Minimal Data Collection

Criteria: The only information the company collects about me is what’s needed to make the product or service work correctly.

Notes:

  • Some devices may capture a category of information but not transmit that data to the service provider, instead using the data only locally on the device, or presenting it for the information of the owner.
  • In such cases, that data capture may not be reported in the legal documents as being collected by the service provider.
  • While we encourage companies to develop products that only store collected data locally on the device instead of transmitting data to the cloud, it is still a best practice for companies to inform users of all data collected, even if a piece of information does not leave the device.

Indicators

  1. The user information collected is only that which is directly relevant and necessary for the service.
  2. The product still works when all permissions not relevant to its functionality are declined.

Methodology for Assessing Each Indicator

1) The user information collected is only that which is directly relevant and necessary for the service.

  • Obtain and review a copy of the product’s legal documents.
  • Find the section of the legal documents that lists the user information collected by the product or service and compare the types of information collected to the features offered by the product.
  • If the legal documents provide reasons for the collection of each type of data, look for reasons that are not tied to, or go beyond what would be needed for, the operation of the service.
  • Try to think through whether certain types of data collected are truly needed based upon the stated purpose of the product or service.
    • Note that this reasoning will be necessarily subjective.
    • Keep in mind that data may have multiple uses, e.g. an address could be necessary for billing purposes, but may also be used for marketing or customer research.
    • Note that such additional potential uses may well cause a product to fail other indicators.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents give a clear and convincing reason why each type of data collected is needed to operate the product, mark PASS. Where a type of data has several stated uses, it is enough that one of them is necessary for the product or service to function.
  • If most of the types of data have adequate reasons for collection provided, but a small number (particularly in difficult-to-define categories) do not, mark PARTIAL PASS.
  • If most or all of the types of data collected have no rationale for their collection that is directly related to and necessary for the operation of the service, mark FAIL.

2) The product still works when all permissions not relevant to its functionality are declined.

  • Check for methods to decline permission for the product to collect information.
    • If the product has a user interface of any kind, look for a “settings” or “options” menu or screen. Search any such screens for data collection restrictions.
    • If the product has an accompanying mobile app or web interface, look for any feature that allows the user to deny collection of unneeded data.
  • If the product does present methods to revoke permission to collect data:
    • Revoke or decline all collection not deemed to be directly related to the functionality of the product.
    • Test all known functionality of the product and record whether the product still operates as before/as advertised.
    • If the product operates the same after permissions not relevant to the product’s functionality are declined, mark PASS. If it stops working or loses advertised functionality once only the unneeded permissions are declined, mark FAIL.
  • If the product is collecting information that is not needed for it to operate, and if the product does not present any method by which to decline permission for collection of data determined to be unnecessary for functionality (such as the user’s date of birth or street address in a smart thermostat), mark FAIL.
  • If there are no visible settings that would enable the user to control data collection or use that may affect the user’s privacy, mark FAIL.
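When the product has an Android companion app, one concrete way to carry out the "revoke and re-test" step above is at the operating-system permission layer rather than only in the app's own settings. The script below is an added example for this page, not part of the Digital Standard or of any vendor's tooling. It parses the "runtime permissions" section of `adb shell dumpsys package <pkg>` output, flags every granted permission that is not on the reviewer's list of permissions needed for the product to function, and prints (without running) the `adb shell pm revoke` commands that would decline them. The package name, the permission list deemed "needed", and the dumpsys sample are all constructed for illustration; deciding which permissions are needed is the same subjective judgment the methodology already calls for.

```shell
#!/bin/sh
# Added example (not from the Digital Standard page): list the runtime
# permissions an Android companion app currently holds, flag the ones not
# on the reviewer's "needed for function" list, and print the adb commands
# that would revoke them. Package, permissions and sample are hypothetical.
set -eu

PKG="com.example.thermostat"

# Reviewer's judgment call (subjective, per the methodology): for a
# thermostat app, network access and coarse location (home/away geofence)
# are plausibly needed; contacts, microphone and calendar are not.
NEEDED="android.permission.INTERNET android.permission.ACCESS_COARSE_LOCATION"

# Constructed sample approximating `adb shell dumpsys package $PKG` output.
# Only the "runtime permissions:" block matters; install-time permissions
# cannot be revoked with `pm revoke` and are not parsed here.
SAMPLE_DUMPSYS='  requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
      android.permission.READ_CALENDAR
    User 0: installed=true
      runtime permissions:
        android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.READ_CALENDAR: granted=false, flags=[ USER_SET ]'

# granted_runtime_perms: read dumpsys text on stdin; print one granted
# runtime permission name per line (the "name:" token with the colon removed).
granted_runtime_perms() {
    awk '
        /runtime permissions:/ { inrt = 1; next }
        inrt && /granted=true/ { sub(/:.*/, "", $1); print $1 }
    '
}

# unneeded_granted: granted runtime permissions that are not on $NEEDED.
unneeded_granted() {
    granted_runtime_perms | while IFS= read -r perm; do
        case " $NEEDED " in
            *" $perm "*) ;;                 # needed for function: keep it
            *) printf '%s\n' "$perm" ;;     # candidate for revocation
        esac
    done
}

# revoke_commands: print, do not execute, the adb commands that would
# decline each unneeded permission, so the reviewer can inspect them first.
revoke_commands() {
    unneeded_granted | while IFS= read -r perm; do
        printf 'adb shell pm revoke %s %s\n' "$PKG" "$perm"
    done
}

# Stand-alone run against the constructed sample. On a real device, replace
# the sample with:  adb shell dumpsys package "$PKG" | revoke_commands
printf '%s\n' "$SAMPLE_DUMPSYS" | revoke_commands
```

After revoking, exercise every advertised feature of the product and record the result, as the methodology describes. Note the limits of this check: OS permissions only gate access to device resources such as location, contacts or the microphone. Data the app collects without any OS permission (account details entered at sign-up, usage telemetry, device identifiers sent to the vendor) is not affected, so the in-app and web-interface settings review in the steps above is still required.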
