Third-Party Requests for User Data

Criteria: The company complies only with legal and ethical third-party requests for user information.

Indicators

  1. The company explains its process for responding to non-judicial government requests.
  2. The company explains its process for responding to court orders.
  3. The company explains its process for responding to requests from foreign jurisdictions.
  4. The company explains its process for responding to requests made by private parties.
  5. The company’s explanations include the legal basis under which it may comply.
  6. The company commits to carry out due diligence on requests before deciding how to respond and to push back on unlawful requests.
  7. The company provides guidance or examples of implementation of its process.

Methodology for Assessing Each Indicator

1) The company explains its process for responding to non-judicial government requests.

  • Obtain and review a copy of the product’s privacy policy. Obtain and review any transparency reports that the company has published.
  • Look for any information about third-party requests for user information. These are often divided into judicial/law enforcement requests (warrants, court orders, and other legal tools), non-judicial government requests, and third-party requests that do not come from governments.
  • Some policies identify each of these types of requests and provide separate information, but many also combine them into a broader information sharing policy.
  • For this indicator you want to find specific information about non-judicial government requests: for example, what information the company requires from a government before it will act on such a request, who within the company reviews these requests, and how the company provides user information to governments when it does comply.
  • If the privacy policy describes a process for responding to non-judicial government requests, mark PASS.
  • If the privacy policy does not describe a process for responding to non-judicial government requests, mark FAIL.

2) The company explains its process for responding to court orders.

  • Obtain and review a copy of the product’s privacy policy. Obtain and review any transparency reports that the company has published.
  • Look for any information about third-party requests. These are often divided into judicial/law enforcement requests (warrants, court orders, and other legal tools), non-judicial government requests, and third-party requests that do not come from governments.
  • Some policies identify each of these types of requests and provide separate information, but many also combine them into a broader information sharing policy.
  • For this indicator, you want to find specific information about the process the company follows in responding to court orders. The policy may list different types of judicial orders separately, for example warrants, subpoenas, or other court orders and legal tools used in the country where the company operates.
  • If the privacy policy describes a process for responding to court orders, mark PASS.
  • If the privacy policy does not describe a process for responding to court orders, mark FAIL.

3) The company explains its process for responding to requests from foreign jurisdictions.

  • Obtain and review a copy of the product’s privacy policy. Obtain and review any transparency reports that the company has published.
  • Look for any information about third-party requests for user information.
  • For this indicator, you want to see a clear indication that the company’s information sharing policies distinguish requests based on the jurisdiction they come from. For example, a company may use one process for requests from the country where it operates and a different process for requests from a third country with a different legal system or procedures (such as requiring that the request be routed through a mutual legal assistance process or a local court).
  • This indicator does not specify whether “requests from foreign jurisdictions” means solely foreign government requests or also includes requests from private parties located in a different country; a policy that addresses either should be assessed against this indicator.
  • If the privacy policy describes a process for responding to foreign jurisdiction requests, mark PASS.
  • If the privacy policy does not describe a process for responding to foreign jurisdiction requests, mark FAIL.

4) The company explains its process for responding to requests made by private parties.

  • Obtain and review a copy of the product’s privacy policy.
  • Look for any information about third-party requests for user information.
  • For this indicator, the privacy policy should distinguish between government requests and non-government third-party requests (for example, requests from other companies or from parties to civil litigation) and describe how the latter are handled.
  • If the privacy policy describes a process for responding to private party requests, mark PASS.
  • If the privacy policy does not describe a process for responding to private party requests, mark FAIL.

5) The company’s explanations include the legal basis under which it may comply.

  • Obtain and review a copy of the product’s privacy policy.
  • Look for any information about compliance with third-party requests.
  • For this indicator, the privacy policy should include legal language describing the grounds under which the company may comply with a request, for example the statutes, legal instruments, or contractual terms it relies on.
  • If the privacy policy describes the legal basis under which it may comply with third-party requests, mark PASS.
  • If the privacy policy does not describe the legal basis under which it may comply with third-party requests, mark FAIL.

6) The company commits to carry out due diligence on requests before deciding how to respond and to push back on unlawful requests.

  • Obtain and review a copy of the product’s privacy policy. Obtain and review any transparency reports that the company has published.
  • Look for any information about compliance with third-party requests.
  • Look for any information regarding a legal review process that assesses whether each request is lawful and properly scoped before the company decides how to respond.
  • Look for any information regarding how the company responds to requests it deems unlawful or overbroad, for example rejecting the request, narrowing it, or challenging it in court.
  • If the privacy policy describes a commitment to carry out due diligence, mark PASS.
  • If the privacy policy does not describe a commitment to carry out due diligence, mark FAIL.

7) The company provides guidance or examples of implementation of its process.

  • Obtain and review a copy of the product’s privacy policy. Obtain and review any transparency reports that the company has published.
  • Look for examples of how third-party requests for user data would be handled under that privacy policy.
  • If the privacy policy provides examples of implementation, mark PASS.
  • If the privacy policy does not provide examples of implementation, mark FAIL.