Eligibility Standards for PrivacyBot

• Your Privacy Policy and Trustmark Should Be Accessible to Site Visitors
• Your Privacy Policy Should Clearly Disclose Your Practices
• You Should Comply with Children's Privacy Legislation (if applicable)
• You Should Comply With Your Own Privacy Policy
• You Should Maintain Proper Version Control of Your Policies
• You Should Continue to Comply with Applicable Law
• You Should Implement Reasonable Data Security Measures
• You Should Identify a Privacy Representative
• You Should Make a Good Faith Effort to Mediate any Privacy Complaints
• Your Registry Statement Will Contain a Summary of Your Privacy History
• Your Site Will Undergo Automated and Manual Assessments
• PrivacyBot Does Not Endorse Your Products or Services
• These Eligibility Standards Will Evolve
  

These Eligibility Standards and our general Terms of Service apply to web sites joining the PrivacyBot Trustmark Registry.

Joining PrivacyBot is a two-step process. Start by submitting our online application. PrivacyBot will promptly set up your account, issue you the Privacy Policy and the Trustmark with simple installation instructions. At this stage, you are admitted as a "provisional" member (this status is displayed on the Registry Page presented to anyone clicking the Trustmark on your site).

To obtain full "Active" membership, you will need to submit an online Compliance Checklist (a link to the Checklist will be emailed to you). The Checklist helps ensure your Trustmark and Privacy Policy are properly posted and your practices actually comply with your stated Policy and these Eligibility Standards. Just submit the online Checklist whenever you achieve compliance.

Your Privacy Policy and Trustmark Should be Accessible to Site Visitors.

You should post your Privacy Policy in a conspicuous location at your Web Site. This gives visitors fair notice of your practices. It should be linked at the main page in a clear and prominent location and at each page where information is collected. The Privacy Policy should be linked in a location of your main page that does not require the user to scroll down. The link should be more conspicuous than surrounding links to draw attention to itself (this means it's not sufficient to place a small link at the bottom of the page). The link should mention the word "Privacy" (e.g., "Privacy Policy" or "Privacy Statement").

The PrivacyBot Trustmark should also be displayed in a prominent location. When visitors to your Site click on the Trustmark, the PrivacyBot server will fetch the public Registry Statement for your Site. Information in the Registry Statement, including your history of handling privacy complaints, is maintained and displayed in real-time. It is essential that you not cache or reproduce the Registry Statement or otherwise circumvent its normal presentation of fresh data.

We may upgrade the Trustmark Registry system with new features. For example, we may introduce a "counter" in the Trustmark and add reporting features to the Registry Statement that would allow us to take heavy site traffic into account when assessing compliance rates. We may also publish aggregated statistics showing overall "state of privacy" on the web among PrivacyBot sites. If we do release an updated Trustmark, you should install it within a reasonable time according to our instructions.

Your Privacy Policy Should Clearly Disclose Your Practices.

The Privacy Policy must be clearly and understandably written, be complete and contain no unrelated, confusing or contradictory materials. It should clearly explain to visitors:

• What personal information is collected from site visitors
• Why the personal information is collected
• How the information will be used by the site
• With whom the information may be disclosed
• What rights visitors have to access, correct or remove personal information and to opt-out of any future disclosure of their data

The types of personal information that are addressed by your Policy should include the categories identified in Steps 2-4 of the PrivacyBot Policy Drafting System.

You Should Comply with State and Federal Privacy Legislation (as applicable).

California Law:  As of July 1, 2004, California's Online Privacy Protection Act requires any commercial web site operator collecting personally identifiable information from consumers in California to post a Privacy Policy in a conspicuous location that meets minimum privacy standards. The Privacy Policy must identify what personal information is collected, how it is used, the categories of third parties with whom it might be shared and a description of any available process for consumers to review or request changes to the information collected, a description of the process for notifying consumers of changes in the Privacy Policy and the effective date of the Privacy Policy. We believe PrivacyBot can help you comply with this new legislation.

U.S. Federal Law: The Federal Children's Online Privacy Protection Act (15 USC 6501) and regulations impose minimum privacy standards on commercial web sites with features directed to children under age 13 or that knowingly collect personal information from children.

