P6. Retention of user information
The company should clearly disclose how long it retains user information.
- For each type of user information the company collects, does the company clearly disclose how long it retains that user information?
- Does the company clearly disclose what de-identified user information it retains?
- Does the company clearly disclose the process for de-identifying user information?
- Does the company clearly disclose that it deletes all user information after users terminate their account?
- Does the company clearly disclose the time frame in which it will delete user information after users terminate their account?
- (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store disclose how long they retain user information?
- (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store state that all user information is deleted when users terminate their accounts or delete the app?
Companies collect a wide range of personal information from users in exchange for the use of and access to the company’s products and services. This information can range from personal details, profiles, and account activities to information about a user’s activities and location. We expect companies to clearly disclose how long they retain user information and the extent to which they remove identifiers from user information they retain. Users should also be able to understand what happens when they delete their accounts. Companies that choose to retain user information for extended periods of time should take steps to ensure that data is not tied to a specific user. Acknowledging the ongoing debates about the efficacy of de-identification processes, and the growing sophistication around re-identification practices, we still consider de-identification a positive step that companies can take to protect the privacy of their users. If companies collect multiple types of information, we expect them to provide detail on how they handle each type of information.
For mobile ecosystems, we expect companies to disclose whether the privacy policies of the apps that are available in their app store state how long the app retains user information and whether all user information is deleted if users terminate or delete the app.
In some cases, laws or regulations may require companies to retain certain information for a given period of time. Researchers will document situations where this is the case, but a company will still lose points if it fails to meet all elements. This represents a situation where the law causes companies to fall short of best practice, and we encourage companies to advocate for laws that enable them to fully respect users’ rights to freedom of expression and privacy.
Potential Sources:
- Company privacy policy
- Company webpage or section on data protection or data collection