
Notice

True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment

This document has been published in the Federal Register.


AGENCY:

Federal Trade Commission.

ACTION:

Proposed Consent Agreement.

SUMMARY:

The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

DATES:

Comments must be received on or before December 17, 2014.

ADDRESSES:

Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/trusteconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.—Consent Agreement; File No. 132 32193” on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/trusteconsent by following the instructions on the Web-based form. If you prefer to file your comment on paper, write “True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.—Consent Agreement; File No. 132 32193” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024.


FOR FURTHER INFORMATION CONTACT:

Jamie Hine (202-326-2188), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.


SUPPLEMENTARY INFORMATION:

Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for November 17, 2014), on the World Wide Web, at http://www.ftc.gov/os/actions.shtm.

You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before December 17, 2014. Write “True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.—Consent Agreement; File No. 132 32193” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.

Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which . . . is privileged or confidential,” as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).[1] Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.

Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/trusteconsent by following the instructions on the Web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.

If you file your comment on paper, write “True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.—Consent Agreement; File No. 132 32193” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before December 17, 2014. You can find more information, including routine uses permitted by the Privacy Act, in the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

The Federal Trade Commission has accepted, subject to final approval, an agreement containing an order from True Ultimate Standards Everywhere, Inc. (“TRUSTe”).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission again will review the agreement and the comments received and will decide whether it should withdraw from the agreement or make final the agreement's proposed order.

This matter involves respondent's marketing and distribution of a variety of online privacy seals (“seals”) for companies to display on their Web sites. The FTC complaint alleges that respondent violated Section 5(a) of the FTC Act by falsely representing to consumers the frequency with which it reviews and verifies the practices of companies displaying its Web site and mobile seals. Specifically, the complaint alleges that from June 1997 until January 2013, respondent failed to conduct annual recertifications for almost 1,000 companies holding respondent's TRUSTed Web sites, COPPA/Children's Privacy, EU Safe Harbor, TRUSTed Cloud, TRUSTed Apps, TRUSTed Data, and TRUSTed Smart Grid seals. In addition, the complaint alleges that respondent provided to its sealholders the means and instrumentalities to misrepresent that respondent is a non-profit corporation. The FTC complaint describes, with specificity, that following respondent's transition to a for-profit corporation in July 2008, respondent recertified numerous clients whose privacy policies continued to describe TRUSTe as a non-profit entity.

The proposed consent order contains provisions designed to prevent respondent from engaging in similar acts and practices in the future. Part I of the proposed order prohibits respondent from misrepresenting (1) the steps respondent takes to evaluate, certify, review, or recertify a company's privacy practices; (2) the frequency with which respondent evaluates, certifies, reviews, or recertifies a company's privacy practices; (3) the corporate status of respondent and its independence; and (4) the extent to which any person or entity is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy program sponsored by respondent. Part II of the proposed order prohibits respondent from providing to any person or entity the means and instrumentalities (including any required or model language for use in any privacy policy or statement) to misrepresent any of the same items in Part I of the proposed order.

Parts III and IV of the proposed order contain additional reporting requirements with respect to respondent's COPPA/Children's Privacy seal. First, the proposed order expands respondent's COPPA recordkeeping and reporting requirements to ten years. Second, the proposed order requires respondent to report (1) the number of new seals it awards; (2) how it assesses the fitness of members; and (3) any additional steps it takes to monitor compliance with the safe harbor requirements. Third, the proposed order expands respondent's COPPA requirement to retain consumer complaints and descriptions of disciplinary actions to include consumer complaints related to respondent and its safe harbor program participants as well as all documents related to disciplinary actions taken by respondent. Fourth, the proposed order imposes additional COPPA recordkeeping requirements, such as a requirement that respondent retain detailed explanations of assessments of new and existing applicants in any COPPA safe harbor program.

Part V of the proposed order requires respondent to pay $200,000 to the United States Treasury as disgorgement.

The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed complaint order or to modify in any way the proposed order's terms.

By direction of the Commission, Commissioner Ohlhausen voting “yes,” consistent with the views expressed in her partial dissent.


Donald S. Clark,

Secretary.


Statement of Chairwoman Edith Ramirez, Commissioner Julie Brill, and Commissioner Terrell McSweeny

We write to express our strong support for the complaint and consent order in this case.

The Commission unanimously supports Count I of the complaint in this matter, which is of paramount importance, in light of TRUSTe's unique role in increasing consumer trust in the global marketplace and ensuring the effectiveness of relevant self-regulatory frameworks. TRUSTe operates privacy-related self-regulatory and oversight programs for businesses and offers certified privacy seals for program participants, including (1) COPPA/Children's Privacy, which certifies compliance with the Children's Online Privacy Protection Act and implementing regulations; (2) EU Safe Harbor, which certifies compliance with the U.S.-EU Safe Harbor Framework; (3) TRUSTed Apps, which certifies the privacy practices of mobile applications; and (4) APEC Privacy, which certifies compliance with the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System.[1]

In Count I, the Commission alleges that TRUSTe promised consumers it would annually recertify its self-regulatory program participants for compliance with TRUSTe's privacy program requirements, but that, in many instances, it failed to do so. Annual recertification is a cornerstone of the service TRUSTe provides. It helps ensure that companies (1) continue to follow TRUSTe's program requirements, (2) do not make material changes to their practices or policies without appropriate consent, and (3) periodically consider the impact of technology and marketplace developments in their privacy practices. TRUSTe did not fulfill its obligations; today's order helps to ensure that TRUSTe will do so in the future. Consumers who see the TRUSTe seal on a Web site or mobile app should be confident that a trusted third party has kept its promise to review and vouch for the privacy practices of that Web site or mobile app.

