Better Business Bureau
BBBOnLine
Privacy Program Eligibility Requirements
Privacy Seal

THRESHOLD ELIGIBILITY

  1. For applications received after December 31, 2006 the organization must be a member of a Better Business Bureau in the United States or Canada, or a member of the Council of Better Business Bureaus in Arlington, VA. The program will no longer accept applications from companies without a physical presence in the United States or Canada. No company with an unsatisfactory BBB rating shall qualify for the program. Charities seeking the privacy seal should contact the BBB Wise Giving Alliance program for further information on their certification and online seal program.
  2. Your organization must be engaged in activity that is legal, and may not display content of such an obscene, defamatory, or hateful nature that it reflects unfavorably on the BBBOnLine Privacy Seal, or engage in any activity that lessens the BBBOnLine Privacy Program's ability to promote trust and confidence on the Internet.
  3. Your website or online service must be online. If not yet launched, your website or online service must be substantially complete and available for evaluation.
  4. You must have adopted and implemented an online privacy notice and posted this notice on your covered website or online service.
  5. You must have charged a specific individual with the responsibility for implementing and overseeing the privacy notice for your website or online service.
  6. You must have taken appropriate steps to implement the privacy notice so your organization can faithfully abide by your privacy notice provisions.

APPLICATION, FEE, & CONTRACTS

  1. You must complete the BBBOnLine Privacy Business Application. You must pay the required BBBOnLine Privacy application and evaluation fees. You must complete the required portions of your BBBOnLine Privacy Site Profile. You must sign and return the BBBOnLine Privacy Participation Agreement.
  2. You must take appropriate steps to comply with all applicable BBBOnLine Privacy Program requirements. In order to continue participation in the BBBOnLine Privacy Program, you must agree to comply with any future BBBOnLine Privacy Program requirements.
  3. You must agree to participate in the BBBOnLine Privacy Program Dispute Resolution Process and to abide by decisions entered in that program.
  4. You must agree to cooperate with the BBBOnLine Privacy Program verification requirements. Verification requirements include, but are not limited to, information pertaining to: choice, individual access to data, transfer of information to outside parties, data integrity, security, and parental notice and consent (if applicable).
  5. You must agree to inform the BBBOnLine Privacy Program, prior to implementation, of all material changes to your privacy notice, the scope of the BBBOnLine Privacy Seal or Kid's Seal, your information practices, or any change that would impact your standing or eligibility in the BBBOnLine Privacy Program.
  6. Your completed Site Profile and Kid's Site Profile (if applicable) will be reviewed by the BBBOnLine staff. The BBBOnLine review will result in a seal award, a request for more information, or information regarding modifications needed to qualify for a seal. If modifications are needed, you will have 60 days to respond to the BBBOnLine review. Failure to respond within 60 days will render your application inactive, and will require you to re-apply and be subject to additional application and evaluation fees.
  7. You must display the appropriate seal(s) on your covered website or online service within a reasonable time of notification of qualification by the BBBOnLine Privacy Program.

WEBSITE OR ONLINE SERVICE DESIGN

  1. Your privacy notice must be easy to read, easy to find, and appear (at least) through a clearly labeled and direct ("one-click-away") link on all the homepages of your website or online service, all areas at which you collect personally identifiable information, and all areas on your covered website or online service where an email address is held out for your organization. Your privacy notice must list all your required disclosures in a single document.
  2. If you collect Type I Sensitive Information (financial transaction information such as credit card numbers or bank account numbers, social security numbers, health care information, or other types of sensitive information) you must use encryption whenever such information is transmitted or received online.
  3. If your application does not cover all your websites or online services and all the websites and online services of your corporate affiliates, then it must be clear to web-visitors relying on the display of the seal which parts of your websites or online services are covered and which parts are not.
  4. If the promises made in your privacy notice do not apply to everyone about whom you may collect information online, regardless of the country in which those individuals may reside, there must be a statement (separate from your privacy notice) posted on your homepage(s), in each area where information is collected, and in each area where you hold out an email address for your organization stating that the website or online service is only for residents of those specific countries. This limitation on the scope of your privacy notice may only be made when the goods or services you offer through your covered websites or online services can only be ordered by the residents of one or more specific countries OR you maintain sister sites (not covered by your application) that are directed to the residents of other countries.
  5. If you treat personally identifiable information from individuals acting solely in a business capacity differently from everyone else's information, an effective means must also be employed to determine what information is actually submitted solely in a business capacity.
  6. If an individual must disclose some personally identifiable information, or create a unique identifier (like a password), in order to access certain parts of your covered websites or online services, a statement explaining the consequences of refusing to provide such information must appear in your privacy notice or at the point or time of collection.

