True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment, 69850-69853 [2014-27733]

Download as PDF asabaliauskas on DSK5VPTVN1PROD with NOTICES 69850 Federal Register / Vol. 79, No. 226 / Monday, November 24, 2014 / Notices your comment. Your comment— including your name and your state— will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/ publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site. Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, such as anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any ‘‘[t]rade secret or any commercial or financial information which is . . . privileged or confidential,’’ as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you are required to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c). Your comment will be kept confidential only if the FTC General Counsel grants your request in accordance with the law and the public interest. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comment online, or to send it to the Commission by courier or overnight service. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/ftc/ rvaluerulepra2, by following the instructions on the web-based form. If this Notice appears at http:// www.regulations.gov, you also may file a comment through that Web site. If you file your comment on paper, write ‘‘R-value Rule: FTC File No. R811001’’ on your comment and on the envelope, and mail or deliver it to the VerDate Sep<11>2014 20:32 Nov 21, 2014 Jkt 235001 following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before December 24, 2014. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at http://www.ftc.gov/ftc/privacy.shtm. Comments on the information collection requirements subject to review under the PRA should also be submitted to OMB. If sent by U.S. mail, address comments to: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission, New Executive Office Building, Docket Library, Room 10102, 725 17th Street NW., Washington, DC 20503. Comments sent to OMB by U.S. postal mail, however, are subject to delays due to heightened security precautions. Thus, comments instead should be sent by facsimile to (202) 395–5167. David C. Shonka, Principal Deputy General Counsel. [FR Doc. 2014–27721 Filed 11–21–14; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION [File No. 132 3219] True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment Federal Trade Commission. Proposed Consent Agreement. AGENCY: ACTION: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis to Aid Public Comment describes both the allegations in the draft complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations. SUMMARY: PO 00000 Frm 00029 Fmt 4703 Sfmt 4703 Comments must be received on or before December 17, 2014. ADDRESSES: Interested parties may file a comment at https:// ftcpublic.commentworks.com/ftc/ trusteconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ‘‘True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.—Consent Agreement; File No. 132 32193’’ on your comment and file your comment online at https:// ftcpublic.commentworks.com/ftc/ trusteconsent by following the instructions on the Web-based form. If you prefer to file your comment on paper, write ‘‘True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.—Consent Agreement; File No. 132 32193’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Jamie Hine (202–326–2188), Bureau of Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580. SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for November 17, 2014), on the World Wide Web, at http:// www.ftc.gov/os/actions.shtm. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before December 17, 2014. Write ‘‘True Ultimate Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.— Consent Agreement; File No. 132 32193’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to DATES: E:\FR\FM\24NON1.SGM 24NON1 asabaliauskas on DSK5VPTVN1PROD with NOTICES Federal Register / Vol. 79, No. 226 / Monday, November 24, 2014 / Notices the extent practicable, on the public Commission Web site, at http:// www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site. Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any ‘‘[t]rade secret or any commercial or financial information which . . . is privileged or confidential,’’ as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).1 Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/ftc/ trusteconsent by following the instructions on the Web-based form. If this Notice appears at http:// www.regulations.gov/#!home, you also may file a comment through that Web site. If you file your comment on paper, write ‘‘True Ultimate Standards Everywhere, Inc., Doing Business As 1 In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c). VerDate Sep<11>2014 20:32 Nov 21, 2014 Jkt 235001 TRUSTe, Inc.—Consent Agreement; File No. 132 32193’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service. Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before December 17, 2014. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at http://www.ftc.gov/ftc/privacy.htm. Analysis of Proposed Consent Order To Aid Public Comment The Federal Trade Commission has accepted, subject to final approval, an agreement containing an order from True Ultimate Standards Everywhere, Inc. (‘‘TRUSTe’’). The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission again will review the agreement and the comments received and will decide whether it should withdraw from the agreement or make final the agreement’s proposed order. This matter involves respondent’s marketing and distribution of a variety of online privacy seals (‘‘seals’’) for companies to display on their Web sites. The FTC complaint alleges that respondent violated Section 5(a) of the FTC Act by falsely representing to consumers the frequency with which it reviews and verifies the practices of companies displaying its Web site and mobile seals. Specifically, the complaint alleges that from June 1997 until January 2013, respondent failed to conduct annual recertifications for almost 