True Ultimate Standards Everywhere, Inc., Doing Business as TRUSTe, Inc.; Analysis To Aid Public Comment, 69850-69853 [2014-27733]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 79, Number 226 (Monday, November 24, 2014)]
[Notices]
[Pages 69850-69853]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-27733]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 132 3219]


True Ultimate Standards Everywhere, Inc., Doing Business as 
TRUSTe, Inc.; Analysis To Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed Consent Agreement.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis to Aid Public Comment describes both 
the allegations in the draft complaint and the terms of the consent 
order--embodied in the consent agreement--that would settle these 
allegations.

DATES: Comments must be received on or before December 17, 2014.

ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/trusteconsent online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``True Ultimate 
Standards Everywhere, Inc., Doing Business As TRUSTe, Inc.--Consent 
Agreement; File No. 132 32193'' on your comment and file your comment 
online at https://ftcpublic.commentworks.com/ftc/trusteconsent by 
following the instructions on the Web-based form. If you prefer to file 
your comment on paper, write ``True Ultimate Standards Everywhere, 
Inc., Doing Business As TRUSTe, Inc.--Consent Agreement; File No. 132 
32193'' on your comment and on the envelope, and mail your comment to 
the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024.

FOR FURTHER INFORMATION CONTACT: Jamie Hine (202-326-2188), Bureau of 
Consumer Protection, 600 Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, 
notice is hereby given that the above-captioned consent agreement 
containing consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of thirty (30) days. The 
following Analysis to Aid Public Comment describes the terms of the 
consent agreement, and the allegations in the complaint. An electronic 
copy of the full text of the consent agreement package can be obtained 
from the FTC Home Page (for November 17, 2014), on the World Wide Web, 
at https://www.ftc.gov/os/actions.shtm.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before December 17, 
2014. Write ``True Ultimate Standards Everywhere, Inc., Doing Business 
As TRUSTe, Inc.--Consent Agreement; File No. 132 32193'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to

[[Page 69851]]

the extent practicable, on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the 
Commission tries to remove individuals' home contact information from 
comments before placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which . . . is privileged or confidential,'' as discussed in Section 
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 
4.10(a)(2). In particular, do not include competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept 
confidential only if the FTC General Counsel, in his or her sole 
discretion, grants your request in accordance with the law and the 
public interest.
---------------------------------------------------------------------------

    \1\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/trusteconsent by following the instructions on the Web-based form. 
If this Notice appears at https://www.regulations.gov/#!home, you also 
may file a comment through that Web site.
    If you file your comment on paper, write ``True Ultimate Standards 
Everywhere, Inc., Doing Business As TRUSTe, Inc.--Consent Agreement; 
File No. 132 32193'' on your comment and on the envelope, and mail your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex D), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Visit the Commission Web site at https://www.ftc.gov to read this 
Notice and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before December 17, 2014. You can find more 
information, including routine uses permitted by the Privacy Act, in 
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission has accepted, subject to final 
approval, an agreement containing an order from True Ultimate Standards 
Everywhere, Inc. (``TRUSTe'').
    The proposed consent order has been placed on the public record for 
thirty (30) days for receipt of comments by interested persons. 
Comments received during this period will become part of the public 
record. After thirty (30) days, the Commission again will review the 
agreement and the comments received and will decide whether it should 
withdraw from the agreement or make final the agreement's proposed 
order.
    This matter involves respondent's marketing and distribution of a 
variety of online privacy seals (``seals'') for companies to display on 
their Web sites. The FTC complaint alleges that respondent violated 
Section 5(a) of the FTC Act by falsely representing to consumers the 
frequency with which it reviews and verifies the practices of companies 
displaying its Web site and mobile seals. Specifically, the complaint 
alleges that from June 1997 until January 2013, respondent failed to 
conduct annual recertifications for almost 1,000 companies holding 
respondent's TRUSTed Web sites, COPPA/Children's Privacy, EU Safe 
Harbor, TRUSTed Cloud, TRUSTed Apps, TRUSTed Data, and TRUSTed Smart 
Grid seals. In addition, the complaint alleges that respondent provided 
to its sealholders the means and instrumentalities to misrepresent that 
respondent is a non-profit corporation. The FTC complaint describes, 
with specificity, that following respondent's transition to a for-
profit corporation in July 2008, respondent recertified numerous 
clients whose privacy policies continued to describe TRUSTe as a non-
profit entity.
    The proposed consent order contains provisions designed to prevent 
respondent from engaging in similar acts and practices in the future. 
Part I of the proposed order prohibits respondent from misrepresenting 
(1) the steps respondent takes to evaluate, certify, review, or 
recertify a company's privacy practices; (2) the frequency with which 
respondent evaluates, certifies, reviews, or recertifies a company's 
privacy practices; (3) the corporate status of respondent and its 
independence; and (4) the extent to which any person or entity is a 
member of, adheres to, complies with, is certified by, is endorsed by, 
or otherwise participates in any privacy program sponsored by 
respondent. Part II of the proposed order prohibits respondent from 
providing to any person or entity the means and instrumentalities 
(including any required or model language for use in any privacy policy 
or statement) to misrepresent any of the same items in Part I of the 
proposed order.
    Parts III and IV of the proposed order contain additional reporting 
requirements with respect to respondent's COPPA/Children's Privacy 
seal. First, the proposed order expands respondent's COPPA 
recordkeeping and reporting requirements to ten years. Second, the 
proposed order requires respondent to report (1) the number of new 
seals it awards; (2) how it assesses the fitness of members; and (3) 
any additional steps it takes to monitor compliance with the safe 
harbor requirements. Third, the proposed order expands respondent's 
COPPA requirement to retain consumer complaints and descriptions of 
disciplinary actions to include consumer complaints related to 
respondent and its safe harbor program participants as well as all 
documents related to disciplinary actions taken by respondent. Fourth, 
the proposed order imposes additional COPPA recordkeeping requirements, 
such as a requirement that respondent retain detailed explanations of 
assessments of new and existing applicants in any COPPA safe harbor 
program.