Children's sites (including general audience sites with kids' areas) need to bring their privacy practices into line with the following rules before posting the PrivacyBot Trustmark or Privacy Policy on their site.

If you operate a children's site, then you need to:

• Provide a written privacy policy on your web site explaining what information is collected from children, how the information will be used and your disclosure practices for such information
• Link the privacy policy in a conspicuous location at your site, including the main page, any separate entrance to a kids' area and in close proximity to data collection forms
• Obtain verifiable parental consent for the collection, use or disclosure of personal information from children (with limited exceptions described below). The notice to parents should provide at least the same level of disclosure as the sample Notice accompanying your PrivacyBot Policy.
• Allow parents to consent to collection and use of personal information, separately from consenting to disclosure
• Provide parents a simple method, upon request, to see a description of specific types of personal information collected from their child and allow them to obtain such information
• Provide parents a simple method to stop further collection, use or disclosure of previously collected information and to have such information deleted from your records
• Not condition a child's participation in a game, prize or other activity on divulging more personal information than is reasonably needed to participate in such activity
• Use reasonable procedures to protect confidentiality, security and integrity of personal information collected from children.

Verifiable parental consent is not required to collect an email address or online contact information from a child if only used to respond directly to the child:

• On a one-time basis to a specific request (provided it is not used to recontact the child and is not maintained in retrievable form)
• More than once within the scope of a specific request (e.g., subscription to an online newsletter); provided, your site makes a reasonable effort before recontacting the child to notify the parent of your Privacy Policy and permit the parent to opt-out)

Verifiable parental consent is not required to collect the name or online contact information of a parent or child:

• Solely to notify parents of your Privacy Policy or obtain verifiable parental consent to your practices (provided such information is deleted if parental consent is not obtained within a reasonable time)
• Solely to protect the safety of a child participating in activities on your Site (provided the information is not disclosed or used for other purposes and you make reasonable effort to notify the parent and permit the parent to opt-out)
• You may also disclose such information to protect the security or integrity of your Site, to guard against liability and to respond to judicial process and law enforcement investigations (provided the information is not disclosed or used for other purposes and you make reasonable effort to notify the parent and permit the parent to opt-out of such uses)

Parents should be given a simple method to obtain a description of any personal information collected from their children, to have the data deleted from your records and to opt-out in the future. So long as you observe the rule discussed above regulating game/prize situations, you may otherwise terminate access to your Site to a child whose parent won't permit your Site to collect, use or maintain personal information about their child.

Final Regulations implementing the Children's Online Privacy Protection Act became effective April 21, 2000. For more information, visit the Federal Trade Commission's web site at http://www.ftc.gov. Your Policy and practices should comply on an ongoing basis with these Eligibility Standards and all material requirements of the Act and the Regulations.

You Should Comply with Your Own Privacy Policy.

Your Site should comply with its own Privacy Policy before displaying that Policy or the PrivacyBot Trustmark. You must continue to comply with it during your membership in the Trustmark Registry.

New sites are admitted to PrivacyBot on a "provisional" basis until an Compliance Checklist is submitted (you will receive an email with a hyperlink to the online Checklist).

We monitor the public Registry Statement for all Sites. The Registry Statement shows how many privacy complaints were filed against your Site through the PrivacyBot Mediation Service, the nature of those complaints and how many were not resolved during the Mediation Period. We consider both the number of complaints and the qualitative nature of complaints in assessing compliance. Even one complaint of a serious nature may result in a manual assessment.

Sites exhibiting a pattern or practice of noncompliance, or which have a complaint filed against it of a serious nature, will be subjected to closer assessment. For example, you may be contacted by our staff and required to submit a Compliance Checklist or pay for an independent audit as a condition of membership. We may also conduct "data seeding" exercises on a random or targeted basis. Noncompliant sites will be suspended or terminated from the Registry. Some cases may be referred to the FTC for further inquiry. Sites may cancel their membership at any time.

You Should Maintain Proper Version Control of Your Policies.

You should maintain proper version control over your posted Privacy Policies. This includes the following:

• Sequentially number any new versions of your Privacy Policy that you post (e.g., privacypolicyver1.htm, ...ver2, etc.)
  