COLLECTING & MAINTAINING INFORMATION

  1. If you collect and maintain personally identifiable information or prospect information, you must have in place procedures to help assure the accuracy of this information.
  2. If you collect and maintain personally identifiable information or prospect information, you must maintain written security policies to protect the personally identifiable information and prospect information you collect against unauthorized access, and you must perform an annual review of this written security policy.
  3. If you collect and maintain personally identifiable information or prospect information, you must maintain logs to help implement your physical security and electronic security procedures.
  4. If you collect and maintain personally identifiable information or prospect information, the computer equipment in which such information is stored, and any other copy of such information, must be located in an appropriately secure physical environment that includes doors, locks, etc. to keep unauthorized individuals from accessing the information.
  5. If you collect and maintain personally identifiable information or prospect information, you must have appropriate security measures in place to prevent unauthorized electronic access to personally identifiable information or prospect information.
  6. If you collect and maintain personally identifiable information or prospect information, you must provide training with respect to your organization's information practices to your personnel who interact with or otherwise have access to personally identifiable information or prospect information.
  7. If you collect and maintain personally identifiable information or prospect information, you must provide the subjects of this information the ability to access their own information. In the context of an access request, for any personally identifiable information or prospect information to which you cannot provide access, either because it is not maintained in retrievable form, or the requestor cannot meet any reasonable frequency or fee limits, you must instead provide:
    1. an explanation why access cannot be provided,
    2. a contact for further inquiries, and
    3. a reference to the provisions in your privacy notice that discuss the type of data collected and how it is used, or provide the individual with materials on these matters that are at least as complete as the information provided in the privacy notice.
  8. If you collect and maintain personally identifiable information or prospect information, you must provide the subjects of this information the ability to make factual corrections to their own information. This process must not be limited by frequency or fee.
  9. If you collect and maintain personally identifiable information or prospect information, you must take reasonable steps to authenticate the identity of the individual requesting access to information or requesting correction to information.
  10. If you collect and maintain personally identifiable information or prospect information, AND you place frequency or fee limits on the ability of a data subject to later access their own information, you may not, except in extraordinary circumstances, impose frequency or fee limits that require intervals of more than a year between requests, or impose a fee of more than $15 (U.S. or equivalent) per response.
  11. If you collect and maintain personally identifiable information or prospect information, AND you place frequency or fee limits on the ability of a data subject to later access their own information, you must clearly describe these limits in your posted privacy notice OR you must have a procedure to inform individuals of these limitations at the time of request and allow individuals to withdraw that request without having it counted against a frequency limit.

DIRECT MARKETING

  1. If you use personally identifiable information or prospect information to market back to the subject of that information, you must provide a method by which individuals may at any time opt-out of your marketing. Should you market to prospects, you must also provide prospects a choice as to whether or not they receive marketing from you and you must explain this choice at least at the time of any first marketing contact between your organization and the prospect.

SHARING INFORMATION

  1. If you share personally identifiable information or prospect information with outside parties or corporate affiliates with different privacy notices, you must provide a means by which individuals may prevent this transfer of information by either opting-in or opting-out of this transfer. You must also take meaningful steps to try to ensure that these outside parties or corporate affiliates are aware of your privacy and security policies, and that they will take reasonable precautions to similarly protect such information. Regardless of the provision of opt-ins or opt-outs, prospect information may never be shared with these outside parties or corporate affiliates with different privacy notices if it may be used by these or subsequent parties for marketing. This prohibition on such transfers applies without regard to any choice about third party transfers made by the individual submitting the information. If the types of outside parties or corporate affiliates with whom you share personally identifiable information or prospect information are not clearly described in your privacy notice, the types of outside parties or corporate affiliates with different privacy notices with whom you share personally identifiable information or prospect information must instead be clearly and conspicuously disclosed at the point of collection.
  2. If agents or contractors of your organization receive or have access to personally identifiable information or prospect information, all such agents and contractors must have agreed to hold this information in confidence, not use it for any purpose except to carry out the service they are providing your organization, and honor your organization's privacy and security policies in the way this information is handled.
  3. If you share Type II Sensitive Information with outside parties or corporate affiliates with different privacy notices, you must only share such information when individuals have expressly or affirmatively opted-in to the sharing of this information, unless its processing meets one of the opt-in exceptions.
  4. You must provide individuals the opportunity to opt-out or otherwise prohibit any unrelated use of information that is not described in the privacy notice at the time information was collected, and does not meet one of the four exceptions.

