The VeriSign of Privacy? TRUSTe Scales Up and Tackles Mobile, Cloud, and Ads

It’s taken me a long time to figure out TRUSTe. I’ve been to their offices, which are in a swanky building on Second Street in San Francisco’s Financial District, about three times in the last 10 months. But my last story about the company was back in September 2010, when it introduced some new privacy certification services for makers of mobile apps. The oddity about TRUSTe—the thing I couldn’t get my head around, until recently—is that the organization is a for-profit business that’s paid by other companies to verify that their online privacy practices meet its standards. Most of the other bodies that do this kind of thing, like the International Organization for Standardization (ISO) or Underwriters’ Laboratories, are non-profits—as TRUSTe itself was until 2008. I couldn’t understand why anyone would trust TRUSTe, when its revenue comes from the very companies it monitors. In economics, after all, that’s called “regulatory capture.”

The tension I was sensing is real—and, in fact, TRUSTe has taken heat in the past for lax enforcement of its own privacy standards. But in the course of several conversations with TRUSTe CEO Chris Babel and president Fran Maier, I’ve come to realize that I was thinking about the company in the wrong way. It’s not really a regulatory or standards organization, and never was. It’s more akin to a Progressive Era industry association—sort of like the Better Business Bureau or the Good Housekeeping Institute—built to tackle an Internet-age problem. Its job is to dispense a virtual seal of approval, to help assure consumers that when they visit TRUSTe-certified sites, they aren’t putting their private information at risk. Once that trust is in place, the concept goes, everyone can get on with business.

It’s also wrong to think of TRUSTe as a detective bureau, full of people running around investigating consumer complaints. It does have staffers who do that, but increasingly, TRUSTe is a technology company. It’s got software that automatically generates privacy policies, software that crawls and scans websites for potential privacy holes, software that automates opt-out programs for behavioral advertising, software that can help your Web browser block tracking cookies. In fact, it’s only by automating such processes, Babel says, that TRUSTe can keep up with the Internet’s growth and make its services accessible to more companies.

TRUSTe CEO Chris Babel

“The most frustrating question I get is, ‘Oh, TRUSTe, I recognize that, you’re that non-profit that has people doing privacy certification, right?’” Babel says. “I love the fact that people have seen the seal, they know it and recognize it and trust it. But we as a company have not gotten the message out well that in terms of our technological underpinnings, we’re really more like a three-year-old startup.”

It was looking at Babel’s own professional background that finally helped me understand TRUSTe’s current mission as a for-profit company. He came to the company from VeriSign, where he managed the Secure Sockets Layer (SSL) business, selling the certificates that website owners use to encrypt communications with visitors’ browsers. That part of VeriSign has since been sold to Symantec, but under Babel’s leadership it hit the 500,000-customer mark—and he has similar ambitions for TRUSTe. “All of the same customers who were buying an SSL certificate should also have a privacy policy,” he argues.

TRUSTe has a long way to go to hit that level—it’s only got 4,500 paying customers, who represent just a sliver of the overall e-commerce market. But that’s still a big increase over the 1,800 clients that TRUSTe had when Babel came on board two years ago. With $22 million in venture funding from Accel Partners, Baseline Ventures, DAG Ventures, and Jafco Ventures, the company has been scaling up fast—it’s now got 95 employees, including 35 in sales (up from four when Babel arrived), 30 in engineering (also up from four), and 20 in support and operations. And in the last year, it has expanded way beyond its initial focus on website privacy certification, adding services in three burgeoning areas where privacy questions are gaining urgency: advertising, mobile apps and websites, and cloud computing.

“Our pitch is that you need the best privacy policy on the planet,” says Babel. “That’s as unsexy as it gets as a sales pitch. But when you place the seal on your site”—or app, or ad, or cloud service—“you tend to see your customers buying more.”

* * *

TRUSTe exists because of the constant pressure that technology places on our personal boundaries. The truth is that the more personally identifiable information or “PII” that your favorite travel site, airline, wireless carrier, newspaper, or social networking site has about you, the more customized the services and content they can offer. It’s inevitable that as software engineers and marketers think up new services, they’ll be tempted to use that information in ways that you might not be comfortable with.

“PII is like uranium: quite valuable, but more than a little dangerous when it falls into the wrong hands,” wrote Lori Fena and Charles Jennings in their 2000 volume The Hundredth Window. When they wrote the book, Fena was chair of the Electronic Frontier Foundation, and Jennings was an Internet entrepreneur who had founded Internet startups like Preview Systems, GeoTrust, and Supertracks. It was a manifesto of sorts for TRUSTe, which Fena and Jennings had founded in 1997 with the mission of encouraging websites to disclose their privacy policies, so that consumers could know how their personal information was being collected and used. Sites that did so, and that paid a licensing fee, were allowed to display the TRUSTe seal.

