P2. Changes to privacy policies

The company should clearly disclose that it provides notice and documentation to users when it changes its privacy policies.

Elements
  1. Does the company clearly disclose that it notifies users about changes to its privacy policies?
  2. Does the company clearly disclose how it will directly notify users of changes?
  3. Does the company clearly disclose the time frame within which it provides notification prior to changes coming into effect?
  4. Does the company maintain a public archive or change log?
  5. (For mobile ecosystems): Does the company clearly disclose that it requires apps sold through its app store to notify users when the app changes its privacy policy?

Research guidance

It is common for companies to change their privacy policies as their business evolves. However, these changes can significantly impact a user’s privacy rights and what user information companies can collect, share and store. We therefore expect companies to commit to notifying users when they change these policies and to provide users with information to help them understand what these changes mean.

This indicator seeks clear disclosure by companies of their method and time frame for notifying users about changes to privacy policies. We expect companies to commit to directly notifying users prior to changes coming into effect. The method of direct notification may differ based on the type of service. For services that contain user accounts, direct notification may involve sending an email or an SMS. For services that do not require a user account, direct notification may involve posting a prominent notice on the main page where users access the service. This indicator also seeks evidence that a company provides publicly available records of previous policies so that people can understand how the company’s policies have evolved over time.

Potential sources:

  • Company privacy policy
  • Company data use policy