We also believe that Count II represents an appropriate use of “means and instrumentalities” liability. At the time TRUSTe provided model language for its clients' privacy policies stating that TRUSTe was a nonprofit entity, there is no question that the statement was true. However, after TRUSTe informed clients of its for-profit status in 2008, many clients neglected to update their policies and continued to represent that TRUSTe was a nonprofit entity. These ongoing representations by TRUSTe's clients clearly became deceptive once TRUSTe converted to a for-profit entity. Yet for five years, TRUSTe continued to recertify some companies that included this deceptive statement, that TRUSTe itself had disseminated, in their privacy policies. TRUSTe was well-positioned to rectify the misrepresentation about its own corporate status—it could have elected simply not to recertify the companies in question until the misrepresentation was cured. It failed to take this straightforward step and instead continued to bless the language at issue by giving the companies its seal of approval.

In Shell Oil Company and FTC v. Magui Publishers, Inc., which Commissioner Ohlhausen cites in her statement, the Commission concluded that by providing customers with deceptive statements, the respondent furnished the means and instrumentalities for its clients to engage in deceptive acts or practices.[2] In this case, although TRUSTe disclosed to clients its change in status, it continued to recertify privacy policies using language TRUSTe had itself supplied about its corporate status that was no longer true. TRUSTe's recertification of these inaccurate privacy policies is the conduct we take aim at—it provided a stamp of approval of a false representation which TRUSTe's clients then passed along to consumers via their Web sites. As such, TRUSTe provided its clients with the means and instrumentalities to deceive others. The application of means and instrumentalities liability in this case is consistent with the principle underlying Shell and Magui Publishers, namely, that one who places the means of deception in the hands of another is also liable for the deception under Section 5.[3] The inclusion of this count is particularly appropriate here, given TRUSTe's unique position in the privacy self-regulatory ecosystem. Companies that purport to hold their clients accountable to protect consumer privacy should themselves be held to an equally high standard.

Partial Dissent of Commissioner Maureen K. Ohlhausen

I support Count I of the complaint in this matter because of TRUSTe's unique position of consumer trust as a third party certifier. However, I do not support the use of “means and instrumentalities” liability in Count II of the complaint and dissent as to that Count.

TRUSTe was initially organized in 1997 as a non-profit. Before July 2008, TRUSTe required every certified client Web site to include in its privacy policy a description of TRUSTe stating in part, “TRUSTe is [a] non-profit organization.” On July 3, 2008, TRUSTe changed its corporate form from non-profit to for-profit. The company announced the change to its clients and requested that all clients update the relevant privacy policy language on their Web sites. Some clients did not update their Web sites. When TRUSTe recertified such Web sites, TRUSTe would typically request, but not require, that the client update their privacy policy to reflect the change to for-profit status.

Count II of our complaint alleges that by recertifying Web sites containing privacy policies that inaccurately describe TRUSTe as a non-profit, TRUSTe provided the means and instrumentalities to its clients to misrepresent that TRUSTe was a non-profit corporation. The majority's statement argues that TRUSTe, by “recertify[ing] a statement that was untrue,” provided to its clients the means and instrumentalities to deceive consumers.[1]


I disagree with this use of means and instrumentalities. To be liable of deception under means and instrumentalities requires that the party itself must make a misrepresentation, as the Commission detailed in Shell Oil Company.[2] According to the majority in that case, “[T]he means and instrumentalities doctrine is intended to apply in cases . . . where the originator of the unlawful material is not in privity with consumers” and “it is well settled law that the originator is liable if it passes on a false or misleading representation with knowledge or reason to expect that consumers may possibly be deceived as a result.” [3] For example, in FTC v. Magui Publishers, Inc., the court found the defendant directly liable for providing the means and instrumentalities to violate Section 5 when it sold Salvador Dali prints with forged signatures to retail customers, who then sold the prints to consumers.[4]

Unlike Shell and Magui Publishers, the statement that TRUSTe provided to its clients was indisputably truthful at the time. During the period in which TRUSTe required client privacy policies to state that TRUSTe was a non-profit, TRUSTe was, in fact, a non-profit. Once TRUSTe changed to for-profit status, it no longer required clients to state its non-profit status and actively encouraged clients to correct their privacy policies. TRUSTe did not pass to clients any false or misleading representations regarding its for-profit status. Nor was TRUSTe's recertification of Web sites a misrepresentation of TRUSTe's non-profit status to its clients; during recertification TRUSTe again clearly communicated its for-profit status to clients by requesting that its clients update their privacy policies. Because TRUSTe accurately represented its non-profit status to its clients, TRUSTe cannot be primarily liable for deceiving consumers under a means and instrumentalities theory.

