Table of Contents
- Definitions
- Introduction
- Terms of Service and Privacy Policy Documents
- Terms of Service and Privacy Policy Change Notification
- Process for Terms of Service Enforcement
- Transparency About Terms of Service Enforcement
- Identity Policy
- Security Oversight
- Third-Party Requests for User Data
- Data Control
- Data Collection
- Minimal Data Collection
- Data Use
- Data Retention and Deletion
- Threat Notification
- User Notification About Third-Party Requests for User Information
- Transparency Reporting
- Governance
- Open Source
- Interoperability
- Ownership
- Resale
- Functionality Over Time
- Privacy by Default
- Best Build Practices
- Authentication
- Encryption
- Known Exploit Resistance
- Vulnerability Disclosure Program
- Security Over Time
- Product Stability
- Personal Safety
- Open Innovation
- Business Model
- Repair Accessibility
- Repair Penalty
- Data Benefits
Terms of Service and Privacy Policy Change Notification
Criteria: The company provides clear notification when it changes its terms of service and privacy policy.
Note: This test applies the same indicators to a company’s terms of service and privacy policy. We have separated the process and results into a section for each document for clarity.
Terms of Service
Indicators
- Commitment to notify users about changes to the terms of service.
- Disclosure of how users will be directly notified of changes to the terms of service.
- Disclosure of timeframe for notification prior to changes to the terms of service coming into effect.
- Maintains a public archive or change log of the terms of service.
Methodology for Assessing Each Indicator
1) Commitment to notify users about changes to the terms of service.
- Obtain and review a copy of the product’s terms of service.
- Review the terms of service to determine whether they include any content committing to notify users about policy changes.
- If the terms of service do not indicate that the company will notify users, mark FAIL.
- If the terms of service indicate that the company will notify users, mark PASS.
2) Disclosure of how users will be directly notified of changes to the terms of service.
- Review any relevant terms of service to identify any language describing how users will be notified of changes to the terms of service.
- If the terms of service indicate how the company will notify users, mark PASS.
- If the terms of service do not indicate how the company will notify users, mark FAIL.
3) Disclosure of timeframe for notification prior to changes to the terms of service coming into effect.
- Review any relevant terms of service to identify any language describing a timeline for notifying users of changes to the terms of service.
- If the terms of service indicate when the changes will take effect, mark PASS.
- If the terms of service do not indicate when the changes will take effect, mark FAIL.
4) Maintains a public archive or change log of the terms of service.
- Review any relevant terms of service for language describing or identifying past terms of service, or commitments to document changes to the terms of service.
- If the terms of service indicate that the company has a policy of retaining previous versions for reference, mark PASS.
- If the terms of service contain or link to documentation of past versions, but do not provide clear language regarding whether this is a consistent practice, mark PARTIAL PASS.
- If the terms of service do not provide any language or examples that indicate public documentation of policy changes, mark FAIL.
Privacy Policy
Indicators
- Commitment to notify users about changes to the privacy policy.
- Disclosure of how users will be directly notified of changes to the privacy policy.
- Disclosure of timeframe for notification prior to changes to the privacy policy coming into effect.
- Maintains a public archive or change log of the privacy policy.
Methodology for Assessing Each Indicator
1) Commitment to notify users about changes to the privacy policy.
- Obtain and review a copy of the product’s privacy policy.
- If the privacy policy indicates that the company will notify users, mark PASS.
- If the privacy policy does not indicate that the company will notify users, mark FAIL.
2) Disclosure of how users will be directly notified of changes to the privacy policy.
- Review any relevant privacy policies for language on change notification processes.
- If the privacy policy indicates how the company will notify users, mark PASS.
- If the privacy policy does not indicate how the company will notify users, mark FAIL.
3) Disclosure of timeframe for notification prior to changes to the privacy policy coming into effect.
- Review any relevant privacy policies for language on change notification timeline.
- If the privacy policy indicates when the changes will take effect, mark PASS.
- If the privacy policy does not indicate when the changes will take effect, mark FAIL.
4) Maintains a public archive or change log of the privacy policy.
- Review any relevant privacy policies to identify any language describing past policies or commitments to document policy changes.
- If the privacy policy indicates that the company has a policy of retaining previous versions for reference, mark PASS.
- If the privacy policy contains or links to documentation of past policies, but does not provide clear language regarding whether this is a consistent practice, mark PARTIAL PASS.
- If the privacy policy does not provide any language or examples that indicate public documentation of policy changes, mark FAIL.