Posted by Alexander Hanff on November 22, 2014.
As many people will know I was in Brussels earlier this week delivering two presentations at the IAPP Europe Data Protection Congress. I was there to talk about encrypted email in the first session and mobile privacy (more specifically the risks BYOD pose to corporate networks, data and infrastructure) in the second session.
On Wednesday morning just before the conference kicked off, I was at the registration desk going through the formalities when Commissioner Julie Brill (FTC) spotted me. She approached me and introduced herself (not that she needed to, I have seen her at a number of events over the years) and said she had been wanting to talk to me about my TRUSTe comments. She explained she had wanted to reply over Twitter but couldn’t see how to put what she needed to say into 140 characters less.
So, to recap, I asked the FTC on Twitter, why the financial penalty against TRUSTe had been so low when they presumably made millions of dollars in revenues from the “over 1000 incidences” where they failed to carry out audits and re-certification annually.
Commissioner Julie Brill confirmed to me in Brussels that TRUSTe had indeed received millions in revenues from these incidents (which is unsurprising considering it costs upwards of $15000 to get TRUSTe certification as far as I understand it) but that the penalty against them had been means tested.
She went on to explain that had the FTC fined TRUSTe at a similar level or higher to the revenues TRUSTe made through these incidences, it would have forced TRUSTe into bankruptcy.
Here is a kicker to the story though – despite the consent order and penalties, TRUSTe still have clients out there on two year packages that have not been audited after their first year. I know this because the general counsel of one company has approached me and disclosed that his company are still waiting for TRUSTe to audit them after their first year – and I would be incredibly surprised if that company is the only one.
So it seems even after the FTC action, TRUSTe still don’t have their house in order and TRUSTe privacy seals still cannot be trusted.