The TRUSTe Seal: Everything You Need to Know About the Granddaddy of Trustmarks

At the ripe old age of 24, the TRUSTe seal is the granddaddy of trustmarks. And while it's not quite as influential as it used to be, it still may be worth having on your website to earn brand trust.

Some trust badges indicate your affiliation with prominent industry organizations; others announce to customers that your website’s payment processing is safe and secure. From TRUSTe's beginnings in the early days of e-commerce, its purpose has been to tell your website visitors that your privacy policy meets the highest standards of data governance.

TRUSTe: An Online Privacy Pioneer

TRUSTe started as a non-profit association to foster online commerce by helping organizations self-regulate privacy concerns. It wanted online businesses to work together to address the rising privacy fears of consumers. This was decades before anyone had ever thought about the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) or the dozens of other consumer data privacy regulations that exist today.

TRUSTe was a trailblazer from the start.  Among its achievements, it was the first organization to form a framework encompassing both U.S. and European data privacy standards in 2000. A lot has happened since then, but TRUSTe has continued its mission to ensure internet users can feel confident that their data and browsing experiences are secure.

TRUSTe has also been a leader in advocating for the privacy of children’s data online, and has helped set standards to control spam emails—which, like data privacy, have today moved from self-regulation to a governmental regulatory model.

Enduring Its Share of Reputation Challenges

The company has not been without its own reputation management issues, however.

As early as a 2002 Wired Magazine article,  critics have questioned whether the TRUSTe certification can be trusted. As with most trust seals, such as the Better Business Bureau accreditation seal, companies have to pay for certification and the right to display the TRUSTe seal. This led journalist Paul Boutin of Wired to suggest that "TRUSTe officials often seemed to be covering for their clients" rather than enforcing their own standards. 

These accusations were seconded by Harvard economics researcher Ben Edelman, who asserted that TRUSTe-certified companies were actually less trustworthy than uncertified companies based on his research. He specifically cited the 2008 case of Coupons.com, a company that had earned the TRUSTe seal but nevertheless "stored data in deceptive filenames and registry entries designed to look like part of Windows." Edelman said Coupons.com continued this practice even after TRUSTe claimed that the company had corrected it.

In  2014, the Federal Trade Commission announced that TRUSTe had agreed to settle a complaint that it misrepresented its recertification program with a $200,000 penalty. The FTC complaint alleged that from 2006 to 2013, TRUSTe failed, in over 1,000 instances, to conduct annual privacy checks as promised on the companies it certified.

TRUSTe Remains a Valued Trustmark

TRUSTe has emerged from these controversies bloodied but unbowed.

According to surveys, the TRUSTe seal continues to strike a positive note with consumers visiting not just e-commerce sites, but any website that asks visitors to entrust it with their private data. It communicates to visitors that you take protection and privacy of their personal data seriously. 

Today, TRUSTe offers multiple certifications and verifications, for the U.S. and worldwide. TRUSTe says of its Enterprise Privacy & Data Governance Practices seal:

Companies who display the TRUSTe Certified Privacy seal have demonstrated that their privacy policies and practices meet the TRUSTe Enterprise Privacy & Data Governance Practices Assessment Criteria.

TRUSTe monitors ongoing compliance through annual recertifications and complaints received through the Privacy Feedback mechanism.

All companies that display this seal are solely responsible for their own privacy practices and for promptly notifying TRUSTe of any changes that might affect their certification status.

TRUSTe is responsible only for the privacy practices applicable to it as expressly described in the privacy policy for the TrustArc group of companies and is not responsible for the privacy practices of any other company.

It's fair to say that TRUSTe is no longer the preeminent trustmark to website visitors. Many have never heard of the organization or know of its history, and many other entities and regulations have stepped forward in the privacy and security space.

But the most recent data shows that TRUSTe is still one of the 10 most recognized trust seals. And with recognition comes trust.

TrustArc and TRUSTe Seals Today

TRUSTe currently functions as the certification subsidiary of TrustArc. The parent company was renamed to TrustArc in 2017. The company is based in San Francisco.

According to the blog post announcing this change, “The TrustArc name reinforces our deep privacy expertise developed over the past two decades along with our ongoing expansion into new technology-powered solutions.”

TrustArc offers a variety of TRUSTe seals and TRUSTe certifications that companies can display on their website to assure clients of their compliance with the guidelines that the seal represents. Companies obtain TRUSTe seals is by going through an assessment process conducted by TrustArc. Then, the TRUSTe team guides the company through any remediation required to make their privacy program compliant with certification standards.

Once the necessary changes have been made, the company is awarded the TRUSTe seal along with a Letter of Attestation that can be shared with business partners as proof of compliance.

