P2. Changes to privacy policies
The company should clearly disclose that it provides notice and documentation to users when it changes its privacy policies.
- Does the company clearly disclose that it notifies users about changes to its privacy policies?
- Does the company clearly disclose how it will directly notify users of changes?
- Does the company clearly disclose the time frame within which it provides notification prior to changes coming into effect?
- Does the company maintain a public archive or change log?
- (For mobile ecosystems): Does the company clearly disclose that it requires apps sold through its app store to notify users when the app changes its privacy policy?
Companies frequently change their privacy policies as their business evolves. However, these changes can affect a user’s privacy rights by changing what user information companies can collect, share, and store. We therefore expect companies to commit to notify users when they change these policies and to provide users with information to help them understand what these changes mean.
This indicator seeks clear disclosure by companies of their method and timeframe for notifying users about changes to privacy policies. We expect companies to commit to directly notifying users prior to changes coming into effect. The method of direct notification may differ based on the type of service. For services that require a user account, direct notification may involve sending an email or an SMS. For services that do not require a user account, direct notification should involve posting a prominent notice on the main web page or platform where users access the service. This indicator also seeks evidence that a company provides publicly available records of previous policies so that people can understand how the company’s policies have evolved over time.
Potential sources:
- Company privacy policy
- Company data use policy