1,000 companies holding respondent’s TRUSTed Web sites, COPPA/Children’s Privacy, EU Safe Harbor, TRUSTed Cloud, TRUSTed Apps, TRUSTed Data, and TRUSTed PO 00000 Frm 00030 Fmt 4703 Sfmt 4703 69851 Smart Grid seals. In addition, the complaint alleges that respondent provided to its sealholders the means and instrumentalities to misrepresent that respondent is a non-profit corporation. The FTC complaint describes, with specificity, that following respondent’s transition to a for-profit corporation in July 2008, respondent recertified numerous clients whose privacy policies continued to describe TRUSTe as a non-profit entity. The proposed consent order contains provisions designed to prevent respondent from engaging in similar acts and practices in the future. Part I of the proposed order prohibits respondent from misrepresenting (1) the steps respondent takes to evaluate, certify, review, or recertify a company’s privacy practices; (2) the frequency with which respondent evaluates, certifies, reviews, or recertifies a company’s privacy practices; (3) the corporate status of respondent and its independence; and (4) the extent to which any person or entity is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy program sponsored by respondent. Part II of the proposed order prohibits respondent from providing to any person or entity the means and instrumentalities (including any required or model language for use in any privacy policy or statement) to misrepresent any of the same items in Part I of the proposed order. Parts III and IV of the proposed order contain additional reporting requirements with respect to respondent’s COPPA/Children’s Privacy seal. First, the proposed order expands respondent’s COPPA recordkeeping and reporting requirements to ten years. Second, the proposed order requires respondent to report (1) the number of new seals it awards; (2) how it assesses the fitness of members; and (3) any additional steps it takes to monitor compliance with the safe harbor requirements. Third, the proposed order expands respondent’s COPPA requirement to retain consumer complaints and descriptions of disciplinary actions to include consumer complaints related to respondent and its safe harbor program participants as well as all documents related to disciplinary actions taken by respondent. Fourth, the proposed order imposes additional COPPA recordkeeping requirements, such as a requirement that respondent retain detailed explanations of assessments of new and existing applicants in any COPPA safe harbor program. E:\FR\FM\24NON1.SGM 24NON1 69852 Federal Register / Vol. 79, No. 226 / Monday, November 24, 2014 / Notices Part V of the proposed order requires respondent to pay $200,000 to the United States Treasury as disgorgement. The purpose of this analysis is to facilitate public comment on the proposed order. It is not intended to constitute an official interpretation of the proposed complaint order or to modify in any way the proposed order’s terms. By direction of the Commission, Commissioner Ohlhausen voting ‘‘yes,’’ consistent with the views expressed in her partial dissent. asabaliauskas on DSK5VPTVN1PROD with NOTICES Donald S. Clark, Secretary. Statement of Chairwoman Edith Ramirez, Commissioner Julie Brill, and Commissioner Terrell McSweeny We write to express our strong support for the complaint and consent order in this case. The Commission unanimously supports Count I of the complaint in this matter, which is of paramount importance, in light of TRUSTe’s unique role in increasing consumer trust in the global marketplace and ensuring the effectiveness of relevant self-regulatory frameworks. TRUSTe operates privacyrelated self-regulatory and oversight programs for businesses and offers certified privacy seals for program participants, including (1) COPPA/ Children’s Privacy, which certifies compliance with the Children’s Online Privacy Protection Act and implementing regulations; (2) EU Safe Harbor, which certifies compliance with the U.S.-EU Safe Harbor Framework; (3) TRUSTed Apps, which certifies the privacy practices of mobile applications; and (4) APEC Privacy, which certifies compliance with the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System.1 In Count I, the Commission alleges that TRUSTe promised consumers it would annually recertify its selfregulatory program participants for compliance with TRUSTe’s privacy program requirements, but that, in many instances, it failed to do so. Annual recertification is a cornerstone of the service TRUSTe provides. It helps ensure that companies (1) continue to follow TRUSTe’s program requirements, (2) do not make material changes to their practices or policies without appropriate consent, and (3) periodically consider the impact of 1 TRUSTe’s APEC Privacy certification program was not the subject of the allegations in the complaint. TRUSTe became an ‘‘Accountability Agent’’ for the APEC Cross-Border Privacy Rules System in June 2013, and issued its first certification under that program in August 2013. VerDate Sep<11>2014 20:32 Nov 21, 2014 Jkt 235001 technology and marketplace developments in their privacy practices. TRUSTe did not fulfill its obligations; today’s order helps to ensure that TRUSTe will do so in the future. Consumers who see the TRUSTe seal on a Web site or mobile app should be confident that a trusted third party has kept its promise to review and vouch for the privacy practices of that Web site or mobile app. We also believe that Count II represents an appropriate use of ‘‘means and instrumentalities’’ liability. At the time TRUSTe provided model language for its clients’ privacy policies stating that TRUSTe was a nonprofit entity, there is no question that the statement was true. However, after TRUSTe informed clients of its for-profit status in 2008, many clients neglected to update their policies and continued to represent that TRUSTe was a nonprofit entity. These ongoing representations by TRUSTe’s clients clearly became deceptive once TRUSTe converted to a for-profit