But these days, simply having a privacy policy doesn’t cut it. You also have to adhere to it—and you have to give your users easy ways to control how much they share. These are all tough challenges, as the endless saga of Facebook’s evolving privacy settings illustrates. Part of the problem is that Silicon Valley culture seems hard-wired to think about computer security—which is a simple problem of debugging code until all of the vulnerabilities have been removed—but not so much about privacy, which is “so different, and much more complicated,” in the estimate of Maier, TRUSTe’s president, executive chair, and former CEO. (She handed the title to Babel in 2009.) Privacy is “nuanced, personal,” Maier says. “What I want might be different from what you want. There is not a common enemy, like hackers. It’s more of a contract between the individual and the company. We hold the companies to whatever promises they have made.”

TRUSTe president Fran Maier

Fena and Jennings set up TRUSTe as a non-profit, and Maier, who had previously co-founded, kept that model when she joined in 2001. She says the organization grew from $1 million in licensing revenues that year to $5 million by 2006, and was always cash-flow positive. It recruited top brands as licensees, from Apple and Adobe to the New York Times and the NFL. But it was a manual operation, and there was never enough money to hire serious engineering or product-development teams to build automated systems.

That became a problem as tech-savvy competitors began to crop up. For example, one startup called Scan Alert, later bought by McAfee, developed a form of automated A/B testing that allowed it to prove to business customers that its “Hacker Safe” certificates improved sales of downloadable software, an area TRUSTe had also entered. “Our whole franchise was at risk,” Maier says. “I realized that we were going to become a boutique if we didn’t start to address the issues in a way that was more scalable and impactful.”

Maier formed a plan to incorporate and raise venture funding, but she says TRUSTe’s board was initially skeptical. In fact, she says she had to threaten to resign to get them to go along. But most of TRUSTe’s clients had the opposite reaction. “They said, ‘We don’t care about your non-profit status, we just want to be sure you continue to do what you’re doing, and to the extent that you can grow your brand, that is only good for us,’” Maier recounts.

The changeover was finalized in 2008, when TRUSTe pulled in $10 million in Series A funding from Accel and Baseline. The next year, Maier—who says her strengths are in branding, marketing, and relationships, not operations and technology—hired Babel away from VeriSign.

Babel points out that his first months at TRUSTe, in late 2009 and early 2010, coincided with a remarkable flareup of privacy-related controversies. Silicon Valley startup NebuAd was taking heat for using so-called “deep packet inspection” software to help Internet service providers monitor consumers’ Web browsing habits and serve them targeted ads. Facebook was still smarting over Beacon, a system that used information about members’ activities on external websites to serve them targeted ads inside Facebook. Google was being blasted for mistakenly collecting Wi-Fi browsing data as part of its Street View mapping project, and for weak privacy settings in its Buzz microblogging service. In a settlement with the Federal Trade Commission, the search giant agreed to conduct annual privacy audits for the next 20 years. (NebuAd and Beacon are now dead, and Google announced last week that it’s killing Buzz.) “You basically had privacy concerns becoming foremost in businesses’ and consumers’ minds,” says Babel.

That new awareness has enabled TRUSTe to speed up its growth on all fronts, beginning with the flagship website certification program. “Historically we were seeing 10 to 20 percent growth [per year],” says Babel. “Now we have kicked it up to 100 percent.”

That’s thanks in part to new low-cost services that TRUSTe is selling through partners such as Web hosting providers Tucows and eNom for just $10 to $60 a year—far below the $500 to $100,000 per year that the traditional licensees pay. For those prices, TRUSTe merely generates a privacy policy, but doesn’t actually certify a site—or it scans the site with automated software and offers the seal, but only for low numbers of page views. All of these down-market experiments are drawn from Babel’s experience at VeriSign. “We had 500,000 [SSL] customers but only 300 of them were spending over $50,000 a year, and the lowest was spending $6,” Babel says.

But at the same time, TRUSTe has been diversifying. Big Web brands, which used to provide nearly all of the company’s business, now account for only about 70 percent of TRUSTe’s revenue, Babel says. The second-biggest source—about 15 percent—is the new “TRUSTed Ads” program.

TRUSTed Ads is tailored to work with the “Self-Regulatory Program for Online Behavioral Advertising,” a voluntary system set up last year by a group of ad-industry trade organizations called the Digital Advertising Alliance. In essence, this is an effort by the advertising industry to preempt Congressional action that might ban or severely limit behavioral advertising, in which records of people’s browsing activities are used to place ads that match their interests. Such records usually aren’t connected to personally identifiable information, but behavioral advertising is controversial anyway, since it often occurs without users’ explicit permission. Publishers, advertisers, and ad networks participating in the voluntary program agree to place special “AdChoices” icons on or near any Web ad placed using behavioral information. That’s where TRUSTe comes in: companies pay the organization to make the AdChoices icon show up on their ads. If a user clicks on the icon, TRUSTe displays a privacy notice and an interactive opt-out screen.

