The Crunch: TrustArc has worked for more than 20 years to help brands communicate their trustworthiness by complying with privacy regulations. The company’s established line of privacy assessment and certification services is a trusted industry standard, but many businesses know TrustArc by another name. Founded as TRUSTe in 1997, the company rebranded as TrustArc in June 2017 to reflect the array of solutions it offers, including custom consultations and software for automating privacy management and compliance reporting. In a dynamic online world where data security and risk assessment are part of an increasingly complex and demanding regulatory framework, TrustArc’s scalable solutions streamline compliance assessment and monitoring, helping brands protect data for consumers and partners.
As brands have transitioned more of their business online, the regulatory framework surrounding data privacy has grown increasingly complex and demanding — as has the responsibility of e-commerce brands to demonstrate regulatory compliance to both consumers and partners.
San Francisco, California-based TrustArc has worked in data privacy assessment and management since 1997, when it was founded as TRUSTe. It began as a nonprofit organization that certified that businesses had met a range of regulatory and industry standards that helped the reassure users they could safely share their data online. The green TRUSTe privacy seal displayed on thousands of websites worldwide became an iconic symbol of regulatory compliance and brand trustworthiness.
“Historically, Europe has taken a far stricter stance regarding consumer privacy than the US,” Dave said. “And because e-commerce naturally tends to transcend national boundaries, EU policies have taken on a global importance. Any brand of any size is likely to have customers in Europe.”
By the time TRUSTe got up and running, in what were still the early days of the web, the EU had been operating a comprehensive data privacy directive for more than two years. In 2000, the EU decided that US companies could opt into the directive under a safe harbor framework, allowing US brands doing business in Europe to transfer data from Europe to the US.
In the ensuing years, e-commerce and mobile computing exploded, and the internet became a cloud-based advertising and social media platform. Tracking technology and targeted advertising became enablers of the web, not the other way around.
In response to those transformations, the European Parliament passed the General Data Protection Regulation (GDPR) in 2016. Scheduled to go into effect in May 2018, the GDPR consolidates all EU privacy requirements into one big regulation, Dave told us. “It addresses everything from breach response requirements to the ‘right to be forgotten,’ with requirements around privacy risk assessments, data transfer — dozens and dozens of requirements,” he said.
Moreover, under the GDPR, the burden is on brands to demonstrate compliance. “You have to be able to document and report every piece of personal data that you collect on individuals in the EU,” Dave said. “What you collect, where you collected it, who you shared it with, why you’re sharing it with them, what kind of security provisions you have in place, what your retention policies are.”
“It’s driving a huge new demand for automated privacy management solutions like TrustArc,” Dave said.
Building Automated Solutions to Solve Complex Compliance Issues
TrustArc is ideally positioned to meet current demands because, as TRUSTe, it had been incorporating automation technology into compliance management since 2007.
“For the first 10 years or so of TRUSTe’s existence, the certifications were done manually through inspections,” Dave said. “The company realized that managing privacy was getting more and more challenging, and a natural consequence was to introduce technology into the process.”
In 2008 TRUSTe became a for-profit entity and invested into building out a broader set of in-house tech capabilities. In 2011, it introduced its first commercial automation product to help brands address industry requirements around targeted advertising.
In 2012, the company introduced a product to help brands manage an EU policy directive regarding the cookies that websites leave on computers, and a tracking, scanning, and monitoring solution to help them understand the activity taking place on their sites.
“At that point, we started to have a pretty good-sized technology footprint while continuing to offer our certifications,” Dave said. “We realized that the future was going to be about providing a robust technology platform to help brands operationalize how they managed privacy from the ground up.”
Consultation & Technology for Privacy Management & Assessment
Giving brands more control meant putting power in the hands of the brands themselves so they could proactively address their own issues as they changed and grew in response to the dynamic shifts taking place around them.
To do that, TrustArc began engaging with brands from a consulting perspective to help them understand where they stood in the compliance landscape and how TrustArc’s technology products could fit in. “In many cases, we also helped them implement TrustArc solutions,” Dave said.
The Assessment Manager module was introduced in 2015 to give companies a systematic way to check on the privacy implications of a certain action and then have the tools to respond. “It gives companies the ability to automate privacy risk assessments in-house,” Dave said.
TrustArc also helps corporate privacy departments monitor and manage all the personal data in their systems. The TrustArc Data Flow Manager automatically creates data inventories, and data flow maps that in the past had to be created manually and maintained in spreadsheet form. As a consequence of how it compiles and accesses data, Data Flow Manager can also quickly pull the reports brands need to comply with GDPR.
By 2016, more than half of TRUSTe’s revenues were coming from its technology offerings, which had evolved into a modular Privacy Platform that could change over time as the regulatory environment and other industry realities changed. Meanwhile, the GDPR — with all its regulatory and reporting demands — had been adopted. The time had come to formulate a new way of communicating the breadth of TRUSTe’s technology products and services to the global e-commerce community.
Rebranding to Address a Broader Array of Data Privacy Imperatives
The TrustArc branding gave the company a broader umbrella under which to have those discussions about depth, Dave said. The TRUSTe brand continues to house the legacy certifications business while TrustArc operates the tech consulting and solutions business. And, as the GDPR looms in 2018, consultations grow more critical.
“There’s no one-size-fits-all solution when it comes to working with us. We’re finding that brands are coming to us with a wide range of ‘privacy maturity’ levels,” Dave said. “You might think there’s a direct correlation between the size of the company and its level of privacy maturity, but nothing could be further from the truth.”
The discussions take place in the form of what TrustArc calls its “GDPR readiness assessment.” A company might decide to handle implementation on its own, but often “they’re going to conclude they need offerings like our Privacy Platform to help them address some of the different requirements,” Dave said.
Another change brought on by the GDPR is that companies found to be in violation of its provisions can incur fines of 2-4% of worldwide sales. “The reality is setting in,” Dave said. “Our data shows that over 60% of relevant companies haven’t begun their implementation plan around the GDPR. So it’s having a massive impact.”
GDPR Compliance & Beyond: How Data Flow Manager Provides Data Security for Companies
As internet privacy and security come more into focus, the e-commerce industry has been subject to increasing regulatory compliance demands. Without a partner to help, many online companies can find themselves expending valuable resources on compliance.
The TrustArc Privacy Platform is technology that can solve those compliance woes, and, because it is constantly evolving to address new mandates and risks, it can help companies deal with future issues.
“We’re starting to see a shift from companies investing in privacy management from a compliance perspective to doing it proactively because they believe it’s a differentiator for their business,” Dave said. “Our research demonstrates that consumers prefer to do business with companies they believe respect their privacy.”
And that trust may be an even more significant driver from a B2B perspective.
“Companies want to do business with other companies that have good privacy and security practices in place. We’re seeing a lot of cases where companies are investing in privacy because their business clients require it,” Dave said.
Through all the change that’s taken place in the online privacy assessment and management arena, and within TrustArc itself, one thing has remained: TrustArc’s commitment to helping brands back up what they say about data privacy.