BY BRIAN QUINTON

Between phishing, pharming andflat-out flim-flammery, the Webis beginning to look like a much

less trustworthy place for consumers totransact their business. A February 2005survey by security provider RSA Tech-nologies suggested that one-quarter ofInternet users may have cut back ontheir online shopping out of fears for thesecurity of their personal information—their credit card numbers, social securitydata, bank accounts or even just their e-mail address. That’s not a problem ifyou’re an established and trusted brandname, working off the large fund ofcredibility and goodwill of, say, an Ama-zon.com. But what do you do if you’re asmall online merchant, a niche retaileror a start-up? How can you convincepotential first-time users that you’recommitted to handling their data safelyand conscientiously?

One route to credibility is to join aprivacy seal organization and display asymbol on your Web site that denotesgood stewardship of your customers’data. Larry Ponemon, president of ThePonemon Institute and a consumer pri-vacy expert, puts it bluntly: “If you’recollecting customer information on theWeb and you’re not showing somemembership in a privacy watchdogorganization, then shame on you.” Inthe current climate of heightenedawareness about identity theft, thatomission could lose you sales to a com-petitor with a clear—and visible—dataprotection policy.

TRUSTe is an independent non-profit organization that operates pri-vacy certification and seal programs for1,300 sites around the Web. Many ofthese are large companies in the tech-nology space: AOL, Microsoft, Intuit,and IBM. Others are big corporationsfacing the consumer more directly:The New York Times, The CarlsonCompanies, Intercontinental Hotels,Holiday Inn.

But the majority of those 1,300 sitesbelong to small to mid-sized compa-nies, says Fran Maier, president andexecutive director of TRUSTe. Thesecompanies may be far from having thelargest market share in their field; infact, they may not have a profile thatcould be called a “brand”. And for thatreason, they see wisdom in compensat-ing for that by offering customers theextra assurance that comes with a dealof good privacy conduct from an orga-nization like TRUSTe.

“We’ve done some research on thisand found that for many small compa-nies, their brand does not say a lotabout trust or privacy,” says FranMaier, president and executive directorof TRUSTe. “Smaller companies oftensee joining us as a way to build brandvalue, trusted relationships with con-sumers, and in the end higher transac-tions.” While the big companies canpay as much as $75,000 in annual feesfor the right to display the TRUSTeseal, Maier says the organization has astepped membership fee that can be aslittle as $600 a year for small operators.

Of course, the seal is only the out-ward symbol of a lot of hard workinvested in safeguarding the privacyand security of consumer data. In orderto be certified by TRUSTe, Web com-panies have to design, publish andabide by a privacy statement that makesclear what they do withy the informa-tion that they collect online. They mustagree to give their customers a choiceas to whether that information will besharing with third parties for marketingpurposes, and to agree to dispute medi-ation in cases where customers feeltheir information has been usedunfairly. Many small Web operatorsdon’t have the in-house legal chops todraw up these policies on their own. Inthose cases, TRUSTe can offer guid-ance and counsel in constructing aclear, effective privacy policy.

Once a Web merchant has signedon and been certified, TRUSTe standsbetween that merchant and the cus-tomer, checking regularly to make surethe site’s privacy practices match theprivacy statement. Maier says that about10% of applicants for TRUSTe certifi-cation don’t actually wind up complet-ing their applications, and the organiza-tion terminates about one membershipa year for non-compliance.

“Some of our recent terminationswere among smaller companies, and Ithink they occurred because these com-panies didn’t realize that we would bemonitoring their compliance. I thinkthat some companies actually do wantto spam their customers and just want

Good Web-keeping Seal Helps Small Brands

Reprinted with permission from the April 27, 2005 issue of Direct ® (www.directmag.com)Copyright 2005, PRIMEDIA Business Magazines & Media Inc. All rights reserved.

DRT-57-EK

to seem trustworthy. Unfortunately,that’s not a practice we can get behind.”

Apart from the Web seal, TRUSTemembers are kept apprised of legal andtechnological developments in privacyprotection, on both the state and fed-eral levels—something that can be hardfor a small Web business to monitorbut crucial to know, given the Internet’smass reach.

Consumers can click on theTRUSTe seal when they find it on aWeb site and find out more informa-tion on the site’s privacy and data pro-tection policies. They can also filter onthe seal when looking up merchants insome shopping comparison enginessuch as Shopzilla.

TRUSTe administers several othercertification programs dealing withonline privacy and user protection. Infact, the organization is working ondeveloping another seal program aimedat small online companies that want tosolicit e-mail permissions. Called a“point of collection” seal , this symbolwould be displayed at whatever point inthe Web site offered the user an oppor-tunity to sign up to receive communica-tions. “It would say, ‘When you sign uphere, you’re not going to getspammed,’” Maier says. “One of thebiggest issues for Web companies is get-ting permission to send e-mail. Thisbasically lets consumers sign up for e-mail from the site and still be confidentthat they’re not going to get anythingelse.” TRUSTe also performs the certi-fication called for under the BondedSender e-mail program, in which com-panies vow not to spam and post a mon-etary bond as pledge of their intentions.

In addition, Maier says, TRUSTeconsiders it important to take part inthe many discussions now going onabout privacy policies, both amongWeb merchants and in the offlineworld, where companies amass dataabout consumers as a by-product ofdoing business. Last week, the organi-zation issued a set of guidelines for con-sumer data handling and is now solicit-ing comment from its members. Thosehigh-level best practices include train-ing all employees in a company-widesecurity policy data; “need to know”access procedures within the company;encryption of data sent across publicnetworks, especially via wireless LANsor Bluetooth; and regular tests andmonitoring to make sure proceduresare being followed.

Admittedly, it’s hard to set data pro-tection guidelines that will cover allTRUSTe members, simply becausetheir needs and risks are so various. Alarge financial site will have to dedicatemany resources to implementing safedata collection and storage; a smallWeb merchant may only need to makesure not to ask for more informationthan he or she needs.

Other guidelines put out by thegroup speak more directly to small andmid-sized Web operations. In earlyApril, TRUSTe responded to new viru-lence in the phishing epidemic by col-laborating with Ernst & Young on awhite paper about reassuring customersagainst identity theft. Entitled “HowNot to Look like a Phish”, the papergives tips on how to avoid tactics thatphishers commonly use in their scams,either through e-mail or on the Web.

These include:

• Don’t request customers’ personalinformation directly from an e-mailhyperlink.

• Don’t use “Click Here” hyperlinks;direct customers to your Web sitewith a visible URL.

• Personalize the body of the e-mailmessage with non-threateningdetail, such as a first or last name.(But not in the subject line—a spam-mer's trick.)

• Be careful about applying time chal-lenges or restrictions to your mes-sages. Phishers usually flag theirmessages as “urgent” and ask forimmediate responses, to get thebiggest haul they can before they’redetected.

• On the Web, make your domainnames are clean-cut and crisp; don’tsend customers to Web sites viacomplex domains or IP addresses—atactic phishers use to get around thehurdle of domain name servers.

• Don’t use pop-up windows for datacollection, especially those withoutaddress bars or navigation elements.Some fraud artists gather ID data byapplying fake pop-ups to legitimateWeb sites.

Web merchants who adhere tothese suggestions will not only avoidthe taint of fraud in their own customercontacts but will help consumers breakthe bad online habits that often makethem prey for scam artists and IDthieves. “That helps everyone in theend--merchants and consumers, largeand small,” Maier says. D

685 Market Street, Suite 270San Francisco, CA 94105

(415) 520-3405