P6. Retention of user information

The company should clearly disclose how long it retains user information.

Elements
  1. For each type of user information the company collects, does the company clearly disclose how long it retains that user information?
  2. Does the company clearly disclose what de-identified user information it retains?
  3. Does the company clearly disclose the process for de-identifying user information?
  4. Does the company clearly disclose that it deletes all user information after users terminate their account?
  5. Does the company clearly disclose the time frame in which it will delete user information after users terminate their account?
  6. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store disclose how long they retain user information?
  7. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third-party apps made available through its app store state that all user information is deleted when users terminate their accounts or delete the app?

Research guidance

Just as we expect companies to disclose what information they collect and share about us, we also expect companies to clearly disclose how long they retain it and the extent to which they remove identifiers from user information they store. Users should also be able to understand what happens to their information when they delete their accounts. In some cases, laws or regulations may require companies to retain certain information for a given period of time. In these cases, companies should clearly disclose these regulations to users. Companies that choose to retain user information for extended periods of time should also take steps to ensure that data is not tied to a specific user. While we acknowledge the ongoing debates about the efficacy of de-identification processes, and the growing sophistication of re-identification practices, we still consider de-identification a positive step that companies can take to protect the privacy of their users.

In addition, if companies collect multiple types of information, we expect them to clearly disclose for how long they retain each type of information. For mobile ecosystems, we expect companies to disclose whether the privacy policies of the apps that are available in their app store state how long the app retains user information and whether all user information is deleted if users terminate or delete the app.

Potential Sources:

  • Company privacy policy
  • Company webpage or section on data protection or data collection