• If you change your Privacy Policy, be sure to make corresponding changes to the Privacy Summary table and any machine-readable (XML) version you may have posted to keep them current.
  
• For 3 years, keep a copy of all versions and their effective dates and furnish them to PrivacyBot upon request.

You Should Continue to Comply with Applicable Law.

PrivacyBot Registrants must comply with applicable law, including the Children's Online Privacy Protection Act and regulations (by April 21, 2000, if applicable to your site). This is an ongoing obligation that applies to any subsequent legislation extending privacy regulation to other web sites (at the Main Menu, click-- Privacy Links, to track privacy legislation). From time to time, we may notify you of new requirements added to these Eligibility Standards.

Should your privacy practices or applicable law change, you should revise your Policy to keep it current (if you operate a children's site and materially change your practices, you must obtain new parental consent to use personal information of children for new purposes). You can access the Account Manager at PrivacyBot.com to create an updated Privacy Policy for your site. A small fee may apply. If you decide to make substantial modifications to your Policy on your own, you should have it reviewed to ensure it still meets these Eligibility Standards. You can have your attorney or adviser review it, or upload the Policy for our review for a small fee (at the Main Menu, click-- Send Revised Policy for pricing and availability).

PrivacyBot Registrants must not be engaged in illegal conduct, or publish content which is obscene, defamatory or infringing of others' rights under applicable law, which is hateful or harassing, or which violates or encourages others to violate any law. We may suspend or terminate registration of any site that we believe reflects unfavorably on the PrivacyBot Trustmark.

You Should Implement Reasonable Data Security Measures.

You should implement technical, administrative and operational security measures that are reasonable under the circumstances to protect the confidentiality, security and integrity of any personal information collected from users. Such measures may include:

• Designating a privacy czar responsible for data security issues and notifying employees and trading partners of their responsibilities
• Using Nondisclosure Agreements (NDA's) with employees and trading partners, as needed (visit the QuickForm Contracts site if you need to draft an NDA for consultants, or an Employee Confidentiality & Invention Assignment Agreement for in-house workers)
• Implementing technical protections (e.g., passwords, firewalls, encryption, secure servers and intrusion detection and security scanning software)
• Operating a physically secure computing environment

You Should Identify a Privacy Representative.

Your Privacy Policy should disclose the name or position, and the method for users to contact your Site's representative for handling  questions relating to matters covered by the Policy. When you register with PrivacyBot, you should also identify an official representative to receive PrivacyBot documents and official notices, including any Complaints filed by users with the PrivacyBot Mediation Service. This person will be responsible for managing your PrivacyBot account and any Complaints (access- Account Manager for this purpose).

You Should Make a Good Faith Effort to Mediate any Privacy Complaints.

If you ever receive a Notice of Mediation and Complaint, you should make a good faith effort to consider the merits of the Complaint and attempt a resolution. PrivacyBot does not take sides or decide the outcome of Complaints. Instead, it offers a communication channel and program incentives to help both parties resolve consumer complaints without formal action. Mediation is voluntary and nonbinding. You can terminate a Complaint during the Mediation Period by accessing the Account Manager)(see the Mediation Rules).

Your Registry Statement will Contain a Summary of Your Privacy History.

Users clicking the Trustmark on your Site will be displayed a Registry Statement fetched from the PrivacyBot server. It includes a history of any pending privacy Complaints against your Site and a summary notation of any unfavorable mediation outcomes. We also display the total number of complaints filed against your Site and the general nature of those complaints (details of disputes are not revealed).

Your Site Will Undergo Automated and Manual Assessments.

Note: Sites with features directed to children under 13, or which knowingly collect information from children are subject to U.S. privacy laws. New sites are admitted on a "provisional" basis until a Compliance Checklist is submitted.

