TRUSTe Report (July 11, 2009)
US APEC Privacy Pathfinder Testing, Projects 1 and 3

INTRODUCTION
The United States Delegation, led by the Department of Commerce, volunteered to participate in Pathfinder Projects 1 and 3, including testing the usefulness of documents produced to understand how they might work in a cross-border privacy accountability process.

During the period of May 13, 2009 through June 10, 2009, the US Delegation tested the utility of the Company Self-Assessment Questionnaire (Project 1 Document) in determining whether participating companies’ privacy policies and representations of their practices implemented the APEC Information Privacy Principles (Principles). Second, the test considered the usefulness of the Project 3 guidance document, which outlined for Accountability Agents how to interpret the Principles and map a company’s responses to the Project 1 Questionnaire with adherence to the Principles.
US PARTICIPATION

Participating Companies:
 
Experian (Cheetah Mail) 
 
Microsoft 
 
Google (Gmail) 
 
Oracle 
 
Hewlett Packard 
 
Procter & Gamble
 
IBM

Accountability Agent: TRUSTe
TRUSTe is serving as the Accountability Agent for companies headquartered in the United States that are participating in the APEC Privacy Framework Pathfinder Testing. By promoting and elevating best practices for privacy and business accountability, TRUSTe helps companies build trustworthy relationships with consumers around the world.

TRUSTe certifies the privacy policies and practices of businesses that have an online presence. Current programs and services of TRUSTe include its Web Privacy Seal, EU Safe Harbor Seal, Children’s Privacy Seal, E-mail Privacy Seal, a Trusted Download Program, and Trusted Site Services (small business offerings currently in beta). Service features of many TRUSTe programs include capacity building for businesses to implement best practices, certification of business practices and awarding seals, monitoring and scanning of websites, compliance and enforcement oversight, and providing consumer complaint intake and dispute resolution services through our Watchdog Program.
BRIEF CONCLUSIONS 
It was possible to use the Project 1 Company Self-Assessment Document and the guidance of the Project 3 Document to assess whether participating companies have privacy policies and representations of their practices that are consistent with the APEC Privacy Principles.

However, from an Accountability Agent perspective, TRUSTe determined that the exercise was insufficient to verify actual practices and their consistency with a company’s privacy promises and representations. The Project 3 Document has limited utility. The current state of the Project 3 Document does not provide for measurable requirements or verification steps for an enforceable accountability program.

In order to set a baseline for APEC Privacy Framework accountability programs, there should be measurable requirements against which actual practices of companies can be measured and verified (See Recommendations Section of this Report and TRUSTe Report Appendix A).
 
THE TESTING EXERCISE

Coordination of Testing
As the US Accountability Agent for the Pathfinder testing of Projects 1 and 3, TRUSTe coordinated testing with the seven US Participant Companies. Through e-mail and group conference calls, we explained testing parameters, entered into non-disclosure agreements with the individual companies, and established a testing schedule that ran from May 13 through July 10.
Companies Respond to the Project 1 Questionnaire

Each of the Participant Companies submitted responses to the Project 1 Document on or after May 29. Some also included additional supporting documents.
TRUSTe Review 
TRUSTe independently reviewed Participant Company submissions, supporting materials provided, and their privacy policies. TRUSTe also visually reviewed the companies’ websites. TRUSTe followed up with companies with additional questions and also took company comments about the documents and testing process via e-mail, through company responses to the Project 1 Questionnaire, and verbally through phone contacts and meetings.

At the conclusion of the testing, TRUSTe hosted conference calls with Participant Companies as a group and shared its evaluation of the exercise and provided opportunities for Participant reflections on the process. Working collaboratively with financial services sectors, TRUSTe included BITS, part of the Financial Services Roundtable in the US, in TRUSTe-led industry calls at the initiation and conclusion of testing. BITS is participating in a parallel, independent testing of the Project 1 and 3 documents (with the Federal Deposit Insurance Corporation (FDIC) designated as the likely public sector accountability agent for BITS bank members that are subject to regulation).
TRUSTe Report on the Testing Exercise: Accomplishments, Gaps, Challenges, and Recommendations

This report reflects TRUSTe’s analysis from the perspective of an Accountability Agent. It also comprehensively reports all comments by Participant Companies regarding the documents and test experience that were shared with TRUSTe (See TRUSTe Report Appendices B and C).
ACCOMPLISHMENTS 
The primary accomplishment of the APEC Pilot was that TRUSTe could effectively assess whether the Participating Companies have privacy policies and represented practices that are consistent with the Principles. We could affirm this conclusion with respect to each Participating Company. The analysis, per the scope of the exercise, was limited to a review of their written responses to the Project 1 Questionnaire, their privacy policies, and a visual review of company websites.
