Year Ahead: U.S. Public Policy
According to John Kamp of Wiley Rein & Fielding, here are five pieces of legislation to watch out for. »Learn More

Year in Review: Global Privacy Policy
Cynthia Rich of Morrison & Foerster surveys the five top privacy policy developments around the globe. »Learn More

Year Ahead: 2004 at TRUSTe
TRUSTe executive director Fran Maier introduces five issues TRUSTe will tackle over the next 12 months. »Learn More

TRUSTe News
Four of the nation's biggest names in privacy join the TRUSTe Board of Directors »Learn More

Stay Current!
Upcoming privacy and security events around the nation. »Learn More

TRUSTe Tech Tip
Make one small change to your privacy statement to comply with the new California privacy law. »Learn More

Welcome New Licensees
The newest Web sites to display the TRUSTe seal. »Learn More

U.S. Legal and Legislative Developments to Follow -- Warily -- in 2004
By John Kamp

In 2004, watch for U.S. legislators and enforcers to engage in some aggressive policy actions in the realm of privacy and consumer protection. However, we need to be wary of laws, regulations, and enforcement actions enacted under the mantle of privacy but really having little to do with the central issue. Here, I predict, are the most important privacy policy developments we will see in 2004:

1. Homeland security, especially airline passenger screening. Everyone who has endured the current passenger screening system is relieved we have it, worries about how well it really works, and knows there must be a better way. Almost inevitability, however, this "better way" will require more than personal searches at the gate -- it will require screening databases to determine if passengers are who they say they are and if they are threats to the others on the plane. The implications for privacy are clear. Indeed, Congress already has delayed the so-called CAPPS II plan for airline screening because of privacy concerns.

2. Smart tags. Major companies and the U.S. Department of Defense are now requiring that "smart tags," or RFID (radio frequency ID) devices, which use radio frequencies to enable tracking of the tag, be placed on any object that needs to be tracked for any purpose, including public safety. Such technology may eventfully replace existing inventory tags in retail stores. As smart tags become more fully deployed, expect their use to raise privacy concerns.

3. Wireless spam. Tucked into the CAN-SPAM Act last year is a requirement that the FCC conduct a public rulemaking about the privacy implications around the use of GPS capabilities in mobile phones. Indeed, phone carriers will soon know where we are in addition to who we are, who we call, and our billing and paying patterns. Watch the FCC rulemaking carefully for clues not only about privacy, but about who will have control over the databases containing the information the carriers are collecting -- and when and how marketers might access them.

4. Congressional action. Although Congress is not expected to take up a major privacy bill before the election, expect action in smaller bills. Be particularly watchful of privacy provisions attached to seemingly unrelated bills. The wireless spam provisions mentioned above were added quietly to the CAN-SPAM Act. Already, business interests are proposing amendments to existing telemarketing acts to fix the fax provision of the Federal Communication Act. If they succeed, members of Congress will seek to add all sorts of other provisions.

5. California, California, California. In 2003 California passed 15 new privacy laws, including a spam law that propelled Congressional passage of the federal CAN-SPAM Act, which preempted state spam laws. California is the largest market for many national companies, and its privacy laws often create a de facto national standard. For example, AB 68, which goes into effect on July 1, 2004, will require that all Web sites have privacy policies (see "Tech Tip" below to find out how this applies to TRUSTe sealholders). Other California laws, especially the broad reach of its provisions related to security breaches, make California as significant a presence in the arena of privacy as the federal government.

John Kamp is of counsel at Wiley Rein & Fielding.

Privacy Developments Around the Globe
By Cynthia Rich

This year governments around the world have felt even more pressure to enact privacy legislation. Paradoxically, although countries in Asia, Europe, and North America are becoming more aware of the need for global rules for data processing, resolving the issue of global data transfers is becoming more challenging as the number of disparate national privacy laws increases. Here are five of 2003's most significant developments in privacy policy outside the United States:

1. Asia-Pacific.The intergovernmental organization Asia-Pacific Economic Cooperation (APEC) is developing a new privacy framework to encourage the development of appropriate privacy protections and ensure the free flow of information in the region. The goal of this initiative is to offer companies in APEC member countries a more flexible alternative to the EU privacy approach to cross-border data transfers.

2. Japan. On May 23, 2003, Japan enacted a Personal Information Protection Law regulating the acquisition and dissemination of personal information for commercial use. Under the law, which will become effective on April 1, 2005, businesses must provide notice about the purposes for which they collect and use information, obtain prior consent to share information with third parties, and respond to access and correction requests from individuals. Unlike the EU Data Protection Directive,Japan's law does not impose any additional requirements on cross-border data transfers.

3. European Union. While the European Commission recognizes that its cross-border data transfer rules are overly burdensome and in need of improvement, the June 3, 2003, consultative paper issued by the Article 29 Working Party dashed hopes for rapid progress toward developing a more streamlined approach to data protection.

4. Latin America. The prospects for privacy legislation in Mexico and Latin America are improving, due largely to outrage felt across the region over ChoicePoint's sale of citizens' personal data to the U.S. Immigration and Naturalization Services. Mexico is expected to introduce a new, more business-friendly bill in 2004 in response to industry concerns raised about previous bills. Colombia, Brazil, and Peru also have privacy legislation pending.

5. Canada. As of January 1, 2004, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) comes fully into effect. PIPEDA now applies to all personal information collected, used, or disclosed in the course of commercial activities by all private-sector organizations, except in provinces that have enacted legislation deemed substantially similar to the federal law. To date, Quebec is the only province with legislation that applies.

Cynthia Rich is a senior international policy analyst in the Washington, D.C., office of Morrison & Foerster LLP. She is a member of the firm's international privacy practice, which advises clients on legal issues relating to privacy and transborder data transfers around the world.

