Just what is the standard, though? From a cursory glimpse, the privacy standard mostly amounts to a few logical rules. An internet-connected device should ask you to sign in and transmit encrypted data, for example. Companies should also be clear about how they share your data, delete that info on request and behave in an ethical manner (say, not compromising for the sake of advertisers or authoritarian governments). And security? For the most part, it amounts to asking the Cyber Independent Testing Lab to use automated testing tools to look for commonly accepted security practices. CR may also ask experts to hack devices, but it says this is "impractical" for reviewing many products.
The company stresses that this is a "first draft" of its takes on privacy and security, and that it hopes outsiders will help improve its policies. At least for now, it's setting expectations accordingly. These methods definitely won't guarantee that a product is airtight, as automated checks and basic precautions can't account for every possible vulnerability or dodgy privacy practice. Our columnist Violet Blue adds that having just one company involved in security screening could be a problem, since it'll be responsible for everything regardless of whether or not it has expertise in a given area. However, it's being fairly "aggressive" by counting deletion of user data as a positive, Violet says -- companies like Facebook might still fight that expectation.
The biggest challenge may be getting companies to treat these ratings as baselines, rather than as gold standards. The whole point is to have manufacturers thinking about privacy and security when they design a product, not to pat them on the back for accomplishing the bare minimum.