Data Retention and Deletion
Notes:
- This test features three separate criteria by which to assess the test’s success. Each criterion has a unique set of indicators and a related methodology.
- Some devices may capture a category of information but not transmit that data to the service provider, instead using the data only locally on the device, or presenting it for the information of the owner.
- In such cases, that data capture may not be reported in the legal documents as being collected by the service provider.
- While we encourage companies to develop products that only store collected data locally on the device instead of transmitting data to the cloud, it is still a best practice for companies to inform users of all data collected, even if a piece of information does not leave the device.
Criteria: The company retains data only as long as relevant and reasonably necessary to provide service to me.
Indicators
- The company on its own deletes outdated and unnecessary personal information, or renders that data to be reasonably de-identified.
- The company provides specific retention periods for different types of information that are reasonably scoped to get rid of outdated and unnecessary personal information.
Methodology for Assessing Each Indicator
1) The company on its own deletes outdated and unnecessary personal information, or renders that data to be reasonably de-identified.
- Obtain and review a copy of the service provider’s legal documents.
- Look for sections of the legal documents dealing with data deletion or retention.
- This information may be in its own section with titles incorporating words such as “deletion” or “retention.”
- This information may also be included elsewhere in the legal documents, such as alongside the list of types of data collected.
- Do not confuse commitments about the user’s ability to delete personal information with this indicator, which focuses on the service’s obligation to delete personal information when it is no longer needed to perform the service.
- If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
- If legal documents state that personal information is deleted or anonymized “only as long as needed for providing the service” (or other similar language), mark PASS.
- Many services will include a blanket clause that data may be retained in order to comply with legal obligations; such language should not cause the service to fail this indicator.
- If there is a strong commitment to deleting data, but only after an excessive or vague retention period, or if there are strong deletion commitments for most types of personal information, but less strong (or no) commitments for some other types, mark PARTIAL PASS.
- If the service’s legal documents are silent about the circumstances in which the service will delete personal information, or specify that data will be retained longer than would be necessary to operate the service, mark FAIL.
2) The company provides specific retention periods for different types of information that are reasonably scoped to get rid of outdated and unnecessary personal information.
- Look for sections of the legal documents dealing with data retention.
- If the service collects many different types of data, look to see if specific retention periods are given that are scoped to how personal the information in question is.
- If the service does not collect many types of data, fewer different retention periods may still be appropriate, particularly if those periods are very short.
- If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
- If the legal documents give specific and limited retention periods for particular types of data, mark PASS.
- If there are specific retention periods for a few types of data, but not all of them, or not types that are particularly sensitive, mark PARTIAL PASS.
- If the service does not indicate that it has specific retention periods with reasonable scoping, mark FAIL.
Criteria: I can delete the data the company has about me that is not needed to provide the service.
Indicators
- The company offers easy-to-find and -use controls that allow users to delete data not necessary to render service.
Methodology for Assessing Each Indicator
1) The company offers easy-to-find and -use controls that allow users to delete data not necessary to render service.
- Look in any user interfaces, such as web pages or mobile applications, related to the operation of the product or maintenance of user accounts related to the product.
- Look for controls related to the deletion of user data, which may exist in a “Profile” menu or window.
- If the app or web interface offers a control to delete user data, and that control is easy to find and use, mark PASS.
- If there is no feature in the app or web interface that offers the ability to delete user data, or such a feature exists but is unduly hard to find or use, mark FAIL.
Criteria: My account and information are deleted when I leave the service.
Indicators
- All user information is deleted when the user's service is terminated, or the service no longer operates.
Methodology for Assessing Each Indicator
1) All user information is deleted when the user's service is terminated, or the service no longer operates.
- Look for sections of the legal documents dealing with data deletion or retention.
- Note whether the legal documents address the question of what happens to personal data when the user terminates their use of the service or the service ceases operations.
- If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
- If the legal documents indicate that users’ personal information is deleted within a reasonable time frame (keeping in mind that the rotation of backups can add some delay to full deletion of information) of the termination of a user’s account with the service, mark PASS.
- If the legal documents indicate that personal information is deleted within a reasonable time frame of the service ceasing operations, mark PASS.
- If only one of the above two situations pertains, mark PARTIAL PASS.
- If the legal documents do not mention what happens in either of those circumstances, mark FAIL.