TRUSTe's alleged recertifications of untrue statements are more properly analyzed as secondary liability for aiding and abetting.[5] In Magui Publishers the court found that the defendant forgers were not only directly liable for their own misstatements, but also secondarily liable for the retailers' fraudulent misrepresentations to consumers because defendants “supplied their deceptive art work, certificates and promotional materials to their retail customers with full knowledge these customers would use the materials to deceive consumers.” [6] The court explained that aiding and abetting has three components: “(1) The existence of an independent primary wrong; (2) actual knowledge by the alleged aider and abettor of the wrong and of his or her role in furthering it; and (3) substantial assistance in the commission of the wrong.” [7]

It is not clear that TRUSTe's clients committed an independent primary wrong. However, TRUSTe certainly had knowledge of the misstatements in the privacy policies and of TRUSTe's role in facilitating those misstatements. And, arguably, its certifications may have provided substantial assistance in deceiving consumers. Regardless, because TRUSTe never misrepresented its corporate status, TRUSTe's actions regarding its corporate status at most comprise aiding and abetting its clients' actions.

Perhaps all this seems like legal hairsplitting, but it is not. Under the Supreme Court's decision in Central Bank of Denver v. First Interstate Bank of Denver,[8] the FTC “may well be precluded from bringing Section 5 cases under an aiding and abetting theory.” [9] By prosecuting activities more properly analyzed as aiding and abetting under the guise of means and instrumentalities liability, I am concerned that we are stepping beyond the limits the Supreme Court has established. I therefore dissent from Count II.


Footnotes

1.  In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c).


1.  TRUSTe's APEC Privacy certification program was not the subject of the allegations in the complaint. TRUSTe became an “Accountability Agent” for the APEC Cross-Border Privacy Rules System in June 2013, and issued its first certification under that program in August 2013.


2.  In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999); FTC v. Magui Publishers, Inc., No. 89-3818RSWL(GX), 1991 WL 90895 (C.D. Cal. Mar. 28, 1991), aff'd 9 F.3d 1551 (9th Cir. 1993).


3.  Commissioner Ohlhausen suggests that the allegations underlying Count II would be more appropriately viewed through the lens of secondary “aiding and abetting” liability. Regardless of whether one could construct alternative theories of liability, our concern is with TRUSTe's own actions. As discussed above, the deception here was the result of TRUSTe's own actions.


1.  In the Matter of True Ultimate Standards Everywhere, Inc., FTC File No. 1323219, Statement of Chairwoman Edith Ramirez, Commissioner Julie Brill, and Commissioner Terrell McSweeny, at 2 (Nov. 17, 2014).


2.  In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999).


3.  Id. at *10 (Public Statement of Chairman Pitofsky, Commissioner Anthony and Commissioner Thompson) (emphasis added). Similarly, Commissioner Orson Swindle's dissent stated that under FTC precedent, “means and instrumentalities is a form of primary liability in which the respondent was using another party as the conduit for disseminating the respondent's misrepresentations to consumers.” Id. at *14-15 (Dissenting Statement of Commissioner Orson Swindle) (emphasis added). Swindle's dissent likewise emphasized that a defendant “may not be held primarily liable unless it has actually made a misrepresentation.” Id. (quoting In re JWP Inc. Securities Lit., 928 F. Supp. 1239, 1256 (S.D.N.Y. 1996)). See also FTC v. Magui Publishers, Inc., Civ. No. 89-3818RSWL(GX), 1991 WL 90895, at *14, (C.D. Cal. 1991), aff'd, 9 F.3d 1551 (9th Cir. 1993) (“One who places in the hands of another a means or instrumentality to be used by another to deceive the public in violation of the FTC Act is directly liable for violating the Act.”).


4.  Magui Publishers, Inc., 1991 WL 90895, at *17.


5.  “[A] respondent who has provided assistance to another party that has made misrepresentations is at most secondarily liable—in particular, for aiding and abetting another's misrepresentations.” Shell Oil Co., 128 F.T.C. 749, *15 (1999) (Swindle Dissent) (citing Wright v. Ernst & Young LLP, 152 F.3d 169, 175 (2d Cir. 1998), cert. denied, 119 S.Ct. 870 (1999); Shapiro v. Cantor, 123 F.3d 717, 720 (2d Cir. 1997); Anixter v. Home-Stake Production Co., 77 F.3d 1215, 1225 (10th Cir. 1996) (“the critical element separating primary from aiding and abetting violations is the existence of a representation, made by the defendant.”)).


6.  Magui Publishers, Inc., 1991 WL 90895, at *15.


7.  Id. at *14.


8.  Cent. Bank, N.A. v. First Interstate Bank, N.A., 511 U.S. 164 (1994).


9.  Shell Oil Co., 128 F.T.C. 749, *19 (Swindle Dissent).


[FR Doc. 2014-27733 Filed 11-21-14; 8:45 am]

BILLING CODE 6750-01-P