Current TRUSTe certifications include:

TRUSTe Enterprise Privacy Certification

This TRUSTe certification on a company’s website demonstrates that it is aligned with TrustArc’s Privacy & Data Governance Framework. This framework is an amalgamation of several regulatory standards consisting of but not limited to: 

• The OECD Privacy Guidelines
• The APEC Privacy Framework
• The EU General Data Protection Regulation (GDPR)
• The U.S. Health Insurance Portability and Accountability Act (HIPAA)
• ISO 27001

TRUSTe International Privacy Verification

This seal demonstrates that a company is compliant with the EU-U.S. Privacy Shield Framework. The framework comprises a set of guidelines instituted to protect people’s personal data handled by companies operating in the EU and US.

TRUSTe APEC CBPR and PRP Privacy Certifications

Similar to the International Privacy Seal, these two trustmarks demonstrate a company’s compliance with the APEC Privacy Framework. APEC or the Asia-Pacific Economic Cooperation has put forth two standards under their framework that companies need to abide by in order to handle the personal data of people living in the Asia-Pacific region. These two standards are: 

1. APEC CBPR for Data Controllers: If your business identifies as a data controller, the APEC CBPR Certification signifies that all the set requirements for collecting, retaining, processing, and utilizing personal data are fulfilled.
2. APEC PRP for Data Processors: For corporations that act as data processors, the APEC PRP Certification says that the company meets all the requirements for assisting data controllers.

TRUSTe Privacy Shield Verification

The Privacy Shield Verification is an assessment service offered by TrustArc for companies to align their privacy policy with the principles laid out in the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively called the “Privacy Shield” Frameworks). TrustArc’s assessment checks for compliance with seven principles embodied by the Privacy Shield. These are: 

• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement, and Liability

With regards to Privacy Shield compliance, TrustArc offers three verification packages for customers to choose from. The most basic is the “Dispute Resolution Package”, which lets companies harness TrustArc’s expertise to address or resolve any privacy inquiries raised by consumers or end-users, as per the terms of Privacy Shield.

The most fully featured option, known as the “Privacy Shield Verification Package,” offers comprehensive guidance for making companies fully compliant with Privacy Shield. This includes not only assessing their privacy practices and setting up a searchable audit trail, but also constant monitoring and remediation assistance. Once compliance is established, the company is awarded the TRUSTe Verified Privacy seal and the Letter of Attestation.

The mid-tier package known as the “Privacy Shield Assessment Package” does not offer constant monitoring or the TRUSTe Verified Privacy seal but includes all the other core services required for companies to align themselves with “Privacy Shield”.

CCPA Validation

The California Consumer Privacy Act (CCPA) regulation applies to all companies that harness consumer data for their business. In essence, CCPA comprises four rights that California consumers enjoy, namely: -

1. “Right to know” how a business collects their data and uses/shares it.
2. “Right to delete” any personal information collected from a user that they no longer want to share.
3. “Right to opt-out” of having their personal information sold.
4. “Right to non-discrimination” when exercising all rights granted to them under the CCPA.

The CCPA Validation report can be displayed on a company’s website to demonstrate their compliance with CCPA following an independent assessment by TrustArc.

TRUSTe EDAA Trust Seal

The EDAA or European Interactive Digital Advertising Alliance mandates that companies collecting user data for targeted or Online Behavioral Advertising (OBA) must do so in accordance with a set of guidelines.

TRUSTe is an EDAA-sanctioned certification provider. To that end, TrustArc assists companies in making their practices compliant with the terms set forth by the EDAA and awards them the EDAA Trust Seal after all prescribed changes are made.

TrustArc GDPR Validation

The General Data Protection Regulation or GDPR is a comprehensive set of guidelines instituted by the European Union in 2016 that all companies using customer data of the people living in EU nations must abide by. In addition, the regulation puts down specific terms and conditions applicable to data controllers and processors.

GDPR mandates that data must be anonymized whenever possible, and data controllers must design systems centered around user privacy. The mandate puts down six lawful bases under which any user data can be processed, namely consent, contract, public task, vital interest, legitimate interest, or legal requirement. For a company to collect and use personal data, its function must fall under at least one of them.

TrustArc offers two options for validating a company’s GDPR compliance. One is called the GDPR Program Validation, and the other is known as GDPR Practices Validation. Each caters to a different aspect of GDPR compliance.

TrustArc’s evaluation process requires companies to be aligned with GDPR articles and ISO 27001 standards, TrustArc privacy standards, and the Data Governance Accountability Framework.

If a company clears all of TrustArc’s evaluations, they are awarded a OnePIN badge. OnePIN is a leading provider of User Agreement services and has teamed up with TrustArc to certify GDPR compliance.

Back to the Future with TrustArc

As important as online privacy was to consumers in the early days of the internet, it's fair to say that issues like how to balance personalization and privacy are even more hotly contested today—with the biggest tech companies in the world on the hot seat.

Which puts TrustArc—and its TRUSTe subsidiary—right where the action is.

To apply for a TRUSTe seal, visit TrustArc's website.