Certifications Archives | TrustArc
https://trustarc.com/topic-resource/certifications/

Articles

Why Your Business Needs an EU-US Data Privacy Framework Verification
https://trustarc.com/resource/business-eu-us-data-privacy-framework-verification/
Published: Wed, 19 Jul 2023 20:12:00 +0000

From Safe Harbor to Privacy Shield to what is now known as the EU-US Data Privacy Framework, personal data transfers between the European Union and the United States have been on a decades-long rollercoaster.

Transferring personal data from the EU to the US has been more complicated and expensive since Schrems II. A data transfer agreement to restore personal data flows between these economic regions is critical for healthy commerce, trade, and investment. Privacy professionals have been waiting patiently for an adequacy decision since March 2022, when a new agreement was announced.

EU-US Data Privacy Framework Adequacy Decision Announced

Now that the European Commission has adopted a positive adequacy decision for the EU-US Data Privacy Framework, companies can self-certify their participation in the data transfer mechanism as of Monday, July 17, 2023. The EU-US Data Privacy Framework (and UK extension) replaces Privacy Shield and regulates transatlantic data flow starting in July 2023.

European entities that participate in the new framework are able to transfer personal data to participating companies in the United States without having to put in place additional data protection safeguards. If your company has been using another data transfer mechanism such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), there are still benefits to participating in the Data Privacy Framework.

For example, SCCs:

  • Require Transfer Impact Assessments (TIA)
  • May require supplementary measures
  • Have to be negotiated in every contract
  • Have to be updated for every new transfer

The Data Privacy Framework will require no TIA or supplementary measures and will only need to be certified/verified/renewed once a year. New transfers will qualify under the existing mechanism. As a data transfer mechanism, the Data Privacy Framework will require fewer internal resources and is more affordable for small and medium businesses when compared to SCCs.

How is the EU-US Data Privacy Framework Different from Privacy Shield?

The Court of Justice of the European Union (CJEU) overturned Privacy Shield due to U.S. government access to data, not because of commercial protection concerns.

From a business perspective, the Data Privacy Framework is similar in many ways to the former agreement. But it addresses the surveillance concerns raised in the Schrems II decision as outlined in Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities.”

Additionally, the U.S. has established a Data Protection Review Court (DPRC) to provide European individuals with a proper redress mechanism for qualifying complaints of violations of the United States law in relation to its intelligence activities.

Therefore, obligations for businesses that were previously Privacy Shield verified will be minimal. The Data Privacy Framework Program FAQ explains, “the EU-U.S. DPF does not create new substantive obligations for participating organizations with regards to protecting EU personal data. The privacy principles and the process to initially self-certify and annually re-certify remain substantively the same.”

The primary action for organizations will be to clarify privacy notices for EU individuals and to confirm notices contain all disclosures required under the Data Privacy Framework notice principle.

If your data processing agreements with third parties reference Privacy Shield, these agreements should be updated to instead reference the Data Privacy Framework.

What About Schrems?

As many have suspected, Max Schrems and the NOYB aren’t satisfied with the new agreement for EU-US data transfers.

“We now had ‘Harbors’, ‘Umbrellas’, ‘Shields’ and ‘Frameworks’ – but no substantial change in US surveillance law. The press statements of today are almost a literal copy of the ones from the past 23 years. Just announcing that something is ‘new’, ‘robust’ or ‘effective’ does not cut it before the Court of Justice. We would need changes in US surveillance law to make this work – and we simply don’t have it.”

Max Schrems, NOYB

Schrems also explains there are various options for a challenge to the new framework and expects that it will be back at the Court of Justice “by the beginning of next year.”

Yet, when Alex Greenstein, Director of Privacy Shield | Data Privacy Framework at the FTC was asked about another Schrems court challenge, he expressed that the FTC and the European Commission believe they’ve addressed those concerns raised in the Schrems II decision.

For now, this current framework restores an important legal basis for transatlantic data flows and participation in the digital economy to expand economic opportunities. And if the past is any indication, it took four years for the CJEU to examine the Privacy Shield challenge. Experts expect it will take two to three years before the CJEU examines the EU-U.S. Data Privacy Framework.

