TrustArc is a privacy compliance technology company based in San Francisco, California. The company provides software and services to help corporations update their privacy management processes so they comply with government laws and best practices.
History
TrustArc, was founded as a non-profit industry association called TRUSTe in 1997 by Lori Fena, then executive director of the Electronic Frontier Foundation, and Charles Jennings, a software entrepreneur, with the mission of fostering online commerce by helping businesses and other online organizations self-regulate privacy concerns. In 2000, TRUSTe became the first organization to join the Safe Harbor framework of the U.S. Department of Commerce and the European Union, and subsequently launched its EU Safe Harbor Seal Program. The EU-US Safe Harbor was agreed upon by the Department of Commerce and the EU to provide a framework for American companies to comply with European data and privacy standards. In 2001, TRUSTe became a Children's Online Privacy Protection Act Safe Harbor organization for the Federal Trade Commission and thereafter launched its Children's Privacy Seal Program. That year, Fran Maier, who had helped build Match.com and had been running the company following the departure of its co-founder, Gary Kremen, joined the organization as Executive Director. One of her first efforts was to address consumer issues with email spam, which at the time was estimated to comprise 59 percent of all email traffic. The same year, TRUSTe's founding Executive Director, Susan Yamada, who was formerly editor of Upside Magazine, resigned, though later went on to serve as board chair. In 2008, TRUSTe changed its structure from a non-profit industry association to a venture-backed for-profit company, raising its first round of capital from Accel Partners. This raised the question of whether a for-profit company would be less stringent on the companies it certifies than a non-profit. In November 2009, Chris Babel, former Senior Vice President of VeriSign's worldwide Authentication Services, joined TRUSTe as chief executive officer. Maier remained active in the company until 2014, serving variously as president, CEO and board chair. In 2013, TRUSTe was approved by the as an official certification provider for the EU Self-Regulatory Programme for Online Behavioural Advertising. The same year, TRUSTe was named the first approved Accountability Agent for the Asia-Pacific Economic Cooperation's Cross Border Privacy Rules System. In 2016, in an effort to help companies prepare for the European Union's General Data Protection Regulation, which extends the scope of the EU data protection law established in 1995 to all foreign companies processing data of EU residents, TRUSTe partnered with the International Association of Privacy Professionals to offer free compliance assessments of a company's privacy practices. On June 6, 2017, the company changed its name from TRUSTe to TrustArc.
Services
TrustArc's certification subsidiary, TRUSTe, provides privacy dispute resolution services, designed to help oversee consumer requests and complaints regarding the privacy practices of those companies participating in TRUSTe's program.
Criticism and Controversies
A Wired article in 2002 questioned whether TRUSTe certification could be trusted, noting that "TRUSTe officials often seemed to be covering for their clients" rather than revoking privacy seals for violations. In January 2006, Harvard economics researcher Benjamin Edelman published a study showing that sites with TRUSTe certification were 50 percent more likely to violate privacy policies than uncertified sites. Edelman also reported that TRUSTe did not go far enough to punish seal holders that break their rules and was not prompt enough in revoking the seal on companies that violate privacy standards.
Federal Trade Commission settlement
On November 17, 2014, the Federal Trade Commission announced that TRUSTe had agreed to settle a complaint that it misrepresented to consumers its recertification program, and its status as a non-profit entity, against a $200,000 penalty. The FTC complaint alleged that from 2006 to 2013, TRUSTe failed, in over 1000 instances, to conduct annual privacy checks on the companies it certified. Consumer organizations, including Center for Digital Democracy and the Consumer Federation of America, argued for higher penalties and more FTC oversight, but the FTC declined to increase the penalties. FTC Commissioner Maureen Ohlhausen issued a partial dissent to the FTC ruling, "because TRUSTe never misrepresented its corporate status," and had informed clients of its for-profit status.