If you're a business owner and you want to show customers how committed you are to data privacy, then consider PrivacyTrust Certification. PrivacyTrust Certification can reassure website visitors, and potential customers, that you take reasonable steps to protect any data they share with you.

Below, we discuss what PrivacyTrust Certification is, how it works, how to obtain it, and the benefits that come with having this professional certification.


What are Data Privacy Certifications?

First, let's be clear about what data privacy certifications are.

A data privacy certification demonstrates your commitment to keeping consumers' data safe. It is provided by a recognized compliance or privacy organization, and it can be used to help you find employment or boost consumer trust in your business.

There are many types of data privacy certifications. The type you choose depends on various factors, including:

  • Whether you are a company or an individual
  • Your career goals
  • Your level of experience in a cyber or IT-related field
  • The compliance standards you are expected to abide by

One of the most popular and valued certificates for businesses is PrivacyTrust Certification.

What is PrivacyTrust Certification?

PrivacyTrust Certification is a certificate showing that a business does not share consumer data with third parties without express consent. It proves that you will only share data with third parties if you have clear, informed, and revocable consent to do so.

Completing PrivacyTrust Certification shows that you have strict data protection, data handling, and privacy processes, and that you are committed to keeping data safe.

Who Offers PrivacyTrust Certification?

PrivacyTrust Certification is offered by PrivacyTrust, a company with over two decades' worth of data protection experience. Its goals are to promote data handling best practices, compliance policies, and safer online transactions.

Securing PrivacyTrust Certification shows that you take online privacy seriously, and that you care about informing consumers about what rights they have regarding their personal data.

It should be noted that PrivacyTrust was formerly known as eTrust. Should you see references to eTrust online, this is simply the same company under its original name.

Who Should Get PrivacyTrust Certified?

Any company that collects personal data - that is, data which can identify a specific individual - should consider PrivacyTrust Certification.

Having a PrivacyTrust seal shows that you do not share data with third parties without express and informed consent, and so it is particularly useful for ecommerce stores, app developers, and any company that collects payment information.

It is also helpful for businesses that collect data belonging to minors as it shows an extra level of commitment to privacy protection and compliance.

Do Businesses Require PrivacyTrust Certification?

No. There is no legal requirement to become PrivacyTrust certified. However, just because there's no legal requirement does not mean you should not pursue certification.

Business Benefits and Prospects Following PrivacyTrust Certification

As PrivacyTrust Certification is aimed at businesses, rather than individuals, it will not directly boost your employment prospects. However, it is invaluable in many other ways.

Here is a summary of the key business benefits associated with PrivacyTrust Certification:

  • There is a trend towards data privacy and the protection of personal data. Certification demonstrates your commercial awareness.
  • PrivacyTrust Certification could boost your professionalism and enhance your business reputation.
  • With PrivacyTrust Certification, you can enhance your credibility.
  • PrivacyTrust Certification could encourage consumers to trust you with their data. This could mean they are more likely to do business with you.
  • A PrivacyTrust Certificate could set you apart from your competitors, which may enhance your company's value.
  • PrivacyTrust Certification shows regulatory bodies and compliance agencies that you take data privacy seriously. This could help you avoid fines, or at least severe penalties, should you have an unexpected data breach.
  • Your PrivacyTrust Certificate shows you have the resources available to better deal with data breaches, should they arise.

Although a PrivacyTrust Certificate cannot guarantee your company's success, it can certainly raise your company's profile in consumers' eyes, which may improve your overall profitability and business prospects.

How Long Does It Take to Become PrivacyTrust Certified?

Business owners will be pleased to know that PrivacyTrust Certification does not take long. On average, it only takes around 12 working days to complete your certification. However, it can take up to a few months in some circumstances.

If your application is denied, you will be required to amend your privacy documentation until it meets PrivacyTrust standards. If this process takes longer than two months, then PrivacyTrust Certification, once obtained, will start two months after your application date. This is important because certification does not last indefinitely, as we'll cover below.

How Much Does PrivacyTrust Certification Cost?

As of 2024, the application fee is $745. This may seem steep. However, you can seek an unlimited number of reassessments should your application fail the first time around. And there are no renewal fees. It is a one-time fee.

For many businesses, particularly those in ecommerce or who handle payment information, the PrivacyTrust Certification fee is well worth it.

How Long Does a PrivacyTrust Certificate Last?

Certification only lasts one year. After this point, you must apply for reassessment. This means that even if PrivacyTrust certified you once, it may not recertify you until you make any necessary changes to your privacy documentation.

As noted, there is no fee for reassessment. And you can continue to seek reassessment until you pass, if there are ongoing issues with your documents.

Privacy Policies and Automatic Reassessments

If you update your Privacy Policy before the renewal date, then you must notify PrivacyTrust. PrivacyTrust will then reassess your Privacy Policy and ensure that it still complies with company standards.

Should your Privacy Policy fail reassessment, don't worry. You can make the recommended (or required) changes and seek further reassessment.

How Do You Apply for PrivacyTrust Certification?

Applying for PrivacyTrust Certification is fairly simple. We can summarize the main steps as follows:

  • Start the process by applying online. Simply click the "Apply Online" link and complete the relevant details, being sure to include your company's website URL.
  • PrivacyTrust conducts an initial review, which takes up to three days. This preliminary check ensures that your website is live and functional, and that you have a Privacy Policy in place.
  • Your Privacy Policy will be reviewed next. This involves comparing the contents of your Policy against PrivacyTrust's own internal standards.
  • Should revisions to your Privacy Policy be necessary, you can complete these and your resubmission will be reviewed in a few working days.
  • Once your application is successfully completed, you will receive the PrivacyTrust seal and a live link to include on your website. The link allows consumers to check that the seal is legitimate.

