Statement of Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny
In the Matter of True Ultimate Standards Everywhere, Inc. (“TRUSTe”)
November 17, 2014

We write to express our strong support for the complaint and consent order in this case. The Commission unanimously supports Count I of the complaint in this matter, which is of paramount importance, in light of TRUSTe’s unique role in increasing consumer trust in the global marketplace and ensuring the effectiveness of relevant self-regulatory frameworks.

TRUSTe operates privacy-related self-regulatory and oversight programs for businesses and offers certified privacy seals for program participants, including (1) COPPA/Children’s Privacy, which certifies compliance with the Children’s Online Privacy Protection Act and implementing regulations; (2) EU Safe Harbor, which certifies compliance with the U.S.-EU Safe Harbor Framework; (3) TRUSTed Apps, which certifies the privacy practices of mobile applications; and (4) APEC Privacy, which certifies compliance with the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System.[1]

In Count I, the Commission alleges that TRUSTe promised consumers it would annually recertify its self-regulatory program participants for compliance with TRUSTe’s privacy program requirements, but that, in many instances, it failed to do so. Annual recertification is a cornerstone of the service TRUSTe provides. It helps ensure that companies (1) continue to follow TRUSTe’s program requirements, (2) do not make material changes to their practices or policies without appropriate consent, and (3) periodically consider the impact of technology and marketplace developments in their privacy practices. TRUSTe did not fulfill its obligations; today’s order helps to ensure that TRUSTe will do so in the future.
Consumers who see the TRUSTe seal on a website or mobile app should be confident that a trusted third party has kept its promise to review and vouch for the privacy practices of that website or mobile app.

We also believe that Count II represents an appropriate use of “means and instrumentalities” liability. At the time TRUSTe provided model language for its clients’ privacy policies stating that TRUSTe was a nonprofit entity, there is no question that the statement was true. However, after TRUSTe informed clients of its for-profit status in 2008, many clients neglected to update their policies and continued to represent that TRUSTe was a nonprofit entity. These ongoing representations by TRUSTe’s clients clearly became deceptive once TRUSTe converted to a for-profit entity. Yet for five years, TRUSTe continued to recertify some companies that included this deceptive statement, that TRUSTe itself had disseminated, in their privacy policies. TRUSTe was well-positioned to rectify the misrepresentation about its own corporate status – it could have elected simply not to recertify the companies in question until the misrepresentation was cured. It failed to take this straightforward step and instead continued to bless the language at issue by giving the companies its seal of approval.

In Shell Oil Company and FTC v. Magui Publishers, Inc., which Commissioner Ohlhausen cites in her statement, the Commission concluded that by providing customers with deceptive statements, the respondent furnished the means and instrumentalities for its clients to engage in deceptive acts or practices.[2] In this case, although TRUSTe disclosed to clients its change in status, it continued to recertify privacy policies using language TRUSTe had itself supplied about its corporate status that was no longer true. TRUSTe’s recertification of these inaccurate privacy policies is the conduct we take aim at – it provided a stamp of approval of a false representation which TRUSTe’s clients then passed along to consumers via their websites. As such, TRUSTe provided its clients with the means and instrumentalities to deceive others.

The application of means and instrumentalities liability in this case is consistent with the principle underlying Shell and Magui Publishers, namely, that one who places the means of deception in the hands of another is also liable for the deception under Section 5.[3] The inclusion of this count is particularly appropriate here, given TRUSTe’s unique position in the privacy self-regulatory ecosystem. Companies that purport to hold their clients accountable to protect consumer privacy should themselves be held to an equally high standard.

[1] TRUSTe’s APEC Privacy certification program was not the subject of the allegations in the complaint. TRUSTe became an “Accountability Agent” for the APEC Cross-Border Privacy Rules System in June 2013, and issued its first certification under that program in August 2013.

[2] In the Matter of Shell Oil Co., 128 F.T.C. 749 (1999); FTC v. Magui Publishers, Inc., No. 89-3818RSWL(GX), 1991 WL 90895 (C.D. Cal. Mar. 28, 1991), aff’d 9 F.3d 1551 (9th Cir. 1993).

[3] Commissioner Ohlhausen suggests that the allegations underlying Count II would be more appropriately viewed through the lens of secondary “aiding and abetting” liability. Regardless of whether one could construct alternative theories of liability, our concern is with TRUSTe’s own actions. As discussed above, the deception here was the result of TRUSTe’s own actions.