TrustArc Blog

What you Need to Know About the GDPR: Practical Steps to Address GDPR Compliance

May 09, 2017

While some organizations have written about the impending GDPR deadline and potential fines, or re-printed an exact copy of the text itself, TRUSTe has taken the 200+ pages of the GDPR and translated it into practical implementation steps for an organization of any size or maturity. The implementation steps are grouped into five actionable phases: Building a Program and Team; Assessing Risks and Creating Awareness; Designing and Implementing Operational Controls; Managing and Enhancing Controls; Demonstrating Ongoing Compliance. A sample implementation step is developing a DPIA program, which includes creating templates, conducting DPIAs, managing remediation, and providing compliance reports. The guide also …

COPPA is Not Just for Kids’ Websites Anymore

November 03, 2014


This article was first published in the IAPP Privacy Tracker blog on 10/28/14 

By Joanne Furtsch, Director of Product Policy at TRUSTe, CIPP/C, CIPP/US

It’s not just online services and websites targeted toward children that need to be diligent about following Children’s Online Privacy Protection (COPPA) regulations. A few months ago the Federal Trade Commission (FTC) took two companies to court for violating COPPA.

These most recent cases highlight two ends of the spectrum of COPPA violators: One was an app specifically targeted toward children, while the other was a popular app for all audiences that had a faulty age-gate mechanism and was collecting personal information from children under age 13 who were using the app.

Regardless of the audience a website or online service is intended for, these recent cases underscore how important it is for companies to ensure they comply with COPPA.

COPPA first went into effect in 2000. It only applies to children under 13 because that age group was deemed the most vulnerable to online marketing (although best practices suggest asking parental permission for all minors). Two years ago the FTC revised the COPPA Rule to keep pace with rapidly changing technology by adding five additional regulations to the existing set of rules. The updates include expanding the types of personal information companies cannot collect from minors under the age of 13 unless the company gets verifiable parental consent (VPC).


TRUSTe Congratulates IBM on APEC Certification

August 20, 2013

TRUSTe congratulates IBM on the milestone achievement of being the first company to certify their data transfer practices with TRUSTe under the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) system. One of the certification requirements is to have an Accountability Agent to certify compliance with the CBPRs. TRUSTe, as the first Accountability Agent for APEC’s privacy framework, worked closely with IBM to ensure both online and offline data collection points were in compliance with the CBPR system. TRUSTe will monitor ongoing compliance and deliver consultative services throughout the partnership. The safe handling of consumers’ personal information is crucial …

Too prescriptive for innovation? The current impasse with the proposed EU regulation

November 12, 2012

Saira Nayak
Policy Director | TRUSTe


It’s hard to say what the future is for the proposed EU data protection regulation. Nearly a year after its announcement in January 2012, the proposed reg – in particular its more prescriptive requirements – continues to engender controversy and discussion among stakeholders on both sides of the Atlantic. Industry opposition to the more burdensome requirements has grown louder; even the US Chamber has gotten involved in the lobbying effort to alter the proposals.

The concerns with the proposed reg aren’t just limited to industry. Yesterday, the UK ICO Commissioner, Christopher Graham, told an audience that the proposed reg is unworkable for regulators – because of its prescriptive proposals (it forces them to fine companies, for example), and requirements that would require a large staff to implement (a resource many DPAs don’t have in Europe).

Additional concerns with the proposed reg were summarized in last week’s report by the UK House of Commons Justice Select Committee, who told the European Commission that they would need to “go back to the drawing board” on the current Data Protection proposals.

Yet it’s unclear whether the primary author of the proposed reg, EU Commissioner Viviane Reding, would agree – which means we may be at an impasse. Reding of course is the EU’s Commissioner for Justice, Fundamental Rights & Citizenship – data protection falls within her portfolio.