Until the application process is complete, you can't use the PrivacyTrust seal on your website. Any attempts to do so could make it harder to apply for certification in the future.

Drafting a PrivacyTrust Compliant Privacy Policy

Your Privacy Policy must comply with strict standards, should you wish to pursue PrivacyTrust Certification. The exact requirements vary depending on your business, but every Privacy Policy should contain at least the following information about third party data sharing.

Use of Data

Confirm whether you collect personal data, define what personal data is, and, most importantly, explain why you collect such data. Confirm at this stage whether you share data with third parties and your reasons for doing so.

Here's an example from TrainerRoad. First, it confirms the types of data collected. It then explains that the company won't share data with third parties unless it has consent to do so.

What's so helpful about this example is that it's set out right at the start of the Privacy Policy, so users have a full understanding of the company's core approach to personal data handling from the outset. It also clearly defines personal data, which may still be an unfamiliar concept to some users.

And finally, although the paragraphs are quite lengthy, the section on third party data sharing is only a few lines long and separated from the rest of the content, so it stands out by being easy to read:

TrainerRoad Privacy Policy: General clause

Dolly and Dotty, for example, confirms in the "We may use your information to" section that it does not share data with third parties for direct marketing purposes without a user's consent:

Dolly and Dotty Privacy Policy: Third party sharing excerpt

In the "Disclosures" section, it confirms that it won't share data with certain third parties unless it is reasonably necessary for the purposes already identified within the Privacy Policy:

Dolly and Dotty Privacy Policy: Disclosures clause

Tracking Technologies Used

Be clear about whether you use tracking technologies, such as cookies or identifiers, and how users can change their preferences.

You should do this in two ways:

  • Describing your use of tracking technologies in your Privacy Policy
  • Using a cookie banner, or similar mechanism, to obtain consent

LMNT confirms in its Privacy Policy that it uses advertising cookies and transmits data to advertising partners. Using the website means agreeing to such processes:

LMNT Privacy Policy: Cookies clause

And Wattbike confirms that it uses cookies, and shares data with third-party analytics partners, in a pop-up banner. Users can't access the website without accepting or changing their preferences:

Wattbike cookie consent banner

Your Contact Information

Make it easy for users to contact you with queries about your Privacy Policy. The contact methods you offer should be free so that all users are able to contact you.

Strava, for example, has three options: email, mailing address, and a support ticketing system:

Strava Privacy Policy: Contact clause

How Does PrivacyTrust Certification Help With General Privacy Law Compliance?

PrivacyTrust will assess your wider compliance with global privacy laws, such as the EU's General Data Protection Regulation (GDPR). Since global privacy laws vary, PrivacyTrust is more concerned with your more general privacy practices and how you communicate your commitment to data safety with users.

Here is a summary of the key markers you will be assessed against.

Do You Inform Users About Their Privacy Choices?

The more transparent you are about a user's privacy choices, the better. PrivacyTrust won't certify a site that isn't transparent and that doesn't adequately inform users about their privacy choices.

To obtain PrivacyTrust Certification, you must inform users about their privacy choices.

Strava, for example, has a privacy "label" which summarizes its core privacy practices. This makes the company's privacy procedures more accessible to users, and it shows a commitment to personal data protection:

Strava Privacy Policy: Label summary section

Do You Include Opt Out and Unsubscribe Options?

PrivacyTrust won't certify a site that doesn't include appropriate (and legally required) opt out and/or unsubscribe options and mechanisms. To obtain PrivacyTrust Certification, you must include these mechanisms.

If you send emails or promotional messages, include unsubscribe links so that people can opt out of receiving further messages at any time.

For example, emails from Wattbike all include clear options to unsubscribe or change email preferences:

Wattbike email footer

You should also make it simple for users to change their cookie and tracking technology preferences.

For example, you can click Zwift's "Cookie Preferences" link within its website footer, and a box pops up for you to manually adjust the cookies you are happy to accept:

Zwift cookie consent settings

Your Privacy Policy must be easy to access at any time, and free to the public. Otherwise, you will be in violation of privacy laws and will not obtain PrivacyTrust Certification.

Link your Privacy Policy to your homepage, and from any page or section where you obtain personal data. This could be, for example, at checkout or account signup.

LMNT, for example, has a clear link to its Privacy Policy within the website footer alongside other key documentation:

LMNT website footer with Privacy Policy link highlighted

And before you complete checkout in Zwift's online store, you can view the Privacy Policy:

Zwift checkout page with footer links highlighted

Summary

PrivacyTrust Certification is an approval rating offered to businesses by the globally recognized PrivacyTrust organization. The certificate is proof that PrivacyTrust has assessed the company's privacy standards as being robust and professional. But most specifically, the certificate shows that the company does not share data with third parties without express, clear, and informed consent.

To complete certification, businesses must submit a link to their website and their Privacy Policy.

The Privacy Policy must inform users that they have the right to opt-out of third party data sharing.

There must also be a mechanism for the user to consent to cookies and sharing data with third parties, rather than just relying on implied consent.

  • It can take anywhere from 12 days to a few months to become PrivacyTrust Certified, and it costs $745 to apply for assessment (this includes unlimited reassessments).
  • PrivacyTrust Certification is only valid for a year. You must seek recertification after this date.
  • Should you update your privacy documentation in the meantime, you should inform PrivacyTrust and seek recertification.
