Frequently Asked Questions
BBB National Programs’ Global Privacy Division manages various certification and independent accountability mechanisms to support businesses looking to align with internationally recognized standards for cross-border privacy. Businesses that participate in our trusted Global Privacy Division programs know they are receiving first-class services along with up-to-date guidance on global privacy compliance obligations and standards from our deep bench of privacy experts. Learn more about the programs:
To promote free trade throughout the Pacific Rim. Together, those economies created a multilateral privacy framework to help facilitate the responsible cross-border transfer of personal information. Known as the Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, these frameworks include a set of privacy best practices that represent a global baseline for data protection.
BBB National Programs is an approved Accountability Agent within the CBPR system, meaning that BBB National Programs is empowered to certify U.S. businesses and their global subsidiaries to the CBPR standard. That’s where our CBPR certification comes in. We provide a certification to businesses that can demonstrate compliance with the CBPR.
The CBPR accountability system allows certified businesses to commit to an achievable compliance mechanism backed by their Accountability Agent and participating governments. This multi-layered accountability system ensures that enhanced privacy protections apply to personal information, even when it moves across borders.
Similarly, Privacy Recognition for Processors (PRP) was created to serve as a certification for vendors that process personal data on behalf of other companies, consistent with the same security and accountability requirements under CBPR.
These systems are growing in relevance beyond the Asia Pacific region as more jurisdictions recognize that the baseline privacy standards included in these privacy certifications are compatible with their privacy and data protection laws. Because of this, many companies choose to certify their entire global operations to the CBPR standard.
The Vendor Privacy Program (VPP) is designed to match the privacy and security standards of the BBB National Programs’ PRP certification, mentioned above in FAQ 1. The only difference is that VPP businesses can be headquartered anywhere in the world, not just in the United States. This certification allows vendors around the world to demonstrate that they meet the requirements—and embrace similar layers of accountability—as vendors in the PRP system.
VPP allows participating businesses to demonstrate to current and potential customers and consumers implementation of an accountable privacy and security program based on internationally recognized standards. Vendors with a VPP certification confirm that they will meet the established data protection standards outlined in the Vendor Privacy Program Requirements, and are backed by BBB National Programs’ commitment to delivering independent accountability to privacy promises.
STEP 1: Confirm your company is eligible.
STEP 2: Submit the application form to BBB National Programs.
STEP 3: Review and refine relevant data privacy policies and practices with a BBB National Programs certification specialist to confirm that you meet Program Requirements. See “What should I expect when I apply for a certification?”
STEP 4: Receive your company’s customized Findings Report along with access to the BBB National Programs certification seal.
After you apply, the BBB National Programs team will contact you directly to process your application. BBB National Programs takes a hands-on approach to working with participating businesses to keep them informed about both the substantive privacy requirements of our programs, as well as the administrative requirements to achieve and maintain their certification.
After we have reviewed your account and processed your payment, you will be introduced to your certification specialist or “certifier.” This person will guide you through the certification process, working to compare your policies and procedures to the requirements of the privacy certification for which you have applied. Depending on the maturity of your program, this process can take as little as a few weeks. If gaps are identified, you will need to address those before gaining the certification.
Once approved:
- You will receive a privacy seal and language to include in your privacy policy showcasing your certification.
- As soon as the seal is added to your website, you will appear on the public list of certified companies.
- You will receive a confidential Findings Report, showing the results of our privacy review and explaining how your policies and procedures meet or exceed global privacy standards.
Your participation in a BBB National Programs global privacy certification requires that you remain responsive to outreach from our privacy team. Our ongoing monitoring of your privacy policy and our consumer dispute resolution services mean that we may be in touch with urgent questions about your privacy practices that will require your full attention. Otherwise, you can expect to remain certified until it is time for your annual re-certification. At that time, you will go through a similar review process of your privacy practices, to ensure that they continue to exceed the high baseline standards.
The program requirements for the Cross-Border Privacy Rules certification include fifty controls that span nine privacy principles, including: Notice, Collection Limitation, Use of Personal Information, Choice, Integrity of Personal Information, Security Safeguards, Access and Correction, and Accountability.
To complete the certification process, you will need to provide information on your organization’s operational policies and technical security controls, with supporting documentation and evidence.
Our certification team will assist you in navigating these questions, no matter how developed your privacy program.
Here are available privacy certifications and their associated costs. To learn more about our Data Privacy Framework Services, contact us at euprivacy@bbbnp.org.
Privacy Recognition for Processors (PRP): $6,000
Vendor Privacy Program (VPP, equivalent to PRP but for non-U.S. organizations): $6,000
Cross-Border Privacy Rules (CBPR): price based on global annual revenue of covered entities under the certification
Less than $5 million (fee of $2,500)
$5,000,001 to $50 million (fee of $5,000)
$50,000,001 to $500 million (fee of $10,000)
$500,000,001 to $2 billion (fee of $20,000)
$2,000,000,001 to $50 billion (fee of $25,000)
More than $50 billion (contact us)
BBB National Programs’ privacy program certifications are thorough, internationally recognized, and maintain a component of continued oversight once certification is attained. The substantive requirements of the standard align well with other privacy standards around the world, including U.S. state laws and even the GDPR. Many of the key CBPR principles require a business to have systems designed to prevent harm to individuals from wrongful collection and misuse of information. Therefore, privacy protections need to be in place to meet local laws, regulations, and enforcement mechanisms. Certification is evidence that you demonstrated to BBB National Programs, an independent third party, how you achieved compliance under these frameworks and, more broadly, is evidence of your overall commitment to consumer privacy.
Once your organization is fully certified by BBB National Programs, you will appear on the CBPR Compliance Directory (or PRP Compliance Directory) for certified organizations.
In addition, you will receive a customized Findings Report, which maps your demonstrated policies and practices against the Program Requirements of the relevant certification. This confidential report can even be shared with your business partners as a mechanism of demonstrating more granular information about how you achieved certification.
BBB National Programs will also issue your organization a unique seal to place on your public-facing website. This seal will provide your customers with a link to engage with our robust dispute resolution process.
BBB National Programs is the first ever U.S. non-profit to be approved by participating governments as a recognized CBPR and PRP Accountability Agent. Our programs serve to build a more trusted marketplace for consumers through the development and delivery of effective third-party accountability and dispute resolution programs.
Privacy certifications from BBB National Programs (such as CBPR, PRP, and VPP) cover the global privacy operations of a business, based on the policies and procedures that the business has implemented. An independent review from our Global Privacy Division includes the type of interactions a business might expect in seeking other industry standard privacy and security certifications (such as SOC-2 or ISO 27701). Our team of experts will focus on ensuring that your business has implemented robust policies and procedures throughout your operations that map to the requirements of the certification you are seeking.
This type of certification is very different from a professional privacy certification, such as those offered by the International Association of Privacy Professionals. Professional certifications are credentials for individual professionals, whereas BBB National Programs’ privacy certifications cover an entire program.
Yes. Our team will help you determine which certification(s) make the most sense for your business. If you serve the role of both a controller and a processor for personal data, you may benefit from obtaining multiple certifications, such as CBPR and PRP.
You may also wish to consider joining BBB National Programs' Data Privacy Framework Services, the chosen independent recourse mechanism of 1000+ businesses to meet compliance obligations and bring accountability to their public commitments that align with the European Union data protection standards.