June 2000
WEBSITE CERTIFICATION: THE TRUSTe ALTERNATIVE
By Linda Lee Larson and Steven D. Hall
A potentially profitable new market for CPA firm services is being driven by the enormous growth in electronic commerce over the World Wide Web. Websites must be secure and offer consumer privacy if customer confidence is to be developed and preserved. To allay consumer fears and improve consumer confidence, the AICPA and the Canadian Institute of Chartered Accountants (CICA) developed the WebTrust assurance service.
As would be expected, other website certification seal programs are also competing in the market. These include the TRUSTe privacy seal program, the ICSA certified products program, and the Better Business Bureau's On-Line Reliability and On-Line Privacy Seal programs. The TRUSTe privacy seal program is perhaps the most popular of these alternative programs.
The TRUSTe Program
TRUSTe was founded by the Electronic Frontier Foundation (EFF) and the CommerceNet Consortium. The EFF is a nonprofit organization that works to promote privacy, free expression, and social responsibility in new media. CommerceNet works to promote expanded sales transactions over the Internet. Together, these two organizations formed TRUSTe in late 1996. The purpose of the TRUSTe organization is to accelerate Internet-based sales by making the Internet a better place to do business. The TRUSTe privacy seal program was officially launched on June 10, 1997.
In contrast to the broad business focus of the WebTrust assurance seal, the primary focus of the TRUSTe seal program is protection of consumer privacy. TRUSTe certifies websites of companies that agree to protect the privacy and personal information of persons visiting them. This is important because technology that can gather (and potentially disseminate) personal information about individuals visiting Internet websites exists and is being used. The TRUSTe philosophy is that individuals have a right to expect a website to disclose its policies regarding how personal information is being used.
The TRUSTe privacy seal program provides the business community with a standardized, low-cost solution to address consumer anxiety about sharing personal information online. Another goal of the program is to reassure the government that the industry can successfully self-regulate its activities and protect the public. To that end, TRUSTe has developed a turnkey program that addresses the privacy concerns of consumers, websites, and government officials.
Privacy Principles
The TRUSTe program is based upon a set of program principles, an oversight program, and a consumer complaint resolution process. To qualify, a company must have an acceptable privacy policy that it agrees to adhere to. The privacy policy must state in detail the safeguards that are in place to protect the privacy of the consumer's personal information.
TRUSTe believes that companies must write their own privacy policy statement, as no generic policy will work for everyone. The TRUSTe program enables companies to develop privacy statements that reflect the information gathering and dissemination practices of their site. However, the stated practices must comply with the standard TRUSTe fair information practices and privacy principles, which have been approved by the U.S. Department of Commerce, Federal Trade Commission, and prominent industry-represented organizations and associations. TRUSTe has an online privacy wizard to help companies develop their very own privacy statement.
The license agreement self-assessment form (available as Appendix A at www.truste.org/webpublishers/pub_selfassessment.html) documents in great detail the procedures in place regarding the collection and use of information gathered by the website. Section VIII of the form addresses the special concerns regarding sites of interest to children.
The annual license fee to display the TRUSTe "trustmark" on a site is determined by the company's annual revenue. The fee is typically much less than the fee for a WebTrust seal.
Source: www.truste.org
After the paperwork and the appropriate fee are sent in, an account executive will review the website. If everything is in compliance with the TRUSTe program principles, a trustmark will be issued. Concern over potential misuse of the TRUSTe trustmark has led to the creation of a hotlink from the seal to a list of TRUSTe licensees or a statement authenticating that the site is a licensed program participant.
Oversight Process
The site is then monitored over time in two different ways. First, TRUSTe conducts compliance reviews by visiting authorized websites and entering identifying information. Depending on severity, breaches noted during the review are investigated. This process may include an on-site visit by a TRUSTe auditor. If an auditor determines that a site is noncompliant and proper and immediate corrective action is not taken, TRUSTe may revoke the trustmark.
If TRUSTe is not satisfied with the response of the website after it has exhausted all its remedies, extreme violations are referred to the appropriate legal authority, which in the United States may include the attorney general's office, Federal Trade Commission, or Consumer Protection Agency. TRUSTe may also pursue breach of contract or trademark infringement litigation against the site.
Second, TRUSTe encourages online users to report violations of posted privacy policies, misuse of the trustmark, or other privacy concerns about a site. TRUSTe requires that consumers first attempt to resolve the issue with the website directly. If not satisfied with the licensee's response, consumers can file a complaint with TRUSTe, which will serve as a liaison. TRUSTe posts an online watchdog report for reporting complaints or concerns.
TRUSTe states that it investigates each complaint and works with the website to resolve the issue. If the licensee does not respond promptly and effectively, one of TRUSTe's official auditors may be called upon to go on-site to perform a compliance review.
Status. As of early January 2000, more than 1,000 participants, including AOL, Microsoft, Disney, IBM, Netscape, Compaq, and State Farm Insurance Companies, had enrolled in the TRUSTe program. According to Media Metrix, an estimated 88% of all U.S. Internet users will visit a TRUSTe-licensed site during any given month.
Consulting and Assurance Opportunities
The TRUSTe-related services that a CPA firm could offer would depend upon the in-house expertise of the firm. Adding TRUSTe-related services would be a natural extension for firms that already have e-commerce and WebTrust expertise. CPA firms can assist websites in establishing privacy standards that will comply with TRUSTe policies and standards.
Some CPA firms are already involved in this effort. At present, at least three of the Big Five CPA firms have embraced TRUSTe to a certain extent. At least two of the Big Five websites list TRUSTe services (along with WebTrust) among their offerings of e-commerce assurance services. KPMG LLP developed TRUSTe's self-assessment form. As of February, both KPMG LLP and PricewaterhouseCoopers LLP are listed as "official auditors" for TRUSTe, liable to be called upon to perform on-site reviews if violations are reported or suspected. On March 11, 1999, Ernst & Young LLP and TRUSTe jointly released a white paper outlining a model "enhanced verification program for online privacy." That paper proposes that a "trusted third-party review" be conducted to enhance the existing TRUSTe program (see the paper at www.truste.org/webpublishers/pub_verification.html). Specifically, this document proposes that "TRUSTe certify qualified CPA and consulting firms meeting the criteria for high privacy assurance reviews."
Annual Revenue (in millions)    Annual License Fee
0 - $1                          $299
$1 - 5                          $399
$5 - 10                         $499
$10 - 25                        $1,499
$25 - 50                        $2,499
$50 - 75                        $3,499
$75 or more                     $4,999
Linda Lee Larson, DBA, CIA, CISA, CPA, is an assistant professor of accounting at Eastern Washington University and Steven D. Hall, EdD, CGFM, CPA, is a professor of accounting at Texas A&M University-Corpus Christi.
Editors:
Paul D. Warner, PhD, CPA
Hofstra University
L. Murphy Smith, DBA, CPA
Texas A&M University
©2006 CPA Journal.