Federal Trade Commission Announces Settlement with TRUSTe Over Privacy Seal Program

Wilson Sonsini Goodrich & Rosati

On November 17, 2014, the Federal Trade Commission (FTC) announced a settlement with True Ultimate Standards Everywhere (TRUSTe) resolving allegations that TRUSTe failed to conduct annual recertifications for its privacy seal program and perpetuated a misrepresentation that it was a non-profit entity.1 The FTC alleged that these practices were deceptive and in violation of Section 5 of the FTC Act. The settlement is noteworthy not only because TRUSTe is a well-known provider of privacy certifications, but also because the complaint involves a "means and instrumentalities" claim and the settlement includes a $200,000 disgorgement, which are both rare for a Section 5 privacy case.

Background

TRUSTe provides privacy seals to companies that meet its privacy certification requirements in areas such as mobile apps, websites, cloud storage, Children's Online Privacy Protection Act (COPPA), and the U.S.-EU Safe Harbor Framework.2 In order to maintain a certification, companies must correctly display applicable TRUSTe seals on their websites and mobile applications and undergo annual recertifications by TRUSTe. An annual recertification includes a review of the company's privacy policy, validation of seal requirements, changes in the company ownership or business model, and compliance with third-party program requirements, such as COPPA or Safe Harbor. Companies must also include a statement provided by TRUSTe in their privacy policy that describes TRUSTe and its mission. TRUSTe was founded as a non-profit corporation but transitioned to a for-profit company on July 3, 2008.

In its first claim, the FTC alleged that it found over 1,000 instances between 2006 and January 2013 in which TRUSTe did not conduct annual recertification reviews of companies displaying a TRUSTe privacy seal, even though TRUSTe's certification programs required such reviews. The FTC alleged that TRUSTe's failure to conduct the reviews made its statements regarding the required recertifications false or misleading, and thus a violation of Section 5 of the FTC Act.3 On the same day that the FTC announced the settlement, TRUSTe CEO Chris Babel published a blog post noting that the 1,000 instances represent less than 10 percent of the total number of annual reviews that the company was scheduled to conduct during the time in question.4

In its second claim, the FTC alleged that TRUSTe furnished the "means and instrumentalities" for companies it certified to misrepresent TRUSTe's non-profit status. The mission statement TRUSTe provided to its clients prior to July 3, 2008, accurately stated that TRUSTe was a non-profit company. After TRUSTe became a for-profit company, however, it allegedly recertified some of its clients even though their privacy policies still described TRUSTe as a non-profit. The FTC alleged that by providing the language describing TRUSTe as a non-profit and continuing to certify clients using that language, TRUSTe furnished the means and instrumentalities for the commission of deceptive acts or practices in violation of Section 5.

Settlement

In the FTC Settlement,5 TRUSTe agreed to:

  • not misrepresent the steps it takes to certify a company's privacy practices;
  • not misrepresent the frequency of its recertifications;
  • not misrepresent its corporate status;
  • not misrepresent the extent to which a company participates in one of TRUSTe's compliance programs;
  • not provide companies the means and instrumentalities with which to make, directly or by implication, any misrepresentations about TRUSTe's certification processes, compliance programs, or its corporate status;
  • undertake additional reporting obligations for ten years as part of its existing annual reporting requirements for its COPPA safe harbor program; and
  • maintain detailed reports for ten years on assessments conducted on new and existing applicants for its COPPA safe harbor program, including the frequency of the assessments, documents related to consumer complaints alleging violations of the COPPA program by TRUSTe or a participant, documents related to records of disciplinary actions taken against participants in the COPPA program, and documents related to approvals of COPPA program participants' use of verifiable parental consent mechanisms.

Among other administrative requirements in the settlement, TRUSTe also agreed to pay $200,000 to the U.S. Treasury as disgorgement.