The past year was another great year for TRUSTe. Some of last year's privacy imperatives will continue to be our focus in 2004, and some new initiatives make it onto the plate:

1. Building a stronger, streamlined certification process.

To remain in line with the regulatory and legislative perspectives, TRUSTe will be adding explicit requirements for email and removing the shelf-life preferences option from privacy policies. The new license agreement and program requirements will come out in February 2004.

Based on feedback from sealholders, we have streamlined the self-assessment, removing redundant questions and adding a glossary of terms. We will soon be streamlining the renewal process as well. Once existing sealholders have signed on to license agreement v. 9.0, available this spring, those going through renewal will no longer be required to fill out the self-assessment every year. Rather, they will be allowed to amend it either when they make material changes to their privacy statements or every third year, unless they assign the TRUSTe license to another company or are investigated by TRUSTe.

2. Restoring trust to email.

Spam continues to take its toll on email for consumers. Building on its success with the Bonded Sender program, TRUSTe will continue to develop products to help senders mark their legitimate email. We will focus new product development on leveraging our consumer brand to help consumers identify responsible senders.

3. Preempting wireless privacy violations.

With the successful launch of our forthcoming Wireless Privacy Standards in early 2004 we are building the foundation for a Wireless Privacy Seal program. As part of the CAN-SPAM Act, the Federal Communications Commission has been asked to review the issue of wireless spam. TRUSTe and the Wireless Advisory Committee will be watching these developments closely

4. Exploring new privacy frontiers.

Three emerging privacy issues are catching the eye of TRUSTe in 2004: spyware, radio frequency ID, and vendor privacy certification. You will be hearing more about these issues in upcoming issues of this newsletter.

5. Continue expanding member benefits.

Continuing our successful partnership with the International Association of Privacy Professionals, in June 2004 we will hold the first major privacy conference on the West Coast, with a focus on technology, California policy leadership, and building trust into your brand.

Fran Maier is the executive director of TRUSTe. Contact her at fmaier@truste.org.

On January 13, TRUSTe announced four new additions to its board of directors: Joseph Alhadeff, Hans Peter Brondmo, Peter Cullen, and Bennie Smith. As TRUSTe prepares for its next phase of growth, these new members bring extensive industry experience that will help boost future privacy initiatives.

Joseph Alhadeff is vice president for global public policy and chief privacy officer for Oracle Corporation, a leading supplier of information management software. Alhadeff is responsible for managing Oracle's global electronic commerce, Internet policy, and privacy. He also serves as vice chair of the Business and Industry Advisory Committee to the Organization for Economic Cooperation and Development.

Hans Peter Brondmo is senior vice president of strategy and corporate development for Digital Impact, which provides online direct marketing solutions to Fortune 1000 companies. Brondmo has successfully launched several high-tech companies and is the author of the best-selling The Eng@ged Customer: The New Rules of Internet Direct Marketing. He is currently the chair of an anti-spam technology working group for a coalition of more than 40 leading email service providers.

Peter Cullen brings more than a decade of experience in the privacy arena to his position as chief privacy strategist at Microsoft. At Microsoft he is directly responsible for managing the development and implementation of programs that enhance the privacy of Microsoft products, services, processes, and systems, both internally and worldwide.

Bennie Smith is chief privacy officer for , which provides tools for advertisers, direct marketers, and Web publishers to plan, execute, and analyze their marketing programs. Smith is currently responsible for guiding privacy policies and practices across the company's business units and works with catalog retailers and Fortune 100 companies to institute effective privacy policies.

"These four individuals reflect not only the depth and quality of our management team, but also the diverse backgrounds needed to battle emerging privacy issues," said Fran Maier, executive director and president of TRUSTe. "The quality of these new board members also demonstrates TRUSTe's growing influence in public policy and its commitment to building an international framework for trust."

For a list of all current TRUSTe board members, visit our Web site.

Tip: TRUSTe will be requiring all licensees to add an effective date to their privacy statements in order to comply with the new California Online Privacy Protection Act of 2003.

The California Online Privacy Protection Act of 2003 (or AB 68), which goes into effect on July 1, 2004, requires owners of commercial Web sites that collect personal information from consumers to post a privacy statement and to comply with it. The privacy statement must do the following:

• Identify what categories of personal information are collected through the Web site
• Identify the types of third parties with whom the Web site owner may share this information
• Describe the process though which consumers can review their personal information collected through the Web site and request changes
• Describe the process for notifying consumers of any material changes in the Web site's privacy practices
• Identify the effective date of the privacy statement

The law also requires the privacy statement to be conspicuously posted and easily accessible by consumers, for example, by providing a link to the privacy statement on the Web site's home page.

TRUSTe's program requirements as outlined in License Agreement v 8.0 fully comply with the new law, with the exception of the last requirement listed above. TRUSTe will soon be updating its program requirements to require an effective date to be included on the privacy statement.

TRUSTe members should update their privacy statements now to include an effective date -- a statement as simple as "Effective as of January 1, 2004." It is recommended that the effective date appear toward the beginning of the privacy statement.

- Joanne B. Furtsch, senior account manager

TRUSTe would like to congratulate the following new licensees on successfully completing our certification process:

Accountants World, Adjuvant, Appvault, Easy-EFILE, eLeadz, Infocrossing, Market Tools, Oodalay, Proplanner, WebIntellects, Y.F. Direct.

Got Feedback?
We would like to hear what you think of the TRUSTe Advocate. Send an email with your comments and suggestions to newsletter@truste.org.

TRUSTe is an independent, nonprofit organization that administers the Internet's first and largest privacy seal program.

685 Market Street, Suite 560
San Francisco, CA 94105
(415) 618-3400
Email: privacyseals@truste.org
Web: www.truste.org