P7. Users’ control over their own user information

The company should clearly disclose to users what options they have to control the company’s collection, retention and use of their user information.

Elements
  1. For each type of user information the company collects, does the company clearly disclose whether users can control the company’s collection of this user information?
  2. For each type of user information the company collects, does the company clearly disclose whether users can delete this user information?
  3. Does the company clearly disclose that it provides users with options to control how their user information is used for targeted advertising?
  4. Does the company clearly disclose that targeted advertising is off by default?
  5. (For mobile ecosystems): Does the company clearly disclose that it provides users with options to control the device’s geolocation functions?
Research guidance

We expect companies to clearly disclose what options users have to control the information that companies collect and retain about them. Enabling users to control what information about them that a company collects and retains would mean giving users the ability to delete specific types of user information without requiring them to delete their entire account. We therefore expect companies to clearly disclose whether users have the option to delete specific types of user information.

In addition, we expect companies to enable users to control the use of their information for the purpose of targeted advertising. Targeted advertising requires extensive collection and retention of user information that is tantamount to tracking. Companies should therefore clearly disclose whether users have options to control how their information is being used for these purposes.

For mobile ecosystems, we expect companies to clearly disclose what options users have to control the collection of their location information. A user’s location changes frequently and many users carry their mobile devices nearly everywhere, making the collection of this type of information particularly sensitive. In addition, the location settings on mobile ecosystems can influence how other products and services access their location information. For instance, mobile apps may enable users to control location information. However, if the device on which those mobile apps run collects geolocation data by default and does not give users a way to turn this off, users may not be able to limit that mobile app’s collection of their location information. For these reasons, we expect companies to disclose that users can control how their device interacts with their location information.

Potential sources:

  • Company privacy policy
  • Company account settings page