 |
|
BATHE YOUR SITE IN SEALS OF PRIVACY ASSURANCE
Source: ECommerce-Guide.com
Posted on September 30, 2000
With visible seals from a third party certification scheme that attests to your Web site's security and privacy practices, consumers can better trust that their personal and transactional information will be kept private, secure, and confidential. In this week's column you'll learn where you can find the information to participate in these programs.
Why Is Independent Certification Needed?
Even as electronic commerce is booming, consumer wariness of online buying still remains far too high if the goals to supplant Mail Order/Phone Order (MOTO) shopping are to ever be realized. Continued fears of credit card theft, stolen identities, and other security and privacy threats certainly won't disappear overnight, but with efforts like those described, perhaps those fears will eventually lose their stranglehold on e-business. An online seal is a certification program that allows Web sites to validate their privacy policies and consumers to easily identify Web sites adhering to specified information practice principles, typically by seeing the seal prominently displayed on the home page. Seal programs represent another effort in the move for the online industry to self-regulate. Unlike the Platform for Privacy Preferences (P3P) however, seal programs generally involve a third party that requires the site operator to submit to a rigorous application process and performs periodic site reviews after the seal is granted.
Because business owners often assume too much about their internal practices, independent verification of your actual business activities helps you to gain the insights of professionals and would-be data thieves to discover what you'd likely miss on your own. Proponents of seal programs believe this use of a third party -- whose goals are to obtain and evaluate business goals and policies -- reassures the consumer of the objectivity and reliability of the seal. They also believe that a seal program offers a consistent and predictable implementation of its policies, and that the same principles are applied to small online retailers as they are to major corporations. Just as the Underwriter's Laboratories (UL) seal on electrical items helps consumers to gain confidence that manufacturers claims of safety are real, Web privacy seals of assurance helps your shoppers to gain confidence that the data they share with you will remain safe.
Characteristics of a Seal Program
According to the Online Privacy Alliance, a seal program should exhibit the following characteristics:
- Ubiquity -- the seal program should be far-reaching and be readily recognizable by consumers
- Comprehensiveness -- the seal program should cover data of varying degrees of sensitivity.
- Accessibility -- the user should easily be able to locate, use, and understand a seal.
- Affordability -- the cost of the program should not limit business from using it regardless of size. It will be tied to the complexity of the site, the amount of data collected, how it is used and distributed, etc. This may or may not be a function of the size of the company.
- Integrity -- the seal provider should be able to enforce its policies and protect the integrity of the seal.
- Depth -- the seal provider should be able to support its client base including complaints about violations of online privacy policies.
The three prevailing seal programs described here include:
- BBBOnline
- CPAWebtrust
- TRUSTe
BBB Online Privacy
The BBBOnline Privacy Seal signifies that an online merchant meets the highest standards for the treatment of personally identifiable information. Companies that qualify must post privacy notices telling consumers what personal information is being collected and how it will be used. Qualifying Web sites commit to abide by their posted privacy policies, and agree to a comprehensive independent verification by BBBOnline. The Privacy program also gives consumers a mechanism for resolving disputes. The BBBOnline's privacy seal is backed by the Council of Better Business Bureaus (CBBB). As an extension of the BBB brand, the BBBOnline's privacy seal carries high name recognition and trust that helps to build consumer confidence.
In April 1997, the Council of Better Business Bureaus recognized the need to gain expertise in Internet commerce and created the BBBOnline subsidiary to specialize in e-commerce consumer protection and business self-regulation needs. To create its Privacy Program, BBBOnline worked closely with business leaders and representatives from major corporations with expertise and leadership in the e-commerce arena:
- America Online
- American Express
- AMR Corporation (American Airlines & Travelocity)
- AT&T
- BankAmerica
- Dell
- Dun & Bradstreet
- Eastman Kodak
- Equifax
- Experian
- Ford
- Hewlett-Packard
- IBM
- Intel
- J.C.Penney
- MCI WorldCom
- Microsoft
- New York Times Electronic Media
- Procter & Gamble
- Reed Elsevier (parent company of LEXIS-NEXIS)
- Sony
- US West
- Viacom
- Xerox
BBBOnline will help to resolve customer complaints using the same approach as the off-line BBB process. The first step encourages the business and the consumer to resolve the complaint between themselves. If this fails, BBBOnline steps in, providing a consumer-oriented process to resolve the complaint. Businesses that repeatedly violate their own policies will have their BBBOnline seal revoked. They'll then be publicly identified, and the most serious or frequent offenders will have the violations reported to the proper government agency, including the FTC.