[[Page 69852]]

    Part V of the proposed order requires respondent to pay $200,000 to 
the United States Treasury as disgorgement.
    The purpose of this analysis is to facilitate public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the proposed complaint order or to modify in any way 
the proposed order's terms.
    By direction of the Commission, Commissioner Ohlhausen voting 
``yes,'' consistent with the views expressed in her partial dissent.

Donald S. Clark,
Secretary.

Statement of Chairwoman Edith Ramirez, Commissioner Julie Brill, and 
Commissioner Terrell McSweeny

    We write to express our strong support for the complaint and 
consent order in this case.
    The Commission unanimously supports Count I of the complaint in 
this matter, which is of paramount importance, in light of TRUSTe's 
unique role in increasing consumer trust in the global marketplace and 
ensuring the effectiveness of relevant self-regulatory frameworks. 
TRUSTe operates privacy-related self-regulatory and oversight programs 
for businesses and offers certified privacy seals for program 
participants, including (1) COPPA/Children's Privacy, which certifies 
compliance with the Children's Online Privacy Protection Act and 
implementing regulations; (2) EU Safe Harbor, which certifies 
compliance with the U.S.-EU Safe Harbor Framework; (3) TRUSTed Apps, 
which certifies the privacy practices of mobile applications; and (4) 
APEC Privacy, which certifies compliance with the Asia-Pacific Economic 
Cooperation Cross-Border Privacy Rules System.\1\
---------------------------------------------------------------------------

    \1\ TRUSTe's APEC Privacy certification program was not the 
subject of the allegations in the complaint. TRUSTe became an 
``Accountability Agent'' for the APEC Cross-Border Privacy Rules 
System in June 2013, and issued its first certification under that 
program in August 2013.
---------------------------------------------------------------------------

    In Count I, the Commission alleges that TRUSTe promised consumers 
it would annually recertify its self-regulatory program participants 
for compliance with TRUSTe's privacy program requirements, but that, in 
many instances, it failed to do so. Annual recertification is a 
cornerstone of the service TRUSTe provides. It helps ensure that 
companies (1) continue to follow TRUSTe's program requirements, (2) do 
not make material changes to their practices or policies without 
appropriate consent, and (3) periodically consider the impact of 
technology and marketplace developments in their privacy practices. 
TRUSTe did not fulfill its obligations; today's order helps to ensure 
that TRUSTe will do so in the future. Consumers who see the TRUSTe seal 
on a Web site or mobile app should be confident that a trusted third 
party has kept its promise to review and vouch for the privacy 
practices of that Web site or mobile app.
    We also believe that Count II represents an appropriate use of 
``means and instrumentalities'' liability. At the time TRUSTe provided 
model language for its clients' privacy policies stating that TRUSTe 
was a nonprofit entity, there is no question that the statement was 
true. However, after TRUSTe informed clients of its for-profit status 
in 2008, many clients neglected to update their policies and continued 
to represent that TRUSTe was a nonprofit entity. These ongoing 
representations by TRUSTe's clients clearly became deceptive once 
TRUSTe converted to a for-profit entity. Yet for five years, TRUSTe 
continued to recertify some companies that included this deceptive 
statement, that TRUSTe itself had disseminated, in their privacy 
policies. TRUSTe was well-positioned to rectify the misrepresentation 
about its own corporate status--it could have elected simply not to 
recertify the companies in question until the misrepresentation was 
cured. It failed to take this straightforward step and instead 
continued to bless the language at issue by giving the companies its 
seal of approval.
    In Shell Oil Company and FTC v. Magui Publishers, Inc., which 
Commissioner Ohlhausen cites in her statement, the Commission concluded 
that by providing customers with deceptive statements, the respondent 
furnished the means and instrumentalities for its clients to engage in 
deceptive acts or practices.\2\ In this case, although TRUSTe disclosed 
to clients its change in status, it continued to recertify privacy 
policies using language TRUSTe had itself supplied about its corporate 
status that was no longer true. TRUSTe's recertification of these 
inaccurate privacy policies is the conduct we take aim at--it provided 
a stamp of approval of a false representation which TRUSTe's clients 
then passed along to consumers via their Web sites. As such, TRUSTe 
provided its clients with the means and instrumentalities to deceive 
others. The application of means and instrumentalities liability in 
this case is consistent with the principle underlying Shell and Magui 
Publishers, namely, that one who places the means of deception in the 
hands of another is also liable for the deception under Section 5.\3\ 
The inclusion of this count is particularly appropriate here, given 
TRUSTe's unique position in the privacy self-regulatory ecosystem. 
Companies that purport to hold their clients accountable to protect 
consumer privacy should themselves be held to an equally high standard.
---------------------------------------------------------------------------

