Building Trust

Getting Ready for the 2016 Online Trust Audit

Got Trust?  The Online Trust Audit continues to serve as a benchmark of security, privacy and consumer protection best practices for organizations throughout the world.  Consistent with OTA's view that such standards and practices need to evolve continually to reflect the threat landscape, new standards and regulatory requirements, this year's methodology and scoring are being updated.

Initial changes for the 2016 methodology have focused on two primary areas: adoption of current SSL standards and the global privacy landscape (already applied to the 2016 Presidential Candidates audit and planned for the upcoming eFile audit). As with the methodology updates made each year, the SSL tools have been enhanced to reflect compliance with current standards and protocols, while placing increased weight on exposure to known vulnerabilities and risks.

Through a multi-stakeholder review process the working group agreed to "raise the bar".  Starting in 2016, sites with an SSL score of C will automatically receive a failing grade in security, resulting in an overall audit fail.  This change was necessary because the primary causes of C grades are typically easy to address, and a site with such a score should not be considered in the same mix as sites qualifying for the Honor Roll with A or B SSL scores.

On the privacy front, the previous bonus points for short/layered notices and Do Not Track (DNT) disclosures will become part of the core privacy policy scoring methodology.  With the goals of supporting responsible privacy practices and the progress of the DNT standard through the W3C standards process, disclosure (or, more often, the lack thereof) of whether a site honors browser-based Do Not Track settings has been integrated into the core privacy score.  Sites that fail to disclose whether they honor such user settings, or that fail to function when third-party cookies are blocked, lose points as part of the core privacy policy score. While some sites currently point to self-regulatory solutions such as those proposed by the Digital Advertising Alliance (DAA), OTA, along with the privacy community, the Federal Trade Commission and the European Union, does not believe such solutions address the core consumer issues of data collection and usage or the intent of the DNT standard.
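For site operators deciding what to disclose, it helps to see what "honoring the browser-based DNT setting" looks like on the server side. The following is an added illustration, not OTA audit tooling and not code from any audited site: a minimal request handler that reads the DNT request header, withholds its own tracking cookie when the header is set to 1, and declares its status in a Tk response header as described in the W3C Tracking Preference Expression (TPE) draft. The handler shape and the cookie name visitor_id are assumptions made for the example.

```python
"""Added illustration of honoring the browser Do Not Track (DNT) signal.
Not OTA's audit tooling; the handler shape and cookie name are assumptions."""
import secrets

TRACKING_COOKIE = "visitor_id"  # hypothetical first-party analytics cookie


def dnt_enabled(request_headers):
    """Return True when the browser sent 'DNT: 1'.

    Header names are matched case-insensitively. Any value other than '1'
    (including an absent header) means the user expressed no preference.
    """
    for name, value in request_headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def handle_request(request_headers):
    """Build response headers for a page view.

    When DNT is on, no tracking cookie is issued and the response carries
    'Tk: N' (not tracking). Otherwise a random visitor token is set and the
    response carries 'Tk: T' (tracking). The Tk header and the N/T values
    come from the W3C TPE draft; the rest of the policy is this example's.
    """
    response = {"Content-Type": "text/html; charset=utf-8"}
    if dnt_enabled(request_headers):
        response["Tk"] = "N"
    else:
        response["Tk"] = "T"
        token = secrets.token_hex(16)
        response["Set-Cookie"] = (
            f"{TRACKING_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
        )
    return response


if __name__ == "__main__":
    # Constructed sample requests: one with DNT on, one with no preference.
    print(handle_request({"Host": "example.com", "DNT": "1"}))
    print(handle_request({"Host": "example.com"}))
```

Note that this only covers the site's own cookie; third-party trackers embedded in the page make their own decisions, which is why the audit scores the written disclosure of a site's DNT stance rather than inferring it from a single response.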

Make a commitment and move from compliance to stewardship.  To see whether your site and brand are positioned to qualify for the 2016 Honor Roll, visit the Online Trust Audit Methodology.  Share your comments and help enhance data protection and drive responsible privacy and data collection practices.