Getting a Data Privacy Framework Verification

Companies must meet strict requirements to protect Europeans’ personal data under the new framework.

A Summary of Key Requirements for Participating Organizations:

  • Inform individuals about data processing
  • Provide free and accessible dispute resolution
  • Cooperate with the U.S. Department of Commerce (DoC)
  • Maintain data integrity and purpose limitation
  • Ensure accountability for data transferred to third parties
  • Provide transparency related to enforcement actions
  • Ensure commitments are kept as long as data is held

For organizations that didn’t withdraw from Privacy Shield, there’s a three-month grace period to update company policies to reflect the new Data Privacy Framework. This grace period provides the FTC with continuous coverage to enforce companies’ commitments to Privacy Shield. Your Privacy Shield and Data Privacy Framework certification renewal date won’t change.

Review the complete EU-U.S. and Swiss-U.S. Data Privacy Framework and UK Extension to the EU-U.S. and/or the Swiss-U.S. Data Privacy Framework Verification Program Assessment Criteria.

Swiss-U.S. Data Privacy Framework and The UK Extension

Participation in either the EU-U.S. or Swiss-U.S. Data Privacy Frameworks also enables participating organizations to participate in the UK Extension to the EU-U.S. Data Privacy Framework to enable data transfers from the UK to the U.S.

While organizations can prepare for the Swiss-U.S. Data Privacy Framework and the UK extension now, data transfer benefits under those frameworks aren’t available until each country presents an adequacy decision for the U.S.

TrustArc makes our Privacy Shield compliance process easy and straightforward.

Darren D., Chief Information Security Officer

Why Use TRUSTe vs. Self-Certification?

A Data Privacy Framework Verification and seal is the simplest, most reliable, and cost-effective way to ensure EU-U.S. personal data transfer compliance. The verification provides a robust demonstration that you’ve met the obligations of the DoC and European Commission.

The public seal shows consumers and trade partners your standard of compliance, meaning you will not need to implement complicated supplementary measures.

Certification is administered by the U.S. DoC, which processes applications for certifications and monitors whether participating companies continue to meet the certification requirements. Compliance with the framework will be enforced by the U.S. FTC.

The TRUSTe verification process helps companies prepare for self-certification with the DoC and provides accountability oversight. Your company can self-certify with confidence knowing TRUSTe, as an Accountability Agent, has verified that your organization meets the Data Privacy Framework principles with the appropriate data protection measures in place.

Optionally, companies can also use TRUSTe services for dispute resolution (independent redress mechanism).

The TRUSTe Assurance Process

  • Conduct Privacy Review: Understand your data policies and practices through a privacy analysis.
  • Demonstrate Compliance: Answer questions aligned with the requirements to ensure compliance with the framework principles.
  • Customized Action Plan: Receive a gap analysis and action plan including written guidance on compliance posture and remediation recommendations to achieve compliance.
  • Remediation and Verification: Collect, compile, or generate documents or processes to demonstrate compliance.
  • Privacy Notice Review and Seal Assurance: TRUSTe serves as your verification agent for your U.S. Department of Commerce filing, including a TRUSTe-reviewed Privacy Notice, Letter of Attestation, and a seal for public posting.
  • Ongoing Monitoring and Guidance: Ongoing compliance monitoring and dispute resolution provide privacy expertise for your business. Documentation and an audit trail are available in case it’s needed.

Strengthen your Data Privacy Compliance

Minimize the paperwork, legal fees, and risk for your company’s international data transfers today.

Webinar

Building Trust and Competitive Advantage: The Value of Privacy Certifications
https://trustarc.com/resource/webinar-building-trust-and-competitive-advantage-the-value-of-privacy-certifications/
Published: Tue, 13 Jun 2023 17:06:00 +0000

  • On Demand

As privacy concerns continue to grow, businesses are under increased pressure to demonstrate their commitment to protecting personal data. Privacy certifications are emerging as a way for organizations to demonstrate they are taking privacy seriously and following best practices.

Whether you are a small business or a large corporation, understanding the value of privacy certifications and how they can help you demonstrate your commitment to protecting personal data is important.

