
Gellman, Robert --- "TrustE fails to justify its role as privacy arbiter" [2000] PrivLawPRpr 53; (2000) 7(6) Privacy Law and Policy Reporter 118

TrustE fails to justify its role as privacy arbiter

Robert Gellman

Both TrustE and BBBOnline, two of the online privacy seal programs, offer privacy dispute resolution for consumer complaints about violations of privacy in the online environment. These programs have been around for a while, so it is time to look at how they and the organisations that sponsor them work.

My conclusions are based on what I found on the websites of the two organisations at the end of August. First, I consider TrustE.

Dispute resolution programs are especially important because of the critical role they play under the EU’s safe harbor agreement with the US Department of Commerce. One of the biggest sticking points in reaching that agreement was enforcement. How would American companies in the safe harbor be held accountable and provide effective remedies to consumers? One solution accepted by the EU was to recognise that self-regulatory mechanisms backed by federal agency review would be sufficient. It is an open question whether federal agencies such as the Federal Trade Commission (FTC) would really pay attention to complaints arising from private internet dispute resolution mechanisms. The FTC’s track record on privacy is highly limited. Other agencies with similar responsibilities in other areas, such as the Department of Transportation, have no track record on privacy at all.

Before we get to the secondary enforcers, however, we need to know whether the primary privacy dispute resolution mechanisms have any substance, credibility or utility.

TrustE does not make it easy to review its dispute resolution program. The TrustE website offers no statistics, formal decisions or rules. It is unclear who is making decisions on disputes. Reports of some ‘investigations’ are publicly posted, but they are hard to evaluate because so little is available. Some, but not all, of the public investigation reports have numbers that suggest that many complaints have been received. What were the other complaints about, and what happened to them? We do not know. TrustE does not even offer a summary.

Is the TrustE dispute process fair or valuable to companies or to consumers? I cannot tell. Is TrustE trying to keep from the public eye a dispute process that does not work or provide any meaningful remedies for consumers? Maybe TrustE just doesn’t care or doesn’t think anyone else will.

TrustE’s lack of interest in public accountability is troubling and undermines the credibility of the program. It would be easy to make more information about the dispute resolution process available on the website.

TrustE has taken a lot of flak from privacy and internet people because of its inability to address some privacy violations by its seal holders. TrustE’s defence was that the violations did not relate to website activities covered by the privacy seal. The response may have been correct, but it only underscored the limitations of seal programs generally and the shortcomings of self-regulation. It looked to many as if TrustE was exonerating the companies that fund TrustE’s operations. It did not help that big, bad Microsoft was one of the companies that TrustE let off the hook. TrustE’s one-line comment that Microsoft’s actions did ‘compromise consumer trust and privacy’ was too little, too late.

TrustE was embarrassed again when an internet security firm revealed that the TrustE website was using cookies and Web bugs to track visitors to its website. TrustE quickly stopped these practices and blamed a third party company hired to count website visitors. But the episode only displayed the sloppiness of TrustE. If TrustE does not pay attention to what is happening on its own website, who will believe that it really oversees the operations of others? Even worse, TrustE said it thought the company was only collecting non-personally identifiable IP addresses. The trouble with that defence is that some IP addresses are potentially identifiable. So is TrustE just being sloppy again, or does it fail to understand internet technology?

With this last episode, TrustE may have exhausted any welcome that it had on the internet. TrustE is becoming a symbol of what is wrong with internet self-regulation. The EU has accepted TrustE dispute resolution for purposes of the safe harbor, but I have to wonder if it really looked at what TrustE is doing.

At present, I cannot find a good reason to advise a consumer with a privacy complaint against a TrustE seal holder to bother filing a complaint with TrustE. The consumer might do better looking for one of the many hungry trial lawyers who are searching for new class action privacy suits.

Next issue: BBBOnline does a better job than TrustE, but that isn’t saying much.

Robert Gellman is a Washington-based privacy and information policy consultant and former chief counsel to the House subcommittee on information, justice, transportation and agriculture.

This article originally appeared in the 2 October issue of DM News, the journal of the US Direct Marketing Association. It is reproduced by kind permission of the journal and the author.

This is the first of two articles on privacy seal programs, the second of which will appear in the next issue of PLPR — Editor