In addition, PrivacyBot's Trustmark and Registry systems provide a nonintrusive first-level mechanism to assess compliance by all Sites with our Eligibility Standards. PrivacyBot may also perform up to two annual "data seeding" exercises to assess compliance on both a random and targeted basis. If your Site demonstrates a pattern or practice of unresolved privacy Complaints, if Complaints of a serious nature are filed against your Site, or if manual assessments reveal a problem, you will be requested to provide additional assurances of your compliance. For example, you may be contacted by our staff and asked to submit a Compliance Checklist or undergo an independent manual audit at your own expense as a condition of membership. PrivacyBot will suspend or terminate your Site for noncompliance. You may terminate your membership if you no longer wish to participate (but may not reapply for at least six months). In some cases, PrivacyBot may refer cases to the FTC for further inquiry.

PrivacyBot Does Not Endorse Your Products or Services.

Sites accepted into the PrivacyBot Registry may display the PrivacyBot Trustmark during the term of their registration and so long as they comply with our Eligibility Standards and TOS. Permission to display the Trustmark does not mean PrivacyBot endorses your Site or any of its features, products or services. If your Site is suspended or terminated from the PrivacyBot Registry, you will promptly remove the Trustmark from your Site.

These Eligibility Standards Will Evolve.

Internet privacy laws, regulations, treaties and consumer expectations are rapidly evolving. These Eligibility Standards are likely to be updated in the future. As we update our Eligibility Standards, we will notify you if we think you should create an updated Privacy Policy to reflect these new requirements. We charge a small fee for updated Policies to cover ongoing legal monitoring and maintenance costs (see Pricing Information). You can update your Policy at any time by accessing the Account Manager.

Definitions to U.S. Federal Children's Online Privacy Protection Act

Personal Information is defined by the Children's Act as individually identifiable information about the individual collected online, including:

• First and last name;
• Home or other physical address including street name, city, town and zip code
• Email address or other online contact information, including instant messaging user identifier, screen name that reveals an individual's email address;
• Telephone or fax number;
• Social security number
• Persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information or combinations of information that permit a person to be contacted online;
• Other information concerning the child or its parents that is combined with an identifier

See Steps 2-4 of the PrivacyBot Drafting System for a broader description of the types of personal information that web sites may be collecting.

Content of the Privacy Policy.  To be complete, according to the Children's Act, your Privacy Policy must give the following notice:

• The name, phone number and email address of all web site operators collecting or maintaining personal information from children through the site;
• The types of personal information collected from children and whether the information is collected actively or passively;
• How such information may be used by the site (e.g., fulfilling a requested transaction, recordkeeping, marketing back to the child, or making it publicly available in a chat room or otherwise);
• Whether the personal information is disclosed to third parties and, if so, the types of business in which such third parties are engaged, the general purpose for which the information is used, whether the third parties have agreed to maintain the confidentiality, security and integrity of the information
• That the parent has the option to consent to the collection and use of their child's personal information, without consenting to its disclosure to third parties;
• That the site will not condition the child's participation in a game, prize or other activity on the child divulging more personal information than is reasonably needed to participate in the activity;
• That the parent can review and have deleted the child's personal information and refuse to permit further collection or use of the child's information (and state the procedures for doing so);

"A Web Site Directed to Children" according to the Children's Act, is a commercial website or online service (or portion thereof) that is targeted to children under age 13. Factors to consider are the site's subject matter, visual or audio content, age of models, language or other characteristics of the site, the use of child-oriented ads and empirical evidence regarding the intended audience. A site is not deemed directed at children merely because it contains links, indices or other references to other children's sites.

"Verifiable Parental Consent" according to the Children's Act, means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, the parent: (a) receives the site's request for consent (including a copy of the Privacy Policy) and (b) authorizes any collection, use and/or disclosure of the personal information.

One challenge in writing the regulations was to find feasible methods to prevent kids simply from impersonating their own parents during the consent process. At least until April, 2002, the regulations permit a "sliding scale" approach that imposes easier consent requirements on less risky activities. For information that will only be used internally by the site, it may rely on email as an effective communication method for obtaining parental consent. However, email notification/consent must be followed by a delayed confirmatory email to the parent and a letter or phone call.

For riskier activities, such as public posting of children's chat messages or disclosure of information to third parties, the regulations require a "print-and-send" letter, a credit card number, a phone call with trained personnel, digital signatures or similarly effective methods. These rules will be revisited as verification technology and services evolve. If the site's practices materially change, it must obtain new parental consent to any materially different practices. This would include changes occurring as a result of corporate mergers among web sites.