entity. Yet for five years, TRUSTe continued to recertify some companies that included this deceptive statement, that TRUSTe itself had disseminated, in their privacy policies. TRUSTe was well-positioned to rectify the misrepresentation about its own corporate status—it could have elected simply not to recertify the companies in question until the misrepresentation was cured. It failed to take this straightforward step and instead continued to bless the language at issue by giving the companies its seal of approval. In Shell Oil Company and FTC v. Magui Publishers, Inc., which Commissioner Ohlhausen cites in her statement, the Commission concluded that by providing customers with deceptive statements, the respondent furnished the means and instrumentalities for its clients to engage in deceptive acts or practices.2 In this case, although TRUSTe disclosed to clients its change in status, it continued to recertify privacy policies using language TRUSTe had itself supplied about its corporate status that was no longer true. TRUSTe’s recertification of these inaccurate privacy policies is the conduct we take aim at—it provided a stamp of approval of a false representation which TRUSTe’s clients then passed along to consumers via their Web sites. As such, TRUSTe provided its clients with the means and instrumentalities to deceive others. The 2 In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999); FTC v. Magui Publishers, Inc., No. 89– 3818RSWL(GX), 1991 WL 90895 (C.D. Cal. Mar. 28, 1991), aff’d 9 F.3d 1551 (9th Cir. 1993). PO 00000 Frm 00031 Fmt 4703 Sfmt 4703 application of means and instrumentalities liability in this case is consistent with the principle underlying Shell and Magui Publishers, namely, that one who places the means of deception in the hands of another is also liable for the deception under Section 5.3 The inclusion of this count is particularly appropriate here, given TRUSTe’s unique position in the privacy self-regulatory ecosystem. Companies that purport to hold their clients accountable to protect consumer privacy should themselves be held to an equally high standard. Partial Dissent of Commissioner Maureen K. Ohlhausen I support Count I of the complaint in this matter because of TRUSTe’s unique position of consumer trust as a third party certifier. However, I do not support the use of ‘‘means and instrumentalities’’ liability in Count II of the complaint and dissent as to that Count. TRUSTe was initially organized in 1997 as a non-profit. Before July 2008, TRUSTe required every certified client Web site to include in its privacy policy a description of TRUSTe stating in part, ‘‘TRUSTe is [a] non-profit organization.’’ On July 3, 2008, TRUSTe changed its corporate form from nonprofit to for-profit. The company announced the change to its clients and requested that all clients update the relevant privacy policy language on their Web sites. Some clients did not update their Web sites. When TRUSTe recertified such Web sites, TRUSTe would typically request, but not require, that the client update their privacy policy to reflect the change to for-profit status. Count II of our complaint alleges that by recertifying Web sites containing privacy policies that inaccurately describe TRUSTe as a non-profit, TRUSTe provided the means and instrumentalities to its clients to misrepresent that TRUSTe was a nonprofit corporation. The majority’s statement argues that TRUSTe, by ‘‘recertify[ing] a statement that was untrue,’’ provided to its clients the means and instrumentalities to deceive consumers.1 3 Commissioner Ohlhausen suggests that the allegations underlying Count II would be more appropriately viewed through the lens of secondary ‘‘aiding and abetting’’ liability. Regardless of whether one could construct alternative theories of liability, our concern is with TRUSTe’s own actions. As discussed above, the deception here was the result of TRUSTe’s own actions. 1 In the Matter of True Ultimate Standards Everywhere, Inc., FTC File No. 1323219, Statement of Chairwoman Edith Ramirez, Commissioner Julie E:\FR\FM\24NON1.SGM 24NON1 Federal Register / Vol. 79, No. 226 / Monday, November 24, 2014 / Notices asabaliauskas on DSK5VPTVN1PROD with NOTICES I disagree with this use of means and instrumentalities. To be liable of deception under means and instrumentalities requires that the party itself must make a misrepresentation, as the Commission detailed in Shell Oil Company.2 According to the majority in that case, ‘‘[T]he means and instrumentalities doctrine is intended to apply in cases . . . where the originator of the unlawful material is not in privity with consumers’’ and ‘‘it is well settled law that the originator is liable if it passes on a false or misleading representation with knowledge or reason to expect that consumers may possibly be deceived as a result.’’ 3 For example, in FTC v. Magui Publishers, Inc., the court found the defendant directly liable for providing the means and instrumentalities to violate Section 5 when it sold Salvador Dali prints with forged signatures to retail customers, who then sold the prints to consumers.4 Unlike Shell and Magui Publishers, the statement that TRUSTe provided to its clients was indisputably truthful at the time. During the period in which TRUSTe required client privacy policies to state that TRUSTe was a non-profit, TRUSTe was, in fact, a non-profit. Once TRUSTe changed to for-profit status, it no longer required clients to state its non-profit status and actively encouraged clients to correct their privacy policies. TRUSTe did not pass to clients any false or misleading representations regarding its for-profit status. Nor was TRUSTe’s recertification of Web sites a misrepresentation of TRUSTe’s non-profit status to its clients; during recertification TRUSTe again clearly communicated its for-profit status to clients by requesting that its clients update their privacy policies. Because TRUSTe accurately represented Brill, and Commissioner Terrell McSweeny, at 2 (Nov. 17, 2014). 