December 2002 -- Volume 6 -- Number 11 -- newsletter@truste.org
 

 
NOV/DEC TOP 5 PRIVACY STORIES
 

  1. Wanna See My Personal Data, Pay Up (BusinessWeek - November 21, 2002)
  2. TRUSTe Tightens Requirements for Its Seal of Approval (Computer World - December 11, 2002)
  3. Homeland Security Bill Raises Net Privacy Issues (Reuters - November 11, 2002)
  4. Ad Firms Set Rules for Web Tracking Bugs (Business Week - November 27, 2002)
  5. Online Privacy Service Globalizes (OptIn News - December 1, 2002)

From the Desk of the Executive Director:
2002 -- A Year of Strengthening the Enforcement Arm of TRUSTe.

The Politics of Privacy:
What will 2003 bring for Privacy in Washington, DC, Sacramento and Beyond? John Kamp explains.

Industry Insider:
Whither Privacy Post 9/11? An excerpt from the new book Privacy Payoff illustrates that while security and privacy were thought to be at odds after September 11, one can complement the other to create a business edge.

TRUSTe TIPS:
Monthly privacy tips for our members. This month: License Agreement 8.

Stay Current: 
Privacy and Security Events.

Bits & Pieces: 
Current TRUSTe happenings and how to take advantage of them.

 


Guideline-based Approaches to Emerging Privacy Practices
By Fran Maier

A very important but often forgotten part of our program is our effort around compliance and enforcement. From TRUSTe's inception in 1997, we recognized that without the means and ability to enforce our program requirements, we would not be able to build a seal and certification program that consumers would trust and turn to. Without a program with "teeth," we would not be able to stand out for consumers as an organization which values privacy.

In the past year, we've invested heavily in improving our compliance- and enforcement-related efforts to build our accountability and an even stronger privacy certification and seal program. Here's a snapshot:

  1. License Agreement 8.0. Last month I gave a quick preview of TRUSTe 8.0. As your company renews you'll be upgrading to TRUSTe 8.0 and demonstrating your voluntary agreement to stand by these standards. Since TRUSTe's launch in 1997, we've updated our license agreement seven times in order to respond to changes in the marketplace and new technologies by codifying best practices.

  2. Customer Database and Watchdog Dispute Resolution Process. Throughout this year, we've been building improved systems to better serve you and our certification and compliance staff. We have upgraded our technology infrastructure to automate aspects of the Watchdog Dispute Resolution Program allowing for increased scalability and improved responsiveness to the growing number of Watchdog complaints filed each year.

  3. Watchfire. We're employing new technologies to help us abide by the "Trust, But Verify" maxim. Most notably we are using Watchfire technology, which provides for an automated and systematic means for ongoing monitoring of changes to the privacy statement and data collection processes.

  4. Appeals Panel. We are formalizing an appeals panel to further support organizations and consumers in our Watchdog Dispute Resolution process. The appeals board provides accountability not only for TRUSTe licensees, but also for Watchdog program practices.

I often respond to common misperceptions regarding TRUSTe. One is that every organization gets certified. Another is that certification is a simple process. In fact, as you well know, certification has many steps and we often turn companies away. With the help of our new systems, we are better able to track certification rate and the reasons for non-certification. This year, many organizations are not able to implement COPPA requirements (which are law), as well as Choice and EU Safe Harbor. These problems translate into lengthy certification for some and, at times, companies simply do not make the revisions or changes necessary for certification, and thus are not awarded the TRUSTe seal. A robust certification process strengthens TRUSTe's brand and your company's use of the seal.

Transparency and accountability are essential ingredients of trust. TRUSTe's own transparency leads to greater accountability among our entire member base. As we move into 2003, we're looking forward to building on this foundation.

 
 


Forecasting Movement in 2003
By John Kamp, Wiley Rein and Fielding

My crystal ball is foggy on the details of new privacy legislation from Washington next year, but three things are very likely:

1. SPAM legislation will be taken up quickly and will pass, but will not solve the problem because SPAM from other countries will continue unabated.

2. Financial service firms, and maybe everyone else, will sweat as Congress "reauthorizes" critical banking regulations.

3. TRUSTe licensees will be well prepared for any new federal mandates.

To give you more perspective, I suggest you think about the perspective of four of the best privacy wonks I know. Only two of the four reside in Washington, ensuring that at least half of them have good sense. Then, keep an eye on several key policy makers identified below. They are all fascinating characters to watch, and what they do can change your business.