Already, TRUSTe is serving up the AdChoices icon 650 million times a day—a sign that the idea of giving consumers more control over the ads they see is “finally moving into the mainstream,” in Babel’s view. Other companies like Evidon and DoubleVerify offer support for the new AdChoices icon, but Babel says TRUSTe offers superior tracking and reporting, so that advertisers can see exactly how many consumers are opting out. (Serving those hundreds of millions of icons, by the way, depends on rock-solid infrastructure technology, which is where Babel says he’s been directing a lot of the company’s engineering investment.)

The last 15 percent of TRUSTe’s revenue comes from its mobile and cloud certification programs. On the mobile side, as I explained in my piece last year, TRUSTe helps app developers craft privacy policies and then certifies that they’re being followed. This program only has a few hundred customers so far, Babel says, but it’s particularly interesting to developers of mobile apps for enterprises. “One customer said that they were dealing with a Fortune 500 company that was going to download their app onto all of their employees’ phones, until they realized they didn’t own the phones,” Babel says. “The client told them ‘The only way we will buy this in this quarter is if you get the app certified by TRUSTe.’”

In the cloud computing area, TRUSTe works with companies that host other companies’ data—frequently including customer PII. Think of a payroll provider, for example, that stores address information for its clients’ employees. TRUSTe checks that cloud providers have appropriate privacy policies regarding their clients’ data, and that they’re being followed. Cloud providers can then use TRUSTe’s certification letter in their sales pitches. “I was a little skeptical [about cloud privacy certification] because I didn’t think our brand message was going to work as well” in the business-to-business market, Babel confesses. “But the team said, ‘Let’s soft-launch it and get it out there and see.’ And this piece is now 5 to 10 percent of our bookings, and it’s growing really nicely.”

But does TRUSTe have teeth? Are all of these certifications and automated audits backed by the threat of enforcement if the company finds privacy breaches? The organization has had its critics over the years. Back in 2008, Benjamin Edelman, an assistant professor at Harvard Business School, documented a case in which a TRUSTe client,, failed to change allegedly deceptive downloadable-software practices even after TRUSTe investigated and supposedly resolved customer complaints. “Hard-hitting rules are particularly unlikely when certification authorities get paid for each certification they issue—but get nothing for rejecting an applicant,” Edelman wrote.

But Babel says there are plenty of cases where clients’ TRUSTe seals have been pulled due to consumer complaints. He says TRUSTe was the first to report former client Classic Closeouts to the Federal Trade Commission in 2009 after the company began making unauthorized charges to its customers’ credit and debit cards. A legal case eventually resulted in a $2 million judgment against the discount-clothing company, which is now defunct.

Babel also says that a consistent 8 to 12 percent of all companies who apply to TRUSTe for privacy certification fail to complete the process—usually because they’re unwilling to implement the policy changes TRUSTe requires. Doing the privacy analysis and other background checks on companies that don’t ultimately become paying customers “is a cost sink for us,” says Babel. “But if that rate went to zero, I’d worry that we are just certifying everyone. That will catch up with you and damage the brand.”

As much work as it’s doing to broaden its services, there’s still a lot of room left for growth in TRUSTe’s original market—privacy certification on the Web. Babel says that at least half of the companies that collect personal data online—meaning their sites include at least one form for entering a name or e-mail address—don’t have published privacy policies. Moreover, advancing technology makes the Web a far more complicated place than it used to be, which ups the pressure on e-retailers, publishers, social networks, and other companies to be transparent about their privacy practices, and to make sure their partners meet the same standards. “The number of parties a consumer is dealing with when they touch a website isn’t just one anymore, it’s four or 10 or 20,” Babel says. “So the underpinnings of each of [TRUSTe’s markets] excite me quite a bit.”

“What we have learned is that when companies don’t have transparency about what their actions are, consumers think the worst,” says Maier. For example, she says TRUSTe’s own surveys have found that when consumers are informed that behavioral advertisers don’t have personally identifiable information about them—e.g., that the shoe ad they’re seeing is there only because they’ve visited five shoe sites in the last week—their animosity over the practice goes way down. And consumers especially like the ability to opt out of practices like behavioral tracking—even if they rarely use it. “Once you give people choices, whether or not they decide to exercise that choice is almost irrelevant,” Maier says. “If it’s exercised, there has to be accountability. But just the fact of giving people some sort of redress tends to build trust.”

Wade Roush is the producer and host of the podcast Soonish and a contributing editor at Xconomy.
