The company should clearly disclose that it directly notifies users when it changes its privacy policies, prior to these changes coming into effect.
Elements:
- Does the company clearly disclose that it directly notifies users about all changes to its privacy policies?
- Does the company clearly disclose how it will directly notify users of changes?
- Does the company clearly disclose the timeframe within which it directly notifies users of changes prior to these changes coming into effect?
- Does the company maintain a public archive or change log?
- (For mobile ecosystems): Does the company clearly disclose that it requires apps sold through its app store to notify users when the app changes its privacy policy?
- (For personal digital assistant ecosystems): Does the company clearly disclose that it requires skills sold through its skill store to notify users when the skill changes its privacy policy?
Definitions:
App — A self-contained program or piece of software designed to fulfill a particular purpose; a software application, especially as downloaded by a user to a mobile device.
App store — The platform through which a company makes its own apps as well as those created by third-party developers available for download. An app store (or app marketplace) is a type of digital distribution platform for computer software, often in a mobile context.
Change log — A record that depicts the specific changes in a document, in this case, a terms of service or privacy policy document.
Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.
Directly notify/direct notification — By direct notification, we mean that when a company changes or updates its policy that applies to a particular service, we expect the company to notify users of these changes via the service. The method of direct notification may differ according to the type of service. For services that contain user accounts, direct notification may involve sending an email or an SMS. For services that do not require a user account, direct notification may involve posting a prominent notice on the main page where users access the service.
Mobile ecosystem — The indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account.
Personal digital assistant ecosystem — A personal digital assistant (PDA) ecosystem consists of an artificial intelligence-powered interface installed on digital devices that can interact with users through text or voice to access information on the Internet and perform certain tasks with personal data shared by the users. Users can interact with PDA ecosystems through skills, which are either made available by third-party developers/providers or the PDA itself.
Privacy policies — Documents that outline a company’s practices involving the collection and use of information, especially information about users.
Public archive — A publicly available resource that contains previous versions of a company’s policies, such as its terms of service or privacy policy, or comprehensively explains each round of changes the company makes to these policies.
Skills — Skills are voice-driven personal digital assistant capabilities allowing users to perform certain tasks or engage with online content using devices equipped with a personal digital assistant. Personal digital assistant ecosystem skills are similar to mobile ecosystem apps: users can enable or disable built-in skills or install skills developed by third parties through stores similar to app stores.
Skill store — The platform through which a company makes its own skills as well as those created by third-party developers available for download. A skill store (or skill marketplace) is a type of digital distribution platform for computer software.
Users — Individuals who use a product or service. This includes people who post or transmit the content online as well as those who try to access or receive the content. For indicators in the freedom of expression category, this includes third-party developers who create apps that are housed or distributed through a company’s product or service.
Indicator guidance: Companies frequently change their privacy policies as their business evolves. However, these changes can affect a user’s privacy rights by changing what user information companies can collect, share, and store. We therefore expect companies to commit to notify users when they change these policies and to provide users with information to help them understand what these changes mean.
This indicator seeks clear disclosure by companies of their method and timeframe for notifying users about changes to privacy policies. We expect companies to commit to directly notifying users prior to changes coming into effect. The method of direct notification may differ based on the type of service. For services that require a user account, direct notification may involve sending an email or an SMS. For services that do not require a user account, direct notification should involve posting a prominent notice on the main web page or platform where users access the service. This indicator also seeks evidence that a company provides publicly available records of previous policies so that people can understand how the company’s policies have evolved over time.
Potential sources:
- Company privacy policy
- Company data use policy