Join our experts in this webinar as they explain how privacy certifications can unlock business value and help you stay ahead of the competition in today’s privacy-conscious landscape.

Join the TrustArc privacy experts to learn:

  • The rise of privacy certifications
  • Different types of available privacy certifications
  • The benefits of obtaining certifications
  • How to leverage privacy certifications to unlock business value

Webinar Speakers

Noël Luke, Chief Assurance Officer, TrustArc
Kate Barecchia, VP, Deputy General Counsel & Global Data Privacy Officer, Imperva

Articles

5 Benefits of APEC CBPR Certification You Should Know About
https://trustarc.com/resource/5-benefits-of-apec-cbpr-certification/
Published: Thu, 10 Nov 2022 17:23:00 +0000

Casey Kuktelionis

You’ve heard about the APEC CBPR Certification, but what is it? How does it help your business? What are the benefits of APEC CBPR Certification? And is it worth it?

Let’s start with the basics.

What is APEC?

Established in 1989, APEC stands for Asia-Pacific Economic Cooperation. It’s a forum for 21 Pacific Rim member economies that promotes trade, investment, and economic growth throughout the region.

Members include all countries with a coastline along the Pacific Ocean, including China, Japan, and the United States.

The 21 APEC members represent over 40% of the world’s population and over 60% of global GDP, which is significant if you’re operating a global business.

  • Australia
  • Brunei Darussalam
  • Canada
  • Chile
  • People’s Republic of China
  • Hong Kong, China
  • Indonesia
  • Japan
  • Republic of Korea
  • Malaysia
  • Mexico
  • New Zealand
  • Papua New Guinea
  • Peru
  • the Philippines
  • the Russian Federation
  • Singapore
  • Chinese Taipei
  • Thailand
  • the United States of America
  • Vietnam

APEC members work together to improve the business operating environment and reduce red tape between these economies.

Some of the ways members achieve this include faster customs procedures at borders, more favorable business climates behind the border, and aligning regulations and standards across the region.

All economies have an equal say, and decisions are reached by consensus. There are no binding commitments or treaty obligations; commitments are undertaken on a voluntary basis.

APEC also supports the multilateral trade negotiations underway in the World Trade Organization and complements the goals of the G20.

What is the APEC CBPR System?

CBPR stands for Cross-Border Privacy Rules. As you may have guessed, the APEC CBPR system seeks to facilitate compliant and safe cross-border data transfers between participating economies.

The system is administered by the Joint Oversight Panel and assisted by the CBPR Secretariat to consult with prospective APEC CBPR economies and determine whether an economy satisfies the participation requirements.

They also consult with and review applications for prospective Accountability Agents and handle Accountability Agent complaints.

The goal of the CBPR system is to protect personal information while ensuring the delivery of innovative products, without the barriers created by differing economies’ regulations, through voluntary accountability.

This system helps establish standards for transferring data cross-border so that personal information is protected, and that the requirements are enforceable if violated in those jurisdictions.

It also sets the criteria for bodies to become recognized as CBPR system Accountability Agents, and a process for information controllers to be certified as compliant with the APEC CBPR system.

The CBPR system works to protect personal data by requiring:

  • Enforceable standards – economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.
  • Accountability – a company must demonstrate to an Accountability Agent that it meets the CBPR program requirements.
  • Risk-based protections – companies must implement security safeguards for personal data.
  • Consumer-friendly complaint handling – collaboration with Accountability Agents to resolve disputes between consumers and certified companies.
  • Consumer empowerment – companies must provide consumers with the opportunity to access or correct their personal data.
  • Consistent protections – all participants must agree to abide by the 50 CBPR program requirements.
  • Cross-border enforcement cooperation – regulatory authority cooperation on the enforcement of program requirements.

An APEC economy must demonstrate that it can enforce compliance with the CBPR System’s requirements before joining.

There are currently nine participating APEC CBPR System economies: United States, Mexico, Japan, Canada, the Republic of Korea, Australia, Chinese Taipei, and the Philippines.

