Protecting Customer Information Online

Consumer confidence in how you protect their privacy is key to your online business. When TRUSTe certifies your Website, you get over a decade of our expertise in the issues that matter most in online privacy. Here are just a few examples of the best practices we recommend for businesses to build trust with consumers.

Your Web Site’s Privacy Statement

Review your privacy statement to make sure it’s easy to read and understand.
Build trust with your consumers: write your privacy statement in straightforward language and organize it clearly.

Make sure your privacy statement aligns with your terms-of-service statement.
This is best done by cross-referencing your privacy statement against your terms-of-service statement. Confirming uniform privacy practices throughout your Website projects a clear and consistent impression to consumers while minimizing your exposure to privacy risk.

When establishing your company’s privacy program, build internal documents with an eye to your public privacy statement.
Your posted privacy statement defines your entire privacy program. All the internal documentation of the processes and procedures you use to enforce privacy within your organization should be in lockstep with that statement. Make sure that your internal documents and policies reflect what your outward-facing privacy statement says; it’s one more step toward mitigating your privacy risk.

Review your privacy policy regularly to make sure it accurately reflects your current data-collection and -handling practices.
It’s important to review your privacy policies annually, even if you believe that nothing has changed. Your annual business privacy review should involve all parties who handle customer data: at minimum, management, marketing, legal, operations, and IT.

When writing or revising your privacy statement, use “may” or “might” statements sparingly.
Avoid sounding evasive and build trust upfront by using forthright language. Your privacy statement should describe actual practices consistent with the Fair Information Practice of Notice.

Add an effective date to your privacy statements.
This fulfills one of the requirements of the California Online Privacy Protection Act of 2003. The statement can be as simple as “Effective as of January 1, 2004.”

Your EU Certification

Learn how to make your EU certification seamless.
EU Certification lets consumers and regulators around the globe know that you comply with the EU Safe Harbor Framework, which is required when transmitting personal data belonging to EU citizens. TRUSTe’s EU Safe Harbor Seal Program is the ultimate solution to expand your global presence. Learn more about the program.

Complying with the Children’s Online Privacy Protection Act (COPPA)

Avoid COPPA violations.
Do not indicate to users that an age restriction exists when collecting personally identifiable information. COPPA is triggered whenever your Website collects both age-identifying information and personally identifiable information. If you notify users at the point of data collection that an age restriction exists, they can easily circumvent the restriction. Find out about TRUSTe’s Children’s Privacy Seal program.

Your Customers’ Personally Identifiable Information (PII)

Treat testimonial PII respectfully.
Many TRUSTe certified Websites use customer testimonials to both add credibility to their business and fortify their marketing messages. TRUSTe offers some best practice guidelines for posting testimonials that may be associated with a user’s personally identifiable information.

Notify customers if you’re about to transfer their personally identifiable information elsewhere.
If your business undergoes a transition such as an acquisition, merger or bankruptcy, you need to give your customers notice, and in some cases choice, regarding the transfer of their information to the new controlling organization.

Determine whether changes you make to your Website require you to notify all site users.
If you change the way you handle your customers’ personally identifiable information, give them notice so they can choose whether they want to continue sharing their information with you.


Your Web Site’s Security

Consider synching up your privacy and security teams.
Corporate privacy and security teams share many common goals, but don’t always work together. If you have separate teams, synching or integrating them helps you better protect your customers’ data.

When is SSL (Secure Sockets Layer) encryption important?
SSL encryption is a security measure that companies must take when collecting sensitive client data online. Sensitive information includes: credit card numbers, Social Security numbers, personal health information, Tax ID numbers and bank information (routing number, account number). It’s important to avoid common encryption mishaps like failing to encrypt login or password-retrieval web pages. SSL encryption on designated pages isn’t just a TRUSTe requirement; it’s a crucial way to maintain your clients’ trust.
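One way to turn the rule above into a repeatable check, as an added example that is not TRUSTe’s own code or tooling: given an inventory of the forms on a site, flag any form that collects sensitive fields (login, password retrieval, card, SSN, bank, tax or health data) but lives on, or posts to, a plain-http URL. The field-name patterns and the sample inventory are assumptions.

```python
"""Audit a form inventory for sensitive forms that are not protected by TLS."""
import re
from urllib.parse import urljoin, urlparse

# Field names that suggest the sensitive data types the page lists (login,
# password retrieval, card, SSN, health, tax ID, bank). Patterns are assumed.
SENSITIVE_FIELD = re.compile(
    r"(pass(word|wd)?|card|cc[_-]?num|cvv|ssn|social|routing|"
    r"account[_-]?num|tax[_-]?id|health|diagnosis)",
    re.IGNORECASE,
)


def is_sensitive(field_names):
    """True if any field name looks like it carries sensitive data."""
    return any(SENSITIVE_FIELD.search(name) for name in field_names)


def audit_forms(forms):
    """Return (page_url, reason) pairs for forms that break the TLS rule.

    Each form is a dict {"page": url, "action": action, "fields": [...]}.
    A relative action is resolved against the page URL before checking,
    so a mixed-content post (https page, http action) is also caught.
    """
    findings = []
    for form in forms:
        if not is_sensitive(form["fields"]):
            continue  # nothing sensitive collected; this rule does not apply
        page = urlparse(form["page"])
        action = urlparse(urljoin(form["page"], form["action"]))
        if page.scheme != "https":
            findings.append((form["page"], "sensitive form on non-https page"))
        if action.scheme != "https":
            findings.append((form["page"], f"sensitive form posts to {action.geturl()}"))
    return findings


# Constructed sample inventory, not real site data.
SAMPLE_FORMS = [
    {"page": "https://shop.example/login", "action": "/session", "fields": ["email", "password"]},
    {"page": "http://shop.example/forgot", "action": "/reset", "fields": ["email", "new_password"]},
    {"page": "https://shop.example/checkout", "action": "http://pay.example/charge", "fields": ["card_number", "cvv"]},
    {"page": "http://shop.example/newsletter", "action": "/subscribe", "fields": ["email"]},
]

if __name__ == "__main__":
    for url, reason in audit_forms(SAMPLE_FORMS):
        print(f"{url}: {reason}")
```

The newsletter form is deliberately left unflagged: collecting only an email address does not trigger this rule, which keeps the check focused on the pages the text calls out.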

Prepare for the case of a data security breach.
It pays to familiarize yourself with the data-security-breach notification laws that might apply to your company, and to build an incident response team.

Your Online Behavioral Tracking Practices

Minimize data collection on your Website.
You should only collect enough personal data from visitors to either provide them with your products or services or let them interact on your site. The less user information you collect, and the more clearly you notify users that you’re collecting it, the more users will trust your organization.

When you collect consumer data on your site, take extra steps to inform users about how their information will be used.
It’s important that you communicate your practices to consumers transparently. Most organizations do this by providing a link to their privacy statement on the site’s homepage or on pages that ask for personal information. These steps build trust, which ultimately leads to a strong and loyal customer base.

Retain customer data for the shortest time possible.
Retain data for only as long as it serves a business purpose or as required by law. Know what your specific data retention requirements are based on your business model and all legally required retention rules. Different businesses are required to keep data for varying lengths of time depending on their regulatory requirements.

If your organization shares personal information with third parties for marketing purposes, make sure you comply with SB 27, California’s “Shine the Light” Law.
SB 27 requires companies that do business with California consumers and share personal information with third parties for marketing purposes to provide consumers with a designated contact point where they can request an Information-Sharing Disclosure Notice.

If you use user-profiling technologies like cookies, log files and Web beacons, notify users about it in your privacy statement.
You can get valuable marketing insight by tracking individual users’ movements on your site. But you must disclose your use of all personally identifiable information in order to comply with the Fair Information Practices guidelines.