Watchwords from Privacy Wonks

Jennifer Barrett, Acxiom, says the conditions look right for the "Perfect Storm" of privacy legislation next year. She points to the convergence of several forces, including increasing interest by three sectors: 1. state legislators and Attorneys General, 2. Federal Congressional Committee leaders, and 3. companies and their trade associations.

Tony Hadley, Experian, gave us all early warning about what may be the darkest storm cloud over this first session of the 108th Congress. Critical provisions of the Fair Credit Reporting Act (FCRA) expire in 2004 if not "reauthorized" in 2003, particularly those allowing conglomerate financial service companies to share customer information with affiliates. Whenever a bill must pass, it inevitably draws scores of amendments from interested parties from across the political spectrum. Sometimes such a bill becomes a "Christmas tree" with both pretty and ugly decorations.

Jerry Cerasale, head of the DC Office of the DMA, just announced that DMA will support restrictions on SPAM next year. Although not a pure privacy measure, last year's stalled SPAM bill will likely pass quickly next year with much Congressional chest pounding, building momentum for other privacy legislation.

Trevor Hughes, newly appointed executive director of the International Association of Privacy Officers, concedes that Internet cookies and web beacons are not currently top of mind in the U.S. Still, he cautions us to keep an eye on the Europeans, whose well-intentioned but sometimes hasty regulations often cross the pond.


Privacy Players to Watch

Senator Shelby, the new Republican Chairman of the Senate Banking Committee, has been one of the most fervent proponents of privacy legislation and now heads the committee that has primary responsibility for the Fair Credit Reporting Act. Expect an early proposal by Shelby that includes broad restrictions on sharing of financial information that could reach well beyond traditional banking and other financial services. If there is a perfect storm, this could be its center.

Senator McCain, the returning Chairman of the Senate Commerce Committee, is as fiercely independent on privacy as everything else, and will demand Commerce Committee concurrence on any broad measure proffered by Senator Shelby. Although conservative and very skeptical of the more regulatory measures proposed by Chairman Hollings this year, McCain defers to no one unless it helps him forge a legislative compromise.

Representatives Tauzin and Stearns, Chairmen of the House Commerce Committee and the House Consumer Subcommittee, held extensive hearings and circulated several drafts of privacy legislation last session that will shape the debate and likely become the earliest House bill to move next year.

Representative Oxley, House Banking Committee Chairman, will control early discussion of FCRA reauthorization and will likely propose a much more business friendly version than Senator Shelby. A fresh face to this, expect Oxley to be conservative, smart and affable, but no push-over for his rival Tauzin on the Commerce Committee.

FTC Chairman Muris and Commissioners Swindle and Leary command a solid three-vote majority that has moved aggressively against privacy violators but openly doubt the need for more legislative authority over privacy and e-commerce. Expect more high-profile fraud cases, and strong emphasis on security measures that support privacy promises. If you have not recently reviewed your security measures, a quick review of the recent actions against Microsoft and Lilly will get your attention.

Meanwhile, your attention to your customers is your best way to stay out of the crosshairs of any of these Washington policy makers. Listen to customers and give them the privacy they demand. Make clear and understandable privacy promises, then keep them.

 
 


Whither Privacy, Post 9/11?
By Ann Cavoukian and Tyler Hamilton

On a date now referred to as 9/11, the unimaginable occurred. In the space of two hours, the United States experienced the most destructive and horrific act of terrorism in its history. The North American public - indeed, the whole world - suddenly felt vulnerable. We all wanted to feel more secure, even if that meant sacrificing civil liberties and personal freedoms, including privacy. There followed a groundswell of support for invasive security technologies and increased public surveillance, particularly in the United States.

The U.S. Congress pushed through the U.S.A. Patriot Act, giving intelligence authorities new powers of investigation and surveillance that made it easier to intercept e-mail, tap phone calls and use satellite-tracking and video-monitoring techniques. Previously controversial covert technologies, such as the FBI's Carnivore e-mail sniffer (now called DCS1000) and keystroke-logging program Magic Lantern, were now considered less contentious tools of investigation. The rules had changed in this war against terror. Privacy took a back seat - or so it seemed.

