Governance

Criteria:

1. The company or organization publicly commits to respect users' human rights to freedom of expression and privacy.
2. The company or organization's senior leadership exercises oversight over how its policies and practices affect freedom of expression and privacy.
3. The company or organization should have mechanisms in place to implement its commitments to freedom of expression and privacy internally.
4. The company or organization implements due diligence processes, such as human rights impact assessments, to identify how all aspects of its activities affect freedom of expression and privacy and to mitigate any risks posed by those impacts.
5. The company or organization engages with a range of stakeholders on freedom of expression and privacy issues.
6. The company or organization should have grievance and remedy mechanisms to address user's freedom of expression and privacy concerns.

See this test in action:

• Smart lock
• Smart pressure cooker
• Smart baby monitor

Methodology for Assessing Each Indicator

1) Explicit and clearly articulated policy commitment to human rights, including freedom of expression and privacy.

• Obtain and review any documentation that the company has available that may discuss human rights. This could be found on the company’s website, or in documentation included with a physical device.
• This information, if it exists, may be found in the:
  • Company human rights policy
  • Privacy policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• Look for language discussing human rights, freedom of expression, and/or privacy.
• If the company discloses this human rights policy commitment in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose this policy commitment in formal policy documents or in other communications that reflect official company policy, mark FAIL.

2) The board of directors exercises formal oversight over how company practices affect freedom of expression and privacy.

• Obtain and review any documentation that the company has available that may discuss human rights as well as any documentation explaining the roles and responsibilities of the board of directors. This could be found on the company’s website, or in documentation included with a physical device.
• This information, if it exists, may be found in the:
  • Corporate and board governance documents
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• Look for text regarding oversight processes, specifically by a board of directors, if the company has one.
• If the company discloses information about board of director oversight processes in formal policy documents or in other communications that reflect official company policy on free expression and privacy, mark PASS.
• If the company does not disclose information about board of director oversight processes in formal policy documents or in other communications that reflect such official company policy, mark FAIL.

3) An executive-level committee, team, program or officer oversees how company practices affect freedom of expression and privacy.

• Obtain and review any documentation that the company has available regarding the responsibilities of the board of directors or other company officials and any documentation that may discuss human rights. This could be found on the company’s website, or in documentation included with a physical device.
• This information, if it exists, may be found in the:
  • Corporate and board governance documents
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• Look for text regarding oversight processes, specifically by an executive-level committee, team, program, or officer.
• If the company discloses information about oversight processes regarding free expression and privacy by the above group of individuals in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose information about such oversight processes by the above group of individuals in formal policy documents or in other communications that reflect official company policy, mark FAIL.

4) A management-level committee, team, program or officer oversees how company practices affect freedom of expression and privacy.

• Obtain and review any documentation that the company has available regarding the responsibilities of company leadership and officials and any documentation that may discuss human rights. This could be found on the company’s website, or in documentation included with a physical device.
• This information, if it exists, may be found in the:
  • Company governance documents
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• Look for text regarding oversight processes, specifically by a management-level committee, team, program, or officer.
• If the company discloses information about oversight processes on free expression and privacy by the above group of individuals in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose information about such oversight processes by the above group of individuals in formal policy documents or in other communications that reflect official company policy, mark FAIL.

5) Provides employee, volunteers or other staff training on freedom of expression and privacy issues.

• Obtain and review any documentation that the company has available that may discuss freedom of expression or privacy training for employees. This could be found on the company’s website including in sections providing information for new or potential employees, or in documents elsewhere about company policies.
• This information, if it exists, may be found in the:
  • Company code of conduct
  • Employee handbook
  • Company organizational chart
  • Company CSR/sustainability report
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If the company discloses that they provide such trainings in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that they provide such trainings in formal policy documents or in other communications that reflect official company policy, mark FAIL.

6) Maintains a whistleblower program through which employees, volunteers or other staff can report concerns related to how the company treats its users’ freedom of expression and privacy rights.

• Obtain and review any documentation that the company has available that may discuss whistleblower programs. This could be found on the company’s website, including in sections providing information for employees, or in documents elsewhere about company policies.
• This information, if it exists, may be found in the:
  • Company code of conduct
  • Employee handbook
  • Company organizational chart
  • Company CSR/sustainability report
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
• If the company discloses that they maintain a whistleblower program in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that they maintain a whistleblower program in formal policy documents or in other communications that reflect official company policy, mark FAIL.

7) As part of its decision-making, considers how laws affect freedom of expression and privacy in jurisdictions where it operates.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about how it conducts and uses those human rights assessments, whether it considers the impact of laws in jurisdictions where the company operates, and whether they affect decision-making processes.
• If the company discloses that it considers how laws in local jurisdictions affect freedom of expression and privacy as part of its decision-making process in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that it considers how laws affect freedom of expression and privacy as part of its decision-making process in formal policy documents or in other communications that reflect official company policy, mark FAIL.

8) Regularly assesses free expression and privacy risks associated with existing products and services.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about when it conducts and how it uses human rights assessments, and if they are conducted regularly on existing products and services.
• If the company discloses that it regularly conducts assessments measuring risks to freedom of expression and privacy from existing products and services in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that it regularly conducts freedom of expression and privacy evaluations on existing products and services in formal policy documents or in other communications that reflect official company policy, mark FAIL.