2 In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999). 3 Id. at *10 (Public Statement of Chairman Pitofsky, Commissioner Anthony and Commissioner Thompson) (emphasis added). Similarly, Commissioner Orson Swindle’s dissent stated that under FTC precedent, ‘‘means and instrumentalities is a form of primary liability in which the respondent was using another party as the conduit for disseminating the respondent’s misrepresentations to consumers.’’ Id. at *14–15 (Dissenting Statement of Commissioner Orson Swindle) (emphasis added). Swindle’s dissent likewise emphasized that a defendant ‘‘may not be held primarily liable unless it has actually made a misrepresentation.’’ Id. (quoting In re JWP Inc. Securities Lit., 928 F. Supp. 1239, 1256 (S.D.N.Y. 1996)). See also FTC v. Magui Publishers, Inc., Civ. No. 89–3818RSWL(GX), 1991 WL 90895, at *14, (C.D. Cal. 1991), aff’d, 9 F.3d 1551 (9th Cir. 1993) (‘‘One who places in the hands of another a means or instrumentality to be used by another to deceive the public in violation of the FTC Act is directly liable for violating the Act.’’). 4 Magui Publishers, Inc., 1991 WL 90895, at *17. VerDate Sep<11>2014 20:32 Nov 21, 2014 Jkt 235001 its non-profit status to its clients, TRUSTe cannot be primarily liable for deceiving consumers under a means and instrumentalities theory. TRUSTe’s alleged recertifications of untrue statements are more properly analyzed as secondary liability for aiding and abetting.5 In Magui Publishers the court found that the defendant forgers were not only directly liable for their own misstatements, but also secondarily liable for the retailers’ fraudulent misrepresentations to consumers because defendants ‘‘supplied their deceptive art work, certificates and promotional materials to their retail customers with full knowledge these customers would use the materials to deceive consumers.’’ 6 The court explained that aiding and abetting has three components: ‘‘(1) The existence of an independent primary wrong; (2) actual knowledge by the alleged aider and abettor of the wrong and of his or her role in furthering it; and (3) substantial assistance in the commission of the wrong.’’ 7 It is not clear that TRUSTe’s clients committed an independent primary wrong. However, TRUSTe certainly had knowledge of the misstatements in the privacy policies and of TRUSTe’s role in facilitating those misstatements. And, arguably, its certifications may have provided substantial assistance in deceiving consumers. Regardless, because TRUSTe never misrepresented its corporate status, TRUSTe’s actions regarding its corporate status at most comprise aiding and abetting its clients’ actions. Perhaps all this seems like legal hairsplitting, but it is not. Under the Supreme Court’s decision in Central Bank of Denver v. First Interstate Bank of Denver,8 the FTC ‘‘may well be precluded from bringing Section 5 cases under an aiding and abetting theory.’’ 9 By prosecuting activities more properly analyzed as aiding and abetting under the guise of means and instrumentalities liability, I am concerned that we are 5 ‘‘[A] respondent who has provided assistance to another party that has made misrepresentations is at most secondarily liable—in particular, for aiding and abetting another’s misrepresentations.’’ Shell Oil Co., 128 F.T.C. 749, *15 (1999) (Swindle Dissent) (citing Wright v. Ernst & Young LLP, 152 F.3d 169, 175 (2d Cir. 1998), cert. denied, 119 S.Ct. 870 (1999); Shapiro v. Cantor, 123 F.3d 717, 720 (2d Cir. 1997); Anixter v. Home-Stake Production Co., 77 F.3d 1215, 1225 (10th Cir. 1996) (‘‘the critical element separating primary from aiding and abetting violations is the existence of a representation, made by the defendant.’’)). 6 Magui Publishers, Inc., 1991 WL 90895, at *15. 7 Id. at *14. 8 Cent. Bank, N.A. v. First Interstate Bank, N.A., 511 U.S. 164 (1994). 9 Shell Oil Co., 128 F.T.C. 749, *19 (Swindle Dissent). PO 00000 Frm 00032 Fmt 4703 Sfmt 4703 69853 stepping beyond the limits the Supreme Court has established. I therefore dissent from Count II. [FR Doc. 2014–27733 Filed 11–21–14; 8:45 am] BILLING CODE 6750–01–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Centers for Disease Control and Prevention [Docket No. CDC–2014–0015] Request for Comment on Draft Vaccines Adverse Event Reporting System (VAERS) 2.0 Form Centers for Disease Control and Prevention (CDC), Department of Health and Human Services (HHS). ACTION: Notice of request for public comment. AGENCY: The Centers for Disease Control and Prevention (CDC), located within the Department of Health and Human Services (HHS), is publishing this notice requesting public comment on the proposed VAERS 2.0 form, which is intended to replace the current VAERS–1 form (https://vaers.hhs.gov/ resources/vaers_form.pdf). CDC and the U.S. Food and Drug Administration (FDA) co-administer the Vaccines Adverse Event Reporting System (VAERS), a post-licensure (i.e., after vaccines have been licensed by the FDA and are being used in the community) reporting system that accepts submitted reports of adverse events that occur after vaccination from healthcare providers, manufacturers, and the public. Healthcare providers and vaccine manufacturers are required to submit VAERS reports. The National Childhood Vaccine Injury Act of 1986, section 2125 of the Public Health Service Act (42 U.S.C. 300aa–25) authorized VAERS. The current VAERS form has been used since 1990. DATES: Written comments must be received on or before January 23, 2015. ADDRESSES: You may submit comments, identified by docket number CDC– 2014–0015 by any of the following methods: • Federal eRulemaking Portal: http:// www.regulations.gov. Follow the instructions for submitting comments. • Mail: You may also submit written comments to the following address: Centers for Disease Control and Prevention, (CDC), National Center for Emerging and Zoonotic Infectious Diseases, Division of Healthcare Quality Promotion, Immunization Safety Office, Attn: VAERS 2.0 form Docket No. CDC– SUMMARY: E:\FR\FM\24NON1.SGM 24NON1