    \2\ In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999); FTC 
v. Magui Publishers, Inc., No. 89-3818RSWL(GX), 1991 WL 90895 (C.D. 
Cal. Mar. 28, 1991), aff'd 9 F.3d 1551 (9th Cir. 1993).
    \3\ Commissioner Ohlhausen suggests that the allegations 
underlying Count II would be more appropriately viewed through the 
lens of secondary ``aiding and abetting'' liability. Regardless of 
whether one could construct alternative theories of liability, our 
concern is with TRUSTe's own actions. As discussed above, the 
deception here was the result of TRUSTe's own actions.
---------------------------------------------------------------------------

Partial Dissent of Commissioner Maureen K. Ohlhausen

    I support Count I of the complaint in this matter because of 
TRUSTe's unique position of consumer trust as a third party certifier. 
However, I do not support the use of ``means and instrumentalities'' 
liability in Count II of the complaint and dissent as to that Count.
    TRUSTe was initially organized in 1997 as a non-profit. Before July 
2008, TRUSTe required every certified client Web site to include in its 
privacy policy a description of TRUSTe stating in part, ``TRUSTe is [a] 
non-profit organization.'' On July 3, 2008, TRUSTe changed its 
corporate form from non-profit to for-profit. The company announced the 
change to its clients and requested that all clients update the 
relevant privacy policy language on their Web sites. Some clients did 
not update their Web sites. When TRUSTe recertified such Web sites, 
TRUSTe would typically request, but not require, that the client update 
their privacy policy to reflect the change to for-profit status.
    Count II of our complaint alleges that by recertifying Web sites 
containing privacy policies that inaccurately describe TRUSTe as a non-
profit, TRUSTe provided the means and instrumentalities to its clients 
to misrepresent that TRUSTe was a non-profit corporation. The 
majority's statement argues that TRUSTe, by ``recertify[ing] a 
statement that was untrue,'' provided to its clients the means and 
instrumentalities to deceive consumers.\1\
---------------------------------------------------------------------------

    \1\ In the Matter of True Ultimate Standards Everywhere, Inc., 
FTC File No. 1323219, Statement of Chairwoman Edith Ramirez, 
Commissioner Julie Brill, and Commissioner Terrell McSweeny, at 2 
(Nov. 17, 2014).

---------------------------------------------------------------------------

[[Page 69853]]

    I disagree with this use of means and instrumentalities. To be 
liable of deception under means and instrumentalities requires that the 
party itself must make a misrepresentation, as the Commission detailed 
in Shell Oil Company.\2\ According to the majority in that case, 
``[T]he means and instrumentalities doctrine is intended to apply in 
cases . . . where the originator of the unlawful material is not in 
privity with consumers'' and ``it is well settled law that the 
originator is liable if it passes on a false or misleading 
representation with knowledge or reason to expect that consumers may 
possibly be deceived as a result.'' \3\ For example, in FTC v. Magui 
Publishers, Inc., the court found the defendant directly liable for 
providing the means and instrumentalities to violate Section 5 when it 
sold Salvador Dali prints with forged signatures to retail customers, 
who then sold the prints to consumers.\4\
---------------------------------------------------------------------------

