The Federal Trade Commission (FTC) recently announced an enforcement action against TRUSTe, a provider of privacy certifications for online businesses. The settlement resolves allegations that TRUSTe deceived consumers about its recertification program of companies’ privacy practices, as well as perpetuated misrepresentations about TRUSTe’s status as a non-profit entity.

FTC Chairwoman Edith Ramirez stated that “[s]elf-regulation plays an important role in helping to protect consumers. But when companies fail to live up to their promises to consumers, the FTC will not hesitate to take action.” While industry self-regulation through third-party certification programs may assist to communicate privacy standards to consumers, companies must take responsibility for and regularly review their own privacy policies and practices.

Since approximately June 1997, TRUSTe has offered companies a “seal” that can be displayed on company websites and mobile applications indicating that the companies meet designated privacy requirements as established by TRUSTe. These requirements include transparency of company practices, verification of privacy practices, and consumer choice regarding the collection and use of personal information. In an FTC blog post, an FTC attorney noted: “Because consumers can’t test the accuracy of [company privacy] claims, they often rely on third-party seals trusted for their expertise and independence… TRUSTe’s Certified Privacy Seals are pretty much everywhere you look on the web.”

For companies that display the privacy seal, TRUSTe purports to recertify privacy seal holders on an annual basis to identify, among other things, material changes to any company privacy policies; changes in company business models; and compliance with external third-party program requirements, such as the Children’s Online Privacy Protection Act (COPPA) or U.S. Department of Commerce self-certification to the U.S./EU Safe Harbor. The FTC’s complaint alleges that from 2006 until January 2013, TRUSTe failed to conduct annual recertifications of companies holding TRUSTe privacy seals in more than 1,000 incidences, despite statements on the TRUSTe website that such recertifications occur each year.

The consent order imposes $200,000 in disgorgement, to be submitted to the U.S. Treasury Department, and additional reporting requirements regarding TRUSTe’s COPPA safe harbor, which the FTC approved in 2001. The settlement also resolves FTC allegations that TRUSTe misrepresented its status as a nonprofit entity.

In a statement supporting the settlement, FTC Chairwoman Ramirez noted that TRUSTe holds a “unique position in the privacy self-regulatory ecosystem” by holding companies accountable for protecting consumer privacy, and thus TRUSTe “should themselves be held to an equally high standard.” Although the FTC did not announce any action being taken against those companies that continued to display the TRUSTe seal despite the lack of any annual recertifications, companies should be conducting their own annual assessments of their privacy practices.