Data Control

Criteria: I can see and control everything the company knows about me.

Notes:

  • Some devices may capture a category of information but not transmit that data to the service provider, instead using the data only locally on the device, or presenting it to the owner for their information.
  • In such cases, that data capture may not be reported in the legal documents as being collected by the service provider.
  • While we encourage companies to develop products that only store collected data locally on the device instead of transmitting data to the cloud, it is still a best practice for companies to inform users of all data collected, even if a piece of information does not leave the device.

Indicators

  1. The definition of “user information” includes information collected from third parties.
  2. Users can control the collection of their information.
  3. Users can delete their information.
  4. Users can control how their information is used to target advertising.
  5. Clear explanation of how users can control whether their information is used for targeted advertising.
  6. Users can obtain a copy of their information.
  7. Disclosure of what user information users can obtain.
  8. Users can obtain their information in a structured data format.
  9. Users can obtain all public-facing and private user information the company holds about them.

Methodology for Assessing Each Indicator

1) The definition of “user information” includes information collected from third parties.

  • Find the definition of “user information” (or equivalent phrase) in the legal documents.
    • This definition may also take the form of a list labeled “Information We Collect” or a similar phrase.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If there is a definition of user information or a description of information the service provider collects and it includes information collected from third parties, mark PASS.
  • If policies do not have a definitions section or do not define user information, mark FAIL.
  • If the definition does not include information collected from third parties, look for any sections defining what data is collected.
    • If there is a section describing information that is collected, but no information from third parties is reported, mark PASS.
    • If legal documents indicate that information is collected from third parties (even though they failed to include that in the definition), mark FAIL.

2) Users can control the collection of their information.

  • Obtain and review a copy of the product’s legal documents, comparing what information is collected and what information the owner is able to restrict from sharing.
  • There are likely going to be some pieces of information that the owner cannot withhold without making the service inoperable, such as billing information. For the purposes of evaluating this indicator, reviewers can disregard data that is integral to the operation of the service or product.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • Note that products that are already designed to collect the minimal amount of data from the user may fail this indicator when in reality the product is very privacy-protective. Testers may consider giving a PASS in such an instance.
  • If the legal documents give users control over what data is collected (or indicate how to enact such control via the product), with some allowances for basic pieces of information without which the service could not operate, mark PASS.
  • If legal documents give users control over the collection of some, but not all types of data, mark PARTIAL PASS.
  • If the legal documents do not address user control of collection, mark FAIL.
  • If the legal documents explicitly deny users the ability to control collection of any data, mark FAIL.

3) Users can delete their information.

  • Review the legal documents, comparing what information is collected and what information the owner is able to delete.
  • There are likely going to be some pieces of information that the owner cannot delete without making the service inoperable, such as billing information. For the purposes of evaluating this indicator, reviewers can disregard data that is integral to the operation of the service or product.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • Note that products that are already designed to collect the minimal amount of data from the owner may fail this indicator when in reality the product is very privacy-protective. Testers may consider giving a PASS in such an instance.
  • If the legal documents give users the ability to delete data (or indicate how to enact such control via the product), with some allowances for basic pieces of information without which the service could not operate, mark PASS.
  • If the legal documents do not address users’ ability to delete data, mark FAIL.
  • If the legal documents explicitly deny users the ability to delete data, mark FAIL.

4) Users can control how their information is used to target advertising.

  • Review the legal documents, looking for any mention of targeted advertising.
  • Search for sections describing a user’s ability to constrain how the company uses information about them for purposes of targeted advertising (sometimes referred to as behavioral advertising).
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents indicate that the company does not use or share customer information for targeted advertising, mark PASS.
  • If the legal documents indicate that the company does use or share customer information for targeted advertising, and that users can control how their information is shared, mark PASS.
  • If the legal documents state that customer information is used for targeted advertising and that users cannot control the use of their information for that purpose, mark FAIL.

5) Clear explanation of how users can control whether their information is used for targeted advertising.

  • Review the legal documents, looking for any mention of targeted advertising.
  • Look at any sections detailing with whom and under what circumstances the company will share customer information.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents provide a list of how users’ information will be shared and that list does not include sharing of information for purposes of advertising, mark PASS.
  • If the legal documents do indicate that user information will be shared for purposes of advertising:
    • Search for language describing how users can control the sharing of information for advertising purposes.
    • If the documents describe in enough detail for the average person to follow how a user can control the sharing of their information for advertising, mark PASS.
    • If the legal documents reviewed do not describe, or do not describe clearly enough to be followed, how a user can control the sharing of their information for targeted advertising, mark FAIL.

6) Users can obtain a copy of their information.

  • Review the legal documents, looking for discussion of users’ ability to obtain copies of their data. Commonly used terms that describe this kind of ability include “access” and “portability.”
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents give users the right to access their own information in some form without restriction, mark PASS.
  • If the legal documents give users the right to access only some of their information, or if it is not clear how much information users can obtain or how users can obtain their information, mark PARTIAL PASS.
  • If the legal documents do not mention or expressly forbid users from accessing their own information, mark FAIL.

7) Disclosure of what user information users can obtain.

  • Review the legal documents, looking for discussion of users’ ability to obtain copies of their data. Commonly used terms that describe this kind of ability include “access” and “portability.”
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents list in detail what information is available to obtain, mark PASS.
  • If the legal documents list obtainable information generically or by category, mark PARTIAL PASS.
  • If the legal documents do not list in detail what information is available to obtain, mark FAIL.

8) Users can obtain their information in a structured data format.

  • Review the legal documents, looking for discussion of users’ ability to obtain copies of their data. Commonly used terms that describe this kind of ability include “access” and “portability.”
  • Within any description of the ability to download user data, look for statements that the download is provided in a “structured” or “machine-readable” format.
    • Alternatively, attempt to make use of the service’s data download feature and inspect the files returned by the service, looking for files in common formats, such as JSON, XML, or other structured file types.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents state that data downloads are available in a structured format, or the download itself is provided in such a format, mark PASS.
  • If the download is not provided in a structured format or no download is available at all, mark FAIL.
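The file inspection step above can be made repeatable. The following is an added example, not part of this methodology and not any service provider’s tooling: a small Python helper a reviewer could run over the folder returned by a service’s data download feature. It classifies each file by content rather than by file extension, so a file named `history.json` that does not actually parse as JSON is reported as unstructured, and binary files such as PDFs are reported as unstructured as well. The sample export written by `build_sample_export()` is constructed for this example; the directory layout, file names and contents are assumptions, not real service output. The strict verdict in `grade()` marks PASS only when every file in the export is structured, and FAIL when no download exists at all; for a mixed export the per-file breakdown is what the reviewer should look at.

```python
"""Classify the files of a data export as structured or unstructured (added example)."""
import csv
import io
import json
import os
import tempfile
import xml.etree.ElementTree as ET

# Formats this helper treats as "structured" for indicator 8.
STRUCTURED = ("json", "xml", "csv")


def classify_bytes(data: bytes) -> str:
    """Return 'json', 'xml', 'csv' or 'unstructured', judged by content only."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "unstructured"  # binary content (PDF, image, archive ...)
    stripped = text.strip()
    if not stripped:
        return "unstructured"
    # JSON: must parse AND be a container; a bare scalar such as "42" is not an export.
    try:
        parsed = json.loads(stripped)
        if isinstance(parsed, (dict, list)):
            return "json"
    except ValueError:
        pass
    # XML: must be a well-formed document, not merely text starting with "<".
    if stripped.startswith("<"):
        try:
            ET.fromstring(stripped)
            return "xml"
        except ET.ParseError:
            pass
    # CSV: a consistent delimiter and a consistent column count across >= 2 rows.
    try:
        dialect = csv.Sniffer().sniff(stripped[:4096], delimiters=",;\t")
        rows = list(csv.reader(io.StringIO(stripped), dialect))
        widths = {len(row) for row in rows if row}
        if len(rows) >= 2 and len(widths) == 1 and widths.pop() >= 2:
            return "csv"
    except csv.Error:
        pass  # Sniffer raises csv.Error when it cannot find a delimiter (prose)
    return "unstructured"


def classify_export(export_dir: str) -> dict:
    """Map each file (path relative to export_dir) to its detected format."""
    results = {}
    for root, _dirs, files in os.walk(export_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                results[os.path.relpath(path, export_dir)] = classify_bytes(fh.read())
    return results


def grade(results: dict) -> str:
    """Strict indicator-8 verdict: PASS only if every file is structured."""
    if not results:
        return "FAIL"  # no download available at all
    return "PASS" if all(fmt in STRUCTURED for fmt in results.values()) else "FAIL"


def build_sample_export() -> str:
    """Write a constructed sample export (hypothetical contents) to a temp dir."""
    export_dir = tempfile.mkdtemp(prefix="export_")
    samples = {
        "account.json": b'{"account": {"email": "user@example.invalid"}, "devices": [{"id": 1}]}',
        "devices.xml": b'<export><device id="1" name="Hub"/></export>',
        "events.csv": b"device_id,event,timestamp\n1,motion,2023-01-01T10:00:00Z\n1,door_open,2023-01-01T10:05:00Z\n",
        # Mislabelled: a .json extension, but the body is a plain-text notice.
        "history.json": b"Your data export is not available in your region.",
        # Constructed PDF header bytes: binary, so unstructured for this check.
        "statement.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    }
    for name, content in samples.items():
        with open(os.path.join(export_dir, name), "wb") as fh:
            fh.write(content)
    return export_dir


if __name__ == "__main__":
    report = classify_export(build_sample_export())
    for path, fmt in report.items():
        print(f"{path:16} {fmt}")
    print("verdict:", grade(report))
```

Run it as-is to see the constructed sample graded; point `classify_export()` at a real export folder to get the per-file breakdown. Because the classifier tries JSON, then XML, then CSV, a file is never credited as structured just because its name suggests a format.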

9) Users can obtain all public-facing and private user information the company holds about them.

  • Review the legal documents, looking for discussion of users’ ability to obtain copies of their data. Commonly used terms that describe this kind of ability include “access” and “portability.”
  • Look for a statement establishing the ability of users to obtain all public-facing and private information the service provider has about the user.
  • Note that it is not enough that the list of information that users can obtain is the same as the list of information that the service states that it collects, as the service provider may gain access to information about users from other services such as data brokers.
  • If the legal documents are not clear about whether they apply to the “smart device” being evaluated, or only to the websites and other services of the service provider, limit grade to PARTIAL PASS.
  • If the legal documents state that users may obtain all public-facing and private information (or just “all information”) about the user, mark PASS.
  • If the legal documents do not state that users may obtain all public-facing and private information about the user or if users cannot access their information at all, mark FAIL.