    \2\ In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999).
    \3\ Id. at *10 (Public Statement of Chairman Pitofsky, 
Commissioner Anthony and Commissioner Thompson) (emphasis added). 
Similarly, Commissioner Orson Swindle's dissent stated that under 
FTC precedent, ``means and instrumentalities is a form of primary 
liability in which the respondent was using another party as the 
conduit for disseminating the respondent's misrepresentations to 
consumers.'' Id. at *14-15 (Dissenting Statement of Commissioner 
Orson Swindle) (emphasis added). Swindle's dissent likewise 
emphasized that a defendant ``may not be held primarily liable 
unless it has actually made a misrepresentation.'' Id. (quoting In 
re JWP Inc. Securities Lit., 928 F. Supp. 1239, 1256 (S.D.N.Y. 
1996)). See also FTC v. Magui Publishers, Inc., Civ. No. 89-
3818RSWL(GX), 1991 WL 90895, at *14, (C.D. Cal. 1991), aff'd, 9 F.3d 
1551 (9th Cir. 1993) (``One who places in the hands of another a 
means or instrumentality to be used by another to deceive the public 
in violation of the FTC Act is directly liable for violating the 
Act.'').
    \4\ Magui Publishers, Inc., 1991 WL 90895, at *17.
---------------------------------------------------------------------------

    Unlike Shell and Magui Publishers, the statement that TRUSTe 
provided to its clients was indisputably truthful at the time. During 
the period in which TRUSTe required client privacy policies to state 
that TRUSTe was a non-profit, TRUSTe was, in fact, a non-profit. Once 
TRUSTe changed to for-profit status, it no longer required clients to 
state its non-profit status and actively encouraged clients to correct 
their privacy policies. TRUSTe did not pass to clients any false or 
misleading representations regarding its for-profit status. Nor was 
TRUSTe's recertification of Web sites a misrepresentation of TRUSTe's 
non-profit status to its clients; during recertification TRUSTe again 
clearly communicated its for-profit status to clients by requesting 
that its clients update their privacy policies. Because TRUSTe 
accurately represented its non-profit status to its clients, TRUSTe 
cannot be primarily liable for deceiving consumers under a means and 
instrumentalities theory.
    TRUSTe's alleged recertifications of untrue statements are more 
properly analyzed as secondary liability for aiding and abetting.\5\ In 
Magui Publishers the court found that the defendant forgers were not 
only directly liable for their own misstatements, but also secondarily 
liable for the retailers' fraudulent misrepresentations to consumers 
because defendants ``supplied their deceptive art work, certificates 
and promotional materials to their retail customers with full knowledge 
these customers would use the materials to deceive consumers.'' \6\ The 
court explained that aiding and abetting has three components: ``(1) 
The existence of an independent primary wrong; (2) actual knowledge by 
the alleged aider and abettor of the wrong and of his or her role in 
furthering it; and (3) substantial assistance in the commission of the 
wrong.'' \7\
---------------------------------------------------------------------------

    \5\ ``[A] respondent who has provided assistance to another 
party that has made misrepresentations is at most secondarily 
liable--in particular, for aiding and abetting another's 
misrepresentations.'' Shell Oil Co., 128 F.T.C. 749, *15 (1999) 
(Swindle Dissent) (citing Wright v. Ernst & Young LLP, 152 F.3d 169, 
175 (2d Cir. 1998), cert. denied, 119 S.Ct. 870 (1999); Shapiro v. 
Cantor, 123 F.3d 717, 720 (2d Cir. 1997); Anixter v. Home-Stake 
Production Co., 77 F.3d 1215, 1225 (10th Cir. 1996) (``the critical 
element separating primary from aiding and abetting violations is 
the existence of a representation, made by the defendant.'')).
    \6\ Magui Publishers, Inc., 1991 WL 90895, at *15.
    \7\ Id. at *14.
---------------------------------------------------------------------------

    It is not clear that TRUSTe's clients committed an independent 
primary wrong. However, TRUSTe certainly had knowledge of the 
misstatements in the privacy policies and of TRUSTe's role in 
facilitating those misstatements. And, arguably, its certifications may 
have provided substantial assistance in deceiving consumers. 
Regardless, because TRUSTe never misrepresented its corporate status, 
TRUSTe's actions regarding its corporate status at most comprise aiding 
and abetting its clients' actions.
    Perhaps all this seems like legal hairsplitting, but it is not. 
Under the Supreme Court's decision in Central Bank of Denver v. First 
Interstate Bank of Denver,\8\ the FTC ``may well be precluded from 
bringing Section 5 cases under an aiding and abetting theory.'' \9\ By 
prosecuting activities more properly analyzed as aiding and abetting 
under the guise of means and instrumentalities liability, I am 
concerned that we are stepping beyond the limits the Supreme Court has 
established. I therefore dissent from Count II.

    \8\ Cent. Bank, N.A. v. First Interstate Bank, N.A., 511 U.S. 
164 (1994).
    \9\ Shell Oil Co., 128 F.T.C. 749, *19 (Swindle Dissent).

[FR Doc. 2014-27733 Filed 11-21-14; 8:45 am]
BILLING CODE 6750-01-P