Agencies

[Federal Register Volume 79, Number 226 (Monday, November 24, 2014)]
[Notices]
[Pages 69850-69853]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-27733]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3219]


True Ultimate Standards Everywhere, Inc., Doing Business as 
TRUSTe, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the draft complaint and the terms of the consent 
order--embodied in the consent agreement--that would settle these 
allegations.

DATES: Comments must be received on or before December 17, 2014.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/trusteconsent online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``True Ultimate 
Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.--Consent 
Agreement; File No. 132 32193'' on your comment and file your comment 
online at https://ftcpublic.commentworks.com/ftc/trusteconsent by 
following the instructions on the Web-based form. If you prefer to file 
your comment on paper, write ``True Ultimate Standards Everywhere, 
Inc., Doing Business As TRUSTe, Inc.--Consent Agreement; File No. 132 
32193'' on your comment and on the envelope, and mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Jamie Hine (202-326-2188), Bureau of 
Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for November 17, 2014), on the World Wide Web, 
at http://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before December 17, 
2014. Write ``True Ultimate Standards Everywhere, Inc., Doing Business 
As TRUSTe, Inc.--Consent Agreement; File No. 132 32193'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to

[[Page 69851]]

the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/trusteconsent by following the instructions on the Web-based form. 
If this Notice appears at http://www.regulations.gov/#!home, you also 
may file a comment through that Web site.
    If you file your comment on paper, write ``True Ultimate Standards 
Everywhere, Inc., Doing Business As TRUSTe, Inc.--Consent Agreement; 
File No. 132 32193'' on your comment and on the envelope, and mail your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Visit the Commission Web site at http://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before December 17, 2014. You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at http://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing an order from True Ultimate Standards 
Everywhere, Inc. (``TRUSTe'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission again will review the 
agreement and the comments received and will decide whether it should 
withdraw from the agreement or make final the agreement's proposed 
order.
    This matter involves respondent's marketing and distribution of a 
variety of online privacy seals (``seals'') for companies to display on 
their Web sites. The FTC complaint alleges that respondent violated 
Section 5(a) of the FTC Act by falsely representing to consumers the 
frequency with which it reviews and verifies the practices of companies 
displaying its Web site and mobile seals. Specifically, the complaint 
alleges that from June 1997 until January 2013, respondent failed to 
conduct annual recertifications for almost 1,000 companies holding 
respondent's TRUSTed Web sites, COPPA/Children's Privacy, EU Safe 
Harbor, TRUSTed Cloud, TRUSTed Apps, TRUSTed Data, and TRUSTed Smart 
Grid seals. In addition, the complaint alleges that respondent provided 
to its sealholders the means and instrumentalities to misrepresent that 
respondent is a non-profit corporation. The FTC complaint describes, 
with specificity, that following respondent's transition to a for-
profit corporation in July 2008, respondent recertified numerous 
clients whose privacy policies continued to describe TRUSTe as a non-
profit entity.
    The proposed consent order contains provisions designed to prevent 
respondent from engaging in similar acts and practices in the future. 
Part I of the proposed order prohibits respondent from misrepresenting 
(1) the steps respondent takes to evaluate, certify, review, or 
recertify a company's privacy practices; (2) the frequency with which 
respondent evaluates, certifies, reviews, or recertifies a company's 
privacy practices; (3) the corporate status of respondent and its 
independence; and (4) the extent to which any person or entity is a 
member of, adheres to, complies with, is certified by, is endorsed by, 
or otherwise participates in any privacy program sponsored by 
respondent. Part II of the proposed order prohibits respondent from 
providing to any person or entity the means and instrumentalities 
(including any required or model language for use in any privacy policy 
or statement) to misrepresent any of the same items in Part I of the 
proposed order.
    Parts III and IV of the proposed order contain additional reporting 
requirements with respect to respondent's COPPA/Children's Privacy 
seal. First, the proposed order expands respondent's COPPA 
recordkeeping and reporting requirements to ten years. Second, the 
proposed order requires respondent to report (1) the number of new 
seals it awards; (2) how it assesses the fitness of members; and (3) 
any additional steps it takes to monitor compliance with the safe 
harbor requirements. Third, the proposed order expands respondent's 
COPPA requirement to retain consumer complaints and descriptions of 
disciplinary actions to include consumer complaints related to 
respondent and its safe harbor program participants as well as all 
documents related to disciplinary actions taken by respondent. Fourth, 
the proposed order imposes additional COPPA recordkeeping requirements, 
such as a requirement that respondent retain detailed explanations of 
assessments of new and existing applicants in any COPPA safe harbor 
program.