The BBBOnline Kids Privacy Program
The BBBOnline Kids Privacy program is a part of BBBOnline Privacy intended for businesses with Web sites that are directed to children to demonstrate their commitment to protecting children's privacy online. When you see a BBBOnline Kid's Privacy seal, it means that the business has not only met BBBOnline's Privacy seal requirements, but that it is in full compliance with the privacy protection self-regulatory guidelines of the Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus.
Web sites that carry the BBBOnline Kid's Privacy seal must:
- Obtain parental consent before any personal information can be collected, used or disclosed
- Obtain parental consent before children are allowed to post or communicate directly with others
- Provide warnings and explanations in easy-to-understand language
- Avoid collecting more information than necessary to provide children's games and activities
- Be careful in the way they provide hyperlinks
- Follow strict rules when sending email
The BBBOnline Kid's Privacy requirements are based upon the guidelines of the Online Privacy Alliance, the Council of Better Business Bureaus' Children's Advertising Review Unit, and the Children's Online Privacy Protection Act (COPPA). The BBBOnline Seals are shown in Figure 1 below. For additional information about the BBBOnline seal programs, visit the BBB Web site.
CPAWebtrust
Another initiative comes from the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accounts (CICA). The CPA WebTrust seal of integrity offers consumers an independent professional's opinion that attests to a merchant's online trustworthiness.
The WebTrust Seal Of Assurance (shown below in Figure 2) symbolizes that a CPA or Chartered Accountant (CA) has evaluated a business' practices and controls to see if they're in conformance with the WebTrust Principles and Criteria For Business-To-Consumer Electronic Commerce. Launched in late-1997, these principles embody fundamental standards for business practices, transaction integrity, and information protection. Auditors check that goods ordered are actually shipped, that payment account information is quickly removed from company Web Servers after it's entered, that confirmation data is provided to the buyer at order completion time, and that contact data is provided to help consumers in the event of order handling or processing problems.
Consumers can verify a seal's authenticity by clicking on it. If it's legitimate, a graphical certificate appears instructing the buyer on ways to view the underlying WebTrust certificate, as shown below in Figure 3. The certificate that's shown attests that it was issued as a result of a WebTrust examination, issued to the company operating the commerce site, and provides the physical address of the business. Without a legitimate certificate behind it, the seal should not be considered valid.
To obtain a WebTrust seal, business owners provide the following statements to their CPA or CA:
- Disclosure of business practices for e-commerce and evidence of successful execution of transactions in accordance with these practices.
- Presence of and adherence to effective controls that assure that orders placed via the e-commerce channel were completed and billed as agreed.
- Presence of and adherence to effective controls to assure that consumer's private information obtained during the course of transacting is not being used by anyone not related to the company.
These assertions are stated for a three-month period of time or longer and reviewed in detail by the CPA or CA. After the review, CPAs or CAs perform their own sets of tests and provide a professional opinion that bolster management's representations of their site's compliance with WebTrust Principles. Continued use of the seal is offered so long as businesses inform the CPA or CA of any changes that may affect ongoing compliance with the principles, and so long as the CPA or CA regularly updates their independent examination of management's assertions of compliance. The WebTrust Seal Management Process is operated by Verisign Inc. who provides Class 3 Digital Certificates. After Verisign receives an auditor's unqualified report on the company, they allow the seal's display for a specific period of time. Verisign also provides the site owner with an applet that enables consumer communications directly with the seal manager to display the audit report and certificate data.
More information about the program may be found at the CPA WebTrust Web site.
In Web We Trust...