"Reasonable Efforts to Contact the Parent" (according to the Children's Act) include, for purposes of these narrow exceptions, notice by email or regular mail. However, it does not include asking a child to print a notice form or sending an email to the child's address. For the parental consent exceptions to apply, the notice must state: (a) that the child's name or email address was collected to respond to the child's request (or to protect the child's safety, as applicable), (b) a simple method for the parent to opt-out and require deletion of such information, and (c) that the site may use the information for the stated purpose if the parent fails to respond.

Acceptable Security Methods according to the Children's Act, include using secure web servers, firewalls, deleting personal information once it is no longer being used, limiting employee access to personal information, training employees and screening third parties to whom data may be disclosed.

California Online Privacy Protection Act of 2003 (California Business & Professions Code, Section 22575), effective July 1, 2004:

SECTION 1.  This act shall be known as, and may be cited as, the Online Privacy Protection Act of 2003.

SECTION. 2.  The Legislature finds and declares all of the following:

(a)    Each operator of a commercial Web site  or online service has an obligation to post privacy policies that inform consumers who are located in California of the Web site's or online service's information practices with regard to consumers' personally identifiable information and to abide by those policies.

(b)    It is the intent of the Legislature to require each operator of a commercial Web site or online service to provide individual consumers residing in California who use or visit the commercial Web site or online service with notice of its privacy policies, thus improving the knowledge these individuals have as to whether personally identifiable information obtained by the commercial Web site through the Internet may be disclosed, sold, or shared.

(c)    It is the intent of the Legislature that Internet service providers or similar entities shall have no obligations under this act related to personally identifiable information that they transmit or store at the request of third parties.

SECTION 3.  Chapter 22 (commencing with Section 22575) is added to Division 8 of the Business and Professions Code, to read:

CHAPTER 22.  INTERNET PRIVACY REQUIREMENTS

22575.

(a)    An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual  consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on  its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22578. An operator shall be in violation of this subdivision only if the operator fails to post its policy within  30 days after being notified of noncompliance.

(b)    The privacy policy required by subdivision (a) shall do all of the following: (1) Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information. (2) If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process. (3) Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service  of material changes to the operator's privacy policy for that Web site or online service. (4) Identify its effective date.

22576.    An operator of a commercial Web site or online service that collects personally identifiable information through the Web site or online service from individual consumers who use or visit the commercial Web site or online service and who reside in California shall be in violation of this section if the operator fails to comply with the provisions of Section 22575 or with the provisions of its posted privacy policy in either of the following ways: (a) Knowingly and willfully. (b) Negligently and materially.

22577.  For the purposes of this chapter, the following definitions apply:

(a)    The term "personally identifiable information" means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and  maintains in personally identifiable form in combination with an identifier described in this subdivision.

(b)    The term "conspicuously post" with respect to a privacy policy shall include posting the privacy policy through any of the following: (1) A Web page on which the actual privacy policy is posted if the Web page is the homepage or first significant page after entering the Web site. (2) An icon that hyperlinks to a Web  page on which the actual privacy policy is posted, if the icon is located on the homepage or the first significant page after entering the Web site, and if the icon contains the word "privacy."  The icon shall also use a color that contrasts with the background color of the Web page or is otherwise distinguishable. (3) A text link that hyperlinks to a Web page on which the actual privacy policy is posted, if the text link is located on the homepage or first significant page after entering the Web site, and if the text link does one of the following: (A) Includes the word  "privacy."  (B) Is written in capital letters equal to or greater in size than the surrounding text. (C) Is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language. (4) Any other functional hyperlink that is so displayed that a reasonable person would notice it. (5) In the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

(c)    The term "operator" means any person or entity that  owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from  a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes.  It does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner.

(d)    The term "consumer" means any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes.

22578.    It is the intent of the Legislature that this chapter is a matter of statewide concern.  This chapter supersedes and preempts all rules, regulations, codes, ordinances, and other laws adopted by a city, county, city and county, municipality, or local agency regarding the posting of a privacy policy on an Internet Web site.

22579. This chapter shall become operative on July 1, 2004.