Privacy by Default
Criteria: The default settings in this product prioritize my privacy; to give up privacy, I actually need to change the settings.
Indicators
- Targeted advertising is off by default.
- User interface settings which are optimal for privacy are set by default.
Methodology for Assessing Each Indicator
1) Targeted advertising is off by default.
- Determine whether the product or service hosts advertising or sends ads to users.
- If the product or service hosts or sends ads, look for places where a user might be able to control privacy settings.
- If a product has multiple interfaces, such as a mobile app, a web app, or an in-device interface, make sure to investigate all of them.
- Privacy settings may be in a “profile” section of an app, or under the app’s “settings.”
- If the manufacturer has a website that users may visit, look at the website’s privacy policy for information about targeted advertising.
- If there is a privacy setting for “targeted advertising” (which may also be called “interest-based” or “behavioral” advertising), note whether the setting is on or off for a new user.
- Look in the manufacturer’s legal documents for a list of how it uses user data.
- Note whether “targeted advertising” or a similar term is listed as a possible use of user data.
- If the manufacturer does not host or display ads, or if it only hosts or displays ads that are not targeted (e.g., contextual), mark PASS.
- If the manufacturer lists targeted advertising as a way it uses user data in its legal documents, and there is a user setting for controlling it that is set to “off” for a new user, mark PASS.
- If the manufacturer lists targeted advertising as a way it uses user data in its legal documents, and there is no setting for controlling it, or if there is a user setting for controlling it but it is set to “on” for a new user, mark FAIL.
2) User interface settings which are optimal for privacy are set by default.
- Look for places where a user might be able to control their privacy settings.
- If a product has multiple interfaces, such as a mobile app, a web app, or an in-device interface, make sure to investigate all of them.
- Privacy settings may be in a “profile” section of an app, or under the app’s “settings.”
- Identify all of the settings that could have an effect on the privacy of a user’s personal information (e.g., collection of location, sharing with third parties, or usage analytics) and note how those settings are configured for a brand new user.
- If all privacy settings identified are set by default to the choice that limits the amount of personal information shared and maximizes the user’s privacy, mark PASS.
- If some or all of the settings identified are set by default to choices that do not maximize the user’s privacy, mark FAIL.
- If there are no visible settings that would enable the user to control data collection or use that may affect the user’s privacy, mark FAIL.