P4. Sharing of user information

The company should clearly disclose what user information it shares and with whom.

Elements:

1. For each type of user information the company collects, does the company clearly disclose whether it shares that user information?
2. For each type of user information the company shares, does the company clearly disclose the types of third parties with which it shares that user information?
3. Does the company clearly disclose that it may share user information with government(s) or legal authorities?
4. For each type of user information the company shares, does the company clearly disclose the names of all third parties with which it shares user information?
5. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third party apps made available through its app store disclose what user information the apps share?
6. (For mobile ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third party apps made available through its app store disclose the types of third parties with whom they share user information?
7. (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third party skills made available through its skill store disclose what user information the skills share?
8. (For personal digital assistant ecosystems): Does the company clearly disclose that it evaluates whether the privacy policies of third party skills made available through its skill store disclose the types of third parties with whom they share user information?

App — A self-contained program or piece of software designed to fulfill a particular purpose; a software application, especially as downloaded by a user to a mobile device.

App store — The platform through which a company makes its own apps as well as those created by third-party developers available for download. An app store (or app marketplace) is a type of digital distribution platform for computer software, often in a mobile context.

Clearly disclose(s) — The company presents or explains its policies or practices in its public-facing materials in a way that is easy for users to find and understand.

Mobile ecosystem — The indivisible set of goods and services offered by a mobile device company, comprising the device hardware, operating system, app store, and user account.

Personal digital assistant ecosystem — A personal digital assistant (PDA) ecosystem consists of an artificial intelligence-powered interface installed on digital devices that can interact with users through text or voice to access information on the Internet and perform certain tasks with personal data shared by the users. Users can interact with PDA ecosystems through skills, which are either made available by third-party developers/providers or the PDA itself.

Privacy policies — Documents that outline a company’s practices involving the collection and use of information, especially information about users.

Shares / sharing — The company allows a third party to access user information, either by freely giving the information to a third party (or the public, or other users) or selling it to a third party.

Skills  — Skills are voice-driven personal digital assistant capabilities allowing users to perform certain tasks or engage with online content using devices equipped with a personal digital assistant. Personal digital assistant ecosystem skills are similar to mobile ecosystem apps: users can enable or disable built-in skills or install skills developed by third-parties through stores similar to app stores.

Skill store — The platform through which a company makes its own skills as well as those created by third-party developers available for download. A skill store (or skill marketplace) is a type of digital distribution platform for computer software.

Third party – A “party” or entity that is anything other than the user or the company. For the purposes of this methodology, third parties can include government organizations, courts, or other private parties (e.g., a company, an NGO, an individual person).

User information — Any data that is connected to an identifiable person, or may be connected to such a person by combining datasets or utilizing data-mining techniques. User information may be either collected or inferred. As further explanation, user information is any data that documents a user’s characteristics and/or activities. This information may or may not be tied to a specific user account. This information includes, but is not limited to, personal correspondence, user-generated content, account preferences and settings, log and access data, data about a user’s activities or preferences collected from third parties either through behavioral tracking or purchasing of data, and all forms of metadata. User information is never considered anonymous except when included solely as a basis to generate global measures (e.g. number of active monthly users). For example, the statement, ‘Our service has 1 million monthly active users,’ contains anonymous data, since it does not give enough information to know who those 1 million users are.

Indicator guidance: Companies collect a wide range of personal information from users—from our personal details and account profiles to our browsing activities and location. Companies also often share this information with third parties, including advertisers, governments, and legal authorities. We expect companies to clearly disclose what user information (as RDR defines it) they share and with whom. Companies should specify if it shares user information with governments and with commercial entities. For mobile ecosystems, we expect the company to clearly disclose whether the privacy policies of the apps that are available in its app store specify what user information the apps share with third parties. Companies that operate personal digital assistant (PDA) ecosystems should require that third-party skills that it makes available on its skill store to clearly disclose what types of user information is shared, and with what types of third parties with whom they share it.

• Company privacy policy
• Company policies related to sharing data, interaction with third parties