To further encourage privacy self-regulation, the TRUSTe Program is intended to help companies implement appropriate privacy practices without undue government legislation or specific mandates. The TRUSTe logo (shown below in Figure 4) symbolizes that a site owner has committed to disclosing their privacy practices to the public and is backed by TRUSTe's assurance process. TRUSTe's goals are to provide:
- Online consumers with control over their personal information
- Web publishers with a standardized, cost-effective solution for both satisfying the business model of their site and addressing consumers' anxiety over sharing personal information online
- Government regulators with demonstrable evidence that the industry can successfully self-regulate
Web site owners agree to:
- Disclose their information management practices in their privacy statement
- Display the TRUSTe Mark
- Adhere to their own privacy practices
- Cooperate with all review activities
Initially and periodically, TRUSTe reviews the site and seeds it with personal user information to assure continued compliance. They also perform periodic conformance reviews with their auditors PricewaterhouseCoopers, LLP and KPMG Peat Marwick.
The Roots Of TRUSTe
TRUSTe grew from an idea during a lecture on trust at Esther Dyson's PC Forum in March 1996. Among the attendees were Lori Fena, Executive Director of the Electronic Frontier Foundation (EFF), and Charles Jennings, founder and CEO of Portland Software. After the lecture, the two were introduced by a mutual friend who knew that each had espoused the need for branded symbols of trust on the Internet similar to UL Labs or Good Housekeeping "seals of approval." Over the next few months, Fena and Jennings gathered up a small team of interested Internet electronic commerce pioneers, and they met regularly to draw up plans and develop criteria for bringing TRUSTe to the Internet. The group unanimously agreed on two cornerstone principles to govern the TRUSTe program:
1. Users have a right to informed consent; and
2. No single privacy principle is adequate for all situations.
The Privacy Partnership
In late 1998, several major TRUSTe objectives were realized. Several major Internet portal sites joined with TRUSTe to launch the Privacy Partnership campaign. The Privacy Partnership is a grassroots consumer education campaign to raise awareness of the privacy issue. At the same time, TRUSTe launched a major Web site redesign, featuring a new identity rooted in "Building a Web You Can Believe In." Accompanying this was a new license agreement, written to incorporate the fair information practices recommended by the FTC and the Department of Commerce. The new agreement also features a Children's Seal and accompanying requirements for children's sites.
For more information, visit the TRUSTe Web Site.
Summary
So how do you decide which seal program is best for you? Most companies are concerned about cost, but that should not be your overriding concern. Seal programs typically use tiered cost structures, based on either the complexity of the site and the amount of data collected and how it is used, or revenue size of the company. BBBOnline, for example, ties its cost structure to the annual sales (offline and online) of the company. A company with $1 million or less in total company sales would pay a one-time application fee of $75 and an annual assessment evaluation fee of $150 (ranging to $5,000/yr for companies with over $2 billion in annual sales). Do your investigative homework carefully, and one of the programs may leap out as the best for your business and your customers.
Once you have chosen a seal program, you'll likely find this set of steps to obtain your seal:
- Complete the business application and in some cases, pay a nominal application fee
- Complete a compliance assessment questionnaire. The questionnaire will determine your eligibility for a privacy program seal. You must be able to demonstrate that you have implemented a privacy policy and appropriate data security measures, and that your information management practices abide by your policy.
- Submit the completed participation agreement to the seal program.
- Once your questionnaire has been evaluated and your site has been reviewed for compliance, you will receive instructions on how to install the seal on your Web site
-
Confidence Breeds Confidence
As people demand more in the way of assurances for safety, security, and confidentiality of information, the industry will continue to respond with increasingly better solutions. While efforts like BBBOnline, CPAWebTrust, TRUSTe, and others expand and flourish, the explosive growth of e-commerce that industry experts proclaim might arrive sooner than anyone predicts. If a little bad press goes a long way, just think where a lot of good press will take you!
E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca
In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
|
|
ALERT
ARCHIVES
Final Entries
2012
2011
2010
2009
2008
2007
2006
2005
2004
2003
2002
2001
2000
1999
WebTrust Is Your
Best Defense
Against
Privacy Breaches.
Get WebTrust
Working For
Your Site.
|