But in the months after 9/11, heightened fear and anxiety were gradually replaced by sober second thought. Questions began to be asked about the perceived conflict between privacy and security and the distinctive roles of government authorities and the private sector. Must privacy and security be viewed as mutually exclusive polar opposites? Or can security be achieved alongside privacy, making both complementary components in a smartly crafted program? Is it not possible for technologies of security to enhance privacy at the same time? And why are we so quick to blur the line between government objectives related to public safety and private-sector objectives related to consumer protection? It's one thing for a law-enforcement authority to install facial-recognition technology at an airport or to monitor, consistent with legal process, e-mail communications of suspicious members of the public; it is quite another when a business sells lifestyle information, medical data or financial information to another or monitors the Internet surfing of consumers without obtaining their consent or giving proper notice.

Evidence indicates that concerns about privacy have not abated since 9/11. Indeed, we may be in for a consumer and political backlash against overly intrusive security initiatives that fly in the face of liberty. For many in the business community who have been able to see through the emotional and political reaction to Sept. 11, privacy is just as important today as it ever was.

"Sept. 11 has changed many things, but it hasn't changed our privacy strategy," said Harriet Pearson, chief privacy officer of International Business Machines Corp. "What has changed is the emphasis with which people were once talking about privacy. I spend a lot of time now discussing the need to balance privacy with security, and the need for privacy policies within business as a matter of maintaining trust." Pearson says fewer people are talking about privacy from what she calls a "purist, civil liberties" perspective, but she adds that this isn't necessarily a bad thing. "We've said all along that privacy is a matter of balance."

Several chief privacy officers interviewed were unanimous in their declaration that the government's battle against terrorism has not substantially changed their corporate privacy practices. The message was clear: We stand by our privacy policies unless forced to comply with the law. Building consumer trust continues to be a top priority.

Evidence that consumer privacy gained newfound momentum after 9/11 emerged in the months that followed.

Perhaps the most significant sign that consumer privacy remains at the forefront of industry concern came on Jan. 15, 2002, when Bill Gates sent a memo to Microsoft employees titled "Trustworthy Computing." In this memo, the founder and chairman of the world's largest software firm elevated security and privacy to the "highest priority" for Microsoft's future Web strategy, known as .Net.

Clearly, Bill Gates had seen the writing on the wall. In his memo, he wrote that pursuing the four key aspects of Trustworthy Computing - which he outlined as availability, security, privacy and trustworthiness - was seen as integral to the company's future success. "The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways." Gates added, "Users should be in control of how their data is used. Policies for information use should be clear to the user."

There are some who question whether Gates will be able to back up his words with action, but consensus in the industry is that the path has been laid for others to follow. And at no time has following this path become so crucial to the future health and commercial viability of the new economy. Identity theft in North America is rampant. Hackers are keeping one step ahead of law enforcers. Junk mail is out of control and is likely to get far worse when wireless Internet and location-based technologies take hold. Internet viruses and worms are more harmful and persistent than ever, and while we're all waiting with bated breath for the next big "event," their numbers continue to quietly multiply. Cookies, Web bugs, spyware and other technologies of surveillance have become more sophisticated, easier to use and cheaper to deploy.

Is it any wonder why consumers are worried about their privacy; about losing control over their own personal information? Such worries ultimately affect consumer confidence, and companies that can build back this confidence and establish trusting relationships with consumers stand to benefit the most. Earning that trust means more than simply complying with the privacy laws and regulations that have emerged across North America, Europe and parts of Asia, which all establish rules for collecting, using and sharing personally identifiable information. An increasing number of businesses realize that trust is a currency in the new economy, and profiting from this economy means proactively obtaining as much of this currency as possible.

Herein lies the privacy payoff - a payoff for businesses, consumers, investors, the Internet, the economy, and our global society as a whole.

The Privacy Payoff is published by McGraw-Hill Ryerson. Released in September 2002, the 332-page book can be purchased at www.barnesandnoble.com or www.amazon.com.