[[Page 69852]]

    Part V of the proposed order requires respondent to pay $200,000 to 
the United States Treasury as disgorgement.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint order or to modify in any way 
the proposed order's terms.
    By direction of the Commission, Commissioner Ohlhausen voting 
``yes,'' consistent with the views expressed in her partial dissent.

Donald S. Clark,
Secretary.

Statement of Chairwoman Edith Ramirez, Commissioner Julie Brill, and 
Commissioner Terrell McSweeny

    We write to express our strong support for the complaint and 
consent order in this case.
    The Commission unanimously supports Count I of the complaint in 
this matter, which is of paramount importance, in light of TRUSTe's 
unique role in increasing consumer trust in the global marketplace and 
ensuring the effectiveness of relevant self-regulatory frameworks. 
TRUSTe operates privacy-related self-regulatory and oversight programs 
for businesses and offers certified privacy seals for program 
participants, including (1) COPPA/Children's Privacy, which certifies 
compliance with the Children's Online Privacy Protection Act and 
implementing regulations; (2) EU Safe Harbor, which certifies 
compliance with the U.S.-EU Safe Harbor Framework; (3) TRUSTed Apps, 
which certifies the privacy practices of mobile applications; and (4) 
APEC Privacy, which certifies compliance with the Asia-Pacific Economic 
Cooperation Cross-Border Privacy Rules System.\1\
---------------------------------------------------------------------------

    \1\ TRUSTe's APEC Privacy certification program was not the 
subject of the allegations in the complaint. TRUSTe became an 
``Accountability Agent'' for the APEC Cross-Border Privacy Rules 
System in June 2013, and issued its first certification under that 
program in August 2013.
---------------------------------------------------------------------------

    In Count I, the Commission alleges that TRUSTe promised consumers 
it would annually recertify its self-regulatory program participants 
for compliance with TRUSTe's privacy program requirements, but that, in 
many instances, it failed to do so. Annual recertification is a 
cornerstone of the service TRUSTe provides. It helps ensure that 
companies (1) continue to follow TRUSTe's program requirements, (2) do 
not make material changes to their practices or policies without 
appropriate consent, and (3) periodically consider the impact of 
technology and marketplace developments in their privacy practices. 
TRUSTe did not fulfill its obligations; today's order helps to ensure 
that TRUSTe will do so in the future. Consumers who see the TRUSTe seal 
on a Web site or mobile app should be confident that a trusted third 
party has kept its promise to review and vouch for the privacy 
practices of that Web site or mobile app.
    We also believe that Count II represents an appropriate use of 
``means and instrumentalities'' liability. At the time TRUSTe provided 
model language for its clients' privacy policies stating that TRUSTe 
was a nonprofit entity, there is no question that the statement was 
true. However, after TRUSTe informed clients of its for-profit status 
in 2008, many clients neglected to update their policies and continued 
to represent that TRUSTe was a nonprofit entity. These ongoing 
representations by TRUSTe's clients clearly became deceptive once 
TRUSTe converted to a for-profit entity. Yet for five years, TRUSTe 
continued to recertify some companies that included this deceptive 
statement, that TRUSTe itself had disseminated, in their privacy 
policies. TRUSTe was well-positioned to rectify the misrepresentation 
about its own corporate status--it could have elected simply not to 
recertify the companies in question until the misrepresentation was 
cured. It failed to take this straightforward step and instead 
continued to bless the language at issue by giving the companies its 
seal of approval.
    In Shell Oil Company and FTC v. Magui Publishers, Inc., which 
Commissioner Ohlhausen cites in her statement, the Commission concluded 
that by providing customers with deceptive statements, the respondent 
furnished the means and instrumentalities for its clients to engage in 
deceptive acts or practices.\2\ In this case, although TRUSTe disclosed 
to clients its change in status, it continued to recertify privacy 
policies using language TRUSTe had itself supplied about its corporate 
status that was no longer true. TRUSTe's recertification of these 
inaccurate privacy policies is the conduct we take aim at--it provided 
a stamp of approval of a false representation which TRUSTe's clients 
then passed along to consumers via their Web sites. As such, TRUSTe 
provided its clients with the means and instrumentalities to deceive 
others. The application of means and instrumentalities liability in 
this case is consistent with the principle underlying Shell and Magui 
Publishers, namely, that one who places the means of deception in the 
hands of another is also liable for the deception under Section 5.\3\ 
The inclusion of this count is particularly appropriate here, given 
TRUSTe's unique position in the privacy self-regulatory ecosystem. 
Companies that purport to hold their clients accountable to protect 
consumer privacy should themselves be held to an equally high standard.
---------------------------------------------------------------------------

