In the United States, privacy certifications, or “trustbrands,” are seals licensed by organizations to place on their homepage or within their privacy policy. The seals typically state, or imply, that the organization has high privacy or security standards, or has had its privacy or security practices reviewed by a third party. Some seals also imply that the organization has agreed to join a self-regulatory program that may provide consumers with additional rights, such as a mechanism for resolving privacy-related disputes. Certifications or trustbrands, however, are voluntary in nature, and, for the most part are not offered by government agencies and companies are not required to obtain them.

Historically the European Union, under the EU Privacy Directive treated certifications and trustbrands in a similar way as they were treated in the United States. Companies could obtain them from third parties, if desired, but they were neither mandatory nor offered by government agencies. The EU Working Party – an advisory group composed of representatives from the EU Commission and data protection authorities of the member states – envisioned a possible greater role for certifications in helping to keep companies accountable for their privacy and security practices.¹

The EU’s new General Data Protection Regulation (“GDPR”), which goes into force in Spring 2018, envisions a much more explicit role for certifications and trustbrands; and more government oversight of organizations that offer them. Specifically, the GDPR states that data controllers and data processors (i.e., those who collect personal information and control how it is used, and those that provide services pursuant to the direction of other companies) may use “certifications” as an “element” to “demonstrate compliance” with their statutory obligations.²

The GDPR’s concept of certifications, seals, and trustbrands, differs fundamentally, however, from those concepts under current EU law and in the United States. Specifically, under the GDPR an organization that wishes to offer a certification, seal, or trustbrand will have to obtain accreditation from a government agency – i.e., the EU National Accreditation Body, or a member state’s data protection authority.³ To obtain accreditation the certifying organization must demonstrate not only its independence and expertise, but must establish procedures for issuing, reviewing, and withdrawing its certification, seal, and trustbrand to companies, and must establish procedures for avoiding conflicts of interest.⁴ Organizations that obtain the right to issue up to 3 year periods of time.⁵ All certifications, seals, and trustmarks must be registered with the European Data Protection Board.⁶

 What to think about when considering whether your organization should purchase a privacy or security certification:

1. Does the certifying agency represent that it has the ability to certify under the GDPR? If so, you should confirm that it has obtained the right to offer a certification.
2. Does the certifying agency have its own privacy or security standards?
3. Do the certifying agency’s standards attempt to match the current legal requirements in both the US and the EU?
4. Does the certifying agency intend to apply for the right to issue certifications under the GDPR?
5. Does your organization’s practices meet the certifying agency’s standards?
6. If the certifying agency’s standards change to accommodate the GDPR, is your organization prepared to modify its practices accordingly?
7. Has the certifying agency been investigated by the FTC, or another consumer protection authority, for deceptive or unfair practices?
8. If so, are you confident that the certifying agency’s seal and review process is non-deceptive and that association with the agency will not result in negative publicity?
9. Have consumers complained to the FTC or to EU regulators about the certifying agency?
10. Have plaintiff’s attorneys used the seal against other organizations by alleging that those organizations agreed to a higher standard of care by adopting the seal?

1. Article 29 Data Protection Working Party, Opinion 3/2010 on the Principle of Accountability (July 13, 2010) at ¶¶ 66-68.

2. GDPR Art. 22(2b), 23(2a), 26(2aa), 30(2a)

3. GDPR Art. 39(2a); Art. 39a; Art. 53(1c)(ad).

4. GDPR Art. 39a(2)(a), (b)-(d).

5. GDPR Art. 39(4).

6. GDPR Art. 39(5).

7. Id. at 10.

8. TRUSTe, TRUSTe Privacy index, Advertising Edition – Consumer Interests, (2014), https://www.truste.com/resources/privacy-research/us-consumer-interests-index-2014/.

9. In the Matter of True Ultimate Standards Everywhere, Inc., a corporation, d/b/a/ TRUSTe, Inc., No. C-4512 (March 18, 2015), https://www.ftc.gov/system/files/documents/cases/150318trust-edo.pdf; Federal Trade Commission v. ControlScan, Inc. Civ. No. 1 1--CV-0532 (N.D. Ga. March 8, 2010), https://www.ftc.gov/system/files/documents/cases/20100308controlscan.pdf.

[View source.]