 

 
 


TRUSTe TIPS: Monthly Tips on Privacy for Our Members
This Month: Introducing License Agreement 8

In December, TRUSTe launched version 8 of its license agreement. The new agreement is available now at the TRUSTe website. As new companies join the TRUSTe program, or as current members undergo the annual recertification, they will adopt the standards and policies set forth in version 8. This is the culmination of a yearlong effort and ongoing commitment to strengthen the certification and compliance elements of the TRUSTe program.

TRUSTe periodically revisits its license agreement to ensure it best reflects emerging trends and technologies, evolving practices, and systemic issues that impact consumer privacy. With substantive input from policymakers, regulators, consumer groups and other leaders in the privacy arena, TRUSTe continues to codify best practices into new versions of its agreement. Moving forward, TRUSTe will take a similar approach, but will also incorporate the use of guidelines to best anticipate implementation issues and gather additional data points from the community at-large.

Changes to the license agreement adopted in version 8 include:

  • Choice for Sharing with Third Parties: Requires companies to provide consumers with the choice to opt-out before sharing their personal information with any third party unless the sharing is part of a third-party service relationship. Choice no longer hinges on a company's definition of its primary business purpose.

  • Policy Change Requirements: Requires licensees to adhere to user preferences for a specified period of time. These preference changes, also known as "Shelf Life Preferences", must be maintained for no less than 12 months with up-front disclosure of intended changes. Furthermore, companies must notify consumers as to the length of time their preferences will remain fixed at the time of registration and via email when preferences expire.

  • Consumer Notice: Requires companies to gain TRUSTe approval on all notices of a change in practice, to best ensure clarity and robust notice.

  • Privacy Policy Consistency: Clarifies the requirement that companies ensure that their Comprehensive Privacy Statement is consistent with all other privacy disclosures, such as FAQs and P3P statements.

If you have any questions about the new license agreement, please call your TRUSTe Account Manager or send email to inquiries@truste.org.

 

 
 


The International Association of Privacy Officers Third Annual Privacy Summit

Date: February 26-28, 2003

Location: Hilton Washington, Washington, D.C.

For more information, please visit www.privacyassociation.org

 


TRUSTe Announces 2003 Price Schedule - Members Encouraged to Renew Certification and Receive Rate Protection for up to Two Years.

Effective January 1, 2003, TRUSTe will be raising its license fees. TRUSTe is currently accepting renewals under the normal price schedule. Members can also take advantage of a new 2-year certification package and rate protect themselves through 2004. Complete renewal applications must be received by December 31, 2002.

For renewing members, please contact George Mamashiani by phone at 415-618-3403 or by email at george@truste.org. For new members, please contact Michelle Lucas by phone at 415-618-3402 or by email at mlucas@truste.org.

TRUSTe Unveils New International Privacy Service - Enables Companies to Globalize Their Privacy Approach

On November 25, TRUSTe launched its International Privacy Service to certify privacy policies and offer its dispute resolution services in foreign languages for United States-based companies with global operations. This news signifies TRUSTe's move to help companies maximize their share of the $12.8 trillion in global online trade expected by 2006, according to Forrester Research, and help consumers worldwide make informed privacy choices.

Microsoft Corp. is the first company to make use of TRUSTe's International Privacy Service, extending TRUSTe's privacy policy certification and Watchdog Dispute Resolution to all 14 of its foreign language MSN Web sites serving the European Union. Driven by demand from TRUSTe members like Microsoft, TRUSTe has begun offering these services to help companies further their trusting relationships with customers regardless of geographic locale or language.

"Our objective is to establish MSN as the most trustworthy Internet service worldwide by incorporating privacy best practices into products, policies and compliance efforts," said Diane McDade, privacy product manager for MSN. "Through this expansion of their policy certification and dispute resolution services, TRUSTe's International Privacy Service is helping MSN add another layer of privacy assurance to our European customers."

To learn more about the TRUSTe International Privacy Service, please visit http://www.truste.org/about/international_privacy_services.html.

 


Got Feedback?

We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to editor@truste.org.

 
Privacy Goes International -- TRUSTe is gearing up to launch a Privacy Translation Services program to help companies globalize their privacy strategy. Stay tuned for details next month. To learn more, please contact our business development staff at 415-618-3402.



TRUSTe is currently compiling case studies of privacy in action, highlighting the best practices of our members. If you would like to participate in our case study program, please contact Dave Steer by email at dsteer@truste.org.