PRIVACY NOTICE DISCLOSURES

  1. Your privacy notice must clearly disclose its effective date.
  2. Your privacy notice must clearly disclose how individuals may contact your organization in the instance there are questions or concerns about your privacy and security policies.
  3. If you collect and maintain no personally identifiable information or prospect information, your privacy notice must clearly explain the fact that no personally identifiable information or prospect information is collected and maintained.
  4. If you collect and maintain personally identifiable information or prospect information, your privacy notice must state your organization's commitment to online data security.
  5. If you collect and maintain personally identifiable information or prospect information, your privacy notice must clearly state all the types of personally identifiable information or prospect information you collect and maintain (including email correspondence).
  6. If you collect and maintain personally identifiable information or prospect information, your privacy notice must clearly describe (with only four exceptions) how each type of personally identifiable information or prospect information is used. Such uses may include, but are not limited to, sharing information, order fulfillment, record keeping, marketing, or making it publicly available through a chat room or by other means.
  7. If you associate passive or behavioral information (like cookies, web-bugs, purchase histories, or other tracking data) with names or similarly specific identifiers, your privacy notice must clearly explain that these types of passive or behavioral information are being collected. Your privacy notice must clearly explain that these types of passive or behavioral information are linked to identifiable information. Your privacy notice must clearly explain how these types of passive or behavioral information are used.
  8. If you use personally identifiable information or prospect information to market back to the subject of that information, you must clearly explain in your privacy notice how individuals may at any time opt-out of your marketing.
  9. If you share personally identifiable information or prospect information with outside parties or corporate affiliates with different privacy notices, your privacy notice must clearly disclose the fact that information is shared. Your privacy notice must clearly explain how an individual may prevent the transfer of their information by either opting-in or opting-out of this transfer. If the types of outside parties with whom you share personally identifiable information or prospect information are not clearly and conspicuously disclosed at the point of collection, your privacy notice must also clearly disclose the types of outside parties or corporate affiliates with whom the information is shared.
  10. If your application does not cover all your websites and online services, and all the websites and online services of your corporate affiliates, your privacy notice must clearly explain that it does not cover all your websites or online services. If there are any links from the covered websites or online services to non-covered websites or online services, your privacy notice must also clearly identify by URL (or some other specific identifier) these non-covered websites or online services.
  11. If the promises made in your privacy notice do not apply to everyone about whom you may collect information online, regardless of the country in which those individuals may reside, this limitation must be clearly disclosed in your privacy notice.
  12. If you treat personally identifiable information from individuals acting solely in a business capacity (such as a purchasing agent) differently from everyone else's information, this limitation must be clearly disclosed in your privacy notice.
  13. If an individual must disclose some personally identifiable information, or create a unique identifier (like a password) in order to access certain parts of your covered websites or online services, you must provide a statement explaining the consequences of refusing to provide such information if such a statement is not also available at the point or time of collection.
  14. If you enhance or merge personally identifiable information or prospect information with data from outside parties for the purposes of marketing, your privacy notice must clearly disclose this practice.
  15. If there are other organizations that can directly collect and maintain personally identifiable information or prospect information, either actively or passively, from individuals while those individuals remain on your covered website or online service, your privacy notice must clearly disclose the fact that these other organizations are collecting such information. Your privacy notice must clearly identify these other organizations. Your privacy notice must give a URL (or some other form of contact information) that would allow an individual to evaluate the privacy and security policies of these other organizations.
  16. If you collect personally identifiable information or prospect information, but do not maintain any of this information, your privacy notice must clearly disclose this fact.
  17. If all or some of the personally identifiable information or prospect information you collect is maintained, the means by which the subjects of this information may later access their own information must be clearly described in your privacy notice.
  18. If all or some of the personally identifiable information or prospect information you collect is maintained, the means by which the subjects of this information may later correct their own information must be clearly described in your privacy notice.
  19. If all or some of the personally identifiable information or prospect information you collect is maintained AND you place frequency or fee limits on the ability of a data subject to later access their own information, you must clearly describe these limitations in your privacy notice.
  20. After you are granted the Privacy Seal, your privacy notice must mention your participation in the BBBOnLine Privacy Program and provide a link to the BBBOnLine website.

STAFF DETERMINATIONS

  1. By staff determination, a website or online service displaying content that does not violate the BBBOnLine Privacy Threshold Eligibility Requirements, but is inappropriate for children under the age of 13, will be required to employ a proven method for screening out children.
  2. By staff determination, a website or online service displaying content that does not violate the BBBOnLine Privacy Threshold Eligibility Requirements, but is also inappropriate for children under the age of 13, will not be allowed to display the Privacy Seal on any online areas other than the homepage and privacy notice.
  3. If an organization does not already request a children's seal, the BBBOnLine staff reserves the right to require the organization, and those portions of its website or online service, to comply with the Kid's Seal Requirements if all or part of the website or online service to be covered by a seal is found to be directed to children.
© 2003 Council of Better Business Bureaus, Inc.