P10(b). Process for responding to private requests for user information

Please make sure you have read the above note on transparency reporting indicators before using this indicator.

The company should clearly disclose its process for responding to requests for user information that come through private processes.

Elements:

1. Does the company clearly disclose its process for responding to requests made through private processes?
2. Do the company’s explanations clearly disclose the basis under which it may comply with requests made through private processes?
3. Does the company clearly disclose that it carries out due diligence on requests made through private processes before deciding how to respond?
4. Does the company commit to push back on inappropriate or overbroad requests made through private processes?
5. Does the company provide clear guidance or examples of implementation of its process of responding to requests made through private processes?

Clearly disclose(s) – The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Private requests (for user information) — Requests made through a private process rather than a judicial or governmental process. Such requests are often informal and do not involve a formal legal process. According to the Wikimedia Foundation, which produces transparency reports that disclose data on the number of these types of requests it receives, private requests for user information includes cases in which another company sends them a letter or an email requesting “non-public information” about one of its users. This could include a user’s IP address and email. 

Indicator guidance: Companies increasingly receive private requests to turn over user information. Such requests are often informal requests for user information from a non-governmental entity that do not involve or come through any formal legal process. According to the Wikimedia Foundation, which produces transparency reports that disclose data on the number of these types of requests it receives, private requests for user information include cases in which another company sends them a letter or an email requesting “non-public information” about one of its users. This could include a user’s IP email address.

This indicator expects companies to disclose their processes for handling these types of requests. Companies should explain reasons for complying with these types of requests, and commit to push back on overly broad demands.

• Company transparency report
• Company law enforcement guidelines
• Company privacy policy
• Company blog posts