The APEC Privacy Framework

Created in 2005 and updated in 2015, the APEC Privacy Framework was designed to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.

The APEC CBPR system requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework.

The preamble of the updated APEC Privacy Framework states:

“APEC economies realize that a key part of efforts to improve consumer confidence and ensure the growth of electronic commerce and innovation must be cooperation to promote both effective information privacy protection and the free flow of information in the Asia Pacific region, while respecting domestic laws and regulations, applicable international frameworks for information privacy protection, and strengthening information security in the Asia Pacific region.”

This framework is based on the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, which are recognized as the global minimum standard for privacy and data protection.

The APEC Privacy Framework establishes a multilateral mechanism that enables Privacy Enforcement Authorities to cooperate in cross-border privacy law enforcement.

This mechanism is the Cross-border Privacy Enforcement Arrangement (CPEA).

Any Privacy Enforcement Authority in any APEC member economy can participate.

Any public body that is responsible for enforcing Privacy Law, and has the power to conduct investigations or pursue enforcement proceedings is a Privacy Enforcement Authority.

Businesses can demonstrate their adherence to the APEC Privacy Framework by certifying their privacy practices to the following standards:

  • Cross Border Privacy Rules (CBPR) System – which governs “data controller” privacy practices
  • Privacy Recognition for Processors (PRP) System – which governs “data processor” privacy practices

You’ll notice the certifications differ based on whether the entity is a data controller or data processor.

APEC CBPR Certification

CBPR certification is currently available to companies headquartered in Japan, Korea, Singapore, and the United States. An independent Accountability Agent is needed to certify your organization’s compliance with the CBPR Program Requirements.

Applications are sent to APEC-recognized Accountability Agents who will begin the compliance review process to verify compliance with the CBPR system.

If an applicant meets the minimum criteria required, the Accountability Agent will be responsible for monitoring its compliance with the CBPR system criteria.

These criteria assess an applicant’s:

  • Notice of personal information and privacy policies
  • Collection limitations to specific purposes stated at time of collection
  • Use, transfer, and disclosure of personal information
  • Choice for individuals in relation to the collection, use, and disclosure of their personal information
  • Integrity of personal information maintained by the controller
  • Security safeguards to protect individuals’ personal information from loss, unauthorized access or disclosure, or other misuses
  • Access and correction for individuals to update their information when reasonable
  • Accountability to complying with measures that make the other criteria operational

While this is just intended to be a summary, you can review the complete APEC Cross-Border Privacy Rules System Program Requirements.

5 Benefits of APEC CBPR Certification

Alignment with Global Frameworks and Global Trade Facilitation

An APEC CBPR certification is based on the same principles that inform the OECD Guidelines, the Fair Information Practice Principles, the EU-U.S. Privacy Shield, and the General Data Protection Regulation.

As such, a CBPR certification will help align your organization’s policies to various international privacy frameworks.

This will lower the compliance burden and save your employees the time it would take to implement a patchwork of privacy regulations.

If you haven’t started a privacy program yet, completing the necessary actions within the CBPR certification process will create a data privacy roadmap for your business.

Using a baseline of standard privacy protections for personal information, businesses can become a trusted entity for protecting consumer data.

An APEC CBPR certification makes conducting business in participating economies easier and helps to facilitate the increasing trade relationship between APEC economies.

The United States-Mexico-Canada Agreement, which replaced the North American Free Trade Agreement to mutually benefit employees and businesses and grow the North American economy, also formally recognizes the APEC CBPR System to further facilitate global trade.

Using vendors, outsourcing operations, or partnering with APEC economies can reduce your business costs through access to labor, materials, and new supply chains. All of which is beneficial to the growing global economy.

Jurisdiction-Specific Data Transfer Benefits

This cohesive set of privacy rules allows the responsible transfer of data between participating economies. Rather than spending time and money sorting out every individual jurisdiction, participants have an approved network for cross-border transfers.

The CBPR certification gives companies and employees confidence that the transaction will adhere to data protection standards while eliminating unnecessary burdens.

In Japan, companies that have a CBPR certification do not have to obtain consent to transfer data to another country, which is otherwise required under Japanese law.

