Robert, you are mistaken that TRUSTe does not hold members to specific privacy standards. The TRUSTe program requirements actually take legislation and best practice across industry verticals and create a "best-of-breed" set of requirements, which is not the current state of legislation. Further, it should be noted that SiteAdvisor's own review methodology does not consider many (if not all) of these privacy principles in its review of websites.
TRUSTe program requirements are actually more robust than any one industry's legal requirements. Some examples:
• Third Party Dispute Resolution - Most regulatory schemes do not require an independent third party dispute resolution process for consumers that believe a privacy policy has been violated.
• Online Privacy Policies - Up until recently, posting a privacy policy was not required by law. Outside the healthcare and financial services sectors, it is still not required (except in California) for most businesses.
• Third Party Use restrictions - Requiring use (not just disclosure) of third party information to be opted into is not standard across industries.
• Disclosure and Use restrictions - This requirement is much more restrictive than any industry regulatory scheme. There is no exception for disclosure or use unrelated to the purpose for which the data was collected (outside fraud protection and legal process). Most opt-out schemes do not discuss use; only disclosure.
• Security Requirements - Outside the financial and healthcare services, there isn't an affirmative, express obligation around security, or notice of security breaches.
• Consumer Access and Correction - Most businesses do not have an obligation to allow the consumer to access and correct data about them.
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/313/1394#1394