Principle 2: Privacy
People have control over their data and understand what is collected, how it is used, and with whom it is shared.
- Subprinciple: Disclosure
  - Companies disclose what user information they collect, when and from what sources they collect it, and for what purposes.
    - The company discloses the specific data elements it collects.
    - The company discloses how each data element is collected.
    - The company clearly discloses its purpose for collecting each type of user information.
    - The company discloses which data collection and data uses, and which data, can be incorporated into a profile that supports secondary uses such as targeted advertising.
  - Data sharing and use of third parties are clearly disclosed.
    - The company clearly discloses what information it shares and with whom.
    - The company clearly discloses the purpose driving any sharing of information.
    - Third-party domains contacted by the product are named in the privacy policy.
    - The company clearly discloses whether it shares information with government or legal authorities.
  - User data rights are clearly disclosed before a person creates an account on the service.
    - The company provides a clear explanation of how users can control whether their information is incorporated into a data profile.
- Subprinciple: Data Minimization
  - The only information the company collects about the user is what’s needed to make the product or service work correctly.
    - The user information collected is only that which is directly relevant and necessary for the service.
    - The product still works when all permissions not relevant to the product’s functionality are declined.
    - The company does not engage in network growth hacking (sharing the user’s contacts with the app) unless doing so is a feature of the app (e.g., for P2P payment services).
    - If the company does request access to user contacts, there is a clear opt-out.
  - Data usage is consistent with the context of the relationship with the user and is transparent.
    - Data usage is consistent with the context of the relationship with the user.
    - The company only uses data to support the initial purpose for which the data was collected.
  - Use of Software Development Kits (SDKs) is appropriate.
    - The embedded SDKs are appropriate for the purpose of the app.
- Subprinciple: Data Sharing
  - Data sharing and use of third parties are reasonably scoped.
    - The company only shares information with third parties as is reasonably necessary to deliver the service to users.
    - Data that is shared with third parties is minimized according to the intended use of the app.
    - Third parties are rigorously and reasonably vetted to ensure that data is not transmitted to dangerous or high-risk endpoints.
    - The company provides adequate recourse to users in the event that data is mishandled by a third party.
  - Data sales or transfers are opt-in by default.
    - Data sales or transfers are opt-in by default, with clearly defined processes in legally binding documentation to give and withdraw consent.
- Subprinciple: Data Deletion
  - The company does not retain data for an excessive amount of time.
    - The company provides specific retention periods for different types of information, reasonably scoped to get rid of outdated and unnecessary information collected from or about users.
    - The company describes a secure data deletion procedure that deletes and destroys data no longer needed to support the service.
    - If the company does not describe a data deletion process, it clearly describes the legal or regulatory requirements that require the data to be retained.
    - If the company does not delete all data, it specifies that some data will be retained in deidentified form.
  - I can delete the data the company has about me that is not needed to provide the service.
    - The legally binding documentation defines users’ rights to delete their information.
    - The company offers easy-to-find and easy-to-use controls that allow users to delete data not necessary to render the service.
  - My account and information are deleted when I leave the service.
    - All user information is deleted when the user deletes their account from the service.
    - All user information is deleted when the user’s service is terminated for reasons other than fraud or suspicious activity.
    - All user information is deleted if the service ceases to operate or goes out of business.
- Subprinciple: Right to Access and Control
  - Users can see everything the company knows about them.
    - The definition of ‘user information’ includes information collected from third parties.
    - Legal documentation describes or links to information about how users can download a copy of the data the company holds about them.
    - Users can obtain all public-facing and private user information the company holds about them.
    - Users can obtain all public-facing and private user information the company holds about them at no cost.
    - Apps allow and support transfer of user data from their service to another service when requested by the user.
  - Users can review and correct data that is incorrect or missing.
    - Users have a right to review and correct data that is incorrect or missing.
    - The procedure for users to correct data is workable.
- Subprinciple: User Privacy Control
  - Users can control privacy settings.
    - The product or service contains settings that allow for different levels of privacy control.
    - The privacy settings can be adjusted to limit what data is accessible to other users.
  - The default settings in this product prioritize user privacy; to give up privacy, users actually need to change the settings.
    - User interface settings which are optimal for privacy are set by default.
    - Users can restrict the service from making any secondary use of data.