An APEC CBPR certification may also make it easier for an organization to obtain approval for its Binding Corporate Rules in the European Union.

Since 2013, APEC member economies and EU officials have been collaborating to promote interoperability between the two regional transfer mechanisms.

In-Network Transactional Streamlining

If you have an APEC CBPR certification, the privacy practices of your organization will be in line with other CBPR-certified organizations, thereby facilitating transactions between participants.

The certification opens businesses up to a wide range of partners and new locations to support your business growth goals.

Some of the companies that hold CBPR certification are:

  • Apple Inc
  • Asurion LLC
  • Electronic Arts
  • Expedia Inc
  • General Electric Company
  • Hewlett Packard Enterprise Company
  • International Business Machines Corporation
  • Johnson Controls Inc
  • Mastercard
  • PGA Tour Inc
  • Rackspace Technology Global Inc
  • Workday Inc

Create Competitive Differentiation and Increase Consumer Trust

Consumers globally are standing up to companies that don’t establish transparent data practices, or adhere to privacy regulations such as GDPR. Alignment with global privacy frameworks and a certification seal demonstrate that a business values consumer privacy.

People still want a relationship with businesses, they just want more control over how their data is collected, used, and shared. Enabling this control generates consumer trust in your business.

It helps your marketing and communications teams as well. If consumers can better communicate their preferences to businesses, you can respond with more relevant messages to better meet their needs.

Rather than spending time and effort on mass promotions, messages can be more personalized and generate a better ROI.

And because not every business has been forced to catch on (through regulations in their region), consumer-first data practices can set you apart from your competition. At least, it’s worked for Apple, anyway.

Compliance and Resolution Efforts

Part of maintaining consumer trust is giving data subjects a method for resolving disputes with your organization.

Obtaining a CBPR certification means your Accountability Agent will handle the frontline consumer complaints and dispute resolution. This helps to ensure key issues are addressed before they become larger problems.

Facilitate the compliant transfer of data among participating APEC economies

TRUSTe, a subsidiary of TrustArc, was unanimously approved to be the first Accountability Agent to certify data transfer practices under the CBPR framework for data controllers and the APEC PRP framework for data processors.

First, TrustArc will assess your privacy program’s operations to understand and work with you to remediate any compliance risks. You’ll receive expert guidance through the process with our powerful technology.

Based on the information gathered from the assessment, you’ll be guided through the remediation process with support to ensure the required changes are complete.

As proof of the TRUSTe Certification, an official Letter of Attestation can be shared with your business partners, providing your organization with competitive differentiation.

Articles

User Privacy: A Top Focus for Xiaomi
https://trustarc.com/resource/user-privacy-focus-xiaomi/
Published: Wed, 16 Feb 2022 16:24:00 +0000

Casey Kuktelionis

Xiaomi Scores Big on User Privacy Protection

User privacy has become front and center for organizations across the globe, and for good reason. More data is being collected than ever before.

Trends, such as big data and analytics and the Internet of Things, have accelerated how data is collected, stored, and used. This acceleration has also inspired a flurry of user privacy laws, leaving teams scrambling to keep up.

Although this is a time-consuming task, respecting user privacy and achieving GDPR compliance have their benefits. Organizations that prioritize user privacy effectively build trust with consumers.

Whether your organization’s consumers are other businesses or the general population, privacy management is becoming a differentiator.

People and organizations are putting more weight on user privacy as a factor in their decision making.

In fact, Forrester’s research revealed that three-quarters (75%) of organizations say they consider the safeguarding of customers’ privacy to be a competitive differentiator.

Your customers want to do business with organizations they can trust.

For that reason, it’s easy to see why Xiaomi, a consumer electronics company, upholds the highest standards of user privacy policies and practices.

Exciting Products without Sacrificing User Privacy

Xiaomi is a Global Fortune 500 company founded on the core value of privacy. They manufacture consumer electronics such as smartphones and smart hardware connected by an IoT platform.

As one of the world’s leading smartphone companies, Xiaomi’s IoT platform has over 400 million connected smart devices. Or in other words, a plethora of data.

