior to or at the time Personally Identifiable Information or Third Party Personally Identifiable Information is collected. The Privacy Statement shall disclose to Users the Site's information use and collection practices, including each of the following:

A. What Personally Identifiable Information pertaining to Users and/or Third Party Personally Identifiable Information is collected through the Site;

B. The identity of the organization (including name, address, phone, fax number, and e-mail address) collecting the Personally Identifiable Information and/or Third Party Personally Identifiable Information through the Site; …

E. What choices are available to the User of the Site regarding collection, use, disclosure and distribution of Personally Identifiable Information;

TRUSTe Pts: 0.5


Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Relevant to purposes of use (OECD Pts: 0.5)

Accurate, complete and kept up-to-date (OECD Pts: 0.5)

TRUSTe: Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.

TRUSTe License Agreement Rev 5.0
Schedule A: Program Requirements:

4. Minimum Requirements of the TRUSTe Program.

C. Data Quality and Access. Licensee shall take reasonable steps when collecting, creating, maintaining, using, disclosing or distributing Personally Identifiable Information and/or Third Party Personally Identifiable Information, to assure that the data are accurate, complete and timely for the purposes for which they are to be used …

TRUSTe Pts: 0.5

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Specify purposes to data subject not later than time of collection (OECD Pts: 0.5)

TRUSTe: Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.

Privacy Statement:

• What personal information is being gathered by your site
• Who is collecting the information
• How the information will be used
• With whom the information will be shared

0.5

Page 69: Web Seals: A Review of Online Privacy Programs · 2016-03-22 · developed Web seals designed to let their participants publicize that they adhere to certain privacy policies and

62

OECD Criteria Pts TRUSTe Pts

Specify purposes to data subject not later than time of collection (cont'd)

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

3. Information Collection and Use Practices. Licensee's Privacy Statement shall be made available to users of the Site (“Users”) prior to or at the time Personally Identifiable Information or Third Party Personally Identifiable Information is collected. The Privacy Statement shall disclose to Users the Site's information use and collection practices, including each of the following: …

C. How Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site may be used;

D. With whom Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site may be shared, if at all; …

Appendix A: Self Assessment Sheet:

1. Collection and Use of Information

After reading your privacy statement users should have no questions regarding how and why they are giving their name, email address, company name, and other information to your Web site…

Uses limited to purposes or specified consistent purposes (OECD pts: 0.5)

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

4. Minimum Requirements of the TRUSTe Program.

F. Use of Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall treat all Personally Identifiable Information and/or Third Party Personally Identifiable Information gathered on the Site in accordance with Licensee's Privacy Statement(s) in effect at the time of collection …

G. Limit on Use of Third Party Personally Identifiable Information. Third Party Personally Identifiable Information collected through the Site may be used solely by Licensee or by other parties when necessary to facilitate the completion of the transaction that is the primary purpose for which the information was collected …

(TRUSTe pts: 0.5)

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

Use and disclose in accordance with specified purposes (OECD pts: 0.5)

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

4. Minimum Requirements of the TRUSTe Program.

E. Displaying Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall not make Personally Identifiable Information and/or Third Party Personally Identifiable Information available to the general public in any form (including but not limited to on-line directories and customer lists) without the prior written or electronic consent of the individual identified …

F. Use of Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall treat all Personally Identifiable Information and/or Third Party Personally Identifiable Information gathered on the Site in accordance with Licensee's Privacy Statement(s) in effect at the time of collection …

G. Limit on Use of Third Party Personally Identifiable Information. Third Party Personally Identifiable Information collected through the Site may be used solely by Licensee or by other parties when necessary to facilitate the completion of the transaction that is the primary purpose for which the information was collected. Third Party Personally Identifiable Information collected through the Site may not be otherwise used or disclosed or distributed to other parties unless Licensee first provides the person identified by the Third Party Personally Identifiable Information a reasonable means for the third party to notify the Site Operator that they do not wish to have their Third Party Personally Identifiable Information used, disclosed or distributed (e.g. Opt Out), whereupon the Site operator shall ensure that the identified person's choice is complied with.

(TRUSTe pts: 0.5)

Except with data subject consent or by authority of law (OECD pts: 0.5)

Program Principle: Giving users choice and consent over how their personal information is used and shared.

Privacy Statement: The choices available to users regarding collection, use, and distribution of their information: You must offer users an opportunity to opt-out of internal secondary uses as well as third-party distribution for secondary uses.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

4. Minimum Requirements of the TRUSTe Program.

A. Choice. Licensee shall offer the user the opportunity to exercise affirmative choice (e.g. to “Opt Out” as defined below) before Personally Identifiable Information collected through the Site may be (1) used when such use is unrelated to the primary purpose for which the information was collected; or (2) disclosed or distributed to third parties when such disclosure or distribution is unrelated to the primary purpose for which the information was collected. The scope of uses deemed “related” shall be defined in the Privacy Statement. At a minimum, if Licensee states in its Privacy Statement that it provides Personally Identifiable Information to third parties and such use, disclosure or distribution is unrelated to the purpose for which the information was collected, users must always be given the opportunity to opt out of such use, disclosure or distribution. “Opt Out” means to notify the Site operator that they do not wish to have their Personally Identifiable Information used, disclosed or distributed in a manner that is unrelated to the primary purpose for which the information was collected, whereupon the Site operator shall ensure that the user's choice is complied with. Such Opt-Out opportunity shall not in any way limit the use, disclosure or distribution of Personally Identifiable Information to the extent such use, disclosure or distribution is required by law, court order, or other valid legal process.

(TRUSTe pts: 0.5)

Except with data subject consent or by authority of law (cont'd)

E. Displaying Personally Identifiable Information and/or Third Party Personally Identifiable Information. Licensee shall not make Personally Identifiable Information and/or Third Party Personally Identifiable Information available to the general public in any form (including but not limited to on-line directories and customer lists) without the prior written or electronic consent of the individual identified, except that this paragraph shall not prevent or restrict Licensee from (i) distributing information that is already publicly available, including but not limited to information available in public telephone directories, classified ads, newspaper reports, publications, and the like; (ii) providing information as required by law, court order, or other valid legal process; or (iii) displaying information in an online bulletin board, chat room, news group, or other public forum, where the information being displayed was placed there by a user or other third party ...

F. Use of Personally Identifiable Information and/or Third Party Personally Identifiable Information. ... If Licensee wishes to materially change its Privacy Statement(s), Licensee shall notify TRUSTe of the changes and shall take commercially reasonable measures to obtain the consent from the user to whom it pertains, such as obtaining written or electronic consent of the user. Alternatively, with prior written approval by TRUSTe, which approval should not be unreasonably withheld or delayed, Licensee may post prominent notices on the Site about the change of such policy and leave such notices posted for at least thirty (30) business days prior to implementation of the new use and description of how to notify Licensee to prevent such use. Licensee shall specify in their Privacy Statement how users will be notified of changes in the use of Personally Identifiable Information and/or Third Party Personally Identifiable Information.

G. Limit on Use of Third Party Personally Identifiable Information. … Third Party Personally Identifiable Information collected through the Site may not be otherwise used or disclosed or distributed to other parties unless Licensee first provides the person identified by the Third Party Personally Identifiable Information a reasonable means for the third party to notify the Site Operator that they do not wish to have their Third Party Personally Identifiable Information used, disclosed or distributed (e.g. Opt Out), whereupon the Site operator shall ensure that the identified person's choice is complied with.

Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Reasonable security safeguards (OECD pts: 1)

Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.

Privacy Statement: The security procedures in place to protect users' collected information from loss, misuse, or alteration: If your site collects, uses, or distributes personally identifiable information such as credit card or social security numbers, accepted transmission protocols (e.g. encryption) must be in place.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

3. Information Collection and Use Practices. … The Privacy Statement shall disclose to Users the Site's information use and collection practices, including …

F. What kinds of security procedures have been put in place by Licensee, its collecting organization, and any others with whom the Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site may be shared to protect against the loss, misuse or alteration of Personally Identifiable Information and/or Third Party Personally Identifiable Information in the possession or control of Licensee or the collecting organization;

4. Minimum Requirements of the TRUSTe Program.

B. Security. Licensee must implement reasonable procedures to protect Personally Identifiable Information and/or Third Party Personally Identifiable Information within its control from loss, misuse or unauthorized alteration. If Licensee collects, uses, discloses or distributes sensitive information, such as credit card numbers or social security numbers, it shall utilize commercially accepted protocols, such as encryption, to protect information sent over the Internet.

(TRUSTe pts: 1)

Reasonable security safeguards (cont'd)

TRUSTe License Agreement Rev 5.0, Appendix A: Self Assessment Sheet

VI. Security

Security is a major concern for consumers, especially when a Web site is collecting sensitive forms of information (i.e. financial and medical information). You need to inform users what types of security procedures you have in place to protect against the loss, misuse, or alteration of the information collected.

A. Identification. Access to the data should be assigned to specific individuals in order to maintain control over access…

B. Authentication. The identity of the individuals accessing the data must be verified. Requiring the user to enter a password before accessing data is the most common form of verification. However, passwords can be guessed or stolen. Special care must be taken to ensure authentication integrity is maintained…

C. Authorization/Access Control. Only the appropriate level of access to the data should be granted. Appropriate levels of access should be granted to specific individuals with the degree of access determined by job function or necessity…

D. Data Confidentiality. Data shall be protected from unauthorized disclosure. Protection from unauthorized disclosure may be accomplished through employee awareness or an employee requirement to sign an agreement to adhere to the company's privacy policy. The duty to watch over data includes protecting data from interception while data is sent through cyberspace. Examples of acceptable means include encryption and Virtual Private Networks…

E. Data Integrity. Data should be reliable. Appropriate measures should be in place to prevent unauthorized modifications of data from various sources and actions such as viruses and merging of databases. When data has been purposely modified, inadvertently corrupted, or is incorrect, the loss of information integrity compromises privacy…

Reasonable security safeguards (cont'd)

F. Data Retention. Data should be stored on alternative media to ensure access in case of disaster. However, access to the alternative media should be limited and controlled with appropriate security measures in place to protect privacy...

G. Overall Management, Policies, and Procedures. Lack of awareness regarding the value of customer information and the necessity of security measures is one of the greatest privacy threats. Appropriate measures to both inform and remind employees of the importance of data security policies and procedures should be in place...

H. Monitoring/Oversight. Accurate assessment of the level of threat against customer information is critical to the success of security initiatives. A threat to customer information is a person, organization, event or condition that could gain unauthorized access to the information. Countermeasures are the steps, procedures, devices, etc. that the company has (or should have) in place to detect and address specific vulnerabilities...

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

General policy of openness (OECD pts: 0.5)

Program Principle: Adopting and implementing a privacy policy that factors in the goals of your individual Web site as well as consumer anxiety over sharing personal information online.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

2. Licensee agrees to the following requirements.

F. Privacy Statement(s). Licensee shall maintain and abide by a privacy statement, approved by TRUSTe, that reflects Licensee's information use policies, and is easily accessible at Licensee's Site

(TRUSTe pts: 0.5)

Ready means for data subject to know about personal information, and purposes, including identity and location of data controller (OECD pts: 0.5)

Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.

Privacy Statement Wizard:

Contact Information About the Web site

This section asks you to answer some basic questions about your site. This information will be disclosed in the privacy statement so that users can contact you if there is a problem. Any and all information entered into the wizard is optional and is not captured by the site.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

2. Licensee agrees to the following requirements.

F. Privacy Statement(s). Licensee shall maintain and abide by a privacy statement approved by TRUSTe that reflects Licensee’s information use policies, and is easily accessible at Licensee’s Site …

I. The Privacy Statement must include a statement explaining that the Site is a participant in the TRUSTe Program, and is using the TRUSTe Mark(s) under license from TRUSTe pursuant to the requirements of the TRUSTe program, and that all rights in the TRUSTe Mark(s) belong to TRUSTe. This statement shall include a full description of how users of the Site can contact Licensee as well as a description of how to contact TRUSTe to express concerns regarding Licensee's Privacy Statement.

(TRUSTe pts: 0.5)

Individual Participation Principle: An individual should have the right:
a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
b) to have communicated to him data relating to him
   i) within a reasonable time;
   ii) at a charge, if any, that is not excessive;
   iii) in a reasonable manner; and
   iv) in a form that is readily intelligible to him;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Data subject able to know data controller has personal information (OECD pts: 0.25)

Program Principle: Adopting and implementing a privacy policy that factors in the goals of your individual Web site as well as consumer anxiety over sharing personal information online.

Program Principle: Posting notice and disclosure of collection and use practices regarding personally identifiable information (data used to identify, contact, or locate a person), via a posted privacy statement.

Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

3. Information Collection and Use Practices. … The Privacy Statement shall disclose to Users the Site's information use and collection practices, including each of the following: …

G. Whether Users of the Site are offered access to their Personally Identifiable Information and how they may have inaccuracies corrected.

(TRUSTe pts: 0.125)

Data communicated in reasonable time and manner, without excessive charge and in intelligible form (OECD pts: 0.25)

Reasons for denial of access (OECD pts: 0.25)

Ability to challenge and correct (OECD pts: 0.25)

Program Principle: Putting data security and quality, and access measures in place to safeguard, update, and correct personally identifiable information.

Privacy Statement: How users can update or correct inaccuracies in their pertinent information: Appropriate measures shall be taken to ensure that personal information collected online is accurate, complete, and timely, and that easy-to-use mechanisms are in place for users to verify that inaccuracies have been corrected.

Resolution Process: As a licensee in the TRUSTe program, a Web site agrees to provide consumers with simple, effective means to submit their privacy concerns directly to the Web site. At a minimum, all privacy statements contain TRUSTe contact information so that consumers may direct their questions or concerns to us. We request users to contact Web sites directly before filing a report with us.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

4. Minimum Requirements of the TRUSTe Program.

C. Data Quality and Access. … Licensee must implement reasonable and appropriate processes or mechanisms to allow users to correct inaccuracies in material Personally Identifiable Information, such as account or contact information. These processes or mechanisms must be simple and easy to use, and shall confirm to users that inaccuracies have been corrected.

6. User Complaints. Licensee shall provide users with reasonable, appropriate, simple and effective means to submit complaints and express concerns regarding Licensee's privacy practices. Licensee shall respond to all reasonable user submissions in a timely fashion, not to exceed ten (10) business days. Licensee shall also reasonably cooperate with TRUSTe's efforts to resolve user complaints, questions and concerns.

(TRUSTe pts: 0.25)

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

Data controller accountable for compliance with principles (OECD pts: 1)

TRUSTe Oversight: We monitor our licensees for compliance with their posted privacy practices and TRUSTe program requirements through a variety of measures. Our oversight process includes initial and periodic Web site reviews, “seeding,” and online community monitoring.

Resolution Process: In the unlikely event that TRUSTe has reason to believe a licensee has violated its posted privacy practices or other TRUSTe program requirements, we will conduct an escalating investigation. This process may include an on-site compliance review by one of TRUSTe's official auditors, PriceWaterhouseCoopers LLP or KPMG Peat Marwick LLP. If the on-site review finds that a licensee is non-compliant, TRUSTe will advise and guide the licensee on the steps to remedy the problem.

If no action is taken by the licensee--depending on the severity of the breach--our investigation may also result in revocation of the TRUSTe trustmark, termination from the program, or in extreme cases, referral to the appropriate government agency.

TRUSTe License Agreement Rev 5.0, Schedule A: Program Requirements:

5. Reviews. Licensee shall reasonably cooperate with TRUSTe to ensure compliance with the Program, Program Requirements and Privacy Statement(s). TRUSTe may, itself or through an independent, qualified, neutral third party designated by TRUSTe, review the Privacy Statement(s) and the Site periodically, to assess the level of consistency and quality of use of the TRUSTe Mark(s) on the Site and the consistency and quality of Licensee's Privacy Statement(s) and related privacy practices, and Licensee's conformance with the Program Requirements throughout the term of the Agreement…

(TRUSTe pts: 1)

Data controller accountable for compliance with principles (cont'd)

8. Notice of Violation. Licensee agrees to notify TRUSTe within five (5) business days of any violation of its Privacy Statement(s) or of the Program Requirements relating to the misuse of Personally Identifiable Information and/or Third Party Personally Identifiable Information collected through the Site so that TRUSTe can help Licensee resolve the problem.

9. Cooperation To Resolve Complaints. If Licensee is the subject of a complaint submitted to TRUSTe either concerning alleged misuse of the TRUSTe Mark(s) or raising specific privacy concerns pertaining to a Licensee, in addition to any other obligations hereunder, Licensee shall cooperate with TRUSTe in an effort to resolve the complaint in a manner that will prevent any disparagement of the TRUSTe Mark(s) or any injury to TRUSTe's good will.

TOTAL (TRUSTe pts): 6.375

November 15, 1999

Exhibit C

Comparison of WebTrust Principles and Criteria for Business-to-Consumer Electronic Commerce with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

OECD Criteria Pts WebTrust Principles & Criteria, Version 2.0 Pts

Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Limits to collection by lawful and fair means (OECD pts: 0.5)

Knowledge or consent of data subject (OECD pts: 0.5)

Business and Information Privacy Practices

A1 Description of goods and/or services

The entity discloses descriptive information about …

A1.3 Source of information (meaning, where it was obtained and how it was compiled).

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.1 The specific kinds and sources of information being collected…

A5.2 Choices regarding how individually identifiable information collected from an individual online may be used and/or distributed. Individuals should be given the opportunity to opt out of such use, by either not providing such information or denying its distribution to parties not involved with the transaction.

A5.3 The consequences, if any, of an individual’s refusal to provide information …

A5.5 If the Web site uses cookies, how they are used and the consequences, if any, of an individual’s refusal to accept a cookie.

(WebTrust pts: 0.5)

Data Quality Principle: Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Relevant to purposes of use (OECD pts: 0.5)

Accurate, complete and kept up-to-date (OECD pts: 0.5)

Transaction Integrity Principle

The entity maintains effective controls to provide reasonable assurance that customers’ transactions using e-commerce are completed and billed as agreed.

B1 Requesting goods and/or services

The entity maintains controls to provide reasonable assurance that:

B1.1 Each request or transaction is checked for accuracy and completeness.

B1.2 Positive acknowledgment is received from the customer before the transaction is processed.

B5 Entity monitoring of its transaction integrity

The entity maintains monitoring procedures that provide reasonable assurance of the following:

• Its transaction integrity controls remain effective.
• Reports of noncompliance are promptly addressed and corrective measures taken.

Information Protection Principle

C4 Accuracy and completeness of information

The entity maintains controls so that individually identifiable information collected, created or maintained by it is accurate and complete for its intended use.

(WebTrust pts: 0.5)

Purpose Specification Principle: The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Specify purposes to data subject not later than time of collection (OECD pts: 0.5)

Business and Information Privacy Practices

The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.

(WebTrust pts: 0.5)

Uses limited to purposes or specified consistent purposes (OECD pts: 0.5)

Business and Information Privacy Practices

The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.

(WebTrust pts: 0.5)

Use Limitation Principle: Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [Purpose Specification Principle] except: a) with the consent of the data subject; or b) by the authority of law.

Use and disclose in accordance with specified purposes (OECD pts: 0.5)

Business and Information Privacy Practices

The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.

Information Protection Principle

The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity’s business.

These controls address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet, protection of such information once it reaches the entity and requesting permission of customers to use their information for purposes other than those related to the entity’s business, and for obtaining customer permission before storing, altering, or copying information on the customer’s computer.

(WebTrust pts: 0.25)

Use and disclose in accordance with specified purposes (cont’d)

C5 Entity responsibility for third party information

The entity maintains controls and carries out procedures to determine the adequacy of information protection and privacy policies of third parties to whom information is transferred.

Except with data subject consent or by authority of law (OECD Pts: 0.5)

Business and Information Privacy Practices

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.2 Choices regarding how individually identifiable information collected from an individual online may be used and/or distributed. Individuals should be given the opportunity to opt out of such use, by either not providing such information or denying its distribution to parties not involved with the transaction.

Information Protection Principle

The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity’s business.

These controls address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet, protection of such information once it reaches the entity and requesting permission of customers to use their information for purposes other than those related to the entity’s business, and for obtaining customer permission before storing, altering, or copying information on the customer’s computer.

C2 Collecting customer information

The entity maintains controls over the collection of data and has policies which provide customers with the following:

• A choice as to whether individually identifiable information collected from them online may be used for purposes other than completing the transaction in progress (an internal secondary use or external third-party use)

• The opportunity to opt out of any particular internal secondary or external third-party usage of that information except those required by law or other regulatory agency.

WebTrust Pts: 0.5


Security Safeguards Principle: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Reasonable security safeguards (OECD Pts: 1)

Information Protection Principle

The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity’s business.

These controls address privacy and security matters such as encryption or other protection of private customer information (such as credit card numbers and personal and financial information) transmitted to the entity over the Internet …

C1 Transmission of private customer information

The entity maintains controls to protect transmissions of private customer information over the Internet from unintended recipients.

C3 Protection and use of private customer information

The entity maintains controls to protect private customer information obtained as a result of e-commerce and retained in its system from outsiders.

C3.1 Systems that retain private customer information obtained as a result of e-commerce are protected from unauthorized outside access.

C3.2 Customers entering through the Web page cannot access other customers’ private information.

C3.3 Private customer information obtained as a result of e-commerce is not intentionally disclosed to parties not related to the entity’s business unless (1) customers are clearly notified prior to their providing such information or (2) customer permission is obtained after the customer has provided such information.

C3.4 Private customer information obtained as a result of e-commerce is used by employees only in ways associated with the entity’s business.

WebTrust Pts: 1


Reasonable security safeguards (cont’d)

C6 Protection of customers’ computers and files

The entity maintains controls to protect against its unauthorized access to customers’ computers and its unauthorized modification of customers’ computer files:

C6.1 Customer permission is obtained before storing, altering or copying information in the customer’s computer or the customer is notified with an option to prevent such activities.

C6.2 Transmission of malicious computer code to customers is prevented.

Openness Principle: There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

General policy of openness (OECD Pts: 0.5)

Business and Information Privacy Practices Principle

The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.

To enhance customer confidence in e-commerce, it is important that the customer is informed about the entity’s business practices for e-commerce transactions. … The entity should also follow its disclosed practices. This includes management’s agreeing to third-party arbitration to settle customer complaints. The entity also needs to disclose its practices relating to the manner in which it uses, protects and maintains private customer information along with the site’s consumer recourse provisions.

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.

WebTrust Pts: 0.5


General policy of openness (cont’d)

A5.2 Choices regarding how individually identifiable information collected from an individual online may be used and/or distributed. Individuals should be given the opportunity to opt out of such use, by either not providing such information or denying its distribution to parties not involved with the transaction.

A5.3 The consequences, if any, of an individual’s refusal to provide information or of an individual’s decision to opt out of a particular use of such information.

A5.4 How individually identifiable information collected can be reviewed and, if necessary, corrected or removed.

A5.5 If the Web site uses cookies, how they are used and the consequences, if any, of an individual’s refusal to accept a cookie.

Ready means for data subject to know about personal information, and purposes, including identity and location of data controller (OECD Pts: 0.5)

Business and Information Privacy Practices

The entity discloses its business and information privacy practices for e-commerce transactions and executes transactions in accordance with its disclosed practices.

A4 Customer communications

The entity discloses information to enable customers to file claims, ask questions and register complaints, including, but not limited to, the following:

• Street address (not a post office box or email address)

• Telephone number (a number to reach an employee on a reasonably timely basis and not only a voice mail system or message machine)

• Days and hours of operation

• If there are several offices or branches, the same information for the principal office.

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.

WebTrust Pts: 0.25


Individual Participation Principle: An individual should have the right:

a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

b) to have communicated to him data relating to him

i) within a reasonable time;

ii) at a charge, if any, that is not excessive;

iii) in a reasonable manner; and

iv) in a form that is readily intelligible to him;

c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Data subject able to know data controller has personal information (OECD Pts: 0.25)

Business and Information Privacy Practices

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.1 The specific kinds and sources of information being collected and maintained; the use of that information; and possible third party distribution of that information.

A5.4 How individually identifiable information collected can be reviewed and, if necessary, corrected or removed.

WebTrust Pts: 0.25

Data communicated in reasonable time and manner, without excessive charge and in intelligible form (OECD Pts: 0.25)

Reasons for denial of access (OECD Pts: 0.25)


Ability to challenge and correct (OECD Pts: 0.25)

Business and Information Privacy Practices

A4 Customer communications

A4.1 In the event outside dispute resolution is necessary, the process by which these disputes are resolved. These complaints may relate to any part of a customer’s e-commerce transaction, including complaints related to the quality of services and products, accuracy, completeness, and distribution of private customer information and the consequences for failure to resolve such complaints. This resolution process should have the following attributes:

• Management's commitment to use a specified third party dispute resolution service or other process mandated by regulatory bodies in the event the customer is not satisfied with the entity's proposed resolution of such a complaint together with a commitment from such third party to handle such unresolved complaints.

• Procedures to be followed in resolving such complaints, first with the entity and, if necessary, with the designated third party.

• What use or other action will be taken with respect to the private information, which is the subject of the complaint, until the complaint is satisfactorily resolved.

A5 Information Privacy

The entity discloses on its Web site its information privacy practices. These practices include but are not limited to the following disclosures.

A5.4 How individually identifiable information collected can be reviewed and, if necessary, corrected or removed.

Information Protection Principle

The entity maintains effective controls to provide reasonable assurance that private customer information obtained as a result of e-commerce is protected from uses not related to the entity’s business.

WebTrust Pts: 0.25


Ability to challenge and correct (cont’d)

… In connection with safeguarding this information, consumers are concerned about being able to correct or update information provided to a site. The process by which a site allows this process to occur can greatly enhance its e-commerce activity. Consumer concern about the safeguarding of private information traditionally has been one of the most significant deterrents to undertaking e-commerce transactions.

Accountability Principle: A data controller should be accountable for complying with measures which give effect to the principles stated above.

Data controller accountable for compliance with principles (OECD Pts: 1)

The WebTrust Seal of Assurance

The WebTrust Seal of assurance symbolizes to potential customers that a CPA or CA has evaluated the Web site’s business practices and controls to determine whether they are in conformity with the WebTrust Principles and Criteria for Business-to-Consumer E-commerce, and has issued a report with an unqualified opinion indicating that such principles are being followed in conformity with the WebTrust Criteria.

Obtaining the Seal

To obtain the WebTrust Seal of assurance, the entity must meet all the WebTrust Principles as measured by the WebTrust Criteria associated with each of these principles. In addition, the entity must (1) engage a CPA or CA practitioner, who has a WebTrust business license from the AICPA, CICA, or other authorized national accounting institute to provide the WebTrust service and (2) obtain an unqualified report from such practitioner.

The Seal Management Process

The WebTrust Seal of assurance will be managed using a trusted third-party service organization (the seal manager) …

WebTrust Pts: 1


Data controller accountable for compliance with principles (cont’d)

The WebTrust Criteria

In order to provide more specific guidance, a number of WebTrust Criteria have been developed for each WebTrust Principle. The entity must be in conformity with these criteria to obtain and maintain its WebTrust Seal…

The entity must be able to demonstrate over a period of time (at least two months or more) that (1) it executed transactions in accordance with the business practices it discloses for e-commerce transactions, (2) its controls operated effectively, (3) it maintains a control environment that is conducive to reliable business practice disclosures and effective controls, and (4) it maintains monitoring procedures to ensure that such business practices remain current and such controls remain effective in conformity with the WebTrust Criteria. These concepts are an integral part of the WebTrust Criteria.

Business and Information Privacy Practices

A6 Monitoring

The entity maintains monitoring procedures that provide reasonable assurance of the following:

• Its business practice disclosures on its Web site remain current.

• Reports of noncompliance are promptly addressed and corrective measures taken.

Information Protection Principle

C7 Monitoring

The entity maintains monitoring procedures that provide reasonable assurance of the following:

C7.1 Its business practice disclosures on its Web site remain current.

C7.2 Reports of non-compliance are promptly addressed and corrective measures taken.

TOTAL 6

November 17, 1999


Exhibit D

Australian federal government Benchmarks for Industry-Based Customer Dispute Resolution Schemes

Principle 1 — Accessibility

The scheme makes itself readily available to customers by promoting knowledge of its existence, being easy to use and having no cost barriers.

Key Practices

1.1 The scheme seeks to ensure that all customers of the relevant industry are aware of its existence.

1.2 The scheme promotes its existence in the media or by other means.

1.3 The scheme produces readily available material in simple terms explaining:

how to access the scheme;

how the scheme works;

the major areas with which the scheme deals; and

any restrictions on the scheme’s powers.

1.4 The scheme requires scheme members to inform their customers about the scheme.

1.5 The scheme ensures that information about its existence, procedures and scope is available to customers through scheme members:

when a scheme member responds to a customer’s complaint; and

when customers are not satisfied in whole or in part with the outcome of the internal complaints mechanism of a scheme member, when the scheme member refuses to deal with a complaint, or when the time period within which the internal complaints mechanism is expected to produce an outcome has expired, whichever first occurs.

1.6 The scheme promotes its existence in such a way as to be sensitive to disadvantaged customers or customers with special needs.

1.7 The scheme seeks to ensure nation-wide access to it by customers.

1.8 The scheme provides appropriate facilities and assistance for disadvantaged complainants or those with special needs.


1.9 Complainants can make initial contact with the scheme orally or in writing but the complaint must ultimately be reduced to writing.

1.10 The terms of reference of the scheme are expressed clearly.

1.11 Customers do not pay any application or other fee or charge before a complaint is dealt with by the scheme, or at any stage in the process.

1.12 The scheme’s staff have the ability to handle customer complaints and are provided with adequate training in complaints handling.

1.13 The scheme’s staff explain to complainants in simple terms:

how the scheme works;

the major areas it deals with;

any restrictions on its powers; and

the timelines applicable to each of the processes in the scheme.

1.14 The scheme’s staff assist complainants to subsequently reduce a complaint to writing, where complainants need assistance to do so.

1.15 The scheme’s processes are simple for complainants to understand and easy to use.

1.16 The scheme provides for a complainant’s case to be presented orally or in writing at the determination stage, at the discretion of the decision-maker.

1.17 The scheme provides for complainants to be supported by another person at any stage in the scheme’s processes.

1.18 The scheme uses appropriate techniques including conciliation, mediation and negotiation in attempting to settle complaints.

1.19 The scheme provides for informal proceedings which discourage a legalistic, adversarial approach at all stages in the scheme’s processes.

1.20 The scheme discourages the use of legal representatives before the decision-maker except in special circumstances.

1.21 The scheme provides the opportunity for both parties to be legally represented where one party is so allowed.

1.22 The scheme provides for the scheme member to pay the legal costs of complainants where the scheme member is the first party to request to be legally represented and the decision-maker agrees to that request.


Principle 2 — Independence

The decision-making process and administration of the scheme are independent from scheme members.

Key Practices

2.1 The scheme has a decision-maker who is responsible for the determination of complaints.

2.2 The decision-maker is appointed to the scheme for a fixed term.

2.3 The decision-maker is not selected directly by scheme members, and is not answerable to scheme members for determinations.

2.4 The decision-maker has no relationship with the scheme members that fund or administer the scheme which would give rise to a perceived or actual conflict of interest.

2.5 The scheme’s staff are not selected directly by scheme members, and are not answerable to scheme members for the operation of the scheme.

2.6 There is a separate entity set up formally to oversee the independence of the scheme’s operation. The entity has a balance of customer, industry and, where relevant, other key stakeholder interests.

2.7 Representatives of customer interests on the overseeing entity are:

capable of reflecting the viewpoints and concerns of customers; and

persons in whom customers and customer organizations have confidence.

2.8 As a minimum the functions of the overseeing entity comprise:

appointing or dismissing the decision-maker;

recommending or approving the scheme’s budget;

receiving complaints about the operation of the scheme;

recommending and being consulted about any changes to the scheme’s terms of reference;

receiving regular reports about the operation of the scheme; and

receiving information about, and taking appropriate action in relation to, systemic industry problems referred to it by the scheme.


2.9 The scheme has sufficient funding to enable its caseload and other relevant functions necessary to fulfil its terms of reference to be handled in accordance with these benchmarks.

2.10 Changes to the terms of reference are made in consultation with relevant stakeholders, including scheme members, industry and customer organizations and government.

Principle 3 — Fairness

The scheme produces decisions which are fair and seen to be fair by observing the principles of procedural fairness, by making decisions on the information before it and by having specific criteria upon which its decisions are based.

Key Practices

3.1 The decision-maker bases determinations on what is fair and reasonable, having regard to good industry practice, relevant industry codes of practice and the law.

3.2 The scheme’s staff advise complainants of their right to access the legal system or other redress mechanisms at any stage if they are dissatisfied with any of the scheme’s decisions or with the decision-maker’s determination.

3.3 Both parties can put their case to the decision-maker.

3.4 Both parties are told the arguments, and sufficient information to know the case, of the other party.

3.5 Both parties have the opportunity to rebut the arguments of, and information provided by, the other party.

3.6 Both parties are told of the reasons for any determination.

3.7 Complainants are advised of the reasons why a complaint is outside jurisdiction or is otherwise excluded.

3.8 The decision-maker encourages but cannot compel complainants to provide information relevant to a complaint.

3.9 The decision-maker can demand that scheme members provide all information which, in the decision-maker’s view, is relevant to a complaint, unless that information identifies a third party to whom a duty of confidentiality or privacy is owed, or unless it contains information which the scheme member is prohibited by law from disclosing.


3.10 Where a scheme member provides information which identifies a third party, the information may be provided to the other party with deletions, where appropriate, at the discretion of the decision-maker.

3.11 The scheme ensures that information provided to it for the purposes of resolving complaints is kept confidential, unless disclosure is required by law or for any other purpose specified in these benchmarks.

3.12 Parties to a complaint agree not to disclose information gained during the course of any mediation, conciliation or negotiation to any third party, unless required by law to disclose such information.

Principle 4 — Accountability

The scheme publicly accounts for its operations by publishing its determinations and information about complaints and highlighting any systemic industry problems.

Key Practices

4.1 The scheme regularly provides written reports of determinations to scheme members and any interested bodies for the purposes of:

educating scheme members and customers; and

demonstrating consistency and fairness in decision-making.

4.2 Written reports of determinations do not name the parties involved.

4.3 The scheme publishes a detailed and informative annual report containing specific statistical and other data about the performance of the scheme, including:

information about how the scheme works;

the number and types of complaints it receives and their outcome;

the time taken to resolve complaints;

any systemic problems arising from complaints;

examples of representative case studies;

information about how the scheme ensures equitable access;

a list of scheme members supporting the scheme, together with any changes to the list during the year;


where the scheme’s terms of reference permit, the names of those scheme members which do not meet their obligations as members of the scheme; and

information about new developments or key areas in which policy or education initiatives are required.

4.4 The annual report is distributed to relevant stakeholders and otherwise made available upon request.

Principle 5 — Efficiency

The scheme operates efficiently by keeping track of complaints, ensuring complaints are dealt with by the appropriate process or forum and regularly reviewing its performance.

Key Practices

5.1 The scheme deals only with complaints which are within its terms of reference and have not been dealt with, or are not being dealt with, by another dispute resolution forum and:

which have been considered, and not resolved to the customer’s satisfaction, by a scheme member’s internal complaints resolution mechanism; or

where a scheme member has refused, or failed within a reasonable time, to deal with a complaint under its internal complaints resolution mechanism.

5.2 The scheme has mechanisms and procedures for referring relevant complaints to other,more appropriate, fora.

5.3 The scheme has mechanisms and procedures for referring systemic industry problems, that become apparent from complaints, to relevant scheme members.

5.4 The scheme excludes vexatious and frivolous complaints, at the discretion of the decision-maker.

5.5 The scheme has reasonable time limits set for each of its processes which facilitate speedy resolution without compromising quality decision-making.

5.6 The scheme has mechanisms to ensure that the time limits are complied with as far as possible.

5.7 The scheme has a system for tracking the progress of complaints.

5.8 The scheme’s staff keep the parties informed about the progress of their complaint.


5.9 The scheme sets objective targets against which it can assess its performance.

5.10 The scheme keeps systematic records of all complaints and enquiries, their progress and their outcome.

5.11 The scheme conducts regular reviews of its performance.

5.12 The scheme’s staff seek periodic feedback from the parties about the parties’ perceptions of the performance of the scheme.

5.13 The scheme reports regularly to the overseeing entity on the results of its monitoring and review.

Principle 6 — Effectiveness

The scheme is effective by having appropriate and comprehensive terms of reference and periodic independent reviews of its performance.

Key Practices

6.1 The scope of the scheme and the powers of the decision-maker are clear.

6.2 The scope of the scheme (including the decision-maker’s powers) is sufficient to deal with:

the vast majority of customer complaints in the relevant industry and the whole of each such complaint; and

customer complaints involving monetary amounts up to a specified maximum that is consistent with the nature, extent and value of customer transactions in the relevant industry.

6.3 The decision-maker has the power to make monetary awards of sufficient size and other awards (but not punitive damages) as appropriate.

6.4 The scheme has mechanisms for referring systemic industry problems to the overseeing entity (where referral to the scheme member or members under key practice 5.3 does not result in the systemic problem being adequately addressed) for appropriate action.

6.5 The scheme has procedures in place for:

receiving complaints about the scheme; and

referring complaints about the scheme to the overseeing entity for appropriate action.


6.6 The scheme responds to any recommendations of the overseeing entity in a timely and appropriate manner.

6.7 The scheme requires scheme members to set up internal complaints mechanisms.

6.8 The scheme has the capacity to advise scheme members about their internal complaints mechanisms.

6.9 The scheme has mechanisms to encourage scheme members to abide by the rules of the scheme.

6.10 The determinations of the decision-maker are binding on the scheme member if complainants accept the determination.

6.11 The operation of the scheme is reviewed within three years of its establishment, and regularly thereafter, by an independent party commissioned by the overseeing entity.

6.12 The review, undertaken in consultation with relevant stakeholders, includes:

the scheme’s progress towards meeting these benchmarks;

whether the scope of the scheme is appropriate;

scheme member and complainant satisfaction with the scheme;

assessing whether the dispute resolution processes used by the scheme are just and reasonable;

the degree of equitable access to the scheme; and

the effectiveness of the terms of reference.

6.13 The results of the review are made available to relevant stakeholders.

<http://www.treasury.gov.au/publications/ConsumerAffairs/IndustrySelf-RegulationPublications/BenchmarksForIndustry-BasedCustomerDisputeResolutionSchemes/index.asp>


Exhibit E

Australian National Arbitration Forum Principles

The National Arbitration Forum believes arbitration must be based on the rules of law, applied consistently, under The Forum Code of Procedure and applicable law. The Code must also be applied fairly. To that end, we commit to these twelve principles, which conform to The Forum’s Due Process Standard:

PRINCIPLE 1. FUNDAMENTALLY FAIR PROCESS - All parties in an arbitration are entitled to fundamental fairness.

PRINCIPLE 2. ACCESS TO INFORMATION - Information about arbitration should be reasonably accessible before the parties commit to an arbitration contract.

PRINCIPLE 3. COMPETENT AND IMPARTIAL ARBITRATORS - The arbitrators should be both skilled and neutral.

PRINCIPLE 4. INDEPENDENT ADMINISTRATION - An arbitration should be administered by someone other than the arbitrator or the parties themselves.

PRINCIPLE 5. CONTRACTS FOR DISPUTE RESOLUTION - An agreement to resolve disputes through arbitration is a contract and should conform to legal principles of contract.

PRINCIPLE 6. REASONABLE COST - The cost of an arbitration should be proportionate to the claim.

PRINCIPLE 7. REASONABLE TIME LIMITS - A dispute should be resolved with reasonable promptness.

PRINCIPLE 8. RIGHT TO REPRESENTATION - All parties have the right to be represented in an arbitration, if they wish, for example, by an attorney or other representative.

PRINCIPLE 9. SETTLEMENT & MEDIATION - The preferable process is for the parties themselves to resolve the dispute.

PRINCIPLE 10. HEARINGS - Hearings should be convenient, efficient, and fair for all.

PRINCIPLE 11. REASONABLE DISCOVERY - The parties should have access to the information they need to make a reasonable presentation of their case to the arbitrator.

PRINCIPLE 12. AWARDS AND REMEDIES - The remedies resulting from an arbitration must conform to the law.

<http://www.arb-forum.com/other/index.html>, 08/29/00For the Code of Practice see <http://www.arb-forum.com/library/code.html>, 08/29/00


Exhibit F

Compliance/Enforcement Activity of Privacy Seals

Activity: BBBOnLine

Documents Reviewed: <www.bbbonline.org>
How to apply for a privacy seal / Privacy Policy / Eligibility requirement / Privacy Program Participation Agreement / Privacy Policy Assessment Questionnaire / How BBBOnLine protects your privacy / Privacy Program / How the privacy program works / FAQ

Obtaining the Seal: Prior to applying for the Privacy Seal, the Web site should have adopted and posted an online privacy policy and meet the eligibility requirements.

A Business Application and Compliance Assessment Questionnaire must be completed. The questionnaire is the basis for determining an organization's eligibility for the Privacy Seal. It is reviewed and approved by a Compliance Analyst.

Standards: To provide consumers the highest level of confidence in how their personal data is being used and in how protective the privacy policies posted on the Web are. To ensure that the processes in place are adequate to live up to the privacy policies.

Objective: To provide consumers the highest level of confidence in how their personal data is being used and in how protective the privacy policies posted on the Web are.

To ensure that the processes in place are adequate to live up to the privacy policies posted.

Process: Comprehensive Compliance Assessment Review, at least annually and on a random basis. This may be conducted on BBBOnLine's own initiative or in response to public complaints. The compliance reviews may be conducted by BBBOnLine staff or by an independent third party.

This includes review of the privacy policies posted on the Web site and of the processes that the Web site has in place to live up to those policies.

Enforcement: Non-compliance results in seal withdrawal, publicity, and referral to government enforcement agencies. The Web site/licensee may appeal and/or request an audit.


Activity: TRUSTe

Documents Reviewed: <www.truste.org>
How TRUSTe program works / TRUSTe Oversight / FAQ

Obtaining the Seal: A TRUSTe representative will initially review the Web site for adherence to TRUSTe program principles, privacy statement requirements, and the TRUSTe seal.

Standards: Not specifically stated.

Objective: To ease consumers' privacy concerns and to establish Web site credibility by ensuring that Web sites are complying with their posted privacy practices.

Process: A TRUSTe representative will periodically review the Web site to ensure compliance with posted privacy practices and program requirements and to check for changes to the privacy statement.

TRUSTe regularly "seeds" Web sites, which is the process of tracking unique identifiers in a site's database. Unique user information is submitted and the results monitored to ensure that the Web site's information collection and use practices are consistent with its stated policies.

Online Community Monitoring: TRUSTe relies on online users to report violations of posted privacy policies, misuse of the TRUSTe seal, or specific privacy concerns pertaining to a Web site.

Enforcement: Where TRUSTe has reason to believe that a site is in non-compliance with its stated privacy practices, an escalating investigation will be conducted. Depending on the severity of the breach, the investigation could result in an on-site compliance review by a CPA firm or revocation of the site's seal/license. After TRUSTe has exhausted all escalation efforts, extreme violations are referred to the appropriate law authority, which in the U.S. may include the appropriate attorney general's office, the Federal Trade Commission, or the Consumer Protection Agency. TRUSTe may pursue breach of contract or trademark infringement litigation against the site.
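As an added illustration of the "seeding" technique described in the TRUSTe process above (example code written for this review, not TRUSTe's own tooling), the following Python sketch plants a unique canary identity with each audited site, records the site's stated policy on sharing with third parties, and flags any canary address that is later contacted by someone other than the site it was given to. The ledger class, site names and observed messages are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SeedLedger:
    """Hypothetical ledger of canary identities planted with audited sites."""
    seeds: Dict[str, dict] = field(default_factory=dict)

    def plant(self, site: str, shares_with_third_parties: bool,
              token: Optional[str] = None) -> str:
        """Create an unguessable canary e-mail address for `site` and record the
        site's stated third-party sharing policy (constructed data)."""
        token = token or secrets.token_hex(6)
        address = f"seed-{token}@example.net"
        self.seeds[address] = {"site": site.lower(),
                               "shares_with_third_parties": shares_with_third_parties}
        return address

    def check(self, recipient: str, sender_domain: str) -> Optional[dict]:
        """Classify one message received at a recipient address.

        Returns None when the recipient is not a canary; otherwise a finding
        whose `violation` flag is set only when a third party used an address
        that the site stated it would not share."""
        seed = self.seeds.get(recipient.lower())
        if seed is None:
            return None
        if sender_domain.lower() == seed["site"]:
            return {"address": recipient, "sender": sender_domain, "violation": False}
        return {"address": recipient, "sender": sender_domain,
                "violation": not seed["shares_with_third_parties"]}


def audit(ledger: SeedLedger, observed: List[Tuple[str, str]]) -> List[dict]:
    """Return only the findings that contradict a site's stated policy."""
    findings = (ledger.check(rcpt, sender) for rcpt, sender in observed)
    return [f for f in findings if f is not None and f["violation"]]


if __name__ == "__main__":
    ledger = SeedLedger()
    shop = ledger.plant("shop.example", shares_with_third_parties=False)
    news = ledger.plant("news.example", shares_with_third_parties=True)
    # Constructed observations: (recipient address, domain of the sender).
    observed = [(shop, "shop.example"), (shop, "ads.example"),
                (news, "partner.example"), ("alice@example.net", "ads.example")]
    for f in audit(ledger, observed):
        print(f"policy violation: {f['address']} contacted by {f['sender']}")
```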


Activity: WebTrust

Documents Reviewed: <www.cica.ca>
WebTrust principles & criteria for business-to-consumer electronic commerce, October 15, 1999.

Obtaining the Seal: To obtain the WebTrust Seal of assurance, the Web site must meet all the WebTrust Principles as measured by the WebTrust Criteria associated with each of these principles. The management of the Web site will make such assertions by filling out a self-assessment questionnaire. In addition, the entity must: (1) engage a Certified Public Accountant (CPA-U.S.) or Chartered Accountant (CA-Canada) practitioner who has a WebTrust business license from the American Institute of Certified Public Accountants (AICPA-U.S.), Canadian Institute of Chartered Accountants (CICA-Canada), or other authorized national Accounting institute to provide the WebTrust service and (2) obtain an unqualified report from such practitioner.

Standards: The audit standard is pursuant to the CICA Section 5025 Standards for Assurance Engagement or CPA Section SSAE1. The CICA and CPA standards and requirements for an Assurance Engagement are similar.

Objective: To assure potential customers that a CPA or CA has evaluated the Web site's business practices and controls to determine whether they are in conformity with the WebTrust Principles and Criteria for Business-to-Consumer E-commerce, and has issued a report with an unqualified audit opinion indicating that such principles are being followed in conformity with the WebTrust Criteria.

These principles and criteria reflect fundamental standards for business practices, transaction integrity, and information protection.

Process: Once the seal is obtained, the Web site will be able to continue displaying the seal provided that it can obtain an unqualified audit report. The frequency of the audits will be based on:

a) The nature and complexity of the Web site's operation.

b) The frequency of significant changes to its Web site.

c) The relative effectiveness of the Web site's monitoring and change management controls for ensuring continued conformity with the WebTrust Criteria as such changes are made.

d) The auditor's professional judgment.

Enforcement: Seal (a digital certificate) withdrawal if the Web site is not able to obtain an unqualified audit report. In such situations, the auditor will advise the seal manager (a trusted third party organization) and the Web site to initiate withdrawal. This will electronically revoke the seal.


Information and Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400
Toronto, Ontario
Canada M5S 2V1

416-326-3333
1-800-387-0073

Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539

Website: www.ipc.on.ca

Office of the Federal Privacy Commissioner

Level 8 Piccadilly Tower
133 Castlereagh Street

Sydney NSW 2000 Australia
+61 2 9284 9600

Fax: +61 2 9284 9666
TTY (Teletypewriter): 1-800-620-241

Website: www.privacy.gov.au