TRUSTe issues privacy ultimatum to Batteries.com. Are you next?

David Berlind | June 30, 2003 12:00 AM PDT

Summary

If you're an online merchant, wearing the TRUSTe seal is supposed to mean that you can be trusted with customers' privacy. Batteries.com betrayed that trust. Do they deserve the chance to make things right? I think so--and here's why.

"After looking over more than two years worth of membership records for a precedent, I can honestly say that we haven't seen [a privacy violation] that was this bad."

That is TRUSTe Executive Director Fran Maier commenting on the seriousness of a recent privacy transgression by Batteries.com that was first reported in this column. That column details an account of how my personal information found its way from the Batteries.com customer database into the Men's Journal subscription database without my approval. When I purchased a replacement battery for my cordless phone from Batteries.com, I had no idea it would result in a subscription to a publication.

As a TRUSTe licensee, Batteries.com pays $599 per year for the right to display TRUSTe's Privacy Seal on its site. According to TRUSTe's home page, "When you see the TRUSTe seal, you can be assured that you have full control over the uses of your personal information to protect your privacy." After I reported that Batteries.com may have violated TRUSTe's policies, Fran Maier said she had no choice but to launch an investigation into the licensee's practices.

Not only did Batteries.com's behavior put its own future at risk by violating TRUSTe policies, it was also threatening the credibility of the TRUSTe seal. After all, if the seal doesn't guarantee some recourse in the event that a TRUSTe licensee reneges on its promise to protect the privacy of its customers, what good is the seal?

Maier says that the investigation into Batteries.com concluded with the following six findings, all of which constituted violations of TRUSTe's policies.

  1. Batteries.com provided personal data to a third party called sungifts.com, an organization that had a relationship with Men's Journal, and it did this for marketing purposes.
  2. Batteries.com did not obtain approval from TRUSTe. It needs to do that because that sharing of information constitutes a material change to the privacy practice under which the license was granted.
  3. Batteries.com did not notify customers that its practices were changing with regard to sharing with a third party. Such notification is required of all TRUSTe licensees.
  4. In transferring its customers' personal identity information (names, email addresses, physical addresses, etc.), Batteries.com did not honor the preferences of the customers that opted out from receiving marketing communications from Batteries.com. (The marketing communication in question is an email that was sent to Batteries.com customers that informed them they would begin receiving the publication unless they opted out again.)
  5. Related to item number 4, the opt-out page requires a link to a privacy statement, which it did not have.
  6. Batteries.com already transferred the personal data outside of its organization to sungifts.com before the opportunity to opt-out was presented. It needs to go the other way around.

Maier said she believes, after conducting the investigation, that the violations were unintentional. But, Maier added, it doesn't matter whether the transgression was intentional or not. "Either way, the outcome would have been the same," said Maier. "We issued a notice to Batteries.com that their license would be terminated unless certain action was taken within 20 days."

The required remedies in that notice were as follows:

  1. Batteries.com must identify those customers whose opt-outs were not honored and send them an apology explaining TRUSTe's role and the requirement that TRUSTe has put on them as a result of the policy violations.
  2. Batteries.com must update its list management and other practices to ensure that opt-outs are respected.
  3. Batteries.com must update its privacy statement and other disclosures within its user interface (shopping cart, opt-out opportunities, etc.) to reflect its information practices and TRUSTe's program requirements.
  4. Once the privacy statement and disclosure step is completed, Batteries.com must announce to all customers the change in its privacy statement and its practices and the role that TRUSTe has played in those changes and announcements.
  5. Batteries.com must allow TRUSTe to conduct an in-house audit and review of Batteries.com's privacy and information practices.
  6. Batteries.com must, at its own expense, have its executives, marketing and customer service staffs attend TRUSTe-taught privacy training sessions.

According to Maier, while TRUSTe demands a fee for the training, those fees don't come close to the total expense so far borne by TRUSTe in investigating the matter and in sending its trainers to Batteries.com for on-site training. "Batteries.com has 20 days to do those things that can be done within a 20-day period and to commit to doing those things that will take longer," said Maier. "The company has agreed to satisfy the remedies. But, if for some reason, they don't, then they're out [of the TRUSTe program]."

In responding to my first report on the incident, some readers suggested that TRUSTe needs to practice a policy of zero-tolerance and that the seal should have been pulled immediately from the site.

Maier's response: "Ultimately, what would be better? To have a merchant out there that's not in the program that's violating its customers' privacy? Or to keep them in the program so that there's one more merchant on the Internet that is respecting its customers' privacy?" I agree with Maier. As important as TRUSTe's Privacy Seal is, it's not in enough places and not enough Internet users are aware of the difference between a site that bears the seal and one that doesn't. It makes more sense to keep Batteries.com in the program than to kick them out. Perhaps one day, when more Internet users are more informed about what the TRUSTe Privacy Seal stands for, their collective desire to shop elsewhere unless a site has that seal will cause Maier to reconsider TRUSTe's tolerance level for violations. But for now, the program is still working to achieve that critical mass.

I suggested to Maier that TRUSTe consider making available a Better Business Bureau-like audit trail on its licensees. That way, even if a site has the TRUSTe seal, customers could see whether the site has any past violations. This would represent the best of both worlds: Keep Batteries.com in the program, but make sure Internet users are able to see that, at one time, its nose wasn't so clean.

In response, Maier said, "We're trying to get more people to join the seal program, but there is some sensitivity to reveal the history of complaints. The number of complaints is usually in ratio to the size of the site. Larger ISPs and networks, for example, get more complaints than small sites, but not more as a percentage of their visitors. So, in considering a program like that, we have to figure out how to put that history in a context that doesn't unfairly burden the larger sites.

"Version 9.0, the next revision of our license agreement, is due this fall. It will have a provision in it that allows us to keep a termination notice on our site for a year after a merchant has been terminated. The current license agreement is not clear on this. So, there's more clarity coming. We don't have an answer yet on maintaining the history on licensees that, after a violation, end up keeping their seal. I recognize there are some blanks in the license agreement, and we're going to fill them. That's why we go through a license review and revision every year."

While TRUSTe fortifies its license agreements, the question for online merchants or e-commerce site operators should be whether you could be violating your customers' privacy and, once TRUSTe does start publishing more information on violation history, whether you want to risk the chance of showing up on that list. Probably not. The bigger the TRUSTe program gets, the more the absence of its seal from your site will affect your business: success or failure. It's better to have Fran Maier on your side than not.

Is TRUSTe on the right track? Where do you fall in the tolerance spectrum? Should first-time violators get a little slack before being kicked out of the program completely? Should there be a probation period and publication of histories? Or should there be zero tolerance? Share your thoughts with your fellow readers using ZDNet's TalkBack. Or write to me at david.berlind@cnet.com. If you're looking for my commentaries on other IT topics, check the archives.