Rather than profit from its user data, Xiaomi took the path less traveled. From its inception in 2010, it has adopted the concept of privacy by design in its product development process.

Xiaomi is constantly seeking innovative technologies to protect user privacy.

By following 5 privacy principles, Xiaomi embraces its vision to make friends with users and be the coolest company in the users’ hearts.

Friends are transparent. Friends aren’t out there selling your stuff behind your back or sending you spammy messages. Friends have your back. Just like Xiaomi has its customers’ backs.

Before GDPR was passed, Xiaomi established its Security and Privacy Committee in 2014. Two years later, Xiaomi became the first Chinese enterprise to receive TrustArc’s Enterprise Privacy certification.

After undergoing an EU GDPR compliance assessment in 2018, Xiaomi has continued to improve data protection and user privacy through assessments and certification.

How Xiaomi’s User Privacy Protection Keeps Improving

Staying true to its values, Xiaomi wanted to ensure that its processing of personal information is performed in compliance with the General Data Protection Regulation.

To do so, Xiaomi decided to conduct an independent audit of its data protection and security management through TrustArc.

Cui Baoqiu, Xiaomi Vice President and Chairman of the Security and Privacy Committee, explains in a press release: “The GDPR Validation Assessment is an important step in continuously enhancing the company’s data and security compliance.

We regularly engage with TRUSTe, as well as other credible institutions globally to warrant that Xiaomi’s user privacy protection, including GDPR compliance, keeps improving and perfecting its practices to offer our users reliable and trustworthy products and services.

I’m very pleased to see that Xiaomi has completed TRUSTe’s annual audit of GDPR privacy compliance, which demonstrates our commitment to privacy protection.”

The TrustArc GDPR Validation Requirements focus on privacy program level measures in eight areas:

  1. Integrated Governance
  2. Risk Management
  3. Resource Allocation
  4. Policies and Standards
  5. Processes
  6. Awareness and Training
  7. Monitoring and Assurance
  8. Reporting and Certification

The measures in this assessment are designed to provide reasonable assurance that all 40 GDPR Validation Requirements are met.

Due to Xiaomi’s commitment to user privacy at its core, it has met the applicable validation requirements for processing personal information.

Compliance Inspires Brand Loyalty

An organization with as much data as Xiaomi can’t risk the consequences of violating GDPR or the loss of customer trust.

Meeting the GDPR validation requirements gives Xiaomi executives peace of mind when it comes to user privacy and data security.

While some organizations are just starting to comply with privacy regulations, Xiaomi has embraced user privacy from the beginning.

This demonstrated commitment to privacy protection sets Xiaomi apart from its competitors and inspires a friendship with its customers.

No matter the size of the organization, user privacy is no longer a “nice to have” – it’s a “must have” to stay competitive in today’s market.

Don’t treat customer privacy as just another thing to do. Embrace user privacy to build consumer trust and loyalty to your brand.

Articles

Merck Successfully Concludes First APEC-based BCR Approval
https://trustarc.com/resource/merck-successfully-concludes-first-apec-based-bcr-approval/
Published: Tue, 22 Mar 2016 14:55:00 +0000

How Did Merck Successfully Achieve the First APEC-based BCR Approval?

On March 1st, Merck & Co. Inc. formally concluded their Binding Corporate Rules (BCR) approval process with the Belgian Data Protection Authority, becoming the 82nd company to achieve the compliance landmark. But in a global first, Merck based its BCR application on its APEC Cross Border Privacy Rules (CBPR) certification.

This work was facilitated by Merck’s use of a common referential developed by the Article 29 Working Party and APEC’s Data Privacy Sub Group in 2014 to facilitate interoperability between companies seeking certification under both systems.

In October 2013, TRUSTe certified Merck as the first healthcare company and the second multinational company under the CBPR system.

“The value of this approach is that we obtained both CBPR and BCR approvals while maintaining the substance and structure of our existing global privacy program.

The practical effect is that we gained greater efficiency in how we manage cross-border data transfer and global data processing without adding complexity to how we operate,” said Hilary Wandall, Chief Privacy Officer.

