The VeriSign of Privacy? TRUSTe Scales Up and Tackles Mobile, Cloud, and Ads
(Page 4 of 4)
developers of mobile apps for enterprises. “One customer said that they were dealing with a Fortune 500 company that was going to download their app onto all of their employees’ phones, until they realized they didn’t own the phones,” Babel says. “The client told them ‘The only way we will buy this in this quarter is if you get the app certified by TRUSTe.’”
In the cloud computing area, TRUSTe works with companies that host other companies’ data—frequently including customer PII. Think of a payroll provider, for example, that stores address information for its clients’ employees. TRUSTe checks that cloud providers have appropriate privacy policies regarding their clients’ data, and that they’re being followed. Cloud providers can then use TRUSTe’s certification letter in their sales pitches. “I was a little skeptical [about cloud privacy certification] because I didn’t think our brand message was going to work as well” in the business-to-business market, Babel confesses. “But the team said, ‘Let’s soft-launch it and get it out there and see.’ And this piece is now 5 to 10 percent of our bookings, and it’s growing really nicely.”
But does TRUSTe have teeth? Are all of these certifications and automated audits backed by the threat of enforcement if the company finds privacy breaches? The organization has had its critics over the years. Back in 2008, Benjamin Edelman, an assistant professor at Harvard Business School, documented a case in which a TRUSTe client, Coupons.com, failed to change allegedly deceptive downloadable-software practices even after TRUSTe investigated and supposedly resolved customer complaints. “Hard-hitting rules are particularly unlikely when certification authorities get paid for each certification they issue—but get nothing for rejecting an applicant,” Edelman wrote.
But Babel says there are plenty of cases where clients’ TRUSTe seals have been pulled due to consumer complaints. He says TRUSTe was the first to report former client Classic Closeouts to the Federal Trade Commission in 2009 after the company began making unauthorized charges to its customers’ credit and debit cards. A legal case eventually resulted in a $2 million judgment against the discount-clothing company, which is now defunct.
Babel also says that a consistent 8 to 12 percent of all companies who apply to TRUSTe for privacy certification fail to complete the process—usually because they’re unwilling to implement the policy changes TRUSTe requires. Doing the privacy analysis and other background checks on companies that don’t ultimately become paying customers “is a cost sink for us,” says Babel. “But if that rate went to zero, I’d worry that we are just certifying everyone. That will catch up with you and damage the brand.”
As much work as it’s doing to broaden its services, there’s still a lot of room left for growth in TRUSTe’s original market—privacy certification on the Web. Babel says that at least half of the companies that collect personal data online—meaning their sites include at least one form for entering a name or e-mail address—don’t have published privacy policies. Moreover, advancing technology makes the Web a far more complicated place than it used to be, which ups the pressure on e-retailers, publishers, social networks, and other companies to be transparent about their privacy practices, and to make sure their partners meet the same standards. “The number of parties a consumer is dealing with when they touch a website isn’t just one anymore, it’s four or 10 or 20,” Babel says. “So the underpinnings of each of [TRUSTe's markets] excite me quite a bit.”
“What we have learned is that when companies don’t have transparency about what their actions are, consumers think the worst,” says Maier. For example, she says TRUSTe’s own surveys have found that when consumers are informed that behavioral advertisers don’t have personally identifiable information about them—e.g., that the shoe ad they’re seeing is there only because they’ve visited five shoe sites in the last week—their animosity over the practice goes way down. And consumers especially like the ability to opt out of practices like behavioral tracking—even if they rarely use it. “Once you give people choices, whether or not they decide to exercise that choice is almost irrelevant,” Maier says. “If it’s exercised, there has to be accountability. But just the fact of giving people some sort of redress tends to build trust.”