Implications

Companies certified by TRUSTe should ensure that they have removed all references to TRUSTe's prior non-profit status from their privacy policies. The settlement also serves as a general reminder that statements made in a company's privacy policy must be accurate.

The settlement is also significant because it includes two issues not typically found in FTC Section 5 privacy cases. First, the settlement requires TRUSTe to pay $200,000 in disgorgement, which is an unusual form of relief in a pure Section 5 privacy case. The FTC does have the authority to obtain civil penalties in certain privacy cases—those involving violations of the Fair Credit Reporting Act, the COPPA Rule, or an existing FTC order. Disgorgement and redress, however, are more common in the FTC's traditional fraud cases. The inclusion of disgorgement in this settlement may signal that the FTC will begin seeking monetary relief in addition to injunctive relief in future privacy settlements.

Second, not all of the FTC commissioners agreed upon the inclusion of a "means and instrumentalities" claim against TRUSTe. Commissioner Maureen Ohlhausen dissented from the FTC's second claim, stating that for a company to "be liable of deception under means and instrumentalities [the company] itself must make a misrepresentation."6 Commissioner Ohlhausen argued that TRUSTe did not make the statements regarding its non-profit status, and at most aided and abetted its clients' actions by not requiring clients to update the inaccurate statements. Chairwoman Ramirez and Commissioners Brill and McSweeny disagreed with Commissioner Ohlhausen's argument, stating that TRUSTe's recertification of the inaccurate privacy policies is consistent with previous FTC cases, In the Matter of Shell Oil Co.7 and FTC v. Magui Publishers,8 because TRUSTe "place[d] the means of deception in the hands" of its clients. The distinction between making a claim under "means and instrumentalities" versus "aiding and abetting" is significant because, as noted by Commissioner Ohlhausen, the FTC "may well be precluded from bringing Section 5 cases under an aiding and abetting theory."9 In any event, the FTC's inclusion of a "means and instrumentalities" claim in its complaint may reflect an increased willingness by the FTC to consider a broader range of legal theories when bringing future privacy cases. As a result, companies should ensure the accuracy of not only their own privacy representations, but also representations that others may be making with their assistance.

1 Press Release, FTC, "TRUSTe Settles FTC Charges It Deceived Consumers Through Its Privacy Seal Program," November 17, 2014, http://www.ftc.gov/news-events/press-releases/2014/11/truste-settles-ftc-charges-it-deceived-consumers-through-its.

2 Privacy Certifications, TRUSTe.com, http://www.truste.com/products-and-services/enterprise-privacy/certifications.

3 Complaint, In the Matter of True Ultimate Standards Everywhere, Inc., FTC No. 1323219 (Nov. 17, 2014), available at http://www.ftc.gov/system/files/documents/cases/141117trustecmpt.pdf.

4 Chris Babel, "TRUSTe's Agreement with the FTC," TRUSTe Blog, November 17, 2014, http://www.truste.com/blog/2014/11/17/truste-ftc/.

5 Agreement Containing Consent Order, In the Matter of True Ultimate Standards Everywhere, Inc., FTC No. 1323219, November 17, 2014, available at http://www.ftc.gov/system/files/documents/cases/141117trusteagree.pdf.

6 Partial Dissent of Commissioner Maureen K. Ohlhausen, In the Matter of True Ultimate Standards Everywhere, Inc., November 17, 2014, http://www.ftc.gov/system/files/documents/public_statements/599081/141117trustedisstmtmko.pdf (hereinafter Ohlhausen Dissent).

7 128 F.T.C. 749 (1999).

8 No. 89-3818RSWL(GX), 1991 WL 90895 (C.D. Cal. Mar. 28, 1991), aff'd 9 F.3d 1551 (9th Cir. 1993).

9 Ohlhausen Dissent, supra note 6 (quoting In the Matter of Shell Oil Co., 128 F.T.C. 749, *19 (1999)(Swindle Dissent)).

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wilson Sonsini Goodrich & Rosati | Attorney Advertising
