OF SELF REGULATION
of online privacy policies is intended to assure an organization's
compliance with its privacy policies for the collection, use and
disclosure of personally identifiable information online and provide
for consumer complaint resolution. Whether administered by a third-party
privacy seal program, licensing program or a membership association,
the effective enforcement of self-regulation requires: 1) verification
and monitoring, 2) complaint resolution and 3) education and outreach.
The Online Privacy Alliance believes the best way to create public
trust is for organizations to alert consumers and other individuals
to the organization's practices and procedures through participation
in a program that has an easy to recognize symbol or seal.
an independent trusted third party that organizations are engaged
in meaningful self-regulation of online privacy, may be necessary
to grow consumer confidence. Such validation should be easily recognized
by consumers, for example through the use of a seal or other symbol.
The symbol or seal can be used to connote both compliance with privacy
policies and an easy method for consumers to contact the seal provider.
Thus, the Online Privacy Alliance supports third-party enforcement
programs that award an identifiable symbol to signify to consumers
that the owner or operator of a Web site, online service or other
articulated by the Online Privacy Alliance, has put in place procedures
to ensure compliance with those policies, and offers consumer complaint
Such a privacy
seal program (hereinafter "the seal program") should implement mechanisms
necessary to maintain objectivity and build legitimacy with consumers.
The seal program should utilize a governing structure that solicits
and considers input from the business community, consumer/advocacy
organizations and academics in formulating its policies. The seal
program should strive to create a consistent and predictable framework
in implementing its procedures. The seal program should be independent
and should endeavor to make receipt of the seal affordable for and
available to all online businesses.
A seal program
should include the following characteristics:
In order to minimize confusion and increase consumer confidence,
efforts shall be taken to ensure ubiquitous adoption, and recognition
of seals through branding efforts, including, for example, co-branding
with corporations or associations.
A seal program should be flexible enough to address issues related
to both sensitive and non-sensitive information.
A seal should be easy for the user to locate, use and comprehend.
The cost and structure of a seal should encourage broad use and
should not be prohibitive to small businesses. The cost of a seal
will vary based on a number of factors, including the extent and
complexity of review, size of the business, the amount and type
of individually identifiable information collected, used and distributed,
and other criteria.
A seal provider should be able to pursue all necessary avenues
to maintain the integrity of the seal, including trademark enforcement
A seal provider should have the ability to handle the number and
breadth of consumer inquiries and complaints about the potential
violation of online privacy policies and should have an established
set of mechanisms to address those inquiries and complaints.
A seal program
with the principles endorsed by the Online Privacy Alliance. The
scope of this requirement only applies to the participating organization
and does not apply to the Web pages of affiliates or other Web pages
linked to or from the participating organization's Web page. While
these baseline principles should be standardized, individual policies
accepted by the seal provider should allow for sector-specific variations.
The seal program must then require that an organization put in place
either self-assessment or accept the seal program's compliance review
prior to awarding the seal.
If a self-assessment
system is chosen, it must be pursuant to a rigorous, uniform, clearly
articulated and publicly disclosed seal program methodology under
which an organization would be asked to verify that its published
completely implemented and accessible; and that consumers are informed
of the consumer complaint resolution mechanisms through which complaints
are handled. A statement verifying the self-assessment should be
signed by a corporate officer or some other authorized representative
of the company. The self-assessment should then be reviewed by the
seal program to assure compliance with the methodology. Specific
criteria for when a company should improve the implementation of
its self-assessment system, adopt further measures, or circumstances
when a third-party review is required, should be part of the seal
program's methodology for acceptable self-assessment.
should be required by the seal program to ensure that those displaying
the seal continue to abide by their privacy policies and that those
policies continue to be consistent with its principles. These periodic
reviews may include, but are not limited to, auditing, random reviews,
use of "decoys" or use of technology tools as appropriate to ensure
that sites are adhering to the articulated privacy policies.
In cases where
there is evidence that the company is not abiding by its privacy
policies, the seal provider should establish clear criteria for
placing that company on probation or beginning procedures for the
seal's revocation. The seal provider should establish clearly defined
criteria for when and how a company's seal may be revoked. A company
should be given notice and the opportunity to request outside review
before its seal is revoked. Seal revocation should be a matter of
public record. The seal provider must clearly state the grounds
for revocation and establish a post-revocation appeals process.
In addition to the above criteria, the seal provider should also
strive to ensure the integrity of the seal by monitoring for misuse
third-party enforcement mechanism must provide its participants
and consumers a structure to resolve complaints and consequences
for failure to do so. Thus, a seal program must define the scope
of complaints subject to the complaint resolution process, have
a system in place to address complaints, the necessary staff to
handle the volume of complaints and the organizational depth to
resolve them. The seal program must provide a variety of easy mechanisms
to allow consumers to lodge complaints or ask questions. Seal recipients
must agree to the complaint resolution procedure.
Under the complaint
resolution system, consumers must first be required to seek redress
for their complaints from the company they believed to have aggrieved
them, before being granted access to the seal program's complaint
resolution mechanism. Where complaints cannot be adequately resolved
by the company, and where the consumer and company have exhausted
good faith efforts to reach agreement, the company should be required
to submit to a complaint resolution mechanism.
outcomes must not be contrary to any existing legal obligations
of the participating company. Failure of a company to agree with
the outcome of the seal program's complaint resolution should result
in previously identified consequences to the company. Notwithstanding
the complaint resolution process, the consumer, the company and
the seal provider may pursue other available legal recourse.
A seal program
must develop and implement policies to educate consumers and business
about online privacy.
A seal program
must develop and implement policies to encourage awareness of the
program and online privacy issues with both consumers and businesses.
Such techniques shall include: publicity for participating companies,
public disclosure of material non-compliance or seal revocation,
periodic publication of the results of the monitoring and review
procedures, or referral of non-complying companies to the appropriate