9) Assesses free expression and privacy risks associated with a new activity, including the launch and/or acquisition of new products or services or entry into new markets.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about when it conducts assessments of risks to free expression and privacy, and if they are conducted before engaging in a new activity, including the launch and/or acquisition of new products or services or entry into new markets.
• If the company discloses that it conducts freedom of expression and privacy evaluations before engaging in a new activity, including the launch and/or acquisition of new products or services or entry into new markets in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that it conducts freedom of expression and privacy evaluations before engaging in a new activity, including the launch and/or acquisition of new products or services or entry into new markets in formal policy documents or in other communications that reflect official company policy, mark FAIL.

10) Assesses free expression and privacy risks associated with the processes and mechanisms used to enforce its Terms of Service.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations related to the company’s Terms of Service. This could be found on the company’s website:
  • The Terms of Service themselves
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about when it conducts free expression and privacy assessments, specifically whether they are used to assess risks associated with the processes and mechanisms used to enforce its terms of service.
• If the company discloses that it assesses free expression and privacy risks associated with the processes and mechanisms used to enforce its terms of service in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that it assesses free expression and privacy risks associated with the processes and mechanisms used to enforce its terms of service in formal policy documents or in other communications that reflect official company policy, mark FAIL.

11) Conducts in-depth due diligence wherever the company’s risk assessments identify concerns.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about when it conducts human rights risk assessments, and how any concerns raised by those assessments would be addressed.
• If the company discloses that it conducts due diligence regarding concerns raised in any risk assessments in formal policy documents or in other communications that reflect official company policy, mark PASS.
• If the company does not disclose that it conducts due diligence regarding concerns raised in any risk assessments in formal policy documents or in other communications that reflect official company policy, mark FAIL.

12) Senior executives and/or members of the company’s board of directors review and consider the results of assessments and due diligence in decision-making for the company.

• Obtain and review any documentation regarding the responsibilities of the board of directors or other company officials and any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Corporate and board governance documents
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about how it uses human rights risk assessments, and about whether they affect decision-making processes.
• Review documents to see who may review these assessments and would conduct due diligence.
• If the company discloses that senior executives and/or members of the company’s board of directors review and consider the results of human rights impact/other assessments and due diligence in decision-making for the company, mark PASS.
• If the company does not disclose that senior executives and/or members of the company’s board of directors review and consider the results of human rights impact/other assessments and due diligence in decision-making for the company, mark FAIL.

13) Conducts assessments on a regular schedule.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about when these assessments are conducted, and if it adheres to a regular schedule.
• If the company discloses a regular timeline on which they conduct human rights impact assessments, mark PASS.
• If the company does not disclose a regular timeline on which they conduct human rights impact assessments, mark FAIL.

14) The company initiates or participates in meetings with stakeholders that represent, advocate on behalf of, or are people directly and adversely impacted by the company’s business.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations, or any other efforts to engage with stakeholders interested in the human rights impacts of the company’s products and services. This could be found on the company’s website:
  • Annual or other reports describing the company’s activities
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• Look for language regarding stakeholder engagement or consultation.
• If the company discloses that they regularly consult stakeholders that represent, advocate on behalf of, or are people directly and adversely affected by the company’s business, mark PASS.
• If the company does not disclose that they regularly consult stakeholders that represent, advocate on behalf of, or are people directly and adversely affected by the company’s business, mark FAIL.

15) Clear disclosure of processes for receiving complaints.

• Obtain and review any documentation that the company has available that may discuss any process through which customers or others may submit complaints to the company, as well as those concerning human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Help page
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about a process for receiving complaints. Note that this process might be for complaints of all kinds.
• If there is a complaints process, review whether the procedure specifically identifies it as the mechanism for complaints regarding free expression and privacy concerns.
• If the company discloses that they have a process for receiving complaints,specifically related to issues of free expression and privacy, mark PASS.
• If the company discloses that they have a process for receiving all types of complaints, mark PARTIAL PASS.
• If the company does not disclose that they have a process for receiving complaints, mark FAIL.

16) Clear disclosure of process for responding to complaints.

• Obtain and review any documentation that the company has available that may discuss any process through which customers or others may submit complaints to the company, as well as those concerning human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Help page
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If there is such documentation, review company documents to see if there is any information about a process for responding to complaints it receives.
• If there is a process, review whether the process would include complaints regarding free expression and privacy concerns.
• If the company discloses that they have a process for responding to free expression and privacy complaints it receives, PASS.
• If the company discloses that they have a process for responding to general complaints it receives, mark PARTIAL PASS.
• If the company does not disclose that they have a process for responding to complaints it receives, mark FAIL.

17) The company reports on the number of complaints received.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Transparency reports
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• Review company documents for information and statistics describing the number of complaints received.
• If the company reports on the number of complaints received, mark PASS.
• If the company does not report the number of complaints received, mark FAIL.

18) The company provides evidence that it is responding to complaints.

• Obtain and review any documentation that the company has available that may discuss human rights impact assessments, or other human rights practices or evaluations. This could be found on the company’s website:
  • Transparency
  • Company human rights policy
  • Company statements, reports, or other communications that reflect official company policy
  • Regulatory documents (e.g. U.S. Federal Trade Commission)
  • Reports from third-party assessors or accreditors
  • Global Network Initiative commitments or assessment reports
  • Company annual report or sustainability report that refers to official policy documents
• If yes, review company documents to see if there is any information about a process for responding to complaints it receives.
• Review company documents to see if there are examples or evidence of cases where it has responded to complaints it receives.
• If the company discloses examples or evidence of cases where it has responded to complaints it receives, mark PASS.
• If the company does not disclose examples or evidence of cases where it has responded to complaints it receives, mark FAIL.