A Faster BCR Approval Process

As was reported in a recent review of CBPR benefits by Information Integrity Solutions, the first phase of Merck’s BCR approval took less than three months. In comparison, the mutual recognition phase took an additional nine months.

Even after including the time needed to complete the EU cooperation procedure and to transition between the approval phases, the entire approval process was approximately three months faster than the 18-month average.

Most importantly, because Merck based its BCR approval on its previously-approved CBPR certification, a broadly BCR-compliant global privacy program was already in place. As a result, according to Merck’s internal estimates, the total cost of its BCR was approximately 90% less than it would have otherwise been.

Future BCR-CBPR Project

When announcing the referential’s endorsement in March 2014, Isabelle Falque-Pierrotin, Chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, called it a “very political and symbolic act” for companies seeking to obtain both BCR and CBPR certification.

FTC Chairwoman Edith Ramirez noted that “[i]nteroperability is absolutely critical,” adding that “[w]ithout the ability to work across systems, we simply can’t effectively protect the privacy of consumer data, and that’s why as part of the U.S. delegation to the APEC data privacy subgroup, the FTC has been actively involved, along with the Department of Commerce, in developing the CBPRs and also working on this referential.”

Earlier this month, the Article 29 Working Party affirmed that work on the BCR-CBPR project would be a key component of its 2016-2018 work plan.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers.

TRUSTe (now TrustArc) was named the first accountability agent for the system in June 2013.

Not Subject to OBA Principles? – Think Again! https://trustarc.com/resource/not-subject-to-oba-principles-think-again/ Tue, 28 May 2013 22:04:00 +0000 https://trustarc.com/?post_type=resource&p=2117
Articles

Not Subject to OBA Principles? – Think Again!

Last week, a globally recognized brand approached us to advise on a Letter of Inquiry from the Council of Better Business Bureaus (CBBB) regarding compliance with the OBA Principles. TRUSTe welcomed the opportunity to jump in and advise on a corrective course of action, including immediate next steps.

We all know that the CBBB, in its role as a consumer advocate, helps consumers resolve service disputes with companies from which they have purchased products, but did you know that the CBBB also administers the Online Interest-Based Advertising (OBA) Accountability Program, under the policy guidance of the Advertising Self-Regulatory Council? The Accountability Program is the independent enforcement agent of the Digital Advertising Alliance (DAA).

The mission of the Accountability Program is to build consumer trust in Online Behavioral Advertising (OBA) by ensuring that companies engaged in OBA comply with the OBA Principles.

Do the OBA Principles Apply to Non-Members?

As a business, you may be thinking, “I am not a member of the Advertising Self-Regulatory Council or the Digital Advertising Alliance (DAA), so these principles do not apply to me and my website.”

Not so, it would seem. If your website allows third parties to collect information for interest-based ads, or allows interest-based ads to be served, then the Accountability Program considers you a “covered entity,” and you are required to comply with the OBA Principles.

We understand that several websites have recently received Letters of Inquiry regarding online behavioral advertising practices from the Accountability Program. The inquiry process is confidential, so it is unclear how many letters have gone out in this most recent wave of mailings. A Letter of Inquiry is sent when the Accountability Program has reason to believe that the company may not be in compliance with some aspect of the OBA Principles.

Once a company receives a Letter of Inquiry, the Accountability Program works with the company through the inquiry process to determine if there is an issue of non-compliance and, if so, helps the company come into compliance. At the end of the process, the Accountability Program issues a published decision along with an accompanying press release. To date, there have been 19 public decisions.

If your site allows interest-based advertising or third-party data collection, chances are that the CBBB will be assessing your OBA compliance in the near future. My advice to large ecommerce and publisher websites is to make things easier on yourselves by proactively assessing your OBA exposure and implementing simple OBA compliance mechanisms on your site.

The good news is that TRUSTe has just the solution to ensure compliance with the OBA Principles and, consequently, with the CBBB Online Interest-Based Advertising (OBA) Accountability Program. TRUSTe technology assesses whether a site is a “covered entity” and, if so, provides you with an OBA compliance solution that adheres to the principles of the Accountability Program.

Chat with us before the CBBB chats with you.