    \2\ In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999); FTC 
v. Magui Publishers, Inc., No. 89-3818RSWL(GX), 1991 WL 90895 (C.D. 
Cal. Mar. 28, 1991), aff'd 9 F.3d 1551 (9th Cir. 1993).
    \3\ Commissioner Ohlhausen suggests that the allegations 
underlying Count II would be more appropriately viewed through the 
lens of secondary ``aiding and abetting'' liability. Regardless of 
whether one could construct alternative theories of liability, our 
concern is with TRUSTe's own actions. As discussed above, the 
deception here was the result of TRUSTe's own actions.
---------------------------------------------------------------------------

Partial Dissent of Commissioner Maureen K. Ohlhausen

    I support Count I of the complaint in this matter because of 
TRUSTe's unique position of consumer trust as a third party certifier. 
However, I do not support the use of ``means and instrumentalities'' 
liability in Count II of the complaint and dissent as to that Count.
    TRUSTe was initially organized in 1997 as a non-profit. Before July 
2008, TRUSTe required every certified client Web site to include in its 
privacy policy a description of TRUSTe stating in part, ``TRUSTe is [a] 
non-profit organization.'' On July 3, 2008, TRUSTe changed its 
corporate form from non-profit to for-profit. The company announced the 
change to its clients and requested that all clients update the 
relevant privacy policy language on their Web sites. Some clients did 
not update their Web sites. When TRUSTe recertified such Web sites, 
TRUSTe would typically request, but not require, that the client update 
their privacy policy to reflect the change to for-profit status.
    Count II of our complaint alleges that by recertifying Web sites 
containing privacy policies that inaccurately describe TRUSTe as a non-
profit, TRUSTe provided the means and instrumentalities to its clients 
to misrepresent that TRUSTe was a non-profit corporation. The 
majority's statement argues that TRUSTe, by ``recertify[ing] a 
statement that was untrue,'' provided to its clients the means and 
instrumentalities to deceive consumers.\1\
---------------------------------------------------------------------------

    \1\ In the Matter of True Ultimate Standards Everywhere, Inc., 
FTC File No. 1323219, Statement of Chairwoman Edith Ramirez, 
Commissioner Julie Brill, and Commissioner Terrell McSweeny, at 2 
(Nov. 17, 2014).

---------------------------------------------------------------------------

[[Page 69853]]

    I disagree with this use of means and instrumentalities. To be 
liable of deception under means and instrumentalities requires that the 
party itself must make a misrepresentation, as the Commission detailed 
in Shell Oil Company.\2\ According to the majority in that case, 
``[T]he means and instrumentalities doctrine is intended to apply in 
cases . . . where the originator of the unlawful material is not in 
privity with consumers'' and ``it is well settled law that the 
originator is liable if it passes on a false or misleading 
representation with knowledge or reason to expect that consumers may 
possibly be deceived as a result.'' \3\ For example, in FTC v. Magui 
Publishers, Inc., the court found the defendant directly liable for 
providing the means and instrumentalities to violate Section 5 when it 
sold Salvador Dali prints with forged signatures to retail customers, 
who then sold the prints to consumers.\4\
---------------------------------------------------------------------------

