AOTA Releases Top 10 Privacy Practices


The Authentication and Online Trust Alliance Wednesday published a list of top 10 data privacy practices the trade group contends will help foster consumer trust in e-commerce, spur economic growth and head off industry-crippling legislation.

The tips were released in recognition of the second annual so-called Data Privacy Day, a consumer-education effort launched in Europe in 2007. The U.S. House of Representatives on Monday approved a resolution to declare Jan. 28 Data Privacy Day.

Organizations in the United States, Canada, and 27 European countries reportedly participated in Data Privacy Day activities this year.

“As data collection continues to become a valuable asset for building business relationships, so does the responsibility of the companies who are the custodians of that data,” said AOTA chairman and founder Craig Spiezle in a statement. “Consumers are demanding increased control of how their data is used. It is no longer the Wild West of business practices. It’s imperative that businesses adopt these principles or suffer the consequences of a consumer trust meltdown and invite regulation.”

Following are the recommended AOTA business practices:

* Ensure all privacy policies are discoverable, transparent and written to ensure consumer comprehension, and accessible from every page of a site and every email sent.

* Contact users, providing them the company privacy policy upon any program changes and periodically for consumer review, with provisions for consumer choice over their data usage.

* Establish and publish procedures for data collection, transfer and retention, and commit to performing third-party or self audits for compliance.

* Support collaborative global public-private efforts to increase consumer awareness and education as well as the adoption of fair information practices privacy/security regimes (e.g., appointment of a national Chief Privacy Officer).

* Support self-regulatory efforts to adopt standard data retention/use policies.

* Set and publish standards of privacy, security and data retention policies with clear accountability between first-party sites and third-party content providers and advertisers.

* Create response plans for accidental disclosure of personal information and data breaches, including notification to consumers and governmental agencies and providing relevant remedies to consumers, such as no-charge credit record monitoring services for consumers affected, or other remedies as appropriate.

* Commit to authenticating all outbound e-mail with DomainKeys Identified Mail (DKIM) and/or Sender ID Framework (SIDF) to combat forged email and potential privacy exploits within six months.

* Transactional sites adopt Extended Validation Secure Sockets Layer (EV SSL) certificates within six months or upon existing certificate expiration.

* All consumer-facing sites obtain privacy certification and seals from a third-party provider or other third-party consumer dispute resolution mechanisms.