    \2\ In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999).
    \3\ Id. at *10 (Public Statement of Chairman Pitofsky, 
Commissioner Anthony and Commissioner Thompson) (emphasis added). 
Similarly, Commissioner Orson Swindle's dissent stated that under 
FTC precedent, ``means and instrumentalities is a form of primary 
liability in which the respondent was using another party as the 
conduit for disseminating the respondent's misrepresentations to 
consumers.'' Id. at *14-15 (Dissenting Statement of Commissioner 
Orson Swindle) (emphasis added). Swindle's dissent likewise 
emphasized that a defendant ``may not be held primarily liable 
unless it has actually made a misrepresentation.'' Id. (quoting In 
re JWP Inc. Securities Lit., 928 F. Supp. 1239, 1256 (S.D.N.Y. 
1996)). See also FTC v. Magui Publishers, Inc., Civ. No. 89-
3818RSWL(GX), 1991 WL 90895, at *14, (C.D. Cal. 1991), aff'd, 9 F.3d 
1551 (9th Cir. 1993) (``One who places in the hands of another a 
means or instrumentality to be used by another to deceive the public 
in violation of the FTC Act is directly liable for violating the 
Act.'').
    \4\ Magui Publishers, Inc., 1991 WL 90895, at *17.
---------------------------------------------------------------------------

    Unlike Shell and Magui Publishers, the statement that TRUSTe 
provided to its clients was indisputably truthful at the time. During 
the period in which TRUSTe required client privacy policies to state 
that TRUSTe was a non-profit, TRUSTe was, in fact, a non-profit. Once 
TRUSTe changed to for-profit status, it no longer required clients to 
state its non-profit status and actively encouraged clients to correct 
their privacy policies. TRUSTe did not pass to clients any false or 
misleading representations regarding its for-profit status. Nor was 
TRUSTe's recertification of Web sites a misrepresentation of TRUSTe's 
non-profit status to its clients; during recertification TRUSTe again 
clearly communicated its for-profit status to clients by requesting 
that its clients update their privacy policies. Because TRUSTe 
accurately represented its non-profit status to its clients, TRUSTe 
cannot be primarily liable for deceiving consumers under a means and 
instrumentalities theory.
    TRUSTe's alleged recertifications of untrue statements are more 
properly analyzed as secondary liability for aiding and abetting.\5\ In 
Magui Publishers the court found that the defendant forgers were not 
only directly liable for their own misstatements, but also secondarily 
liable for the retailers' fraudulent misrepresentations to consumers 
because defendants ``supplied their deceptive art work, certificates 
and promotional materials to their retail customers with full knowledge 
these customers would use the materials to deceive consumers.'' \6\ The 
court explained that aiding and abetting has three components: ``(1) 
The existence of an independent primary wrong; (2) actual knowledge by 
the alleged aider and abettor of the wrong and of his or her role in 
furthering it; and (3) substantial assistance in the commission of the 
wrong.'' \7\
---------------------------------------------------------------------------

    \5\ ``[A] respondent who has provided assistance to another 
party that has made misrepresentations is at most secondarily 
liable--in particular, for aiding and abetting another's 
misrepresentations.'' Shell Oil Co., 128 F.T.C. 749, *15 (1999) 
(Swindle Dissent) (citing Wright v. Ernst & Young LLP, 152 F.3d 169, 
175 (2d Cir. 1998), cert. denied, 119 S.Ct. 870 (1999); Shapiro v. 
Cantor, 123 F.3d 717, 720 (2d Cir. 1997); Anixter v. Home-Stake 
Production Co., 77 F.3d 1215, 1225 (10th Cir. 1996) (``the critical 
element separating primary from aiding and abetting violations is 
the existence of a representation, made by the defendant.'')).
    \6\ Magui Publishers, Inc., 1991 WL 90895, at *15.
    \7\ Id. at *14.
---------------------------------------------------------------------------

    It is not clear that TRUSTe's clients committed an independent 
primary wrong. However, TRUSTe certainly had knowledge of the 
misstatements in the privacy policies and of TRUSTe's role in 
facilitating those misstatements. And, arguably, its certifications may 
have provided substantial assistance in deceiving consumers. 
Regardless, because TRUSTe never misrepresented its corporate status, 
TRUSTe's actions regarding its corporate status at most comprise aiding 
and abetting its clients' actions.
    Perhaps all this seems like legal hairsplitting, but it is not. 
Under the Supreme Court's decision in Central Bank of Denver v. First 
Interstate Bank of Denver,\8\ the FTC ``may well be precluded from 
bringing Section 5 cases under an aiding and abetting theory.'' \9\ By 
prosecuting activities more properly analyzed as aiding and abetting 
under the guise of means and instrumentalities liability, I am 
concerned that we are stepping beyond the limits the Supreme Court has 
established. I therefore dissent from Count II.

    \8\ Cent. Bank, N.A. v. First Interstate Bank, N.A., 511 U.S. 
164 (1994).
    \9\ Shell Oil Co., 128 F.T.C. 749, *19 (Swindle Dissent).

[FR Doc. 2014-27733 Filed 11-21-14; 8:45 am]
BILLING CODE 6750-01-P